TCP Vulnerability Published

michael posted more than 10 years ago | from the DOS-for-fun-and-profit dept.

Bob Slidell writes "According to Yahoo!, there is a critical flaw in TCP that affects everyone and everything. The article is scant on details and long on fear, hopefully someone will post more details on this." The advisory has more information, and is long on details but only moderate on fear.

OpenBSD is safe? (5, Informative)

Anonymous Coward | more than 10 years ago | (#8920405)


This just hit the misc@openbsd mail list:
Date: Tue, 20 Apr 2004 12:57:12 -0600
From: Theo de Raadt <deraadt@cvs.openbsd.org>
[snip]

In the OpenBSD case, this is something not to worry about. For what
they discuss, OpenBSD handles this extremely well.

We'll explain more in a week or so.
It sounds (again) like proactive security auditting saves the day!

Slashdotters, I implore you (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8920453)

Surely, there is some way to blame this on M$, or turn it into "another Windoze hole?"

Re:OpenBSD is safe? (5, Funny)

Anonymous Coward | more than 10 years ago | (#8920473)

What about proactive spelling auditing?

Re:OpenBSD is safe? (5, Funny)

shatfield (199969) | more than 10 years ago | (#8920481)

Great, I guess Microsoft will just have to copy the BSD TCP/IP code again to ensure that their customers are safe ;-)

Re:OpenBSD is safe? (5, Informative)

Jeremiah Cornelius (137) | more than 10 years ago | (#8920652)

Yeah. The biggest problem here is the ease with which one could DoS the BGP-4 protocol.

The Internet BGP tables are rickety enough these days - they don't need every other route to "flap"!

Yes yes (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8920521)

You know what's just as secure as OpenBSD? A brick. It has the same features, too.

Re:Yes yes (0, Offtopic)

Anonymous Coward | more than 10 years ago | (#8920573)


Hmm.. I'm using OpenBSD on my desktop as I type this. Seems like it has enough features to me. (not using KDE though, moved to lightweight Windowmaker..)

Re:OpenBSD is safe? (4, Funny)

GoofyBoy (44399) | more than 10 years ago | (#8920527)

> For what they discuss, OpenBSD handles this extremely well. We'll explain more in a week or so.

Is the margin of the page too small to explain the wonderful reason why it handles this so well?

Re:OpenBSD is safe? (4, Insightful)

AndyBusch (160585) | more than 10 years ago | (#8920588)

Good and funny :) but I think what they mean is that more details would give more info for exploits, so they're sitting mum till things can get solidified a little more.

Re:OpenBSD is safe? (4, Insightful)

thedillybar (677116) | more than 10 years ago | (#8920535)

It sounds (again) like proactive security auditting saves the day!

It doesn't save anything. When someone exploits this and takes out 90% of the Internet's routers, you're screwed no matter what.

It definitely makes a good argument for both OpenBSD and proactive security auditting. But it doesn't save the day.

Re:OpenBSD is safe? (1)

October_30th (531777) | more than 10 years ago | (#8920625)

We'll explain more in a week or so.

Proactive security? So what's the hold-up?

Best security advice... (4, Funny)

Anonymous Coward | more than 10 years ago | (#8920409)

Just unplug your PC from the internet and wash your hands of it.. the whole thing feels holier than swiss cheese :(

Re:Best security advice... (5, Funny)

kasperd (592156) | more than 10 years ago | (#8920536)

Just unplug your PC from the internet

How would that keep you safe from DoS attacks?

Re:Best security advice... (0)

Anonymous Coward | more than 10 years ago | (#8920610)

Surely you're joking...

Re:Best security advice... (0)

Anonymous Coward | more than 10 years ago | (#8920635)

Er.... No connections = No attacks ?
Well, and a lack of availability of course.

Re:Best security advice... (1, Funny)

Anonymous Coward | more than 10 years ago | (#8920611)

But you wouldn't be in such a mess if you'd washed your PC regularly like your mother keeps telling you.

He plans to show the exploit this Thursday! (5, Interesting)

Novanix (656269) | more than 10 years ago | (#8920412)

This kind man responsible for finding this vulnerability is going to present this exploit at the security conference in Vancouver this Thursday. He then predicts "hackers will understand how to begin launching attacks 'within five minutes of walking out of that meeting.'" The article talks about how the government has been "fortifying" its networks against this; does that mean they quickly rewrote the TCP protocol? I would love to know.

Re:He plans to show the exploit this Thursday! (3, Interesting)

somethinghollow (530478) | more than 10 years ago | (#8920531)

Maybe the speed at which TCP was written is the problem. If they re-wrote it, I hope they did a slow re-write, because we will need the patches.

Really, I think the problem is that the flaw affected /some routers/ whose implementation of the TCP stack was flawed. That is what I gathered, anyway. If this is so, they just need to find non-flawed software.

Re:He plans to show the exploit this Thursday! (1)

John Courtland (585609) | more than 10 years ago | (#8920594)

I read it affected every version of TCP they tested (too bad they didn't list affected systems...) Anyhow, this is going to require a LOT of rewriting/updating of software and firmware. Which, in turn, most people won't even apply, a la Blaster.

I'm sure this... (3, Funny)

darth_MALL (657218) | more than 10 years ago | (#8920413)

...will turn out to be nothi* [Carrier Lost]

I Pee Total Cool Pee (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8920417)

I Pee/Total Cool Pee

Iee Pee See Eee Ceee

Good (4, Funny)

rokzy (687636) | more than 10 years ago | (#8920425)

let's all just start again

TCP2
SMTP2
POP32 ...

Re:Good (2, Interesting)

beh (4759) | more than 10 years ago | (#8920464)


Might this be THE final topic to bring IPv6 to a wider attention?

I'd hope so... ;-)

Re:Good (1)

Orgazmus (761208) | more than 10 years ago | (#8920514)

That would be nice, since it's long overdue anyway.

Re:Good (5, Insightful)

adam mcmaster (697132) | more than 10 years ago | (#8920539)

I'm no expert, but wouldn't a security problem with TCP be completely unrelated to IP?

Re:Good (2, Informative)

Anonymous Coward | more than 10 years ago | (#8920649)

No. IPSEC is mandatory in IPv6: IPSEC is one of the three mitigations listed.

Re:Good (5, Insightful)

robslimo (587196) | more than 10 years ago | (#8920563)

I don't think so.

Looks like the weakest point for net-wide effects in routers implementing BGP. A concerted attack could tie up critical routers rebuilding routes after losing connection to their peers. Since this could be globally critical, I suspect the major hardware vendors and service providers will be jumping through hoops to get the fix in before some blackhats get coordinated with an exploit. There would still be weaknesses, but IPv6 will get to sit idle a bit longer.

Re:Good (0)

Anonymous Coward | more than 10 years ago | (#8920484)

i think you mean POP4

Re:Good (1)

mebob (57853) | more than 10 years ago | (#8920517)

better yet, IMAP

Re:Good (1)

Em Ellel (523581) | more than 10 years ago | (#8920490)


let's all just start again

TCP2
SMTP2
POP32 ...
.... or simply IPV6

Re:Good (5, Informative)

frenetic3 (166950) | more than 10 years ago | (#8920566)

As frightening as this "vulnerability" sounds, this is nothing really new; other TCP weaknesses are syn floods [cs.hut.fi] (not quite the same thing, but somewhat similar -- in fact, this vulnerability might as well be called a "RST flood"), connection hijacking (by sniffing packets and sending spoofed packets with the correct sequence numbers), and so on. It's also an implementation issue that is largely caused by implementations having loose checking of TCP sequence and ack numbers, or accepting too large of a window of sequence numbers.

I wouldn't say TCP is broken or that some other solution would be much better; it would be tough to design a transport protocol that is still simple (and doesn't use CPU burning hashing/encryption techniques) that wouldn't have these sorts of vulnerabilities (especially since it's so easy to spoof IP packets); calling this vulnerability severe is like screaming that highways are fundamentally unsafe because someone could point their car the wrong way and start smashing into oncoming traffic.

-fren

Re:Good (1, Funny)

Anonymous Coward | more than 10 years ago | (#8920597)

let's all just start again

TCP2
SMTP2
POP32 ...

What happened to POP4?

OSVDB (4, Informative)

plcurechax (247883) | more than 10 years ago | (#8920426)

http://www.osvdb.org/displayvuln.php?osvdb_id=4030 [osvdb.org]

TCP Reset Spoofing

OSVDB ID: 4030
Rating: TBD
Disclosure Date: Apr 20, 2004

Description:

The TCP stack implementation of numerous vendors contains a flaw that may allow a remote denial of service. The issue is triggered when spoofed TCP Reset packets are received by the targeted TCP stack, and will result in loss of availability for the attacked TCP services. ...

Re:OSVDB (1)

jagb (457281) | more than 10 years ago | (#8920487)

also, check out: http://www.ocipep.gc.ca/opsprods/alerts/2004/AL04-006_e.asp

What me worry?

FP (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8920428)

SCO$699feetroll [slashdot.org] is an AsShAt

Re:FP (-1, Troll)

grub (11606) | more than 10 years ago | (#8920492)


Fuck you, SCO$699feetroll is (well.. was) original and has an incredible f1st pr0st rate. Truly a god among men.

Re:FP (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8920574)

grub [slashdot.org] is an AsSHaT.

That's it! (5, Funny)

Anonymous Coward | more than 10 years ago | (#8920431)

I'm removing support for TCP right now. Give me UDP or give me death!

Re:That's it! (4, Funny)

dasmegabyte (267018) | more than 10 years ago | (#8920562)

And what's ICMP, chopped liver?

I want a new internet based on morse code ping responses... 10 ms for a dah.

Re:That's it! (1)

gstoddart (321705) | more than 10 years ago | (#8920587)

Same thing, isn't it? =)

Re:That's it! (0)

Anonymous Coward | more than 10 years ago | (#8920640)

They're both protocols under IP but They Ain't the same thing. Not even close.

Re:That's it! (2, Funny)

openmtl (586918) | more than 10 years ago | (#8920599)

Sh*t man - screw UDP - I'm going real covert using ICMP. I'll use Perl to chop up streams into ICMP echo with added SHA-2 check-sums.

THEN I'll know my data got to the other side!

oops? (5, Funny)

Tebriel (192168) | more than 10 years ago | (#8920436)

Looks like someone left ISEXPLOITABLEFLAG = TRUE in the code.

No problem (4, Funny)

niom (638987) | more than 10 years ago | (#8920438)

I'll just switch to UDP.

Re:No problem (5, Funny)

TheTomcat (53158) | more than 10 years ago | (#8920559)

more like:
UDP just I. switch ll'll to I just

S

Re:No problem (1)

Neon Spiral Injector (21234) | more than 10 years ago | (#8920572)

How about RFCs 908 and 1151?

Implementation issue (5, Informative)

JohnGrahamCumming (684871) | more than 10 years ago | (#8920444)

Neither of the linked articles helps understand the issue but this one does [osvdb.org]:
Furthermore, RFC-793 allows a TCP implementation to verify both sequence and acknowledgement numbers prior to accepting a RST control flag as valid. No TCP stack implementation tested currently implements checking of both sequence and acknowledgement. All tested TCP stacks currently verify only the sequence number. This allows connections to be reset with dramatically less effort than previously believed.
Hence this is an implementation issue that can be patched in TCP stacks.

Move along, little to see here.

John.
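As an added illustration, not part of the comment above or of the OSVDB entry it quotes: a receiver-side acceptance test for an incoming RST in Python, contrasting the loose in-window check the page describes with the exact-match-plus-challenge-ACK check later standardised in RFC 5961, and a counter showing how the receive window, not the 32-bit sequence space, bounds the number of sequence values a blind reset has to cover. The connection state and the burst of sequence numbers are constructed.

```python
"""Receiver-side acceptance test for an incoming TCP RST segment.

Loose check (RFC 793 acceptability test alone): any RST whose sequence number
lands in the receive window tears the connection down.
Strict check (RFC 5961 style): only an RST at exactly RCV.NXT aborts; an
in-window but inexact RST is answered with a challenge ACK so a genuine peer
can retry with the right number; everything else is dropped.
"""

SEQ_SPACE = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2**32.

    A zero window is the RFC 793 edge case: only seq == rcv_nxt is acceptable.
    """
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def handle_rst_loose(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Every in-window RST aborts the connection."""
    return "ABORT" if seq_in_window(seq, rcv_nxt, rcv_wnd) else "DROP"


def handle_rst_strict(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Exact match aborts, in-window draws a challenge ACK, the rest is dropped."""
    if seq == rcv_nxt:
        return "ABORT"
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "CHALLENGE_ACK"
    return "DROP"


def blind_guesses_to_cover(rcv_wnd: int, strict: bool) -> int:
    """Distinct sequence values needed to be sure one of them triggers an abort
    when the connection state is unknown: one per window under the loose check,
    the full 2**32 space under the strict check (or with a zero window)."""
    if strict or rcv_wnd == 0:
        return SEQ_SPACE
    return -(-SEQ_SPACE // rcv_wnd)  # integer ceiling division


def tally(handler, rcv_nxt: int, rcv_wnd: int, seqs) -> dict:
    """Count what a receiver would do with a burst of RST sequence numbers."""
    counts = {"ABORT": 0, "CHALLENGE_ACK": 0, "DROP": 0}
    for s in seqs:
        counts[handler(s, rcv_nxt, rcv_wnd)] += 1
    return counts


if __name__ == "__main__":
    # Constructed connection state: a 64 KiB unscaled receive window.
    rcv_nxt, rcv_wnd = 0x12345678, 65535
    # Constructed burst: exact, inside the window, just past its end, far away.
    burst = [rcv_nxt, rcv_nxt + 1000, rcv_nxt + 65535, rcv_nxt + 0x40000000]
    print("loose :", tally(handle_rst_loose, rcv_nxt, rcv_wnd, burst))
    print("strict:", tally(handle_rst_strict, rcv_nxt, rcv_wnd, burst))
    for wnd in (0, 16384, 65535, 65535 << 7):  # the last one is a scaled window
        print(f"window {wnd:>8}: loose {blind_guesses_to_cover(wnd, False):>10}"
              f"  strict {blind_guesses_to_cover(wnd, True)}")
```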

Re:Implementation issue (1)

BlackShirt (690851) | more than 10 years ago | (#8920522)

good one, mod up ....

Re:Implementation issue (2, Insightful)

Anonymous Coward | more than 10 years ago | (#8920544)

Move along, little to see here.

the chance of causing arbitrary BGP route flaps went from 1:2^32 to 1:2^2 and you say there is nothing to see here?

you must be a windoze user if this doesn't faze you.

Re:Implementation issue (1, Redundant)

LostCluster (625375) | more than 10 years ago | (#8920570)

It means this isn't earth-shaking, but it likely means another security patch that Microsoft needs to issue for Windows... but this one other TCP stacks may have fallen for too.

Re:Implementation issue (1)

thebatlab (468898) | more than 10 years ago | (#8920651)

Well since MS used the BSD stack (I believe) then yes, I bet other stacks have "fallen for it". But try looking a bit harder next time to blame an overall architecture flaw on Microsoft.

It's like Six Degrees of Separation from Kevin Bacon isn't it? This must be the new hi-tech version. One Degree of Separation between MS and any Technology Problem. I think the shortened form for that name is /.

Re:Implementation issue (1)

maximilln (654768) | more than 10 years ago | (#8920581)

If it's an implementation issue then why haven't they already implemented it?

I was wondering why my network card has been spontaneously restarting over the last two weeks.

Re:Implementation issue (1)

shfted! (600189) | more than 10 years ago | (#8920638)

This might take me a little more than five minutes to exploit... after all, I've never done socket level programming... give me an hour; I'm on it!

Mostly Related to BGP? (1)

sabat (23293) | more than 10 years ago | (#8920452)


A quick scan of the advisory gives me the impression that BGP-users are most vulnerable. Dunno how scared the rest of us should be.

Re:Mostly Related to BGP? (4, Informative)

Zondar (32904) | more than 10 years ago | (#8920518)

Yep, that's the issue. I submitted too, but :(.

Anyway, the way I read it you basically run the TCP attack against a BGP peering router, causing it to drop one or more of its peering relationships. Do that enough and you can cause the routes being advertised by that router (and also TO that router from the peering connections you're breaking) to be 'dampened' - a protective mechanism in BGP to prevent a flapping route from making all the peers recalculate their routes nonstop.

It's kind of like one peer putting the other one's routes in "time-out" until he plays nice.

Re:Mostly Related to BGP? (1)

beh (4759) | more than 10 years ago | (#8920520)

Well - if BGP gets seriously hit by this, this might wreak *quite* massive havoc on the net...

BGP (Border Gateway Protocol) is one of the core routing protocols - one of those protocols used to make redundant routing (and hence error tolerance) work... The question is, whether any similar protocols (e.g. OSPF) are also vulnerable...

Re:Mostly Related to BGP? (1)

rewt66 (738525) | more than 10 years ago | (#8920613)

How scared should the rest of us be?

I don't know. Do you receive any packets via a BGP router?

Re:Mostly Related to BGP? (4, Insightful)

LostCluster (625375) | more than 10 years ago | (#8920615)

Well, that means our home PCs aren't likely to get exploited by this. However, if our ISP's router gets exploited, we're knocked offline and our PC isn't as useful as it used to be.

The threat here is a DOS aimed at a few things that we don't want to see go down.

Re:Mostly Related to BGP? (2, Informative)

sgifford (9982) | more than 10 years ago | (#8920636)

While you may not use BGP directly, your ISP almost certainly does, and probably their ISP too. It's also used in the Internet core for communication between ISPs. The reason a problem with BGP is a big deal is that it can drastically affect entire ISPs, essentially knocking them offline until their routers are upgraded.

FS! (0, Funny)

Anonymous Coward | more than 10 years ago | (#8920460)

First SYN!!!

zap! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8920467)

In a letter to The New England Journal of Medicine on Thursday, three Swiss doctors reported the case of a 52-year-old man with a pacemaker who was experiencing sporadic bouts of dizziness.

The doctors were puzzled. But a detailed history revealed that the patient had been using a little-known alternative medicine device called a Zapper, which generated electrical impulses when held in both hands. Each time the patient tried to use it, the doctors said, his pacemaker would stop working and start up again only when the man fainted and dropped the device.

"This went on for several months," said Dr. Osmund Bertel, a cardiologist at Triemli Hospital in Zurich and one of the authors of the letter. "The modern environment is full of these things that people don't realize can interfere with their pacemakers. But it's important to be aware of them."

Another little-known menace to people with pacemakers, some doctors say, is a popular treatment for pain relief called PENS, or percutaneous electrical nerve stimulation. Often used for lower back pain, the treatment, which is akin to acupuncture with electric current, has been shown to affect some pacemakers, said Dr. Sergio Pinski, a cardiologist at the Cleveland Clinic in Weston, Fla.

"Pretty much any device that delivers current to the body has the potential to cause problems," Dr. Pinski said [wilmingtonstar.com]

On hu-man folly... (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8920541)

I guess I should have stressed this more:

"This went on for several months"!!!

Work (5, Funny)

somethinghollow (530478) | more than 10 years ago | (#8920470)

As a web designer, taking advantage of this could get me off work faster than a snow storm. I don't know if I'm afraid or enthused. ;)

The time has come (5, Funny)

MrRuslan (767128) | more than 10 years ago | (#8920480)

to switch over to IPX

Armageddon Is Here (1)

ryan1106 (689609) | more than 10 years ago | (#8920483)

Everyone cower under their tinfoil hats..

The Real Question is: (2, Funny)

negacao (522115) | more than 10 years ago | (#8920486)

How can we blame this on Microsoft?

pssst, hey mods - it's a joke....

Scene from Ghostbusters (1, Funny)

airrage (514164) | more than 10 years ago | (#8920493)

Dr. Peter Venkman: This city is headed for a disaster of biblical proportions.
Mayor: What do you mean, "biblical?"
Dr. Raymond Stantz: What he means is Old Testament, Mr. Mayor, real wrath-of-God type stuff. Fire and brimstone coming down from the sky. Rivers and seas boiling.
Dr. Egon Spengler: Forty years of darkness. Earthquakes, volcanoes...
Winston Zeddemore: The dead rising from the grave.
Dr. Peter Venkman: Human sacrifice, dogs and cats living together - mass hysteria.

Re:Scene from Ghostbusters (3, Funny)

Galapas (155864) | more than 10 years ago | (#8920547)

Winston Zeddemore: Tell him about the Twinky.

-G

Re:Scene from Ghostbusters (2, Insightful)

PeteDotNu (689884) | more than 10 years ago | (#8920657)

Oh, right. Copy and paste job gets moderated +5. That's great.

More FUD? (1, Informative)

darthcamaro (735685) | more than 10 years ago | (#8920499)

O.k so how will this affect anyone other than major ISP's that can really do anything about it? Seeing as it affects BGP

The Border Gateway Protocol (BGP) is judged to be potentially most affected by this vulnerability.

Run IPSEC the advisory says..o.k so what else is new? IPv4 is inherently insecure, we all know that - that's why there is such a thing as packet sniffing, DoS attacks and all the other crap that net admins gotta deal with each and every day.

Re:More FUD? (0)

Anonymous Coward | more than 10 years ago | (#8920603)

that's why there is such a thing as packet sniffing

So you are saying that you cannot sniff IPv6 packets? That doesn't make any sense to me but I don't know anything about IPv6 either. So... If you could please explain this I would be most grateful.

Re:More FUD? (2, Funny)

MachineShedFred (621896) | more than 10 years ago | (#8920654)

O.k so how will this affect anyone other than major ISP's that can really do anything about it?

So I guess it wouldn't affect anyone at all if a couple of backbones that depend on BGP to get packets from point A to point B just dropped off the Internet.

Nope, that won't affect anyone at all.

How Long? (-1, Offtopic)

dolo666 (195584) | more than 10 years ago | (#8920501)

Okay so how long before someone writes a malicious virus/trojan/spyware and sends it to everyone? *sigh* What is it with these programmers that they become so disgruntled that they write malicious code, anyway? I've just been spending the last few days cleaning off my wife's computer after some really nasty spyware got lodged on it; you know the Golden Palace Casino [computercops.biz] ? Well they had dug themselves into her computer pretty much like a tick sucking on the last living thing in all of Texas! There should be some vigilante justice against anyone who would code something malicious, if you ask me. Sadly all we do is remove it and wait till the next batch... :-(

Not even Ad Aware could clean what they put on... I think I finally cleaned it, thankfully, but what a pain in the arse.

Re:How Long? (0)

Anonymous Coward | more than 10 years ago | (#8920631)

"I may be a fat nerd, Marge, but YOU have a gambling problem!!!"

Re:How Long? (0)

Anonymous Coward | more than 10 years ago | (#8920639)

I'm sorry... how does cleaning spyware have anything to do with this article? Shaddup.

Eh, checksum if you BGP and carry on (1)

Theatetus (521747) | more than 10 years ago | (#8920504)

It seems to only be really a problem if you have long-lived TCP connections and easily guessed next-hops, which is why the announcement focuses on BGP. Looks like I'll be upgrading some router firmware tonight...

we're all FUCKED !!!!!! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8920511)

apple users better declare their homosexuality before they're drafted to fight the noblest and best conceived war in modern history.

Thankfully... (0, Funny)

Anonymous Coward | more than 10 years ago | (#8920526)

...I'm running AmigaDOS.

what about slow start? (3, Interesting)

hatrisc (555862) | more than 10 years ago | (#8920529)

you can exploit slow start too. It was published last year for some conference. The paper is called "The Shrew vs. the Mice and the Elephants" and is by Aleksandar Kuzmanovic and Edward W. Knightly

Warning! (5, Funny)

Disconnect (5083) | more than 10 years ago | (#8920532)

Your computer is broadcasting an IP address!

Seriously though, it doesn't look all that bad. (Nor does it look all that hard to do, but still..)

Way to go, Tony!! (1, Insightful)

Anonymous Coward | more than 10 years ago | (#8920540)

Tony had discovered this vulnerability about a year ago. Luckily it was first discovered by an intelligent and ethical IT security guy and not some unscrupulous hacker. He has quietly worked with vendors during that time helping them come up with a solution.

I, for one... (2, Funny)

Hagakure (203111) | more than 10 years ago | (#8920546)

I, for one, welcome our new.. uh.. TCP exploiting overlords?

Hmm... (1)

tai_Dasher (319541) | more than 10 years ago | (#8920556)

I bet Microsoft will use this to prove how open standards are so evil, and why their protocol is so much better.

They don't have one?

Well, bugger.

NYTIMES ARTICLE (1, Informative)

Anonymous Coward | more than 10 years ago | (#8920560)

A little more info...actually has a link to www.terrorist.net (im sure the feds love that...)

The flaw affecting the Internet's "transmission control protocol," or TCP, was discovered late last year by a computer researcher in Milwaukee, Paul ``Tony'' Watson, 36, who said he identified a method to reliably trick personal computers and routers into shutting down electronic conversations by resetting the machines remotely

respect to the hometown hero in finding this...

http://nytimes.com/aponline/technology/AP-Internet-Threat.html

It's Al Gore's fault... (0, Funny)

negacao (522115) | more than 10 years ago | (#8920561)

After all, he invented the internet, right?

Obviously... (1, Funny)

illuminatedwax (537131) | more than 10 years ago | (#8920569)

This was bound to happen:
"The operation timed out attempting to connect to www.uniras.gov.uk"

oh, the irony,
--Stephen

Critical flaw in their server... (1, Interesting)

advocate_one (662832) | more than 10 years ago | (#8920578)

NISCC slashdotted so fast... what would happen in a real emergency??? when everybody really wants to know...

Impact moderate for users, serious for providers (5, Informative)

forged (206127) | more than 10 years ago | (#8920589)

The exploit apparently allows an attacker to disconnect TCP sessions, so really home users won't have much to fear except perhaps to get more trouble connecting to their various sites than usual, and that is in case they would be under active attack.

Service providers, on the other hand, must protect their routers because the BGP protocol used to distribute Internet routes between them massively uses TCP. And when routes go missing, it is hundreds if not thousands of routes to your favourite places that go unreachable.

The problem in the case of BGP is made worse by dampening [cisco.com], i.e. keeping the flapping routes out of the routing table for a certain amount of time (up to several hours). BGP route dampening is not always configured. A determined attacker with this knowledge would be able to knock large portions of the Internet offline for hours.

BGP vulnerable (5, Informative)

Anonymous Coward | more than 10 years ago | (#8920592)

I happen to work for a large, nationwide backbone. We've known about this for about a week now. BGP, configured without an MD5 key (as is usually the case) is extremely vulnerable to this exploit. This is the reason for the top-secret effort in the past week to MD5 all peering sessions, both internal and external on most major networks worldwide. Without this, it's trivial to exploit, in fact we already have source code provided by the NCISS. Input a few IPs and BGP's TCP port number, and wham you take down a peering session. For those that don't understand what this means, prior to the security changes that have been implemented in the last week, the global internet was largely susceptible to this flaw in such a way that major portions could have been taken offline easily. A priority was put on this within the intra-NOC communications channels that exist that has never been seen before to lock this down before the public knew about it. We were embargoed by DHS to not release the information until tomorrow.

Ephemeral source ports (3, Informative)

plcurechax (247883) | more than 10 years ago | (#8920596)

Funny, but it seems that ephemeral source ports for a TCP connection may be more secure in this case, since it increases the space that the attacker has to guess within.

Of course it is a pure "D'oh" that large TCP windows increase exposure to the older known weakness of TCP RST attacks (Steve Bellovin, wrote a paper [att.com] on it in 1989).

Known issue (5, Informative)

httptech (5553) | more than 10 years ago | (#8920604)

Apparently this has been known about for a while. Here's an excerpt from an IETF draft on BGP vulnerabilities from June 2003. Section 3.2.1.4 specifically mentions the attack described by Watson: From http://mirrors.sunsite.dk/drafts/draft-ietf-idr-bgp-vuln-00.txt [sunsite.dk]

3.2.1.4. TCP RST/FIN/FIN-ACK

Event 18: If an attacker were able to spoof a RST, the BGP speaker would
bring down the connection, release all associated BGP resources, delete
all associated routes and run its decision process. If an attacker were
able to spoof a FIN, then data could still be transmitted, but any
attempt to receive would receive a notification that the connection is
closing. In most cases, this results in the connection being placed in
an Idle state, but if the connection is in the OpenSent state at the
time, the connection returns to an Active state. Spoofing a RST in this
situation requires an attacker to guess a sequence number that is in the
proper half of the sending window, generally an easier task than
guessing the exact sequence number so as to spoof a FIN. The use of [5]
will counter this attack.

Stupid (1, Interesting)

afay (301708) | more than 10 years ago | (#8920607)

This is really just trying to get someone's name out on the security sites. Currently, in a decent TCP/IP implementation, you have to know the source and destination IP's, the source and destination ports, and the sequence number. Now, some of those are fairly easy to determine, but others like the source port (assuming connecting to a server) and the sequence number are not. (BTW, I do realize that in some crappy implementations the source port is easy to guess, but whatever) You would need to be able to sniff the actual connection. And in all honesty, if you can sniff the connection, there are much easier ways to cause a DOS (for example, bringing down the interface).

Here's a first.... (-1)

jonnystiph (192687) | more than 10 years ago | (#8920608)

One of the bigger news breaks in a while, and /. is quiet. However, the article is /.ed, does this mean that the /.ers are actually reading the article? My god, it is the end of the world....

They just couldn't stand it. (0, Flamebait)

platypibri (762478) | more than 10 years ago | (#8920609)

My Mac was so lacking in serious vulnerability, they had to threaten the whole dang internet just to get to me! Now I have TWO reasons not to download mp3s!!!

Joe User might not notice (3, Insightful)

Percent Man (756972) | more than 10 years ago | (#8920630)

... since TFA goes on to say the vulnerability explicitly affects "long-lived" TCP connections, not the POP3 / HTTP / SMTP that Joe User relies on. However, for businesses and security wonks this is a potentially big deal.

No problem... (4, Funny)

dark-br (473115) | more than 10 years ago | (#8920632)

i'm posting this over NetBEUI Protocol ;)

*sigh*

RFC3360 (4, Informative)

RAMMS+EIN (578166) | more than 10 years ago | (#8920634)

For more information about what TCP resets are and why they can be harmful, see RFC3360 [faqs.org] .

Simpsons (0)

Anonymous Coward | more than 10 years ago | (#8920642)

"Professor, without knowing precisely what the danger is, would you say it's time for our viewers to crack each other's heads open and feast on the goo inside?"

"Yes I would, Kent."

Here is what to do... (5, Informative)

GPLDAN (732269) | more than 10 years ago | (#8920648)

The article is being presented at CanSecWest, and is called "Slipping in the Window" by Paul A. Watson. I have two friends at CanSecWest, I've asked them to attend and report back what the feeling is.

NANOG members are talking about it, and several regional Tier-1 players have already issued customer notifications.

This exploit goes up against TCP connections that have been established for long periods of time, i.e. not web connections. The most prevalent would be BGP peer connections, which can be up for days on end easily. Without having read details, or the paper itself, by forging packets of BGP peers with adjusted window sizes, you can cause a router to reset (possibly hang, depending on IOS or JunOS version, not sure about this) its BGP peer connection. If you were doing eBGP and had your own AS, a directed attack against your gateway routers could force flapping, which would cause route dampening, and lead to denial of service.

What you need to do, is contact your ISP if you are an enterprise network admin, and establish MD5 authentication on your BGP sessions. Check with Cisco or Juniper and find out if your code will drop non-MD5 BGP packets directed at it. An ACL won't do, the attacker would forge the src-ip of a known peer.

This is a completely non-trivial attack to coordinate. You need to know the IP address of the BGP peer of a customer, or the route reflector, and then get the IP address right in an attempt to bypass ACLs and get the BGP session to hang. eBGP multihop means that IP could be any number of routers, and unless you have inside info, you don't know what it is.

Potentially, looking glasses could be used to mount attacks at NAPs or other peering points, but again, I think the major players will be ready for it very shortly, and will spend most of today (if they are any good) coordinating with legal teams to slam the shit out of any forged sessions they see, and start cooperating to run traces with other providers.

If I could editorialize one moment, none of this would be an issue if providers took better care to implement anti-spoofing techniques. Forged src-ip addresses are the bane of security. Most of these attacks don't care about 2-way communications, they just want to reset connections. Spoofed src-ip lets them do that. Rant off.
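Added example, not the page's or any vendor's code, covering the MD5 protection of peering sessions described in the "BGP vulnerable" post above and in this one: the RFC 2385 TCP MD5 signature option computed and verified in Python over a constructed BGP KEEPALIVE, showing that an RST carrying a digest copied from a genuine segment, or any segment sent without the key, fails the check and is discarded before the receiver ever looks at sequence numbers. Addresses (TEST-NET-1), ports, sequence numbers and the key are constructed.

```python
"""TCP MD5 signature option (RFC 2385) as used to authenticate BGP sessions.

The 16-byte digest covers, in order: the IPv4 pseudo-header, the fixed TCP
header with the checksum field zeroed (options excluded), the payload, and the
shared key. Option kind 19, length 18.
"""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
MD5SIG_KIND = 19        # option kind
MD5SIG_LEN = 18         # kind + length + 16-byte digest
OPTS_LEN = 20           # 18-byte option plus 2 bytes of padding to a 32-bit boundary
FLAG_ACK, FLAG_RST = 0x10, 0x04
BGP_PORT = 179


def tcp_md5_digest(src_ip, dst_ip, src_port, dst_port, seq, ack, flags,
                   window, urg_ptr, payload: bytes, key: bytes,
                   opts_len: int = OPTS_LEN) -> bytes:
    """Compute the RFC 2385 digest for one segment.

    opts_len is the total size of the options area: the data-offset field and
    the pseudo-header length still count the options even though the option
    bytes themselves are excluded from the hash."""
    hdr_len = 20 + opts_len
    seg_len = hdr_len + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    doff_flags = ((hdr_len // 4) << 12) | (flags & 0x1FF)
    fixed_hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                            doff_flags, window, 0, urg_ptr)  # checksum forced to 0
    return hashlib.md5(pseudo + fixed_hdr + payload + key).digest()


def build_md5_option(digest: bytes) -> bytes:
    """Encode the option as it appears on the wire: kind 19, length 18, digest."""
    return bytes([MD5SIG_KIND, MD5SIG_LEN]) + digest


def verify_segment(option: bytes, key: bytes, **segment) -> bool:
    """Receiver side: sanity-check the option, recompute the digest over the
    segment as received, and compare in constant time."""
    if len(option) != MD5SIG_LEN or option[0] != MD5SIG_KIND or option[1] != MD5SIG_LEN:
        return False
    expected = tcp_md5_digest(key=key, **segment)
    return hmac.compare_digest(option[2:], expected)


def sample_keepalive(flags=FLAG_ACK, payload=None) -> dict:
    """Constructed BGP KEEPALIVE between two constructed peers (TEST-NET-1 addresses)."""
    if payload is None:
        # BGP header: 16-byte marker of 0xFF, length 19, type 4 (KEEPALIVE)
        payload = b"\xff" * 16 + struct.pack("!HB", 19, 4)
    return dict(src_ip="192.0.2.1", dst_ip="192.0.2.2", src_port=BGP_PORT,
                dst_port=BGP_PORT, seq=0x01020304, ack=0x0A0B0C0D, flags=flags,
                window=16384, urg_ptr=0, payload=payload)


if __name__ == "__main__":
    key = b"constructed-peering-key"
    seg = sample_keepalive()
    opt = build_md5_option(tcp_md5_digest(key=key, **seg))
    print("genuine keepalive verifies:", verify_segment(opt, key, **seg))
    # The same option replayed on a segment with RST set (or any other field
    # changed) no longer matches, so the receiver discards it unprocessed.
    print("copied option on an RST:   ",
          verify_segment(opt, key, **sample_keepalive(flags=FLAG_RST)))
    print("wrong key:                 ", verify_segment(opt, b"guess", **seg))
```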

Another impending duct tape shortage (1, Funny)

tbase (666607) | more than 10 years ago | (#8920656)

I'm glad I stocked up on duct tape after they told us too. I have plenty to seal off my NICs.

Apparently terrorist.net's router has already been attacked.

"Watson, who runs the www.terrorist.net Web site, predicted that hackers will understand how to begin launching attacks 'within five minutes of walking out of that meeting.'"

He went on to say that you can expect to see the first Spam offering a software patch for $19.95 within 60 seconds of walking out of that meeting.