Slashdot Mirror


TCP Vulnerability Published

Bob Slidell writes "According to Yahoo!, there is a critical flaw in TCP that affects everyone and everything. The article is scant on details and long on fear, hopefully someone will post more details on this." The advisory has more information, and is long on details but only moderate on fear.

19 of 676 comments (clear)

  1. Re:OpenBSD is safe? by thedillybar · · Score: 4, Insightful
    It sounds (again) like proactive security auditting saves the day!

    It doesn't save anything. When someone exploits this and takes out 90% of the Internet's routers, you're screwed no matter what.

    It definitely makes a good argument for both OpenBSD and proactive security auditting. But it doesn't save the day.

  2. Re:Good by adam+mcmaster · · Score: 5, Insightful

    I'm no expert, but wouldn't a security problem with TCP be completely unrelated to IP?

  3. Re:Good by robslimo · · Score: 5, Insightful

    I don't think so.

    Looks like the weakest point for net-wide effects in routers implementing BGP. A concerted attack could tie up critical routers rebuilding routes after losing connection to their peers. Since this could be globally critical, I suspect the major hardware vendors and service providers will be jumping through hoops to get the fix in before some blackhats get coordinated with an exploit. There would still be weaknesses, but IPv6 will get to sit idle a bit longer.

  4. Re:OpenBSD is safe? by AndyBusch · · Score: 4, Insightful

    Good and funny :) but I think what they mean is that more details would give more info for exploits, so their sitting mum til things can get solidified a little more.

  5. Re:Mostly Related to BGP? by LostCluster · · Score: 4, Insightful

    Well, that means our home PCs aren't likely to get exploited by this. However, if our ISP's router gets exploited, we're knocked offline and our PC isn't as useful as it used to be.

    The threat here is a DOS aimed at a few things that we don't want to see go down.

  6. Joe User might not notice by Percent+Man · · Score: 3, Insightful

    ... since TFA goes on to say the vulnerability explicitly affects "long-lived" TCP connections, not the POP3 / HTTP / SMTP that Joe User relies on. However, for businesses and security wonks this is a potentially big deal.

  7. Re:He plans to show the exploit this Thursday! by CyberBill · · Score: 4, Insightful

    No, its not a problem that is software-specific. They are utilizing a 'flaw' in the design of TCP by spoofing the sender's IP address and port, *AND* guessing the recvwindow number!!

    The reason it only affects long-term connections is because it takes awhile to probe for the magic number to reset the connection, and ALL this does is reset the connection, nothing more.

    This whole thing is retarded, if you know enough about TCP this exploit was already on your mind and forgotten because its stupid. :P

    -Bill

    --
    -Bill
  8. Re:OSVDB by -tji · · Score: 4, Insightful

    So, it's simply another type of denial of service. A TCP Reset packet can be faked, which will result in a legitimate open TCP connection being closed by a third party.

    It also assumes a few of things.. You would need to be in the network route, or have some other means of establishing the sequence numbers for the connection. You would also need to be in a network that does not filter out improper source addresses (which some networks do.. but more should do) to allow your spoofed packet to get through.

    So, the problem boils down to a low bandwidth method to DoS TCP connections. It does not give a method to hijack the connections, or otherwise gain access to data.

    Anyway.. Clear IP connections are very open, and completely based on trust. Any sensitive communication should be tunneled inside a VPN, where it would not be vulnerable to this type of attack. (A real IPSec tunnel would not be vulnerable - as it does not use TCP. "SSL VPNs" use TCP as a transport, so they might be open to DoS.. Stick with the security of IPSec for best results.

  9. More from Theo (was Re:OpenBSD is safe?) by Anonymous Coward · · Score: 4, Insightful
    From: Theo de Raadt <deraadt@cvs.openbsd.org>
    [snip]

    Let me be more clear.

    This entire thing is being "sold" as `cross-vendor problem'. Sure.
    Some vendors have a few small issues to solve in this area. Minor
    issues. For us, those issues are 1/50000 smaller than they are for
    other vendors. Post-3.5, we have fixes which make the problem even
    smaller.

    But one vendor -- Cisco -- has an *UTTERLY GIGANTIC HUGE* issue in
    this regard, and as you can see, they have not yet made an
    announcement see..

