Feeds

'New' Internet vuln long ignored

It ain't broke unless we fix it

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

Opinion A researcher named Paul Watson recently revealed that sessions between devices on the Internet can be reset with relative ease. The potential impact would be a distributed denial of service attack causing routers to reset repeatedly, thereby slowing the Net slightly overall and causing periodic local service outages here and there. The flaw itself belongs to TCP, though it affects quite a few devices, most notably routers running BGP (Border Gateway Protocol).

Stupid packet tricks

The problem has existed for as long as TCP has existed, and has probably been recognized for years, but it wasn't fixed until this week's announcement. Yet the essential concept is rather straightforward, even self-evident. To reset a BGP router you must inject a packet, with the SYN (synchronize) or RST (reset) flag set, into a session. The router will restart, which takes a bit of time during which the routing table is rebuilt. If this were done to a lot of machines in a continual, distributed attack, Net performance and availability could be affected.

For the attack to work, the fake packet's sequence number would have to fall within a certain range, or it will be ignored. With BGP, the range is broad enough that an acceptable sequence number can be guessed with a bit of trial and error. There is a value, called the receiver window, which indicates a range of valid sequence numbers for the next packet. Thus, instead of trying every possible sequence number, an attacker need only try numbers separated by the value of the receiver window. The larger the window, the more economical the attack becomes.

But surely this is not the first time someone's thought of an attack like this. Networking has tremendous hobbyist appeal, and people do all sorts of amusing things with customized packets and clever little utilities. It's also hard to believe that this could be news to people involved in network engineering on a daily basis. Indeed, Cisco's advisory includes some rather curious language: the TCP flaw "enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly," the company says. (Our emphasis)

The suggestion here is that the problem has been known for some time, and that, as usual, it's been necessary for someone to make it public before vendors will bother to fix their products.

Window of opportunity

Vendors do hate it when people go public like this. They often say that it hurts their customers, because attackers enjoy a window of opportunity to misuse the information before the rest of us can patch our systems. And strictly speaking, that's true. But one also has to wonder how long the vendors have been waiting for this discovery to be made public, and why they didn't patch their equipment proactively to make it less vulnerable. How big was their window of opportunity, one is tempted to ask.

The IETF (Internet Engineering Task Force) has been working on a few subtle modifications to enhance TCP security against these attacks since the winter of 2003, according to a recent (and quite sensible) draft document released this week.

Interestingly, the IETF draft doesn't acknowledge Paul Watson, which invites speculation that he re-invented the wheel on his own, and that the vendors and IETF were aware of this problem for quite some time and were just waiting for someone to force their hands. Which would be another way of saying that they'd devised a fix, but were unwilling to propose it because they didn't want us to know that something was broken.

Watson told us that he contacted CERT/CC and Cisco in late October and early November of 2003, but received no reply, "which is why I eventually talked with NISCC over in the UK to help coordinate the fixes and notifications."

In truth, the disclosure is a blessing in disguise. We've now got a number of workarounds to a problem that has existed for years, and motivation to adopt the IETF's quite decent recommendations. It's just too bad that vendors don't see it that way. ®

Thomas C Greene is the author of Computer Security for the Home and Small Office, a complete guide to online anonymity, system hardening, encryption, and data hygiene for Windows and Linux, available at discount in the USA, and the UK.

Related stories

Anonymous TCP/IP to debut at CodeCon
Worms pour through MyDoom back door
Watching the Net's background radiation

The smart choice: opportunity from uncertainty

More from The Register

next story
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.