Discussion:
[Dailydave] SMBLoris
Dave Aitel
2017-08-08 18:27:57 UTC
So I know it's Microsoft Tuesday, but we've been working on that SMBLoris
bug a bit more for release to customers as well, and as part of that, we're
spending a lot of time thinking about it, as deceptively simple as it is.

The thing I'm wondering is why people outside of FinancialSec think DoS is
almost a non-issue. Most companies have only a few domain controllers, and
when those go down, the company goes down. And they have to be reachable on
these exact ports, from anywhere in the company, essentially.

It seems like this is one of those things that got a tiny splash of
attention, but could be worth more. :)

-dave
Oliver Friedrichs
2017-08-08 18:47:23 UTC
Sorry to see that things haven’t changed.

While it’s certainly not as sexy as RCE, it’s damaging, can lead to data loss, and as you point out, an enterprise wide outage.

Found the first one of these in NT in 1998 while reversing Microsoft’s DCE-RPC implementation which at the time was not yet documented:

http://insecure.org/sploits/NT.smb.login.DOS.html

Oliver
Konrads Smelkovs
2017-08-08 19:15:35 UTC
Mostly due to BCP. Guys that do construction can probably live without a
domain controller for a bit.

--
Konrads Smelkovs
Applied IT sorcery.
Bob Auger
2017-08-08 19:40:33 UTC
TLDR: Sockets/connections can always be exhausted at the app level based on
the hardware, configuration, and design.

1. Discuss <InsertDaemonNameHere>loris.
2. Hype the media on #1
3. Discuss that DOS is still bad (no debate)
4. Inform users of configuration/rate limiting opportunities/hardware/fault
tolerance design (to the extent you can)
5. Profit from #4

- Robert
