Slashdot Mirror


TCP Vulnerability Published

Bob Slidell writes "According to Yahoo!, there is a critical flaw in TCP that affects everyone and everything. The article is scant on details and long on fear, hopefully someone will post more details on this." The advisory has more information, and is long on details but only moderate on fear.

193 of 676 comments (clear)

  1. OpenBSD is safe? by Anonymous Coward · · Score: 5, Informative

    This just hit the misc@openbsd mail list:
    Date: Tue, 20 Apr 2004 12:57:12 -0600
    From: Theo de Raadt <deraadt@cvs.openbsd.org>
    [snip]

    In the OpenBSD case, this is something not to worry about. For what
    they discuss, OpenBSD handles this extremely well.

    We'll explain more in a week or so.
    It sounds (again) like proactive security auditting saves the day!
    1. Re:OpenBSD is safe? by Anonymous Coward · · Score: 5, Funny

      What about proactive spelling auditing?

    2. Re:OpenBSD is safe? by shatfield · · Score: 5, Funny

      Great, I guess Microsoft will just have to copy the BSD TCP/IP code again to ensure that their customers are safe ;-)

      --
      "To make a mistake is only human; to persist in a mistake is idiotic." Cicero
    3. Re:OpenBSD is safe? by GoofyBoy · · Score: 4, Funny

      >For what
      they discuss, OpenBSD handles this extremely well. We'll explain more in a week or so.

      Is the margin of the page too small to explain the wonderful reason why it handles this so well?

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    4. Re:OpenBSD is safe? by thedillybar · · Score: 4, Insightful
      It sounds (again) like proactive security auditting saves the day!

      It doesn't save anything. When someone exploits this and takes out 90% of the Internet's routers, you're screwed no matter what.

      It definitely makes a good argument for both OpenBSD and proactive security auditting. But it doesn't save the day.

    5. Re:OpenBSD is safe? by AndyBusch · · Score: 4, Insightful

      Good and funny :) but I think what they mean is that more details would give more info for exploits, so their sitting mum til things can get solidified a little more.

    6. Re:OpenBSD is safe? by Jeremiah+Cornelius · · Score: 5, Informative
      Yeah. The biggest problem here is the ease with which one could DoS the BGP-4 protocol.

      The Internet BGP tables are ricketey enough these days - they don't need every other route to "flap"!

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    7. Re:OpenBSD is safe? by Anonymous Coward · · Score: 5, Funny

      It doesn't save anything. When someone exploits this and takes out 90% of the Internet's routers, you're screwed no matter what.

      But it saves the day for my network of 3 linux boxen in my basement which are s0 K3wl, they r0x! While the Internet burns to the ground I can route packets back and forth with impunity between my 486 laptop and my Pentium II Server!! WooHoo!

    8. Re:OpenBSD is safe? by hatrisc · · Score: 4, Funny

      LONG LIVE THE INTRANET!

      --
      I write code.
    9. Re:OpenBSD is safe? by paul_pick1 · · Score: 3, Informative
      When someone exploits this and takes out 90% of the Internet's routers, you're screwed no matter what.

      Unless your business really doesn't care if most of the "internet's routers" are having trouble. My workplace can live very well with reduced internet access/functionality. When they get their troubles sorted out, we'll still be here (and be quite "un-screwed").

      --
      http://www.switch2firefox.com/
    10. Re:OpenBSD is safe? by pyros · · Score: 5, Funny

      I guess they were smart enough to implement the new Evil Bit added to TCP last April. Those OpenBSD folks sure are forward thinking.

    11. Re:OpenBSD is safe? by binaryzone · · Score: 2, Informative
    12. Re:OpenBSD is safe? by Jeremiah+Cornelius · · Score: 4, Interesting
      Some genius modded my post as a Troll. I guess it's because they know so much about this vulnerability, and how the exposure goes up as one increases TCP window-size. ;-)

      Really, though. If you need to calculate a valid offset from the ISN, big TCP-window sizes are of advantage to the attacker.

      To quote from the announcement:

      In a TCP session, the endpoints can negotiate a TCP Window size. When this is taken into account, instead of attempting to send a spoofed packet with all potential sequence numbers, the attacker would only need to calculate an valid sequence number that falls within the next expected ISN plus or minus half the window size. Therefore, the larger the TCP Window size, the the larger the range of sequence numbers that will be accepted in the TCP stream.

