'New' Internet vuln long ignored
It ain't broke unless we fix it
Opinion A researcher named Paul Watson recently revealed that sessions between devices on the Internet can be reset with relative ease. The potential impact would be a distributed denial of service attack causing routers to reset repeatedly, thereby slowing the Net slightly overall and causing periodic local service outages here and there. The flaw itself belongs to TCP, though it affects quite a few devices, most notably routers running BGP (Border Gateway Protocol).
Stupid packet tricks
The problem has existed for as long as TCP has existed, and has probably been recognized for years, but it wasn't fixed until this week's announcement. Yet the essential concept is rather straightforward, even self-evident. To reset a BGP router you must inject a packet, with the SYN (synchronize) or RST (reset) flag set, into a session. The router will restart, which takes a bit of time during which the routing table is rebuilt. If this were done to a lot of machines in a continual, distributed attack, Net performance and availability could be affected.
For the attack to work, the fake packet's sequence number would have to fall within a certain range, or it will be ignored. With BGP, the range is broad enough that an acceptable sequence number can be guessed with a bit of trial and error. There is a value, called the receiver window, which indicates a range of valid sequence numbers for the next packet. Thus, instead of trying every possible sequence number, an attacker need only try numbers separated by the value of the receiver window. The larger the window, the more economical the attack becomes.
But surely this is not the first time someone's thought of an attack like this. Networking has tremendous hobbyist appeal, and people do all sorts of amusing things with customized packets and clever little utilities. It's also hard to believe that this could be news to people involved in network engineering on a daily basis. Indeed, Cisco's advisory includes some rather curious language: the TCP flaw "enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly," the company says. (Our emphasis)
The suggestion here is that the problem has been known for some time, and that, as usual, it's been necessary for someone to make it public before vendors will bother to fix their products.
Window of opportunity
Vendors do hate it when people go public like this. They often say that it hurts their customers, because attackers enjoy a window of opportunity to misuse the information before the rest of us can patch our systems. And strictly speaking, that's true. But one also has to wonder how long the vendors have been waiting for this discovery to be made public, and why they didn't patch their equipment proactively to make it less vulnerable. How big was their window of opportunity, one is tempted to ask.
The IETF (Internet Engineering Task Force) has been working on a few subtle modifications to enhance TCP security against these attacks since the winter of 2003, according to a recent (and quite sensible) draft document released this week.
Interestingly, the IETF draft doesn't acknowledge Paul Watson, which invites speculation that he re-invented the wheel on his own, and that the vendors and IETF were aware of this problem for quite some time and were just waiting for someone to force their hands. Which would be another way of saying that they'd devised a fix, but were unwilling to propose it because they didn't want us to know that something was broken.
Watson told us that he contacted CERT/CC and Cisco in late October and early November of 2003, but received no reply, "which is why I eventually talked with NISCC over in the UK to help coordinate the fixes and notifications."
In truth, the disclosure is a blessing in disguise. We've now got a number of workarounds to a problem that has existed for years, and motivation to adopt the IETF's quite decent recommendations. It's just too bad that vendors don't see it that way. ®
Thomas C Greene is the author of Computer Security for the Home and Small Office, a complete guide to online anonymity, system hardening, encryption, and data hygiene for Windows and Linux, available at discount in the USA, and the UK.
Sponsored: Customer Identity and Access Management