Hello, welcome to the Monday, July 31st, 2017 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich, and the day I'm recording from Jacksonville, Florida.

This weekend at Defcon in Las Vegas to researchers release details about a flaw in windows that can be used to shut down a window

system by flooding it with SMB requests. The attack works somewhat similar to an older attack

that attacked web servers. The web server attack was dubbed the Slow Loris. So in order to show that similarity, this new attack has been named SMB Loris.

However, the details how the attack works is a little bit different in Slow Loris.

All you did is you chewed up all the connections that a server could handle.

So essentially, you would connect to the web server and send a couple of headers and then just

stop sending any additional data before the complete set of headers was sent.

The end effect was that the system ran out of connections, but the system itself was still

responsive. It could still be, for example,

rebooted remotely via another service like SSH. SMB Loris is a little bit more dangerous in that sense.

The SMB Loris attack opens an SMB connection and requests a buffer.

The maximum buffer size possible for this request is 128 kilobyte, which isn't really a lot,

but still enough once you realize that for each source IP address, you can open 65,535 connections one for each source port which will reserve about

8 gigabyte now this memory is allocated without allowing it to be pageed to swap so this has to be

located in physical RAM and 8 gigabyte is quite a bit of course with a

multiple source IPs you would be able to get multiples of 8 gigabyte reserved.

After 30 seconds the memory is freed so you would have to flood the system with the necessary number of connections

within 30 seconds.

Now unlike in the HDP SlowLoris case, the system however becomes completely unresponsive.

What happens is that as the system tries to find more memory, the CPU is scanning the memory for any free memory

...