    You are being told "lots of people have a problem". By not seperating
    out the various problems combined in their notice, or the impact of
    those problems, you are not being told the whole truth.
  10. Exactly. by FreeLinux · · Score: 4, Insightful

    It is indeed a problem with TCP but, it is in no way new. Many people have relied on this "vulnerabillity" for years. This is the technique that many firewalls implement in order to terminate undesirable sessions.

    This vulnerabillity impacts the applications that are unable to handle session interruptions. BGP is such an appilication but, its impact on BGP is critical because this attack could seriously impeed BGP and since the internet backbone relies on BGP such an attack could covceivably shut down the internet. This is a known vulnerabillity in BGP, as you said, and it is surprising to me that BGP has not been modified to prevent this from happening.

    By and large most applications will be able to deal with this and only minor annoyances such as DoS will occur.

    As for earlier posts about OpenBSD being immune, I am very eager to hear how that is possible. No matter what the implementation, it is still possible to reset TCP sessions. This means that OpenBSD is still potentially vulnerable to DoS attacks.

    Provided that BGP is modified to make it more fault tolerant, I can't see this problem with TCP being anything more than a short-lived niusance. I'm sure however that many people will try to use this as leverage to force IPv6 migration however, I believe that it too is vulnerable.

  11. bogus, depending on your OS. by JDizzy · · Score: 3, Insightful

    I read the paper, which is nothing more than a rehash of what every security person already knows about: tcp sequence guessing.

    This issue erupted on the freebsd irc chat, and I had to kill it by posting this linkage: http://lcamtuf.coredump.cx/newtcp/

    As you can see TCP sequncing is fairly random in most of the IP/TCP stacks out there in commercial use. The reasearch paper mentioned in the article only applies to the OS's in the above link that dont' have near true 32bit randomness.

    The feasability of overcoming realtime 32 sequence guessing is insane, however non-zero. just my .02c

    --
    It isn't a lie if you belive it.
    1. Re:bogus, depending on your OS. by httptech · · Score: 3, Insightful

      The randomness of the TCP ISN generator doesn't matter. The fact is, you don't need to guess the current sequence number in the connection. If you guess *any* sequence number in the window ahead of the current sequence number, it's just as good. So all you need to do is count from 0x0-0xffffffff by increments of just under the TCP window size. You can hit the right number within a few minutes if you already know the source and destination ports and you have sufficient bandwidth. Longer if you have to guess the source port.

  12. The real problem? by getnuked · · Score: 5, Insightful
    The real problem is not in TCP (although sequence number windows are a bad idea), it's in allowing in spoofed IP datagrams. If network admins locked down their routers correctly then script kiddies wouldn't be able to send forget packets, and this wouldn't be an issue.

    Note to netadmins and sysadmins: block packets with source IPs that are not valid for the interface they came from! Geesh!

  13. Re:OpenBSD is safe? by Simon+Lyngshede · · Score: 5, Insightful

    Now I what read up on TCP/IP and my memory isn't that good, but isn't it the TCP part which a problem, mening that switching to a different IP protocol won't help you at all. IPv6 is as far as I understood it, only adressing, the TCP stuff is the same... maybe not.

  14. Re:BGP vulnerable by mwood · · Score: 4, Insightful

    What I find most worrisome is this:

    "BGP, configured without an MD5 key (as is usually the case)...."

    So, critical infrastructure, worthy of "a priority...that has never been seen before", is routinely run unsecured? *shivers*

  15. Re:Neither forgotten nor stupid by Tackhead · · Score: 5, Insightful
    > A recently published I-D (here) claims 200 seconds is sufficient time for a broadband sub to successfully attack a TCP session, provided their ISP doesn't use egress filtering (and way too few do so).

    Maybe it's about fucking time ISPs started using egress filtering. At the very least, there'd be an order of magnitude less crap (smurfage, etc) if ISPs dropped spoofed source IP packets before they got to the backbone.

    OK, so the ability of any skript kiddie to spoof and insert a BGP update is a pretty fucking huge mess. But "pretty fucking huge" it may be the only kind of mess that motivates the clueless fucktards pretending to be "ISPs" these days.

