Tuesday, August 30, 2011

Slowloris and RDP

I was reading up on one of the latest worms to be released this week. It uses RDP to initiate a session and then attempts a dictionary attack against Windows-based hosts. It would seem that this is one of the first attempts to utilize what is really thought of as a utility to initiate a penetration. If one were to be clever enough, RDP as a utility and terminal services could become a more prominent attack vector.

I remembered reading about an HTTP SYN flood utility in an IRC channel once a few months ago. Slowloris had been demonstrated at a DEF CON at one point (I'm not sure which one), but it made me wonder if there have been attempts to initiate half-open sessions to terminal services in the past. It could be argued that since the TCP stack in Slowloris actually initiates and completes a connection, many of the more common remote options could be targeted via DoS. Since most use the TCP stack and then hand off to another service, most of them could be real targets, especially ones which are not used in the main arena of remote connectivity, like TeamViewer or something similar.

Now I know that there are defenses against Slowloris, but they require looking at the number of open connections and determining if that number is too many. This defense would need to be set against each type of remote connection across any number of ports for RDP, ARD, and VNC. Whitelists and constant monitoring would also have to be set up.

It also makes me wonder if NetFlow can detect the number of simultaneous connections rather than leaving it to a script running on the host. I will look to see if Snort has any specific signatures to detect a Slowloris attack and if that sig can be tweaked to look at other services beyond HTTP. I also wonder if Metasploit has a similar module in the framework.
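As an added example (not code from the original post), here is the kind of per-service connection-count check the two paragraphs above describe, run over constructed flow records rather than real NetFlow or netstat output; the port thresholds, the idle/byte cutoffs and the whitelisted address are all assumed values.

```python
"""Threshold check for held-open connections across remote-access ports."""
from collections import Counter
from dataclasses import dataclass

# Assumed per-service limits (not from the post): max concurrent long-lived,
# low-traffic connections tolerated from one source to one destination port.
THRESHOLDS = {80: 100, 3389: 20, 5900: 10, 3283: 10}   # HTTP, RDP, VNC, ARD
WHITELIST = {"10.0.0.5"}      # assumed: a jump host allowed many sessions
MIN_AGE_S = 30                # a socket open this long with little data is "held"
MAX_BYTES = 512               # fewer bytes than this means no real session ran

@dataclass(frozen=True)
class Flow:
    """One observed connection: source IP, destination port, age, bytes moved."""
    src: str
    dst_port: int
    age_s: int
    nbytes: int

def held_connections(flows):
    """Count, per (src, port), connections that look held open rather than used."""
    counts = Counter()
    for f in flows:
        if f.src in WHITELIST:
            continue
        if f.age_s >= MIN_AGE_S and f.nbytes <= MAX_BYTES:
            counts[(f.src, f.dst_port)] += 1
    return counts

def offenders(flows, thresholds=THRESHOLDS):
    """Return {(src, port): count} for every pair over its service threshold."""
    return {k: n for k, n in held_connections(flows).items()
            if n > thresholds.get(k[1], float("inf"))}

# Constructed sample: one source holding 25 idle RDP sockets, plus benign traffic.
SAMPLE = [Flow("203.0.113.7", 3389, 120, 64) for _ in range(25)]
SAMPLE += [Flow("198.51.100.2", 3389, 600, 900_000)]           # real, busy RDP session
SAMPLE += [Flow("10.0.0.5", 5900, 400, 10) for _ in range(50)]  # whitelisted jump host
SAMPLE += [Flow("203.0.113.9", 80, 5, 0) for _ in range(200)]   # too young to count yet

if __name__ == "__main__":
    for (src, port), n in offenders(SAMPLE).items():
        print(f"ALERT {src} holds {n} idle connections to port {port}")
```

Fed with real per-connection records (from netstat on the host or a flow exporter), the same functions give a per-port alarm instead of a single HTTP-only check.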

I guess it's time to go read more...