The Department of Homeland Security issued an alert Tuesday
warning that "a large segment of the Internet community" could
be knocked offline by a newly discovered vulnerability that
would allow attacks on a core technology behind the global
network.
Such an attack could take down whole Internet service
providers by temporarily shutting down communications between
computers on the network, said the warning from the United
States Computer Emergency Readiness Team, a partnership
between the department and Carnegie Mellon University.
British authorities warned about the vulnerability earlier
Tuesday. ISPs have been scrambling to protect themselves
against the danger, but "the threat is ongoing," said Jeff
Havrilla, an Internet security expert with the U.S.
partnership.
However, the impact of any attacks will probably be limited
because government organizations and companies that run the
largest pipes in the plumbing of the Internet have been
applying fixes for about four weeks, said Alan Paller,
director of research at SANS Institute, a security education
organization in Bethesda, Md.
"It might have been a crisis had no one known about it and
an attack hit," Paller said. "But because the researcher (who
discovered the problem) let DHS and (the United Kingdom
National Infrastructure Security Co-Ordination Centre) know
about it, and they acted quickly ... there will only be small
problems."
Major ISPs such as AT&T, MCI and Sprint, which provide
Internet connectivity to retail companies such as Earthlink
and America Online, moved quickly to cooperate with the
government and hardware vendors to apply patches, he said.
Small ISPs are the most likely to fall victim because they
have fewer resources and rely on fewer connections to remain
on the Internet, Havrilla said.
Although the infrastructure technology, known as
transmission control protocol, or TCP, has long been known to
be vulnerable, the weakness has only recently been seen as
dangerous, after a security researcher revealed new
information that would make exploiting it plausible.
The researcher, Paul Watson, an employee of Milwaukee's
Rockwell Automation, is to present his findings this week at
the CanSecWest 2004 conference in Vancouver, British Columbia.
Paul Vixie of Redwood City's Internet Systems Consortium
Inc. likened the risk to Internet users "running naked through
the jungle, which didn't matter until somebody released some
tigers," according to the Associated Press.
"It's a significant risk," said Vixie, co-creator of
another Internet infrastructure technology. "The larger
Internet providers are jumping on this big time. It's really
important this just gets fixed before the bad guys start
exploiting it for fun and recognition."
TCP, developed in the 1970s, is the rulebook computers use
to connect to one another on the Internet. The weakness in TCP
allows people to impersonate others when connecting to
computers online, Havrilla said.
In the most likely attack scenario, a hacker would disguise
his computer as a computer at an Internet service provider,
link up with another ISP and then shut down that ISP's
connection, Havrilla said. Because most ISPs are connected to
the Internet via multiple outside computers, a hacker would
have to go through this routine many times to take down a
major ISP.
Malicious hackers would probably use such an attack to
target ISPs used by rival hackers, Havrilla said.
Such an attack was previously considered possible but
highly unlikely because the hacker would have to guess at a
number exchanged by the two legitimate computers in order to
impersonate one of them. But Watson showed that the number
used is a lot more predictable than previously thought, said
Mark Graff, chief cyber-security officer at Lawrence Livermore
National Laboratory.
Faster Internet connections and a more reliable network
have made the guessing game a lot easier over the years,
Havrilla said.
Using Watson's method via a T1 Internet connection, the
kind of ultra-fast broadband used by many corporations, it
would be possible to attack in 15 seconds, the U.S.
partnership said.
In a method commonly used by hackers to attack Web sites,
one person could take over many other computers, or "zombies,"
and use them all to attack one ISP over and over, keeping it
off the Internet for as long as the attack lasted.
E-mail Carrie Kirby at ckirby@sfchronicle.com.