      BGP-4 relies on persistent connections, with huge window sizes.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    13. Re:OpenBSD is safe? by denis-The-menace · · Score: 2, Interesting

      Let's say we ALL did over night. Given its new-ness you'll have 20 bugs to kill in under 18 months. I prefer the gradual approach.

      --
      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    14. Re:OpenBSD is safe? by ForsakenRegex · · Score: 2, Informative

      I'd love to use OpenBSD. I've wanted to use it for years, but all my servers that mean anything to me are multi-processor boxes and the last time I checked OpenBSD still didn't support SMP.

      I didn't run out and check before writing this, so I apologize if things have changed since the last time I looked into OpenBSD.

      --
      "A man talking sense to himself is no madder than a man talking nonsense not to himself."
    15. Re:OpenBSD is safe? by Simon+Lyngshede · · Score: 5, Insightful

      Now I what read up on TCP/IP and my memory isn't that good, but isn't it the TCP part which a problem, mening that switching to a different IP protocol won't help you at all. IPv6 is as far as I understood it, only adressing, the TCP stuff is the same... maybe not.

    16. Re:OpenBSD is safe? by rbgaynor · · Score: 4, Funny

      ...in my basement...

      err um, don't you mean your parent's basement :)

      --
      "Good things don't end with eum, they end with mania or teria." - H. Simpson
    17. Re:OpenBSD is safe? by iabervon · · Score: 2, Insightful

      More likely they want to make sure they're understanding the issue correctly and write up a good explanation.

    18. Re:OpenBSD is safe? by Have+Blue · · Score: 3, Funny

      You just wait until the stock market is driven crazy by all those dotlocals with impossible business plans.

    19. Re:OpenBSD is safe? by JPriest · · Score: 5, Interesting

      As a side note, all the major sites with several BGP peering points have recently started using MD5 authentication. We have been updating all of our peering sessions over the last week or so.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
    20. Re:OpenBSD is safe? by netwiz · · Score: 3, Informative

      Or it might be that you just read the article, and more or less parroted what a more experienced individual said. Especialy given that anyone who deals w/ BGP on a regular basis knows (or better know) how to secure peering links against this kind of vulnerability.

      It's actually quite trivial to do. ebgp-multihop and using the remote host loopback address as the neighbor IP, along with a few small architectural configuration tricks are all that's needed to completely prevent this kind of attack, or, at the very least, minimize it significantly.

      Are _you_ going to scan, not only the entire range of source ports, but all those ports times the entire RFC1918 address space? Good luck killing my systems, buddy, 'cause that's what you're in for.

      Oh, even with the large window sizes, once you've found all the above, you've still got to find my sequence numbers.

    21. Re:OpenBSD is safe? by photon317 · · Score: 2, Informative


      What it means is that OpenBSD's tcp stack by default has some of the neccesary protections to slow down or stop this attack, like randomized source ports, randomized TCP ISNs, etc.

      --
      11*43+456^2
    22. Re:OpenBSD is safe? by lcde · · Score: 4, Informative

      Theo Wrote:
      Let me be more clear.

      This entire thing is being "sold" as `cross-vendor problem'. Sure.
      Some vendors have a few small issues to solve in this area. Minor
      issues. For us, those issues are 1/50000 smaller than they are for
      other vendors. Post-3.5, we have fixes which make the problem even
      smaller.

      But one vendor -- Cisco -- has an *UTTERLY GIGANTIC HUGE* issue in
      this regard, and as you can see, they have not yet made an
      announcement see..

      You are being told "lots of people have a problem". By not seperating
      out the various problems combined in their notice, or the impact of
      those problems, you are not being told the whole truth.


      More Theo:
      OpenBSD (and I am sure other systems too) have for some time contained
      partial countermeasures against these things.

      OpenBSD has one other thing. The target port numbers have been random
      for quite some time. Instead of the Unix/Windows way of
      1024,1025,1026,... adding 1 to the port number each time a new local
      socket is established... we have been doing random for quite some
      time. That means a random selection between 1024 and 49151. This
      makes both these attacks 48,000 times harder; unless you already know
      the remote port number in question, you must now send 48,000 more
      packets to effect a change.

      At least one other free operating system incorporated our random port
      selection code today..

      We've made a few post-3.5 changes of our own, since we are
      uncomfortable with the ACK-storm potention of the solutions being
      proposed by the UK and Cisco people; in-the window SYN or RST's cause
      ACK replies which are rate limited.

