Slashdot Mirror


TCP Vulnerability Published

Bob Slidell writes "According to Yahoo!, there is a critical flaw in TCP that affects everyone and everything. The article is scant on details and long on fear; hopefully someone will post more details on this." The advisory has more information, and is long on details but only moderate on fear.

6 of 676 comments

  1. He plans to show the exploit this Thursday! by Novanix · · Score: 5, Interesting

    This kind man responsible for finding this vulnerability is going to present this exploit at the security conference in Vancouver this Thursday. He then predicts "hackers will understand how to begin launching attacks 'within five minutes of walking out of that meeting.'" The article talks about how the government has been "fortifying" its networks against this; does that mean they quickly rewrote the TCP protocol? I would love to know.

    1. Re:He plans to show the exploit this Thursday! by deman1985 · · Score: 4, Interesting

      From what I gathered in the two links and also my knowledge of TCP/IP, it would not necessarily require a flawed implementation of the stack in order to be vulnerable to attacks of this sort. In fact, it is the routers and/or software which don't implement the stack according to spec which are less likely to be affected.

      In the meantime, there are a few workarounds which can be put in place, such as IPSec, and options which can be changed to reduce the likelihood of an attack, such as the window size. The smaller it is, the harder it is to guess a sequence number in the range quickly.

  2. IETF TCP Security Considerations draft by BrewerDude · · Score: 5, Interesting

    There is a new Internet draft addressing this issue.

  3. Re:OpenBSD is safe? by Jeremiah Cornelius · · Score: 4, Interesting

    Some genius modded my post as a Troll. I guess it's because they know so much about this vulnerability, and how the exposure goes up as one increases TCP window-size. ;-)

    Really, though. If you need to calculate a valid offset from the ISN, big TCP-window sizes are of advantage to the attacker.

    To quote from the announcement:

    In a TCP session, the endpoints can negotiate a TCP Window size. When this is taken into account, instead of attempting to send a spoofed packet with all potential sequence numbers, the attacker would only need to calculate a valid sequence number that falls within the next expected ISN plus or minus half the window size. Therefore, the larger the TCP Window size, the larger the range of sequence numbers that will be accepted in the TCP stream.

    BGP-4 relies on persistent connections, with huge window sizes.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."

  4. Old news from 1998 and probably before by weld · · Score: 5, Interesting

    Mudge from the L0pht talked about taking down the internet in 30 minutes with a router DoS attack in front of the US Senate in May 1998. Privately the L0pht told NIPC that this could be done with a BGP TCP reset attack. L0pht said it could be mitigated by doing ingress/egress filtering but that ISPs were too lazy and cheap to do it.

    In Aug 1998, RFC 2385 came out with protection of BGP with MD5 signatures. Using MD5 sigs will defeat this attack.

    This is a well known issue with well known solutions. If the infrastructure is at risk it is because ISPs haven't been doing their job and following best practices.

    -weld

  5. Re:OpenBSD is safe? by JPriest · · Score: 5, Interesting

    As a side note, all the major sites with several BGP peering points have recently started using MD5 authentication. We have been updating all of our peering sessions over the last week or so.

    --
    Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
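Both weld's post (RFC 2385 MD5 signatures defeat the reset attack) and JPriest's post (MD5 authentication being rolled out on peering sessions) rest on the same mechanism, so here is one added Python illustration of it. This is not code from the thread, from RFC 2385's authors, or from any router or operating system stack; real peers enable the option in the kernel (for example a `TCP_MD5SIG`-style socket option) rather than computing digests in userland. The addresses, ports, sequence numbers and key are constructed, and the `build_tcp_header`, `tcp_md5_signature`, `verify_segment` and `demo` names are this example's own. It shows why a spoofed RST that lands inside the acceptance window still gets dropped: the receiver recomputes the digest over the pseudo-header, the TCP header, the data and the shared key, and the forger has no key.

```python
# Added illustration of the RFC 2385 TCP MD5 signature option (not code from
# the thread, from any router vendor, or from an operating system stack).
# Addresses, ports, sequence numbers and the key below are constructed.
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCP_RST = 0x004
TCP_ACK = 0x010


def build_tcp_header(src_port, dst_port, seq, ack, flags, window, checksum=0):
    """Pack a 20-byte TCP header with no options (data offset 5)."""
    offset_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, checksum, 0)


def tcp_md5_signature(src_ip, dst_ip, tcp_header, data, key):
    """Compute the RFC 2385 digest: IPv4 pseudo-header, TCP header with the
    checksum field zeroed (options are excluded from the digest but counted in
    the segment length), segment data, then the connection key."""
    if len(tcp_header) != 20:
        raise ValueError("this illustration handles option-less headers only")
    segment_length = len(tcp_header) + len(data)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, segment_length))
    header_zero_csum = tcp_header[:16] + b"\x00\x00" + tcp_header[18:]
    digest = hashlib.md5()
    for part in (pseudo, header_zero_csum, data, key):
        digest.update(part)
    return digest.digest()


def verify_segment(src_ip, dst_ip, tcp_header, data, key, received_sig):
    """Receiver-side check: recompute and compare in constant time.  A segment
    from a signed peer that carries no valid 16-byte signature is dropped."""
    if len(received_sig) != 16:
        return False
    expected = tcp_md5_signature(src_ip, dst_ip, tcp_header, data, key)
    return hmac.compare_digest(expected, received_sig)


def demo():
    """Sign a legitimate BGP KEEPALIVE and show that a blind RST, even one with
    an in-window sequence number, fails verification without the key."""
    peer_a, peer_b, key = "192.0.2.1", "198.51.100.1", b"constructed-bgp-key"
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"   # 19-byte BGP KEEPALIVE message
    hdr = build_tcp_header(179, 41537, 1000, 5000, TCP_ACK, 65535)
    sig = tcp_md5_signature(peer_a, peer_b, hdr, keepalive, key)
    # The same segment with a non-zero checksum must verify: the digest zeroes it.
    hdr_csum = build_tcp_header(179, 41537, 1000, 5000, TCP_ACK, 65535,
                                checksum=0xBEEF)
    # A spoofed RST with an in-window sequence number but no knowledge of the key.
    rst = build_tcp_header(179, 41537, 1010, 5000, TCP_RST, 0)
    forged_sig = tcp_md5_signature(peer_a, peer_b, rst, b"", b"")
    return {
        "sig": sig,
        "legit_ok": verify_segment(peer_a, peer_b, hdr, keepalive, key, sig),
        "checksum_independent":
            tcp_md5_signature(peer_a, peer_b, hdr_csum, keepalive, key) == sig,
        "forged_rst_ok": verify_segment(peer_a, peer_b, rst, b"", key, forged_sig),
        "wrong_key_ok": verify_segment(peer_a, peer_b, hdr, keepalive,
                                       b"other-key", sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The signature binds the addresses, ports, sequence and acknowledgement numbers, flags and payload to a key only the two peers hold, so guessing a sequence number in the window (the whole point of the published attack) is no longer sufficient. The constant-time comparison in `verify_segment` is the usual precaution when comparing any authentication tag.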