Critical internet communication flaw revealed
newscientist | April 21, 2004 | Will Knight

Posted on 04/21/2004 9:38:57 AM PDT by stainlessbanner

A serious problem with the most commonly used internet communications protocol has been revealed by computer experts.

Experts say the flaw in the Transmission Control Protocol (TPC) could be used to knock out many brands of router - the machines that direct traffic between computer networks on the internet.

Details were revealed in an advisory issued by the UK government's National Infrastructure Security Co-ordination Centre (NISCC) on Tuesday. The advisory rates the issue as "critical" but states that different hardware and software will be affected to different degrees. Roger Cumming, director of NISCC, says exploitation of this vulnerability could affect the 'glue' that holds the internet together.

The US government's Homeland Security Department also issued a statement which says attacks using the flaw "could affect a large segment of the internet community."

Remote reset

The TPC manages the flow of data packets across the internet. It includes a design feature that allows a TCP communications session to be reset remotely across a network.

Sending a reset command depends upon using the correct communications "port", which is set at random by the router beforehand. Previously, the odds of simply guessing this port were thought to be unrealistically high - about one in four billion.

But Paul Watson, an independent computer security consultant based in the US, discovered that just a portion of the correct number will work. This means a valid reset command could be sent in just a few tries. And repeatedly sending reset commands to carefully chosen routers could prevent network traffic from being forwarded, leaving computers unable to communicate.

A number of router makers, including the world's largest manufacturer Cisco, have confirmed that their products are vulnerable to the exploit. Some systems can be protected through careful configuration, while others require a software fix.

Details of the flaw will be presented by Watson in a paper entitled Slipping In The Window: TCP Reset Attacks at the CanSecWest 2004 conference in Vancouver, Canada, which is held between 21 and 23 April.


TOPICS: News/Current Events
KEYWORDS: dos; flaw; internet; paulwatson; techindex

1 posted on 04/21/2004 9:38:58 AM PDT by stainlessbanner

To: *tech_index; John Robinson
heads up
2 posted on 04/21/2004 9:39:29 AM PDT by stainlessbanner

To: stainlessbanner
I think it is wonderful of this wizard to present a paper explaining to evil-doers how to take down the internet.
3 posted on 04/21/2004 9:45:56 AM PDT by Mind-numbed Robot (Not all things that need to be done need to be done by the government.)

To: stainlessbanner
Maybe an editor could have fact checked this article before allowing it to make two erroneous references to "TPC".
4 posted on 04/21/2004 9:46:30 AM PDT by tdadams (If there were no problems, politicians would have to invent them... wait, they already do.)

To: Mind-numbed Robot
I think it is wonderful of this wizard to present a paper explaining to evil-doers how to take down the internet.

The evil doers know how to do it before the techies do.

5 posted on 04/21/2004 9:49:16 AM PDT by tdadams (If there were no problems, politicians would have to invent them... wait, they already do.)

To: tdadams
Agree with your comment on TPC vs. TCP.

Secondly, in general *routers* are just forwarding packets at the IP level and TCP is passing through as just data.

Unless the routers are actually terminating TCP sessions, this would not affect most routers. It would, however, affect endpoints of communications, e.g. servers.

For this reason, the article seems to me, at least, to be misleading.
6 posted on 04/21/2004 9:50:37 AM PDT by 2 Kool 2 Be 4-Gotten

To: 2 Kool 2 Be 4-Gotten; tdadams; Mind-numbed Robot
CERT Advisory from 20 April
7 posted on 04/21/2004 9:53:55 AM PDT by stainlessbanner

To: stainlessbanner
Is that "port", or "sequence number"? (I've done little with TCP/IP, mostly UDP/IP.)
8 posted on 04/21/2004 9:54:03 AM PDT by Eala (Sacrificing tagline fame for... TRAD ANGLICAN RESOURCE PAGE: http://eala.freeservers.com/anglican)

To: stainlessbanner
All Internet Service Providers (ISPs) using TCP/IP or NetBIOS are at risk, according to the more detailed CERT Advisory issued yesterday.

Groan.

9 posted on 04/21/2004 9:54:10 AM PDT by LurkedLongEnough (Bush '04 --- in a F'n landslide.)

To: stainlessbanner
It's Bush's fault...
10 posted on 04/21/2004 9:55:23 AM PDT by talleyman ("Fatal error - foam flaw in tap stack - drinking has been halted.")

To: stainlessbanner
Ahhh, the vulnerability is BGP via TCP. Ack.
11 posted on 04/21/2004 9:56:10 AM PDT by 2 Kool 2 Be 4-Gotten

To: 2 Kool 2 Be 4-Gotten
Yup. But there are fixes already identified to close this hole.

In a TCP session, the endpoints can negotiate a TCP Window size. When this is taken into account, instead of attempting to send a spoofed packet with all potential sequence numbers, the attacker would only need to calculate a valid sequence number that falls within the next expected ISN plus or minus half the window size. Therefore, the larger the TCP Window size, the larger the range of sequence numbers that will be accepted in the TCP stream. According to Paul Watson's report, with a typical xDSL data connection (80 Kbps, upstream) capable of sending 250 packets per second (pps) to a session with a TCP Window size of 65,535 bytes, it would be possible to inject a TCP packet approximately every 5 minutes. It would take approximately 15 seconds with a T-1 (1.544 Mbps) connection. These numbers are significant when large numbers of compromised machines (often called "botnets" or "zombies") can be used to generate large amounts of packets that can be directed at a particular host.

To protect against such injections, RFC 2385 provides a method of using MD5 signatures on the TCP Headers. If this form of verification is supported and enabled between two peers, then an attacker would have to obtain the key used to transmit the packet in order to successfully inject a packet into the TCP session. Another alternative would be to tunnel BGP over IPSec. Again, this would provide a form of authentication between the BGP peers and the data that they transmit. The lack of authentication when using TCP for BGP makes this type of attack more viable.

12 posted on 04/21/2004 10:00:10 AM PDT by Eala (Sacrificing tagline fame for... TRAD ANGLICAN RESOURCE PAGE: http://eala.freeservers.com/anglican)

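To make the window-size arithmetic and the RFC 2385 mitigation from post 12 concrete, here is an added example (not from the thread, the CERT advisory, or Watson's paper): the classic in-window RST acceptance rule, the guess count and timing for the window and link speeds quoted above, and an RFC 2385 TCP MD5 signature that a BGP speaker checks before honouring a RST. The addresses, ports, key and sequence numbers are constructed.

```python
import hashlib
import struct
from ipaddress import IPv4Address

SEQ_SPACE = 2**32


def rst_in_window(rcv_nxt: int, rcv_wnd: int, seq: int) -> bool:
    """RFC 793 rule a receiver applies to a RST: honour it if the sequence number
    lies anywhere in [RCV.NXT, RCV.NXT + RCV.WND) modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd

def guesses_to_cover(window: int) -> int:
    """Segments needed to guarantee one in-window hit when stepping through the
    2^32 sequence space in window-sized jumps (ceiling division)."""
    return -(-SEQ_SPACE // window)

def worst_case_seconds(window: int, bits_per_second: float, packet_bytes: int = 40) -> float:
    """Time to walk the whole space at a link's packet rate. 40-byte minimal
    IP+TCP segments are assumed; that is what makes 80 kbps upstream 250 pps."""
    return guesses_to_cover(window) / (bits_per_second / (8 * packet_bytes))

def tcp_header(sport: int, dport: int, seq: int, flags: int, window: int) -> bytes:
    """20-byte TCP header with ack 0, checksum 0 and a data offset of 10 words
    (40 bytes), which leaves room for the 18-byte MD5 option padded to 20."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 10 << 4, flags, window, 0, 0)

def tcp_md5_digest(src_ip: str, dst_ip: str, header: bytes, payload: bytes, key: bytes) -> bytes:
    """RFC 2385 signature: MD5 over the IPv4 pseudo-header (src, dst, zero, protocol 6,
    segment length incl. the 20 option bytes), the TCP header with options excluded
    and checksum zeroed, the payload, and last the shared key."""
    seg_len = len(header) + 20 + len(payload)
    pseudo = IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
    pseudo += struct.pack("!BBH", 0, 6, seg_len)
    zeroed = header[:16] + b"\x00\x00" + header[18:]
    return hashlib.md5(pseudo + zeroed + payload + key).digest()

def peer_accepts(src_ip, dst_ip, header, payload, option_digest, key) -> bool:
    """A BGP speaker with TCP MD5 enabled recomputes the digest and drops any
    segment that does not match, whether or not its sequence number is in window."""
    return option_digest == tcp_md5_digest(src_ip, dst_ip, header, payload, key)

# Constructed sample session: BGP (port 179) between two hypothetical peers.
KEY, A, B, RST_ACK = b"constructed-shared-secret", "192.0.2.1", "192.0.2.2", 0x14
RCV_NXT, RCV_WND = 0x12345678, 65535
good = tcp_header(179, 40000, RCV_NXT, RST_ACK, RCV_WND)           # genuine peer, has the key
good_sig = tcp_md5_digest(A, B, good, b"", KEY)
forged = tcp_header(179, 40000, RCV_NXT + 1000, RST_ACK, RCV_WND)  # in window, but no key
forged_sig = tcp_md5_digest(A, B, forged, b"", b"not-the-key")
```

With a 65,535-byte window the whole sequence space is covered in 65,538 segments, which at 250 pps is a little over four minutes and at T-1 rates under fifteen seconds, matching the figures quoted; with the MD5 option enabled the in-window forged RST is still dropped.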
To: stainlessbanner
Thanks. That was a helpful link.
13 posted on 04/22/2004 7:34:55 AM PDT by Mind-numbed Robot (Not all things that need to be done need to be done by the government.)
