Feeds

'New' Internet vuln long ignored

It ain't broke unless we fix it

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Opinion A researcher named Paul Watson recently revealed that sessions between devices on the Internet can be reset with relative ease. The potential impact would be a distributed denial of service attack causing routers to reset repeatedly, thereby slowing the Net slightly overall and causing periodic local service outages here and there. The flaw itself belongs to TCP, though it affects quite a few devices, most notably routers running BGP (Border Gateway Protocol).

Stupid packet tricks

The problem has existed for as long as TCP has existed, and has probably been recognized for years, but it wasn't fixed until this week's announcement. Yet the essential concept is rather straightforward, even self-evident. To reset a BGP router you must inject a packet, with the SYN (synchronize) or RST (reset) flag set, into a session. The router will restart, which takes a bit of time during which the routing table is rebuilt. If this were done to a lot of machines in a continual, distributed attack, Net performance and availability could be affected.

For the attack to work, the fake packet's sequence number would have to fall within a certain range, or it will be ignored. With BGP, the range is broad enough that an acceptable sequence number can be guessed with a bit of trial and error. There is a value, called the receiver window, which indicates a range of valid sequence numbers for the next packet. Thus, instead of trying every possible sequence number, an attacker need only try numbers separated by the value of the receiver window. The larger the window, the more economical the attack becomes.

But surely this is not the first time someone's thought of an attack like this. Networking has tremendous hobbyist appeal, and people do all sorts of amusing things with customized packets and clever little utilities. It's also hard to believe that this could be news to people involved in network engineering on a daily basis. Indeed, Cisco's advisory includes some rather curious language: the TCP flaw "enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly," the company says. (Our emphasis)

The suggestion here is that the problem has been known for some time, and that, as usual, it's been necessary for someone to make it public before vendors will bother to fix their products.

Window of opportunity

Vendors do hate it when people go public like this. They often say that it hurts their customers, because attackers enjoy a window of opportunity to misuse the information before the rest of us can patch our systems. And strictly speaking, that's true. But one also has to wonder how long the vendors have been waiting for this discovery to be made public, and why they didn't patch their equipment proactively to make it less vulnerable. How big was their window of opportunity, one is tempted to ask.

The IETF (Internet Engineering Task Force) has been working on a few subtle modifications to enhance TCP security against these attacks since the winter of 2003, according to a recent (and quite sensible) draft document released this week.

Interestingly, the IETF draft doesn't acknowledge Paul Watson, which invites speculation that he re-invented the wheel on his own, and that the vendors and IETF were aware of this problem for quite some time and were just waiting for someone to force their hands. Which would be another way of saying that they'd devised a fix, but were unwilling to propose it because they didn't want us to know that something was broken.

Watson told us that he contacted CERT/CC and Cisco in late October and early November of 2003, but received no reply, "which is why I eventually talked with NISCC over in the UK to help coordinate the fixes and notifications."

In truth, the disclosure is a blessing in disguise. We've now got a number of workarounds to a problem that has existed for years, and motivation to adopt the IETF's quite decent recommendations. It's just too bad that vendors don't see it that way. ®

Thomas C Greene is the author of Computer Security for the Home and Small Office, a complete guide to online anonymity, system hardening, encryption, and data hygiene for Windows and Linux, available at discount in the USA, and the UK.

Related stories

Anonymous TCP/IP to debut at CodeCon
Worms pour through MyDoom back door
Watching the Net's background radiation

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.