Feeds

'New' Internet vuln long ignored

It ain't broke unless we fix it

  • alert
  • submit to reddit

High performance access to file storage

Opinion A researcher named Paul Watson recently revealed that sessions between devices on the Internet can be reset with relative ease. The potential impact would be a distributed denial of service attack causing routers to reset repeatedly, thereby slowing the Net slightly overall and causing periodic local service outages here and there. The flaw itself belongs to TCP, though it affects quite a few devices, most notably routers running BGP (Border Gateway Protocol).

Stupid packet tricks

The problem has existed for as long as TCP has existed, and has probably been recognized for years, but it wasn't fixed until this week's announcement. Yet the essential concept is rather straightforward, even self-evident. To reset a BGP router you must inject a packet, with the SYN (synchronize) or RST (reset) flag set, into a session. The router will restart, which takes a bit of time during which the routing table is rebuilt. If this were done to a lot of machines in a continual, distributed attack, Net performance and availability could be affected.

For the attack to work, the fake packet's sequence number would have to fall within a certain range, or it will be ignored. With BGP, the range is broad enough that an acceptable sequence number can be guessed with a bit of trial and error. There is a value, called the receiver window, which indicates a range of valid sequence numbers for the next packet. Thus, instead of trying every possible sequence number, an attacker need only try numbers separated by the value of the receiver window. The larger the window, the more economical the attack becomes.

But surely this is not the first time someone's thought of an attack like this. Networking has tremendous hobbyist appeal, and people do all sorts of amusing things with customized packets and clever little utilities. It's also hard to believe that this could be news to people involved in network engineering on a daily basis. Indeed, Cisco's advisory includes some rather curious language: the TCP flaw "enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly," the company says. (Our emphasis)

The suggestion here is that the problem has been known for some time, and that, as usual, it's been necessary for someone to make it public before vendors will bother to fix their products.

Window of opportunity

Vendors do hate it when people go public like this. They often say that it hurts their customers, because attackers enjoy a window of opportunity to misuse the information before the rest of us can patch our systems. And strictly speaking, that's true. But one also has to wonder how long the vendors have been waiting for this discovery to be made public, and why they didn't patch their equipment proactively to make it less vulnerable. How big was their window of opportunity, one is tempted to ask.

The IETF (Internet Engineering Task Force) has been working on a few subtle modifications to enhance TCP security against these attacks since the winter of 2003, according to a recent (and quite sensible) draft document released this week.

Interestingly, the IETF draft doesn't acknowledge Paul Watson, which invites speculation that he re-invented the wheel on his own, and that the vendors and IETF were aware of this problem for quite some time and were just waiting for someone to force their hands. Which would be another way of saying that they'd devised a fix, but were unwilling to propose it because they didn't want us to know that something was broken.

Watson told us that he contacted CERT/CC and Cisco in late October and early November of 2003, but received no reply, "which is why I eventually talked with NISCC over in the UK to help coordinate the fixes and notifications."

In truth, the disclosure is a blessing in disguise. We've now got a number of workarounds to a problem that has existed for years, and motivation to adopt the IETF's quite decent recommendations. It's just too bad that vendors don't see it that way. ®

Thomas C Greene is the author of Computer Security for the Home and Small Office, a complete guide to online anonymity, system hardening, encryption, and data hygiene for Windows and Linux, available at discount in the USA, and the UK.

Related stories

Anonymous TCP/IP to debut at CodeCon
Worms pour through MyDoom back door
Watching the Net's background radiation

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.