      At least one other free operating system today incorporated the same
      changes......


      --
      :%s/teh/the/g
    23. Re:OpenBSD is safe? by illumin8 · · Score: 2, Insightful

      Yeah. The biggest problem here is the ease with which one could DoS the BGP-4 protocol.

      Actually, if any backbone providers are getting a BGP feed and not doing any type of ingress/egress filtering they are asshats and deserve to be knocked offline, if only so that their Cisco engineers can be fired and they can get some compentent help to fix the problem.

      Really, this issue is not going to take the internet backbone down. Most of the major backbone providers are smart enough to know that you don't just accept BGP traffic on any interface that claims to be from the IP address of your peer.

      --
      "When the president does it, that means it's not illegal." - Richard M. Nixon
    24. Re:OpenBSD is safe? by g-san · · Score: 2, Insightful

      one part of the problem is looking glass sites. they are great for admins, but they do tend to leak out some information that could be used to do just this sort of attack. go check these sites and look at the 'bgp summary' pages and you will see the source and destination IP pairs for the peering sessions. no source or destination tcp ports, but you know one is 179. That's still alot of combinations to try but NetSky-AJ.bis could have a field day with this type of DDoS. If the viruses have room for messages in 6 languages, you can bet they can store plenty of 4 byte IP addresses to lauch this kind of attack. You know how long it takes to flush 125k+ routes and reload them? Propagating all those updates to other peers would quickly make things worse, and dampening would exacerbate things further.

      better double check those ingress and egress filters. :)

    25. Re:OpenBSD is safe? by Silvers · · Score: 3, Informative

      If you are using MD5 encryption that is built into BGP4 that won't help you. That merely will stop route poisoning and such. As long as your underlying TCP/IP implementation isn't authenticating source/destination you can still get hosed.

    26. Re:OpenBSD is safe? by Anonymous Coward · · Score: 2, Informative

      The fact is, with IPv6 you can prevent man in the middle attacks like using encryption. Since the communication will be encrypted and both ends authenticated, any packet from a third party will simply be dropped by the IPv6 stack and won't even reach the TCP layer.

    27. Re:OpenBSD is safe? by fox8118 · · Score: 2, Informative

      Correct me if I am wrong, but Cisco posted the security advisories with some fixes on this subject.

      http://www.cisco.com/warp/public/707/cisco-sa-2004 0420-tcp-ios.shtml

      and

      http://www.cisco.com/en/US/products/products_secur ity_advisory09186a008021ba2f.shtml

    28. Re:OpenBSD is safe? by Eivind · · Score: 2, Interesting
      Sure. But randomized source-port only helps when BSD is the client, makes no difference at all when BSD is the server as is much (as in orders of magnitude) more common. (because most services run on, and must run on, well-published ports)

      So, those 20 people who use bsd as a network *client* are somewhat less likely to have their tcp-connections successfully attacked as those who use predictable source-ports. (still not 48000 times safer as Theo writes, predictable does not typically equate "100% guessable with 1 try")

      This "vulnerability" is kinda lame really. Previously, people who didn't think about it very much, assumed that since to reset a TCP-connection you need to guess the sequence-number, the chance of successfully doing so would be no higher than 1 in 2^32.

      This "vulnerability" only points out that infact tcp-implementations will accept as valid any sequence-number between $CURRENT and $CURRENT+$WINDOW_SIZE.

      So, instead of needing to try 2^32 times, you need "only" to try (2^32)/$WINDOW_SIZE times. Still fairly hard under typical conditions.

      Window-size is however typically proportional to bandwith and inversely proportional to delay, so it'll be easiest to exploit on a tcp-connection that has high bandwith, and high ping-times. For example any connection that goes over satelite. (those of you that knee-jerk and think that high bandwith and high ping can't coexist should go reread first-year networking-curriculum.)

    29. Re:OpenBSD is safe? by moron+brother · · Score: 2, Informative

      Hold on a second. TCP is not a routing protocol! It is a supplement to routing protocols, such as BGP. I think what you meant was IPv4 and IPv6...right? well those are considerably different than TCP. IP is layer 3. That is, IP works in concert with TCP, but has nothing to do with sequence numbering and handshaking, which this vulnerability found. Implementation of IPv6 will do little against a vulnerability in TCP, since IP deals with end-to-end addressing. It's just switch from 32-bit to 128-bit addressing. I can get the IPv6 address, guess the appropriate sequence number, jump into that particular stream, and get connected just as usual. Trying to carry out this exploit tomorrow in the lab will be tons of fun. Cisco routers running BGP are fun to exploit..

