Posted on 04/21/2004 9:38:57 AM PDT by stainlessbanner
A serious problem with the most commonly used internet communications protocol has been revealed by computer experts.
Experts say the flaw in the Transmission Control Protocol (TCP) could be used to knock out many brands of router - the machines that direct traffic between computer networks on the internet.
Details were revealed in an advisory issued by the UK government's National Infrastructure Security Co-Ordination Centre (NISCC) on Tuesday. The advisory rates the issue as "critical" but states that different hardware and software will be affected to different degrees. Roger Cumming, director of NISCC, says exploitation of this vulnerability could affect the 'glue' that holds the internet together.
The US government's Homeland Security Department also issued a statement which says attacks using the flaw "could affect a large segment of the internet community."
Remote reset
TCP manages the flow of data packets across the internet. It includes a design feature that allows a TCP communications session to be reset remotely across a network.
Sending a reset command depends upon using the correct communications "port", which is set at random by the router beforehand. Previously, the odds of simply guessing this port were thought to be unrealistically high - about one in four billion.
But Paul Watson, an independent computer security consultant based in the US, discovered that just a portion of the correct number will work. This means a valid reset command could be sent in just a few tries. And repeatedly sending reset commands to carefully chosen routers could prevent network traffic from being forwarded, leaving computers unable to communicate.
A number of router makers, including the world's largest manufacturer Cisco, have confirmed that their products are vulnerable to the exploit. Some systems can be protected through careful configuration, while others require a software fix.
Details of the flaw will be presented by Watson in a paper entitled Slipping In The Window: TCP Reset Attacks at the CanSecWest 2004 conference in Vancouver, Canada, which is held between 21 and 23 April.
The evil doers know how to do it before the techies do.
Groan.
In a TCP session, the endpoints can negotiate a TCP Window size. When this is taken into account, instead of attempting to send a spoofed packet with all potential sequence numbers, the attacker would only need to calculate a valid sequence number that falls within the next expected ISN plus or minus half the window size. Therefore, the larger the TCP Window size, the larger the range of sequence numbers that will be accepted in the TCP stream. According to Paul Watson's report, with a typical xDSL data connection (80 Kbps, upstream) capable of sending 250 packets per second (pps) to a session with a TCP Window size of 65,535 bytes, it would be possible to inject a TCP packet approximately every 5 minutes. It would take approximately 15 seconds with a T-1 (1.544 Mbps) connection. These numbers are significant when large numbers of compromised machines (often called "botnets" or "zombies") can be used to generate large amounts of packets that can be directed at a particular host.
To protect against such injections, RFC 2385 provides a method of using MD5 signatures on the TCP Headers. If this form of verification is supported and enabled between two peers, then an attacker would have to obtain the key used to transmit the packet in order to successfully inject a packet into the TCP session. Another alternative would be to tunnel BGP over IPSec. Again, this would provide a form of authentication between the BGP peers and the data that they transmit. The lack of authentication when using TCP for BGP makes this type of attack more viable.
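The two quoted paragraphs above explain the risk (the receive window shrinks the sequence-number search space) and the mitigation (RFC 2385 MD5 signatures on TCP segments). The following Python is an added example written for this thread; it is not code from the article, from Watson's paper or from any vendor advisory. It models the windowed and exact RST acceptance checks, reproduces the window/packet-rate arithmetic behind the "approximately every 5 minutes" figure, and computes and verifies an RFC 2385 digest (MD5 over the TCP pseudo-header, the fixed 20-byte header with checksum zeroed, the data, and the shared key). The peer addresses, ports, key and the `build_tcp_header` helper are constructed for illustration only.

```python
"""Added example: windowed vs exact RST acceptance, the guess-count
arithmetic, and an RFC 2385 TCP MD5 signature check. All addresses,
ports and keys are constructed for illustration."""
import hashlib
import hmac
import struct

SEQ_SPACE = 2 ** 32


def guesses_to_cover_space(window):
    """Spoofed segments needed so that one of them lands inside a
    window-sized slice of the 32-bit sequence space, whatever the
    connection's current sequence number is (ceiling of 2^32 / window)."""
    return -(-SEQ_SPACE // window)


def seconds_to_cover(window, pps):
    """Wall-clock time for that many segments at a given packet rate.
    65,535-byte window at 250 pps gives roughly 262 s, i.e. the advisory's
    'approximately every 5 minutes' (the figure varies with the exact rate)."""
    return guesses_to_cover_space(window) / pps


def rst_accepted_windowed(seq, rcv_nxt, window):
    """The lax check the advisory describes: honour an RST whose sequence
    number lies anywhere within rcv_nxt +/- window/2, modulo 2^32."""
    lower = (rcv_nxt - window // 2) % SEQ_SPACE
    return (seq - lower) % SEQ_SPACE < window


def rst_accepted_exact(seq, rcv_nxt):
    """A strict receiver: only an RST carrying exactly the next expected
    sequence number is honoured, so each blind guess has a 1 in 2^32 chance."""
    return seq == rcv_nxt


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest: MD5 over the TCP pseudo-header, the fixed TCP header
    with its checksum zeroed (options excluded), the segment data, and the
    shared key, in that order. src_ip/dst_ip are 4-byte IPv4 addresses."""
    data_offset = (tcp_header[12] >> 4) * 4       # header + options length
    tcp_length = data_offset + len(payload)       # segment length field
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_length)
    hdr = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]  # zero checksum
    return hashlib.md5(pseudo + hdr + payload + key).digest()


def verify_tcp_md5(src_ip, dst_ip, tcp_header, payload, key, option_digest):
    """Receiver side: recompute the digest and compare in constant time."""
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(expected, option_digest)


def build_tcp_header(sport, dport, seq, ack, flags, window):
    """Hypothetical helper: a fixed 20-byte TCP header. Data offset 10 words
    accounts for the 18-byte MD5 option plus 2 bytes of padding that a real
    signed segment carries; checksum and urgent pointer are left at zero."""
    data_offset_flags = (10 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       data_offset_flags, window, 0, 0)


# Constructed sample: a BGP session (port 179) between two documentation
# addresses, protected by a shared RFC 2385 key.
PEER_A = bytes([192, 0, 2, 1])
PEER_B = bytes([192, 0, 2, 2])
SHARED_KEY = b"constructed-example-key"
FLAG_RST = 0x04
FLAG_ACK = 0x10


def demo():
    """Returns (legitimate_segment_accepted, spoofed_rst_accepted)."""
    rcv_nxt, window = 1000, 65535
    # Genuine peer: signs with the shared key; the receiver verifies it.
    hdr = build_tcp_header(179, 40000, rcv_nxt, 2000, FLAG_ACK, window)
    sig = tcp_md5_digest(PEER_A, PEER_B, hdr, b"", SHARED_KEY)
    genuine_ok = verify_tcp_md5(PEER_A, PEER_B, hdr, b"", SHARED_KEY, sig)
    # Spoofed RST with a sequence number inside the window: without the key
    # the sender cannot produce a valid option, so the receiver discards it
    # even though the windowed sequence check alone would have accepted it.
    spoof_hdr = build_tcp_header(179, 40000, rcv_nxt + 30000, 0, FLAG_RST, 0)
    in_window = rst_accepted_windowed(rcv_nxt + 30000, rcv_nxt, window)
    bogus_sig = tcp_md5_digest(PEER_A, PEER_B, spoof_hdr, b"", b"guess")
    spoof_ok = in_window and verify_tcp_md5(PEER_A, PEER_B, spoof_hdr, b"",
                                            SHARED_KEY, bogus_sig)
    return genuine_ok, spoof_ok


if __name__ == "__main__":
    print("guesses for a 65,535-byte window:", guesses_to_cover_space(65535))
    print("seconds at 250 pps:", round(seconds_to_cover(65535, 250), 1))
    print("genuine accepted, spoof accepted:", demo())
```

The point the demo makes is that the sequence-number check and the signature check are independent gates: the windowed check passes the spoofed RST, the RFC 2385 check rejects it, which is why the advisory recommends MD5 signatures (or IPsec) for BGP sessions rather than relying on sequence-number unpredictability alone.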