Apple Computer has released OT Tuner 1.0, a tiny patch which disables an option in Open Transport that could enable Macs connected to the Internet to be used as traffic amplifiers (see below) in a distributed denial-of-service attack. The update is for any computer running Mac OS 9, or Power Mac G4s, iBooks, or current slot-loading iMacs (like the iMac DV) running Mac OS 8.6. OT Tuner 1.0 is a 175K download, although the patch itself is less than 2K.
[05-Jan-00: Apple has withdrawn OT Tuner 1.0 in favor of Open Transport 2.6 which purports to offer the same abuse prevention without the problems some users experienced with OT Tuner 1.0. -Geoff]
OT Tuner 1.0 is a direct response to a behavior in Open Transport publicized by John Copeland at the Georgia Institute of Technology. The basic premise is that Open Transport will sometimes send a 1,500-byte response to certain small data packets sent from a remote machine elsewhere on the Internet. (This behavior is part of a standard called Path MTU Discovery detailed over nine years ago in RFC 1191.) The problem is that the small data packets could be forged to look like they came from a third computer elsewhere on the Internet; in that case, Open Transport would send its 1,500-byte response to that third computer. According to Copeland, the forged packet might be as short as 29 bytes, so Open Transport effectively enables a malicious third party to send 1,500 bytes to a remote computer by transmitting a mere 29 bytes – a traffic amplification of over 5000 percent.
These data packets aren’t enormous, but they can be generated quickly and the behavior could be exploited in several Macs to launch a distributed denial-of-service attack. In theory, a targeted computer’s Internet connection could be flooded with thousands of 1,500-byte packets per second, and the computer would probably be brought to its knees trying to process all the inbound data. Distributed denial-of-service attacks are a relatively new phenomenon – see CERT Advisory CA-99-17 – and so far no tools are known to take advantage of Open Transport’s potential vulnerability. In any case, only Macs running Mac OS 9 (or the models above running Mac OS 8.6) that are continuously connected to the Internet would be in any danger of exploitation.
Although many folks are using Apple’s OT Tuner 1.0 without trouble, there are persistent reports of the patch causing problems for users with AirPort networks as well as some cable modem and DSL connections. Some users also report difficulty switching TCP/IP configurations with the patch installed. It’s probably safest to err on the side of caution and give Apple’s OT Tuner a try, but disable it using the Extensions Manager if you find it causes problems with your connectivity.