    30. Re:OpenBSD is safe? by psmears · · Score: 2, Informative
      Not true - the MD5 authentication in BGP4 makes use of a little-known TCP option to add an MD5 signature to each TCP packet (see RFC2385) - so the protection is at the TCP layer, and configuring MD5 auth for BGP will help :-)

      (In fact, as far as I know, the MD5 option was added to TCP specifically to get round this vulnerability in BGP!)

      Patrick

    31. Re:OpenBSD is safe? by psmears · · Score: 2, Informative
      I'm not sure how many do - this option isn't used for anything other than BGP, as far as I know, so TCP implementations on routers will tend to have it, but others don't...

      This feature is not very easy to use - both ends of the TCP connection need to know (and configure) a shared secret; this is the major reason why a lot of ISPs haven't set this up already - the router configuration is fairly trivial, what's complicated is co-ordinating with all the ISPs you peer with and arranging a different shared secret with each one (and then getting them to configure the option at exactly the same time that you do!)

  2. Best security advice... by Anonymous Coward · · Score: 4, Funny

    Just unplug your PC from the internet and wash your hands of it.. the whole thing feels holier than swiss cheese :(

    1. Re:Best security advice... by kasperd · · Score: 5, Funny

      Just unplug your PC from the internet

      How would that keep you safe from DoS attacks?

      --

      Do you care about the security of your wireless mouse?
    2. Re:Best security advice... by prescot6 · · Score: 3, Funny

      >> Just unplug your PC from the internet

      > umm no connections = No service, therefore sucessful DoS

      - You're fired!
      - Fired?! You can't fire me, I quit!

    3. Re:Best security advice... by nate1138 · · Score: 4, Funny

      Why would anyone put a computer running DOS on the internet in the first place?

      --
      Where's my lobbyist? Right here.
  3. He plans to show the exploit this Thursday! by Novanix · · Score: 5, Interesting

    This kind man responsible for finding this vulnerability is going to present this exploit at the security conference in Vancouver this Thursday. He then predicts "hackers will understand how to begin launching attacks 'within five minutes of walking out of that meeting.'" The article talks about how the government has been "fortifying" its networks against this, does that means they quickly rewrote the tcp protocol? I would love to know.

    1. Re:He plans to show the exploit this Thursday! by somethinghollow · · Score: 3, Interesting

      Maybe the speed at which TCP was written is the problem. If they re-wrote it, I hope they did a slow re-write, because we will need the patches.

      Really, I think the problem is that the flaw affected /some routers/ whose implementation of the TCP stack was flawed. That is what I gathered, anyway. If this is so, they just need to find non-flawed software.

    2. Re:He plans to show the exploit this Thursday! by CyberBill · · Score: 4, Insightful

      No, its not a problem that is software-specific. They are utilizing a 'flaw' in the design of TCP by spoofing the sender's IP address and port, *AND* guessing the recvwindow number!!

      The reason it only affects long-term connections is because it takes awhile to probe for the magic number to reset the connection, and ALL this does is reset the connection, nothing more.

      This whole thing is retarded, if you know enough about TCP this exploit was already on your mind and forgotten because its stupid. :P

      -Bill

      --
      -Bill
    3. Re:He plans to show the exploit this Thursday! by Jaywalk · · Score: 4, Informative
      The article talks about how the government has been "fortifying" its networks against this, does that means they quickly rewrote the tcp protocol?
      Nothing so drastic. Go back to the article and reread it, especially the "Mitigation" section. You will find:
      • It mainly affects the Border Gateway Protocol (BGP) that occurs at a high level in the net. Few computers are involved.
      • The issue was first publicized about a month ago at CanSecWest, so those in the know have had a month to work on this.
      • The steps to mitigate the problem are a matter of tweaking settings (like window size) or setting up protocols (like encryption). This is not a matter of rewriting the entire protocol.
      The article is interesting in that it shows how the bits and pieces of the Internet fit together, but I won't be losing any sleep over this one.
      --
      ===== Murphy's Law is recursive. =====
    4. Re:He plans to show the exploit this Thursday! by deman1985 · · Score: 4, Interesting

      From what I gathered in the two links and also my knowledge of TCP/IP, it would not necessarily require a flawed implementation of the stack in order to be vulnerable to attacks of these sort. In fact, it is the routers and/or software which doesn't implement the stack according to spec which are less likely to be affected.

