Feeds

'New' Internet vuln long ignored

It ain't broke unless we fix it

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

Opinion A researcher named Paul Watson recently revealed that sessions between devices on the Internet can be reset with relative ease. The potential impact would be a distributed denial of service attack causing routers to reset repeatedly, thereby slowing the Net slightly overall and causing periodic local service outages here and there. The flaw itself belongs to TCP, though it affects quite a few devices, most notably routers running BGP (Border Gateway Protocol).

Stupid packet tricks

The problem has existed for as long as TCP has existed, and has probably been recognized for years, but it wasn't fixed until this week's announcement. Yet the essential concept is rather straightforward, even self-evident. To reset a BGP router you must inject a packet, with the SYN (synchronize) or RST (reset) flag set, into a session. The router will restart, which takes a bit of time during which the routing table is rebuilt. If this were done to a lot of machines in a continual, distributed attack, Net performance and availability could be affected.

For the attack to work, the fake packet's sequence number would have to fall within a certain range, or it will be ignored. With BGP, the range is broad enough that an acceptable sequence number can be guessed with a bit of trial and error. There is a value, called the receiver window, which indicates a range of valid sequence numbers for the next packet. Thus, instead of trying every possible sequence number, an attacker need only try numbers separated by the value of the receiver window. The larger the window, the more economical the attack becomes.

But surely this is not the first time someone's thought of an attack like this. Networking has tremendous hobbyist appeal, and people do all sorts of amusing things with customized packets and clever little utilities. It's also hard to believe that this could be news to people involved in network engineering on a daily basis. Indeed, Cisco's advisory includes some rather curious language: the TCP flaw "enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly," the company says. (Our emphasis)

The suggestion here is that the problem has been known for some time, and that, as usual, it's been necessary for someone to make it public before vendors will bother to fix their products.

Window of opportunity

Vendors do hate it when people go public like this. They often say that it hurts their customers, because attackers enjoy a window of opportunity to misuse the information before the rest of us can patch our systems. And strictly speaking, that's true. But one also has to wonder how long the vendors have been waiting for this discovery to be made public, and why they didn't patch their equipment proactively to make it less vulnerable. How big was their window of opportunity, one is tempted to ask.

The IETF (Internet Engineering Task Force) has been working on a few subtle modifications to enhance TCP security against these attacks since the winter of 2003, according to a recent (and quite sensible) draft document released this week.

Interestingly, the IETF draft doesn't acknowledge Paul Watson, which invites speculation that he re-invented the wheel on his own, and that the vendors and IETF were aware of this problem for quite some time and were just waiting for someone to force their hands. Which would be another way of saying that they'd devised a fix, but were unwilling to propose it because they didn't want us to know that something was broken.

Watson told us that he contacted CERT/CC and Cisco in late October and early November of 2003, but received no reply, "which is why I eventually talked with NISCC over in the UK to help coordinate the fixes and notifications."

In truth, the disclosure is a blessing in disguise. We've now got a number of workarounds to a problem that has existed for years, and motivation to adopt the IETF's quite decent recommendations. It's just too bad that vendors don't see it that way. ®

Thomas C Greene is the author of Computer Security for the Home and Small Office, a complete guide to online anonymity, system hardening, encryption, and data hygiene for Windows and Linux, available at discount in the USA, and the UK.

Related stories

Anonymous TCP/IP to debut at CodeCon
Worms pour through MyDoom back door
Watching the Net's background radiation

Secure remote control for conventional and virtual desktops

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.