Anyone who tried to access SSLFail.com late last night or this morning would have noticed that it was down. I apparently caused my own server outage with python. Here’s how it happened.
When sockstress was first discussed I was rather intrigued and thought about it for a bit, but then I quickly abandoned it… I just had too many other things on my plate. However discussions at SecTOR renewed my interest in exploring how this tool worked. After a bit of googling, I found this page which gives an explanation of what is occurring, although I wasn’t sure if it was correct. It did, however, fit with the ‘TCP/IP Zero Window Size Vulnerability’ in MS09-048.
I decided I would code up the diagram on the Check Point page and see what happened when I tested it. I started writing in python using SOCK_RAW and was ready to send my first packet… or so I’d thought. I forgot to send an appropriate Ethernet header, which meant parsing the packet found garbage instead of a valid packet… and port security on on the switch found an invalid MAC address and quickly disabled the port. Which means no more using the SSLFail.com server for playing with raw sockets.
Anyways, everything is back up and running now.
November 13, 2009
Once again, the benefits of a closed testing system make themselves apparent.