Big debate over small packets
Attacking the internet through ICMP vulns
Posted in Enterprise Security, 8th September 2005 09:13 GMT
Gont readily admits that he did not discover the underlying vulnerabilities, which lie in how TCP implementations act on ICMP error messages, but refined their definitions and quantified the threat to transmission control protocol, or TCP, connections. Data sent via TCP makes up the lion's share of Internet activity.
Gont identified three attacks that could affect a TCP connection between any two hosts on the Internet. The first could allow an attacker to reset an arbitrary TCP connection. The second could allow an attacker to degrade the throughput of a TCP connection by tricking the target into sending very small packets. The third could allow the attacker to reduce the throughput of the connection while increasing the load on the target's processor. All are considered "blind" attacks: the attacker needs neither to be on the path nor to sniff the targeted network, only to know or guess the addresses and ports of the connection, because TCP implementations have traditionally acted on the ICMP error messages involved without checking that they refer to a packet the target had actually sent.
While the attacks could affect Web applications, the serious threat is to the invisible infrastructure that helps the Internet run efficiently, Gont said. For example, routers exchange routing information using the border gateway protocol, or BGP, over long-lived TCP connections whose endpoints (the peers' addresses and the well-known port 179) are often predictable; resetting such a session causes the routers to withdraw the routes learned over it, which could result in serious disruptions.
"Being able to use the attacks to successfully attack BGP means you can take entire networks off the Internet," Gont said.
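The three attacks, and the kind of check that defeats them, as an added illustration that is not code from the article, from Gont's draft or from his attack tools. A forged ICMP error quoting a constructed BGP-style session (documentation-range addresses, port 179) is fed to a model of a traditional TCP stack and to one that applies a sequence-number check on the quoted segment, ignores Source Quench, and treats hard errors as soft once the connection is established. The connection state, addresses, sequence numbers and the action names returned are assumptions made for the demo; the path-MTU counter-measure is reduced here to the sequence-number check alone.

```python
"""Blind ICMP attacks against TCP and the sanity checks that stop them (constructed example)."""
import socket
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
ICMP_SOURCE_QUENCH = 4
CODE_FRAG_NEEDED = 4
HARD_ERROR_CODES = {2, 3, 4}   # protocol unreachable, port unreachable, frag needed with DF set


@dataclass
class TcpConn:
    """The slice of TCP state an ICMP error handler consults (assumed model, not a real stack)."""
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    snd_una: int           # oldest byte sent but not yet acknowledged
    snd_nxt: int           # next byte to be sent
    established: bool = True


def build_icmp_error(icmp_type, code, orig_src, orig_dst, sport, dport, seq, nexthop_mtu=0):
    """Build an ICMP error the way an off-path attacker would forge it.

    An ICMP error quotes the IP header plus the first 8 bytes of the datagram that
    supposedly triggered it. For TCP those 8 bytes are the two ports and the sequence
    number, so a stack that ignores the sequence number leaves the attacker only the
    4-tuple to guess. The checksum is left zero; the receiver model does not verify it.
    """
    orig_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64,
                          socket.IPPROTO_TCP, 0,
                          socket.inet_aton(orig_src), socket.inet_aton(orig_dst))
    orig_tcp8 = struct.pack("!HHI", sport, dport, seq)
    icmp_hdr = struct.pack("!BBHHH", icmp_type, code, 0, 0, nexthop_mtu)
    return icmp_hdr + orig_ip + orig_tcp8


def parse_icmp_error(pkt):
    """Extract the fields an ICMP error handler needs from the quoted headers."""
    icmp_type, code, _csum, _unused, nexthop_mtu = struct.unpack("!BBHHH", pkt[:8])
    ihl = (pkt[8] & 0x0F) * 4
    proto = pkt[8 + 9]
    src = socket.inet_ntoa(pkt[8 + 12:8 + 16])
    dst = socket.inet_ntoa(pkt[8 + 16:8 + 20])
    sport, dport, seq = struct.unpack("!HHI", pkt[8 + ihl:8 + ihl + 8])
    return {"type": icmp_type, "code": code, "mtu": nexthop_mtu, "proto": proto,
            "src": src, "dst": dst, "sport": sport, "dport": dport, "seq": seq}


def seq_in_flight(conn, seq):
    """Sequence number check: the quoted segment must be one we sent and not yet acked,
    i.e. SND.UNA <= seq < SND.NXT, evaluated with 32-bit wraparound."""
    return (seq - conn.snd_una) % 2**32 < (conn.snd_nxt - conn.snd_una) % 2**32


def handle_icmp_error(conn, pkt, hardened=True):
    """Decide what the stack does with an ICMP error aimed at this connection.

    hardened=False models the traditional behaviour the three attacks exploit;
    hardened=True applies the counter-measures. Returns one of
    "ignore", "abort", "soft", "pmtu", "slow_start" (names assumed for the demo).
    """
    err = parse_icmp_error(pkt)
    # Demultiplex: the quoted segment was sent by us, so its source is our local end.
    if (err["proto"] != socket.IPPROTO_TCP
            or (err["src"], err["sport"]) != (conn.local_ip, conn.local_port)
            or (err["dst"], err["dport"]) != (conn.remote_ip, conn.remote_port)):
        return "ignore"
    if hardened and not seq_in_flight(conn, err["seq"]):
        return "ignore"                    # off-path forgery with a guessed sequence number
    if err["type"] == ICMP_SOURCE_QUENCH:
        return "ignore" if hardened else "slow_start"   # attack 3: cwnd collapses, CPU burned
    if err["type"] != ICMP_DEST_UNREACH:
        return "ignore"
    if err["code"] == CODE_FRAG_NEEDED:
        return "pmtu"                      # attack 2: segments shrink to the claimed MTU
    if err["code"] in HARD_ERROR_CODES:
        if hardened and conn.established:
            return "soft"                  # keep retransmitting instead of tearing down
        return "abort"                     # attack 1: blind connection reset
    return "soft"


def demo():
    """Run the three forged errors against one constructed BGP-like session, both ways."""
    conn = TcpConn("192.0.2.1", 179, "198.51.100.1", 40000, snd_una=1000, snd_nxt=1500)
    quoted = ("192.0.2.1", "198.51.100.1", 179, 40000)
    guessed_seq = 0          # the attacker does not know SND.UNA..SND.NXT
    attacks = {
        "reset": build_icmp_error(ICMP_DEST_UNREACH, 3, *quoted, guessed_seq),
        "pmtu": build_icmp_error(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, *quoted, guessed_seq, 68),
        "quench": build_icmp_error(ICMP_SOURCE_QUENCH, 0, *quoted, guessed_seq),
    }
    return {name: (handle_icmp_error(conn, pkt, hardened=False),
                   handle_icmp_error(conn, pkt, hardened=True))
            for name, pkt in attacks.items()}


if __name__ == "__main__":
    print(demo())
```

Against the unhardened model every forged message succeeds once the 4-tuple is right, and for a BGP peering the attacker often has to guess only one ephemeral port. With the sequence-number check the quoted sequence number must also fall inside the target's unacknowledged window, which multiplies the attacker's work by roughly 2^32 divided by the window size; a genuine error for a segment actually in flight still passes, and in the established state it only causes retransmission rather than an abort.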
Some have taken the threat seriously. The developers of the OpenBSD operating system fixed the issues using all four of Gont's suggested changes to the protocols, said Theo de Raadt, project leader for OpenBSD.
"This thing has been so frustrating to many of us, because Gont was so careful to write a very good paper about the issues and his fixes, and it is quite clear that no one read his paper," de Raadt said.
Other researchers have agreed with Gont about the severity of the problem, but have couched their assessment in more general terms.
"Any security compromise is serious," said John Day, chief technology officer for Netnostics and a member of the Network Working Group (NWG) that developed the original Internet application protocols. "This attack alone may not be a big deal but it may turn out that in combination with others it has greater impact."
Gont intends to continue to answer his critics and lobby to have his fixes added to the relevant Internet specification.
The IETF working group to which he has submitted his draft has not accepted the document, even though adding some sort of "sanity checks" similar to those proposed by Gont is an idea under consideration, said the IETF's Allman.
"This whole thing has been way overblown," Allman said. "This has been so publicized that if there was a large-scale danger, someone would have exploited it and caused large-scale problems by now."
In one way at least, Allman's point seems to have been made. In July, Gont posted three attack tools to his website to demonstrate the three vulnerabilities. So far, the publicly available tools have not resulted in any obvious major attacks on Internet infrastructure.
In the end, only such a wake-up call may be able to settle the debate. Unless a major event shakes up the security community, most researchers continue to believe that the threat is not a critical one.
That's a serious mistake, said Gont.
"For some reason, it seems the security community does not understand what matters is which threats are current, rather than which threats are new," he said. "If someone can take your entire network off the Internet, does it make a difference whether he did it with a zero-day exploit or with a 20-year-old bug?"