      In the mean time, there are a few workarounds which can be put in place, such as IPSec, and options which can be changed to reduce the liklihood of an attack, such as the window size. The smaller it is, the harder it is to guess a sequence number in the range quickly.

    5. Re:He plans to show the exploit this Thursday! by CyberBill · · Score: 2, Insightful

      The recv window is an int. Thats 2^32. The window size is unknown, but you can guess that its say... 65k, thats pretty big. Even at that rate, youd have to go:

      for(int i=0; i<0xFFFFFFFF; i+=0xFFFF )
      {
      //Test vulnerability with *this* number..
      }

      This doesnt seem too bad, this is only 65,000 guesses, but you have to keep in mind that the window is moving the whole time, so you might accidentally skip over it, or if your not going fast enough, never reach it! (And, 65k is a pretty damned big window, I havnt tested any long term connections, but chances are it wont get this big).

      -Bill

      --
      -Bill
    6. Re:He plans to show the exploit this Thursday! by Short+Circuit · · Score: 2, Insightful

      So I expect you'll see a distributed effort, using viruses. (shudder)

    7. Re:He plans to show the exploit this Thursday! by danimal · · Score: 2, Informative

      dude, CanSecWest doesn't start until tomorrow. a month my butt. :P

  4. I'm sure this... by darth_MALL · · Score: 3, Funny

    ...will turn out to be nothi* [Carrier Lost]

  5. Good by rokzy · · Score: 4, Funny

    let's all just start again

    TCP2
    SMTP2
    POP32 ...

    1. Re:Good by beh · · Score: 2, Interesting


      Might this be THE final topic to bring IPv6 to a wider attention?

      I'd hope so... ;-)

    2. Re:Good by adam+mcmaster · · Score: 5, Insightful

      I'm no expert, but wouldn't a security problem with TCP be completely unrelated to IP?

    3. Re:Good by robslimo · · Score: 5, Insightful

      I don't think so.

      Looks like the weakest point for net-wide effects in routers implementing BGP. A concerted attack could tie up critical routers rebuilding routes after losing connection to their peers. Since this could be globally critical, I suspect the major hardware vendors and service providers will be jumping through hoops to get the fix in before some blackhats get coordinated with an exploit. There would still be weaknesses, but IPv6 will get to sit idle a bit longer.

    4. Re:Good by frenetic3 · · Score: 5, Informative

      As frightening as this "vulnerability" sounds, this is nothing really new; other TCP weaknesses are syn floods (not quite the same thing, but somewhat similar -- in fact, this vulnerability might as well be called a "RST flood"), connection hijacking (by sniffing packets and sending spoofed packets with the correct sequence numbers), and so on. It's also an implementation issue that is largely caused by implementations having loose checking of TCP sequence and ack numbers, or accepting too large of a window of sequence numbers.

      I wouldn't say TCP is broken or that some other solution would be much better; it would be tough to design a transport protocol that is still simple (and doesnt use CPU burning hashing/encryption techniques) that wouldn't have these sorts of vulnerabilities (especially since it's so easy to spoof IP packets); calling this vulnerability severe is like screaming that highways are fundamentally unsafe because someone could point their car the wrong way and start smashing into oncoming traffic.

      -fren

      --
      "Where are we going, and why am I in this handbasket?"
    5. Re:Good by Anonymous Coward · · Score: 2, Informative

      No. IPSEC is mandatory in IPv6: IPSEC is one of the three mitigations listed.

    6. Re:Good by cynical+kane · · Score: 3, Funny

      Better yet, why not leave obsolete technology behind and move to POP64?

      (har har)

    7. Re:Good by silas_moeckel · · Score: 4, Informative

      LOL OK I happen to setup BGP router as part of my living so I might be able to shed some light on the subject. Standard security settings allready in place will stop this attack. OK Lets go for starters, BGP packets unless multihop should have a TTL of exactly 1 and come through a point to point interface. Basic anti-spoofing on each side will stop any packets that cleam to be from the other end of that interface from comming in any other interface same for any packets with the routers own address from comming in any interface. Thats basic router security. BGP does support preshared keys as well though I'm not sure if that will stop this attack as it's more to prevent session hijacking. I dont see a 'fix' for this comming out besides normal security settings.

