Apple Computer has released OT Tuner 1.0, a tiny patch that disables an option in Open Transport which could allow Macs connected to the Internet to be used as traffic amplifiers (see below) in a distributed denial-of-service attack. The update is for any computer running Mac OS 9, and for Power Mac G4s, iBooks, and current slot-loading iMacs (such as the iMac DV) running Mac OS 8.6. OT Tuner 1.0 is a 175K download, although the patch itself is less than 2K.
OT Tuner 1.0 is a direct response to a behavior in Open Transport publicized by John Copeland at the Georgia Institute of Technology during the past week. (The pages are also available at his personal site if Georgia Tech isn’t accessible.) The basic premise is that Open Transport will sometimes send a 1,500-byte response to certain small data packets sent from a remote machine elsewhere on the Internet. (This behavior is part of a standard called Path MTU Discovery, detailed over nine years ago in RFC 1191.) The problem is that the small data packets could be forged to carry the address of a third computer elsewhere on the Internet as their source; Open Transport has no way to tell that the source address is forged, so it would send its 1,500-byte response to that third computer. According to Copeland, the forged packet might be as short as 29 bytes, so Open Transport effectively enables a malicious party to deliver 1,500 bytes to a remote computer by transmitting a mere 29 bytes: a traffic amplification of roughly 52 to 1, or over 5,000 percent. Because the responses carry the Mac’s own address, the flood would also appear to the target to be coming from the Macs rather than from the attacker.
These data packets aren’t enormous, but they can be generated quickly, and the behavior could be exploited across many Macs at once to launch a distributed denial-of-service attack. In theory, a targeted computer’s Internet connection could be flooded with thousands of 1,500-byte packets per second, and the computer would probably be brought to its knees trying to process all the inbound data. Distributed denial-of-service attacks are a relatively new phenomenon (see CERT Advisory CA-99-17), and so far no tools are known to take advantage of Open Transport’s potential vulnerability. Apple’s OT Tuner 1.0 eliminates the possibility altogether. In any case, only Macs running Mac OS 9 (or the particular models above running Mac OS 8.6) that are continuously connected to the Internet would be in any danger of exploitation, and the danger is of being used as an unwitting amplifier against someone else, not of the Mac itself being compromised.
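To make the two preceding paragraphs concrete, the following Python script is an added example, not code from the TidBITS article, from Apple, or from Copeland. It uses only the figures the article quotes (a 29-byte forged packet eliciting a 1,500-byte reply) to work out the amplification arithmetic, and then runs a simple reflector detector over a constructed set of packet records of the kind a border router or sniffer on the Macs’ own network would see: inbound tiny packets from a forged source followed by outbound full-size replies to that same address. The addresses are from the documentation ranges reserved by RFC 5737, the flow records are constructed, and the detection thresholds are assumptions chosen for illustration.

```python
"""Reflection/amplification arithmetic and a simple reflector detector.

Added illustration for the Open Transport / OT Tuner discussion; not code
from TidBITS, Apple or John Copeland.  The 29-byte / 1,500-byte sizes are
the figures quoted in the article; the packet records are constructed and
the thresholds are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

REQUEST_BYTES = 29     # forged trigger packet, per Copeland
REPLY_BYTES = 1500     # Open Transport's Path MTU Discovery reply

# Assumed: the network on which the reflecting Macs live (RFC 5737 range).
LOCAL_NET = ip_network("198.51.100.0/24")


def amplification_factor(request_bytes=REQUEST_BYTES, reply_bytes=REPLY_BYTES):
    """Bytes delivered to the victim per byte the attacker must send."""
    return reply_bytes / request_bytes


def attacker_bps_to_saturate(link_bps, request_bytes=REQUEST_BYTES,
                             reply_bytes=REPLY_BYTES):
    """Attacker upstream bandwidth (bits/s) needed to fill a victim link,
    assuming every forged packet elicits exactly one full-size reply."""
    return link_bps / amplification_factor(request_bytes, reply_bytes)


def reply_packets_per_second(link_bps, reply_bytes=REPLY_BYTES):
    """How many full-size replies per second the victim's link can carry."""
    return link_bps / (reply_bytes * 8)


def is_local(addr):
    return ip_address(addr) in LOCAL_NET


def detect_reflectors(packets, ratio_threshold=20.0, min_reply_packets=50):
    """Flag (local_host, remote_host) pairs where a local host sends far more
    bytes to a remote host than it receives from it, in many large packets.

    packets: iterable of (src, dst, length) as seen at the local network's
    border.  A reflector being abused shows tiny inbound packets "from" the
    victim and a stream of 1,500-byte outbound replies to the victim.
    """
    in_bytes = defaultdict(int)
    out_bytes = defaultdict(int)
    out_pkts = defaultdict(int)
    for src, dst, length in packets:
        if is_local(dst) and not is_local(src):
            in_bytes[(dst, src)] += length
        elif is_local(src) and not is_local(dst):
            out_bytes[(src, dst)] += length
            out_pkts[(src, dst)] += 1
    suspicious = []
    for key, sent in out_bytes.items():
        ratio = sent / max(in_bytes[key], 1)
        if ratio >= ratio_threshold and out_pkts[key] >= min_reply_packets:
            suspicious.append({
                "local": key[0], "remote": key[1],
                "ratio": round(ratio, 1),
                "reply_packets": out_pkts[key],
                "avg_reply_bytes": sent // out_pkts[key],
            })
    return suspicious


def build_sample_packets():
    """Constructed traffic: one abused Mac, plus ordinary download and upload
    traffic that a naive byte-ratio check must not flag."""
    mac, victim, web = "198.51.100.5", "192.0.2.10", "203.0.113.7"
    pkts = []
    # 200 forged 29-byte triggers claiming to come from the victim, and the
    # 200 full-size replies Open Transport sends back to that address.
    for _ in range(200):
        pkts.append((victim, mac, REQUEST_BYTES))
        pkts.append((mac, victim, REPLY_BYTES))
    # Ordinary download: small ACKs out, big data packets in (ratio << 1).
    for _ in range(40):
        pkts.append((mac, web, 52))
        pkts.append((web, mac, 1500))
    # Short upload from another local host: high ratio but too few packets.
    for _ in range(10):
        pkts.append(("198.51.100.9", web, 1500))
        pkts.append((web, "198.51.100.9", 52))
    return pkts


SAMPLE_PACKETS = build_sample_packets()

if __name__ == "__main__":
    t1 = 1_544_000  # a T1 link, in bits per second
    print(f"amplification: {amplification_factor():.1f}x")
    print(f"attacker needs {attacker_bps_to_saturate(t1):.0f} bit/s to fill a T1")
    print(f"a T1 carries {reply_packets_per_second(t1):.0f} full-size replies/s")
    for hit in detect_reflectors(SAMPLE_PACKETS):
        print("suspected reflector:", hit)
```

The ratio test alone is not enough: a host uploading a file also sends many more bytes than it receives, which is why the detector also requires a minimum number of large outbound packets, and why in practice one would look at the rate of those packets over a short window rather than plain counts. Once OT Tuner 1.0 is applied, the reply stream that the detector keys on is not generated in the first place.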
For better or worse, this potential vulnerability in Open Transport has often been reported in terms of an international conspiracy culminating in a Mac OS 9-based New Year’s Eve attack on various Internet sites. Based on the information available to us, we find such speculation untenable. As with many things, caution may be warranted, but panic is not.