Paging Pliney...Questions re Alternative to "Denial of Service Hackers" theory

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

Paging Pliney...

Below is a reposting of some comments you made on the Buy.Com...thread of 2/9/2000. Your theory sounds quite plausible. But, what say you to "More Info Please"? Thanks!

I have also added a second set of questions after the excerpts from the thread.

Excerpts from Buy.Com....thread

"I am beginning to suspect that the date-time stamp embedded in packets within the MAC layer of the TCP/IP stack has gone to negative numbers as a result of the CDC (century date change) and some of the routers and switches are having serious problems in reconciling packet reconstruction. This means that the receiving end routers of the TCP/IP stream (i.e. the 'hacked' sites) are not able to reconstruct the packet stream sufficiently enough to avoid triggering an error condition. This is predictable anomalous behavior (and may have been noted on the Cisco site field notations) if the date-time stamp algorithm were to deal with a year of '00'. This problem will also trigger security alarms and could be easily mistaken for an attack of the *denial of service* kind. Persons on site could use a packet sniffer to retrieve MAC layer address headers and determine if the most significant bit of the date-time stamp was -1.

If I am correct, then no hackers will take credit for what will become a daily increasing amount of 'hack' attacks. At some point it would be expected to level off at a near critical level for the internet. I would expect that this point would be reached when 24% of routers are involved. Note that this is a wild ass guess as there are many kinds of equipment and expected responses within the class of routers. Some could be expected to just ignore the negative number. These, though, should exhibit garbled messages as they could be expected to be reassembled improperly.

Also should note that many cell phone tower packet handlers use the same algorithm."

-- pliney the younger (pliney@puget.sound.rain.light.chilly), February 09, 2000.

_______________________________________________________________

"Very insightful post pliney, thanks. Given the scope of the alleged big hack attacks, I think skepticism about the corporate line on this rapidly emerging problem is wise. Cisco (one of the most important internet infrastructure companies) has posted Field notices reporting a variety of problems since rollover including an apparently minor February 29 date stamping problem with their Optical Product Software. There's a list of post CDC field notices on this thread : http://hv.greenspun.com/bboard/q-and-a-fetch-msg.tcl?msg_id=002WEk

-- Carl Jenkins (Somewherepress@aol.com), February 09, 2000.

_________________________________________________________________

The author above says: "Persons on site could use a packet sniffer to retrieve MAC layer address headers and determine if the most significant bit of the date-time stamp was -1."

Can you please be more specific?

The MAC layers I know of:

Ethernet (IEEE 802.3) Token Ring (IEEE 802.5) FDDI PPP

have nothing even remotely resembling a "date-time stamp."

All are designed to send a packet as simply as possible and let higher layers (definitely not the "MAC" layer) do the complicated stuff like sequencing, time-stamping, acknowledging, error-correcting. As I go through the Internet protocols I know of, I can not find one that would go negative or set the most-significant-bit around the Century Date Change. Can you help me out here and specify an example of a specific field of a specific protocol that you think would exhibit this problem, and quote the relevant paragraph and link to the standard RFC document?

-- More Info Please (AmI@clueless.to), February 10, 2000.

___________________________________________________________________

(End of excerpted thread)

2nd set of questions for Pliney:

Also, someone else who saw your comments had this to say:

"First there is all of the CERT warnings since December about distributed attacks--so that's the most obvious source of problems--second the MAC layers involved in routing and reassembling packets are different, and lastly the router doesn't care what the actual date is, only about packet IDs."

I look forward to your responses.

Thanks very much!



-- Some questions (Some questions@......com), February 11, 2000

Answers

Under the rubric, A Cat Can Look at a King: Question from an ignorant layman:

I thought about Pliney's attractive proposition last night, but can't get over the apparent focused nature of the "hacker-attackers" being directed at these very high-profile e-commerce sites: eBay, Amazon.com, e+Trade, etc. -- EXCLUSIVELY or so the news stories would have us believe. Is it possible that these same DNS problems are affecting many other websites with smaller clientele and traffic, but the fact is just not newsworthy? Or are the news stories accurate this far, and the Y2K-router theory is inadequate?

TNX

>"<

-- Squirrel Hunter (nuts@upina.cellrelaytower), February 11, 2000.


Dear Squirrel Hunter >"<

You mentioned not being able to get over the "apparent focused nature of the 'hacker-attackers' being directed at these very high-profile e-commerce sites: eBay, Amazon.com, e+Trade, etc...." According to what I have heard there are a lot of smaller clientele affected as well. It would be interesting if they turn out to have the same DNS. I think you're right, that we haven't heard about the smaller clientele as yet because it is not as newsworthy.

If I get further details in the next few days regarding who else was affected, I will plan to post it here.

-- Some questions (Some questions@.....com), February 11, 2000.


My apologies. I said date-time stamp as I did not really want to explain TTL and the fragmentation segments within the IP header. I also did/don't want to be too specific about how this could occur as it has dawned on me that this could be developed into a new cracking tool.

However. Here is the concept. There is a portion of the IP or UDP packet header that all the young pups think is a finite number (255 or less) which is the number of hops from origination to destination. If you are an old puff wind like myself you realize that this number is actually designating a discrete number of seconds that the packet is allowed to live (the TTL = Time To Live).

Anyway, what I suspect is happening is that a date related algorithm in the sending chain starts the problem by placing a negative number in one or more of these header fields. This is what is causing the machine-to-machine escalation of bad packet resend requests.

As to the specific "targets", please note that the sites being 'bombed' all are very high end biz sites AND are all using the BIG Whumpen Routers. All the Big Whumpen Routers are one of the common elements of this incident. Might they not all share a common vulnerability as they share a common code base?

Another commonality is the manner in which the net as a whole was impacted. This is what got me thinking about this. A normal DOS does not cascade into backbone problems. Also these packet flurries appear to be generated at a phenomenal rate of expansion. Something that an OS driven process with other activities on other threads/processes would be hard pressed to duplicate. This is just an intuitive observation as I have no certain knowledge from the perspective of the 'victim' only what I have heard and deduced.

Also, we were able to mock up a peer to peer router group and replicate this effect of DOS attack on a wholly closed network. And all we needed was some misbehavior at the ttl level of things.

Finally, the stuff I am speaking of relates to the algorithms for the packetizing and packet reassembly aspect of things. Not specifically machines, but rather the logic employed in the firmware.

Is it better that I am correct? Or that it really is hackers? Either way it is a real, and serious problem to work. The issue for me is to do what I can to assist TPTB in deciding which problem they really are working.

Vale. Et bona dies sunt.

-- pliney the younger (pliney@puget.sound.early.sun), February 11, 2000.


I posted on GICC a traceroute of a site I couldn't reach yesterday. See http://hv.greenspun.com/bboard/q-and-a-fetch-msg.tcl?msg_id=002XEH The tool I used diagnosed a TTL abnormality (documented on the post). The site (www.sprintpcs.com) came back up about an hour or so after my post.

-- Ray Strackbein (Ray@Strackbein.com), February 11, 2000.

link

-- sally strackbein (sally@y2kkitchen.com), February 11, 2000.


Thanks, Ray and Sally:

I guess my followup layman's silly wild-ass question would be, why the sporadic or episodic character of these "hack-attacks" at least as it affects the major sites? Why the surges that took down Yahoo and eBay, yet evidently "subsided" after a few hours, leaving everything normal again? If it's a router-embedded-buffer-overflow problem, a layman like me would expect that the problem would simply persist and perhaps swell, not cause SURGES and slack-offs. Is there some rhyme or reason or pattern to this -- or will we witness chaos that is truly chaotic, and unpatterned in its timing and extent?

TNX

>"<

-- Squirrel Hunter (nuts@upina.cellrelaytower), February 11, 2000.


I can understand how even a smart person (with a PhD, no less) who has no technical background could propagate incorrect information, but these recent denial of service attacks are such "high visibility" incidents that a plethora of technical information abounds.

When you get right down to it, this "Pliney" has no idea, technically, what he/she is talking about. Even his/her descriptions of non-menacing technology frobs are incorrect.

This has got to be one of the most asinine conspiracy theories I have seen, and can be considered no less than an outright slanderous assault on the character of Cisco Systems, completely contrary to well established facts and technologies.



-- Forwarded response from Cisco (duh@conspiracytheory.org), February 11, 2000.

Pliney is posting somewhat misleading information about the TTL field in the IP header.

1. Yes, at one time TTL was considered a time value. But standard practice at router vendors nowadays is to treat it solely as a hop count. Read section 5.3.1 in RFC 1812, at http://www.cis.ohio-state.edu/htbin/rfc/rfc1812.html#id9454

"In this specification, we have reluctantly decided to follow the strong belief among the router vendors that the time limit function should be optional. They argued that implementation of the time limit function is difficult enough that it is currently not generally done. They further pointed to the lack of documented cases where this shortcut has caused TCP to corrupt data (of course, we would expect the problems created to be rare and difficult to reproduce, so the lack of documented cases provides little reassurance that there haven't been a number of undocumented cases)."

Granted, RFC1812 is still in "proposed standard" status, and RFC 791 (dated 1981, it describes TTL as a time count) still holds "standard" status, but RFC1812 reflects what is actually being practiced by router vendors.

Even so, 2. The IP header's TTL field is an 8-bit, UNSIGNED integer, with possible values ranging from 0 to 255 inclusively. There is no way to encode a negative number in the TTL field. Even if you tried, the next router would simply read it as an unsigned integer value above 127.

-Anthony Garcia agarcia@neosoft.com

-- Anthony Garcia (agarcia@neosoft.com), February 11, 2000.
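The two technical points in this thread that can actually be checked at the byte level are "More Info Please"'s question (the MAC header carries no timestamp field) and Anthony Garcia's points (the TTL is an unsigned 8-bit hop count; a router can only read it as 0..255 and decrements it by one per hop). Ray Strackbein's traceroute observation depends on the same decrement. The following is an added example, not code from any of the posters; the Ethernet/IPv4/UDP frame is constructed inline from documentation addresses, and the list of router hops in the traceroute simulation is hypothetical, not a real path.

```python
import socket
import struct

# Constructed sample (not a capture from any real network): an Ethernet II frame
# carrying an IPv4/UDP datagram, built field by field so every byte is known.
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
UDP_PROBE = struct.pack("!HHHH", 40000, 33434, 8, 0)   # traceroute-style UDP probe


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header with the checksum field zeroed."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, payload: bytes, ident: int = 0x1234) -> bytes:
    """Minimal 20-byte IPv4 header (no options), DF set, valid checksum."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                       ttl, IPPROTO_UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return head[:10] + struct.pack("!H", ipv4_checksum(head)) + head[12:] + payload


def parse_ethernet(frame: bytes) -> dict:
    """Ethernet MAC header: destination, source, type/length. That is the entire
    header; there is no timestamp or date field at this layer."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype,
            "payload": frame[14:]}


def parse_ipv4(data: bytes) -> dict:
    """IPv4 header per RFC 791. Format 'B' is an unsigned 8-bit field, so the TTL
    can only ever decode to 0..255; no date enters any of these fields."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    zeroed = data[:10] + b"\x00\x00" + data[12:ihl]
    return {"version": ver_ihl >> 4, "header_len": ihl, "total_length": total_len,
            "identification": ident, "flags": flags_frag >> 13,
            "fragment_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
            "checksum_ok": ipv4_checksum(zeroed) == csum,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def signed_misread(ttl: int) -> int:
    """What a buggy implementation would see if it read the same wire byte as a
    signed 8-bit value: 0xFF becomes -1. The byte on the wire is unchanged, and a
    conforming router (or parse_ipv4 above) reads it back as 255."""
    return struct.unpack("b", bytes([ttl]))[0]


def forward_hop(packet: bytes) -> tuple:
    """Forwarding as routers implement it (RFC 1812 sections 4.2.2.9 and 5.3.1):
    TTL is a hop count. Decrement by one; if that reaches zero the datagram is
    discarded and an ICMP Time Exceeded goes back to the sender (modelled here
    as the return value). Returns (forwarded_packet_or_None, reason)."""
    ttl = packet[8]
    if ttl <= 1:
        return None, "time-exceeded"
    head = packet[:8] + bytes([ttl - 1]) + packet[9:10] + b"\x00\x00" + packet[12:20]
    head = head[:10] + struct.pack("!H", ipv4_checksum(head)) + head[12:]
    return head + packet[20:], "forwarded"


def simulate_traceroute(routers: list, dst: str, max_ttl: int = 30) -> list:
    """How a traceroute tool uses TTL: probes go out with TTL 1, 2, 3, ...; the
    router at which each probe expires answers Time Exceeded and is thereby
    revealed. 'routers' is a hypothetical list of hop addresses, not a real path;
    a real tool detects arrival via ICMP Port Unreachable from the destination."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        pkt = build_ipv4("192.0.2.1", dst, ttl, UDP_PROBE)
        for hop in routers:
            pkt, reason = forward_hop(pkt)
            if pkt is None:
                hops.append((ttl, hop, reason))
                break
        else:
            hops.append((ttl, dst, "reached"))
            break
    return hops


SAMPLE_FRAME = (DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4)
                + build_ipv4("192.0.2.1", "198.51.100.7", 255, UDP_PROBE))

if __name__ == "__main__":
    eth = parse_ethernet(SAMPLE_FRAME)
    ip = parse_ipv4(eth["payload"])
    print("MAC header fields:", [k for k in eth if k != "payload"])
    print("IPv4 TTL on the wire:", ip["ttl"], "| misread as signed:", signed_misread(ip["ttl"]))
    print("TTL after one hop:", parse_ipv4(forward_hop(eth["payload"])[0])["ttl"])
    print(simulate_traceroute(["203.0.113.1", "203.0.113.2", "203.0.113.3"], "198.51.100.7"))
```

Run against the constructed frame, parse_ethernet returns only destination, source and type; parse_ipv4 returns TTL 255 and a valid checksum; signed_misread(255) is -1 only for code that chooses a signed type, and the next router still decrements 255 to 254. Note that forward_hop recomputes the header checksum after the decrement, which is why a hop that mangles the TTL would normally show up as a checksum failure at the next router rather than as a silently "negative" field.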


Mistaken, maybe ... but calling a discourse on a possible embedded Y2K glitch in internet routers an "asinine conspiracy theory" when in fact it is JUST the opposite, and occupies a position contradictory to all the conspiracy theories actually circulating about these failures -- including the media-promoted conspiracy theory that these are "hack-attacks" and the conspiracy theories which seek to implicate the Chinese gov. ..... well, in short the troll vitriol of the cross-post is self-discrediting. Where's the technical argument in refutation (to support the cross-post)?

I would like to see a response to Garcia's post, however.

>"<

-- Squirrel Hunter (nuts@upina.cellrelaytower), February 11, 2000.


TCP/IP packet y2k bug? Good one pliney, ranks up there with the Q7 transistor y2k scare.

-- FactFinder (FactFinder@bzn.com), February 11, 2000.


Hmmm...wonder why the post below was deleted from this thread...could it be that Paula didn't want to appear to have fallen for the "TCP/IP Packet" hoax? lol...

Pliney,

Thanks for the clarification.

Please send me your contact information. I have some suggestions.

-- Paula Gordon (pgordon@erols.com), February 11, 2000.

-- FactFinder (FactFinder@bzn.com), February 11, 2000.


Just found this thread, which answers my question above: http://206.28.81.29/HyperNews/get/gn/1969.html

-- FactFinder (FactFinder@bzn.com), February 11, 2000.