      This exploit along with many others could be made significatly harder to do if more ISP would just turn on anti spoofing rules. I cant think of a router that dosent support at least manual anti spoofing setups. The only time antispoofing might be a problem would be people that are utilizing multiple connections and trying to agrigate them together for outgoing bandwith.

      --
      No sir I dont like it.
    8. Re:Good by jonadab · · Score: 2, Informative

      > I'm no expert, but wouldn't a security problem with TCP be completely
      > unrelated to IP?

      The problem stems from the fact that certain TCP state is too easy to guess,
      at least partly because TCP stuff is transmitted in the clear over IP. If
      you encrypt the traffic at the network (IP) layer, it will help a great deal.
      (No, I don't know whether IPv6 does this inherently, though of course it could
      be done with IPv6 just as easily as with IP.)

      --
      Cut that out, or I will ship you to Norilsk in a box.
    9. Re:Good by TwistedSpring · · Score: 4, Insightful
      other TCP weaknesses are syn floods (not quite the same thing, but somewhat similar -- in fact, this vulnerability might as well be called a "RST flood"),
      1. We know what the other TCP vulerabilities were. Anyone who's still susceptible to them is a lunatic.
      2. This is not at all the same thing and in no way similar other than the fact "it uses TCP".
      3. This vulnerability should not be called an RST flood. That would confuse it with a SYN flood which works totally differently and is much simpler. This should be called a broken window attack or something.

      I wouldn't say TCP is broken
      After noting all the other kinds of irrelevant TCP attack and reading up on this rather serious one, you wouldn't say it was broken? Could it be that, like everyone else including me, you never realised it was broken because you never looked close enough?
      it would be tough to design a transport protocol that is still simple (and doesnt use CPU burning hashing/encryption techniques) that wouldn't have these sorts of vulnerabilities
      It's called IPSEC, it's secure on the IP level up so TCP is encrypted over it. The simpler way to increase security would be to maintain current window size but increase the sequence number field to 64 bits wide. This would make it nigh-impossible to find where the window is sitting.
      calling this vulnerability severe is like screaming that highways are fundamentally unsafe because someone could point their car the wrong way and start smashing into oncoming traffic
      Highways are fundamentally unsafe. They're full of retarded people shunting 3 ton hunks of metal around at speeds they're not comfortable with. But your point is void because people would not do that as they'd die as a result and kill a lot of people. I don't think a kid doing a TCP RST attack really needs to be that dedicated, and this could cost businesses millions of dollars if they don't wise up to it sharpish. Most people who'd took even a short course in networking would be wise to it already.

      The best defence against this? Simply check for a stream of RST packets. They dont come in huge bundles with incrementing sequence numbers often. Detect that signature, block IP, sorted.
    10. Re:Good by IKEA-Boy · · Score: 2, Interesting

      Lets go for starters, BGP packets unless multihop should have a TTL of exactly 1 and come through a point to point interface.

      First of all, it's trivial to deliver a packet to a certain host on the Internet so that the TTL on the packet is exactly 1 (just do a traceroute and send out the packet with a TTL to match the number of hops). Second, I would say that many important BGP sessions are NOT accross point to point links, they are over Gigabit Ethernet at IXP's.

      Basic anti-spoofing on each side will stop any packets that cleam to be from the other end of that interface from comming in any other interface

      Please explain to me how you would do this on a Cisco 12000 with Engine 0 or 1 linecards and still maintain line rate. In fact, please explain to me how this can be done on any Cisco at all. (URPF doesn't protect against this.)

      BGP does support preshared keys as well though I'm not sure if that will stop this attack as it's more to prevent session hijacking. I dont see a 'fix' for this comming out besides normal security settings.

      I'm not sure either. I'm aware of the enormous BGP MD5 authentication setup rage that has been going on over the past week and while I think this is a good effort I'm not entirely sure if it will protect against the RST attack. BGP lies on top of TCP so if you are able to kill the underlying TCP session I don't think MD5 authentication protects against this. Anyone care to enlighten me?

      The best thing I can think of so far is tweaking windows sizes etc. and do ingress filtering on your network where possible.

