Is Apple’s IMAc OperAtIng systeM Secure under flooding Attacks? by aditya chintala Introduction How IMac’s Leopard and snow leopard OS vulnerable to the flooding attacks. Here is an issue, https://discussions.apple.com/thread/3156859 Is Windows more secure than Mac against flooding attacks? Outline Experimental Setup Performance Evaluation Types of DDOs Attacks - ARP Flood Attack - ping flood attack -tcp syn flood attack conclusion Experimental setup The experiment simulated a network condition in which multiple computers sent a barrage of DDoS attack traffic to a remote victim computer. DDoS attack traffic is sent to a remote victim computer at a speed of 10 mbps to 1,000 Mbps. Victim Computers : Apple OS X 10.6.3 Snow Leopard and Microsoft Windows 7. Experimental Setup: Performance Evaluation 1. Processor utilization : processor exhaustion is CPU utilization of a victim computer under DDoS attack traffic. Complete processor exhaustion must be avoided to prevent a victim computer from crashing under a DDoS attack. 2. Wired Pages/ Non-paged : These pool allocations in main memory can’t be paged out because they’re required for execution of specific kernel tasks. ARP Flood Attack What is ARP: Address Resolution Protocol is used in Local Area networks to resolve IP addresses into hardware MAC (medium access control) addresses. It is a very basic and essential protocol used to communicate in a LAN either by gateway or by any host. we considered the ARP Flood attack that usually can be launched on computers in a local area network. In ARP attacks, the victim computer is attacked by storming the host with ARP requests known as Denial of Service (DoS) attack . Message on the screen after a few minutes of ARP storm hitting the snow leopard. After forced reboot of the Leopard based iMAC computer the error log popped up that showed the cause of CPU panic which is due to “zalloc” retry failure in “rtentry”. Zallocs are the “Zone Allocators” that provides an efficient interface for managing dynamically-sized collections of items of similar size. 1. Wed Sep 2 09:30:53 2011 2. Panic (cpu 1 caller 0x001431A9): "zalloc: \"rtentry\" (2057063 elements) retry fail 3"@/SourceCache/xnu/xnu1228.5.20/osfmk/kern/zalloc.c:770 3. Backtrace, Format - Frame : Return Address (4 potential args on stack) 4. 0x3d8e3ac8 : 0x12b0fa (0x4592a4 0x3d8e3afc 0x133243 0x0) 5. 0x3d8e3b18 : 0x1431a9 (0x45aef0 0x471d14 0x1f6367 0x3) Comparing Windows 7 and Snow Leopard Processor utilization (on a logarithmic scale). Our evaluation of how Windows 7 and Snow Leopard can handle an ARP flood attack shows zero processor utilization for Snow Leopard after it crashed. Processor utilization in Snow Leopard. With ARP flood traffic loads at 10 Mbps, 5 Mbps, and 2 Mbps, we see processor utilization become zero after the iMac loaded with Snow Leopard crashed. Wired page allocation in Imac Snow Leopard Non-Page allocation in Windows 7 Ping Flood Attack Ping is diagnostic ICMP (Internet control message protocol) message used to determine the availability of another computer in a network. Attackers can exploit this protocol and flood victim computers with ping requests, which ultimately consumes the victim computer’s resources. Snow Leopard can be bogged down significantly even with a low load of ping flood attack traffic. Windows 7 vs Snow Leopard TCP-SYN Flood Attack The attacker attempts multiple TCP connections by sending a flood of TCP-SYN packets to the victim computer, forcing it to exhaust its resources. This attack creates a large number of half-open connections. Microsoft service packs in particular mitigate this type of TCP-SYN-based DDoS attack by controlling the rate of half-open connections. Windows 7 vs Snow Leopard conclusion This is quite remarkable, tests performed in an Apple environment (iMac) directly contradicts Apple’s advertised superb security aspects. Advancement in Firewall protection and Intrusion Prevention systems (IPS) would abate the problem. Is it how it would be after the brutal Flooding attack?? References S. Kumar, Impact of Distributed Denial of Service (DDoS) Attack Due to ARP Storm, Springer-Verlag Berlin Heidelberg, Book Series: Lecture Notes in Computer Science, pages 9911002, April-2005. D.C. Plummer, “Ethernet Address Resolution Protocol,” IETF Network Working Group, RFC-826, November 1982, available online at (http://www.ietf.org/rfc/rfc826.txt) last access on: Feb-06, 2010. S. Kumar, “PING Att ack: How Bad Is It?” Computers & Security J., vol. 25, July 2006, pp. 332–337. S. Kumar and E. Petana, “Mitigation of TCP-SYN Att acks with Microsoft ’s Windows XP Service Pack2 (SP2) Soft ware,” Proc. 7th Int’l Conf. Networking, IEEE, 2008, pp. 238–242.