  16. Re:Good by TwistedSpring · · Score: 4, Insightful
    other TCP weaknesses are syn floods (not quite the same thing, but somewhat similar -- in fact, this vulnerability might as well be called a "RST flood"),
    1. We know what the other TCP vulerabilities were. Anyone who's still susceptible to them is a lunatic.
    2. This is not at all the same thing and in no way similar other than the fact "it uses TCP".
    3. This vulnerability should not be called an RST flood. That would confuse it with a SYN flood which works totally differently and is much simpler. This should be called a broken window attack or something.

    I wouldn't say TCP is broken
    After noting all the other kinds of irrelevant TCP attack and reading up on this rather serious one, you wouldn't say it was broken? Could it be that, like everyone else including me, you never realised it was broken because you never looked close enough?
    it would be tough to design a transport protocol that is still simple (and doesnt use CPU burning hashing/encryption techniques) that wouldn't have these sorts of vulnerabilities
    It's called IPSEC, it's secure on the IP level up so TCP is encrypted over it. The simpler way to increase security would be to maintain current window size but increase the sequence number field to 64 bits wide. This would make it nigh-impossible to find where the window is sitting.
    calling this vulnerability severe is like screaming that highways are fundamentally unsafe because someone could point their car the wrong way and start smashing into oncoming traffic
    Highways are fundamentally unsafe. They're full of retarded people shunting 3 ton hunks of metal around at speeds they're not comfortable with. But your point is void because people would not do that as they'd die as a result and kill a lot of people. I don't think a kid doing a TCP RST attack really needs to be that dedicated, and this could cost businesses millions of dollars if they don't wise up to it sharpish. Most people who'd took even a short course in networking would be wise to it already.

    The best defence against this? Simply check for a stream of RST packets. They dont come in huge bundles with incrementing sequence numbers often. Detect that signature, block IP, sorted.
  17. Re:NISCC slowing, here is the meat summary of arti by janoc · · Score: 5, Insightful

    Yep, sure, however, if you flood the network with your packets, it will be probably noticed soon. Also in order to flood the network, you need a fast connection to the attacked host, reducing the problem to the immediate neighborhood of the attacked host. That's why this attack is not very practical to perform and the impact on most normal mortals is low (except for the BGP issue, which could take out your upstream router)

    The problem with BGP, which is mentioned in the original article, is that it has a particularly bad failure mode - when a BGP session goes down, it is very expensive to restart it. To top it off, BGP uses very long transmission windows (because it transfers lot of data and that is more efficient with longer windows) and that makes it easier to squeeze-in the spoofed packet. This is quite messy affair, when it happens.

    However, if somebody attacks your favorite web site in this way, I doubt that you are even going to notice it, since http sessions are stateless and comparably cheap to establish.

    So, I think this is just a big scare for nothing, it is mainly BGP issue for now. It affects just people who know how to fix it (and are fixing it right now) and the machines involved are relatively few. Unlike some Windows RPC exploit which unleashed a massive world-wide worm in few minutes.

  18. Not flawed, just unimaginative. by billstewart · · Score: 3, Insightful
    The problem isn't TCP stacks that are flawed because they don't implement TCP properly. It's TCP stacks that failed to imagine some of the creative ways to attack them. Sequence number guessing has been around for a while (see papers by Bellovin and others), but apparently the guy has figured a somewhat more efficient way to guess them on some popular platforms, apparently including Cisco routers.

    Routers don't usually do a lot of TCP themselves, except SSH or telnet access for management, but the one big exception is the BGP protocol that routers use to connect to each other, primarily at the interfaces between carriers. The BGP sessions stay up for a long time, and killing them tells the router that it's no longer talking to its neighbor so it should go find a different route to get to that network, which is really really annoying. On the other hand, BGP has options to do more checking on BGP messages before accepting them, and carriers that do spoof-proofing to prevent their customers from forging packets have less risk, and carriers that block packets addressed to their routers accept from approved destinations are much safer.

    Some customer connections to ISPs use BGP, especially if the customer uses multiple ISPs, though most are static - these could be subject to spoofing by somebody inside the customer's network, if they're not careful. (The customer could be an ISP, or they could be a regular customer with an employee who has next month's interesting virus.) So customers who don't want to get thrown off the net should probably be careful to do good firewalls to keep their own users from spoofing their connections.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks