A serious security
vulnerability in the fundamental computer protocol
TCP has been found by the UK's National Infrastructure
Security Co-Ordination Centre (NISCC).
The hole exists in all implementations of TCP that
comply with the IETF's specification. By exploiting the hole,
malicious hackers could cause TCP sessions to end
prematurely, creating a denial of service attack. The
TCP vulnerability could also disrupt communications
between routers on the Internet by interrupting BGP
(Border Gateway Protocol) sessions that use TCP, NISCC
said.
The US-CERT Coordination Center has issued a warning
about the vulnerability. It cites an almost
three-year-old advisory and says that sustained
exploitation of the hole could lead to denial of service
affecting "portions of the Internet community."
BGP is the routing protocol most commonly used by major
external routers on the Internet. Major ISPs
use BGP to configure redundant high-speed connections
and to coordinate with other ISPs and other peers, said
Dan Ingevaldson, research director at Internet Security
Systems (ISS). "It's the protocol that handles the big
pipes on the Internet," he said.
NISCC and US-CERT issued their advisories after a
security researcher, Paul Watson, described the problem
in a paper called "Slipping in the Window: TCP Reset
Attacks." Watson will be presenting the paper at the
CanSecWest 2004 security conference in Vancouver,
Canada, this week.
Watson discovered that the current TCP standard
allows a malicious hacker to easily guess a unique
32-bit number needed to reset an established TCP
connection because the standard allows sequence numbers
in a range of values to be accepted rather than just
exact matches.
By spoofing the source IP address and the TCP port,
then randomly guessing the unique sequence number, an
attacker could cause an active TCP session to terminate.
Networking experts have known about the potential for
such attacks for almost 20 years. However, as Internet
use and the use of broadband Internet connections have
grown over the years, ISPs and others have gradually
increased the size of the "window", or range of
acceptable sequence numbers that they permit to reset a
connection, making a successful DoS attack more
plausible, Ingevaldson said.
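The window-versus-exact-match distinction described above, as an added illustration that is not part of the original article: a small Python model of the rule a receiver applies to an incoming RST, showing how the number of spoofed segments needed to guarantee a hit shrinks as the receive window grows. The exact-match rule (the hardening RFC 5961 later standardised) is included for comparison; the window sizes and sequence numbers are constructed values, and no packets are sent.

```python
"""Model of TCP RST acceptance: window-based (RFC 793) vs. exact match.

Constructed example for risk estimation; nothing here touches the network.
"""

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq, rcv_nxt, rcv_wnd):
    """Classic RFC 793 rule: a RST is honoured if its sequence number falls
    anywhere inside the receive window [rcv_nxt, rcv_nxt + rcv_wnd)."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def exact_match(seq, rcv_nxt, rcv_wnd=None):
    """Hardened rule (RFC 5961 style): only a RST carrying exactly rcv_nxt
    aborts the connection; any other value is ignored."""
    return seq == rcv_nxt


def guesses_to_cover(rcv_wnd):
    """Spoofed RSTs needed to guarantee one lands in a window of rcv_wnd bytes
    when probes are spaced rcv_wnd apart: ceil(2^32 / rcv_wnd)."""
    if rcv_wnd <= 0:
        raise ValueError("receive window must be positive")
    return -(-SEQ_SPACE // rcv_wnd)


def covering_probe_count(rcv_nxt, rcv_wnd, accept):
    """Walk the covering set (sequence numbers spaced rcv_wnd apart) and
    return how many probes it takes before `accept` honours one, or None
    if no probe in that set is accepted. With `in_window` the answer is
    always bounded by guesses_to_cover(); with `exact_match` the same
    budget almost never succeeds, which is the point of the hardening."""
    for i in range(guesses_to_cover(rcv_wnd)):
        if accept(i * rcv_wnd % SEQ_SPACE, rcv_nxt, rcv_wnd):
            return i + 1
    return None


if __name__ == "__main__":
    # Constructed receiver state: next expected byte and a 16 KiB window.
    rcv_nxt, rcv_wnd = 123456789, 16384
    print("probes to cover 2^32 with window", rcv_wnd, "=", guesses_to_cover(rcv_wnd))
    print("windowed rule accepts after", covering_probe_count(rcv_nxt, rcv_wnd, in_window), "probes")
    print("exact-match rule with same budget:", covering_probe_count(rcv_nxt, rcv_wnd, exact_match))
```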
BGP sessions are particularly vulnerable to such
attacks because they are longer, more predictable
connections that often take place between two devices
with published IP addresses, he said. "Attackers know
where they are and where they're going, they know the
ports on either side that are being used and the
window," he said.
ISS notified its customers about the hole and said
that network infrastructure providers and enterprises'
internal networks are the most vulnerable to DoS attacks
that use the vulnerability.
Leading networking equipment vendors Cisco and
Juniper are already on the case, and Cisco has released
an extensive advisory
for its customers that explains the risk in terms of its
products.
But despite the dire warnings, the impact of the TCP
hole will probably be small, Ingevaldson said. Leading
networking vendors have probably been in conversation
with US-CERT and the NISCC far in advance of the news
becoming public, giving those companies time to prepare
a patch. Also, the BGP protocol was designed to be
resistant to attack and to support digital signatures
using algorithms such as MD5 that can prevent spoofing,
he said.
"This is a serious issue because it's widespread, but
there probably won't be a widespread impact," he said.