Transcript Aditya Chintala`s presentation on Comparing Windows and Mac

Is Apple’s IMAc OperAtIng systeM
Secure under
flooding Attacks?
by
aditya chintala
Introduction

How IMac’s Leopard and snow leopard OS
vulnerable to the flooding attacks.

Here is an issue,
https://discussions.apple.com/thread/3156859

Is Windows more secure than Mac against
flooding attacks?
Outline
Experimental Setup
 Performance Evaluation
 Types of DDOs Attacks

- ARP Flood Attack
- ping flood attack
-tcp syn flood attack

conclusion
Experimental setup

The experiment simulated a network condition in
which multiple computers sent a barrage of DDoS
attack traffic to a remote victim computer.

DDoS attack traffic is sent to a remote victim
computer at a speed of 10 mbps to 1,000 Mbps.

Victim Computers : Apple OS X 10.6.3 Snow
Leopard and Microsoft Windows 7.
Experimental Setup:
Performance Evaluation
1. Processor utilization : processor exhaustion is
CPU utilization of a victim computer under
DDoS attack traffic.
 Complete processor exhaustion must be
avoided to prevent a victim computer from
crashing under a DDoS attack.
2. Wired Pages/ Non-paged : These pool
allocations in main memory can’t be paged
out because they’re required for execution of
specific kernel tasks.
ARP Flood Attack

What is ARP: Address Resolution Protocol is used in
Local Area networks to resolve IP addresses into
hardware MAC (medium access control) addresses.

It is a very basic and essential protocol used to
communicate in a LAN either by gateway or by any
host.

we considered the ARP Flood attack that usually can be
launched on computers in a local area network.

In ARP attacks, the victim computer is attacked by
storming the host with ARP requests known as Denial
of Service (DoS) attack .
Message on the screen after a few minutes of ARP
storm hitting the snow leopard.

After forced reboot of the Leopard based iMAC
computer the error log popped up that showed the cause
of CPU panic which is due to “zalloc” retry failure in
“rtentry”.

Zallocs are the “Zone Allocators” that provides an
efficient interface for managing dynamically-sized
collections of items of similar size.
1. Wed Sep 2 09:30:53 2011
2. Panic (cpu 1 caller 0x001431A9): "zalloc: \"rtentry\"
(2057063 elements) retry fail
3"@/SourceCache/xnu/xnu1228.5.20/osfmk/kern/zalloc.c:770
3. Backtrace, Format - Frame : Return Address (4
potential args on stack)
4. 0x3d8e3ac8 : 0x12b0fa (0x4592a4 0x3d8e3afc
0x133243 0x0)
5. 0x3d8e3b18 : 0x1431a9 (0x45aef0 0x471d14
0x1f6367 0x3)
Comparing Windows 7 and Snow Leopard
Processor utilization (on a logarithmic scale). Our evaluation of how
Windows 7 and Snow Leopard can handle an ARP flood attack shows
zero processor utilization for Snow Leopard after it crashed.
Processor utilization in Snow Leopard. With ARP flood traffic loads at 10 Mbps, 5
Mbps, and 2 Mbps, we see processor utilization become zero after the iMac loaded
with Snow Leopard crashed.
Wired page allocation in Imac Snow Leopard
Non-Page allocation in Windows 7
Ping Flood Attack
Ping
is diagnostic ICMP (Internet control message
protocol) message used to determine the
availability of another computer in a network.
Attackers
can exploit this protocol and flood
victim computers with ping requests, which
ultimately consumes the victim computer’s
resources.
Snow
Leopard can be bogged down significantly
even with a low load of ping flood attack traffic.
Windows 7 vs Snow Leopard
TCP-SYN Flood Attack
The
attacker attempts multiple TCP connections by
sending a flood of TCP-SYN packets to the victim
computer, forcing it to exhaust its resources.
This
attack creates a large number of half-open
connections.
Microsoft
service packs in particular mitigate this type
of TCP-SYN-based DDoS attack by controlling the rate of
half-open connections.
Windows 7 vs Snow Leopard
conclusion

This is quite remarkable, tests performed in an Apple
environment (iMac) directly contradicts Apple’s
advertised superb security aspects.

Advancement in Firewall protection and Intrusion
Prevention systems (IPS) would abate the problem.
Is it how it would be after
the brutal Flooding attack??
References

S. Kumar, Impact of Distributed Denial of Service (DDoS) Attack Due to ARP
Storm, Springer-Verlag Berlin Heidelberg, Book Series: Lecture Notes in
Computer Science, pages 9911002, April-2005.

D.C. Plummer, “Ethernet Address Resolution Protocol,” IETF Network
Working Group, RFC-826, November 1982, available online at
(http://www.ietf.org/rfc/rfc826.txt) last
access on: Feb-06, 2010.

S. Kumar, “PING Att ack: How Bad Is It?” Computers & Security J., vol. 25,
July 2006, pp. 332–337.

S. Kumar and E. Petana, “Mitigation of TCP-SYN Att acks with Microsoft ’s
Windows XP Service Pack2 (SP2) Soft ware,” Proc. 7th Int’l Conf. Networking,
IEEE, 2008, pp. 238–242.