    11. Re:Good by InvisibleCraterFunk · · Score: 2, Informative

      "BGP lies on top of TCP so if you are able to kill the underlying TCP session I don't think MD5 authentication protects against this. Anyone care to enlighten me?"

      The MD5 protection happens at the TCP layer. Each TCP segment is verified. TCP MD5 could be used for other things than BGP. So yes, TCP MD5 would mitigate the attack sufficiently for now.

    12. Re:Good by IndigoDarkwolf · · Score: 2, Insightful
      Well, no black hat worth their bits would send a sequence of RST packets with incremental sequence number. You don't know what the window is, so you're better off choosing an offset tailored to how long how plan to sit there guessing. Even then, it doesn't take much effort for a computer to randomize the sequence of, say, 400,000 such numbers and then send them out in this nigh-random order, and you've just gotten around the overly-complicated detection hueristic.

      So the routers are now supposed to deny access based on a send history? It would be easier, cheaper, and more reliable to just turn on the fisking anti-spoof stuffs at the ISP level. An ISP knows what IPs it has. Anything coming from inside their network claiming an IP from outside their network is trivially detected and should be just as trivially discarded.

  6. OSVDB by plcurechax · · Score: 4, Informative

    http://www.osvdb.org/displayvuln.php?osvdb_id=4030

    TCP Reset Spoofing

    OSVDB ID: 4030
    Rating: TBD
    Disclosure Date: Apr 20, 2004

    Description:

    The TCP stack implementation of numerous vendors contains a flaw that may allow a remote denial of service. The issue is triggered when spoofed TCP Reset packets are received by the targeted TCP stack, and will result in loss of availability for the the attacked TCP services. ...

    1. Re:OSVDB by -tji · · Score: 4, Insightful

      So, it's simply another type of denial of service. A TCP Reset packet can be faked, which will result in a legitimate open TCP connection being closed by a third party.

      It also assumes a few of things.. You would need to be in the network route, or have some other means of establishing the sequence numbers for the connection. You would also need to be in a network that does not filter out improper source addresses (which some networks do.. but more should do) to allow your spoofed packet to get through.

      So, the problem boils down to a low bandwidth method to DoS TCP connections. It does not give a method to hijack the connections, or otherwise gain access to data.

      Anyway.. Clear IP connections are very open, and completely based on trust. Any sensitive communication should be tunneled inside a VPN, where it would not be vulnerable to this type of attack. (A real IPSec tunnel would not be vulnerable - as it does not use TCP. "SSL VPNs" use TCP as a transport, so they might be open to DoS.. Stick with the security of IPSec for best results.

  7. That's it! by Anonymous Coward · · Score: 5, Funny

    I'm removing support for TCP right now. Give me UDP or give me death!

    1. Re:That's it! by dasmegabyte · · Score: 4, Funny

      And what's ICMP, chopped liver?

      I want a new internet based on morse code ping responses... 10 ms for a dah.

      --
      Hey freaks: now you're ju
    2. Re:That's it! by openmtl · · Score: 2, Funny
      Sh*t man - screw UDP - I'm going real covert using ICMP. I'll use Perl to chop up streams into ICMP echo with added SHA-2 check-sums.

      THEN I'll know my data got to the other side !.

      --

    3. Re:That's it! by discogravy · · Score: 4, Funny

      i think he meant ICMP when he said "...or give me death".

    4. Re:That's it! by Quixadhal · · Score: 5, Funny

      Connected to Internet

      OSVDB ID: 4030
      Rating: TBD
      Disclosure Date: Apr 20, 2004

      Description:

      The Internet has been determined to be full of evil hax0rz. Any computers connected to the Internet are deemed vulnerable to this exploit.

      Solution:

      Unplug cable, power down WAP, close bomb shelter doors.

    5. Re:That's it! by Rick.C · · Score: 2, Funny
      Give me UDP or give me death!

      Considering the fact that UDP is also the acronymn for Usenet Death Penalty, it doesn't seem like the choices are all that different.

      Freewill? Riiiiiight.
      --
      You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
      "Math in a song is good."-Linford
    6. Re:That's it! by Chris+Mattern · · Score: 2, Funny

      Then he should have said "...or give me TTL 0."

      Chris Mattern

  8. oops? by Tebriel · · Score: 5, Funny

    Looks like someone left ISEXPLOITABLEFLAG = TRUE in the code.

    --
    The Blaster Master Fighting for Truth, Justice, and Evil Pie since 1979
  9. No problem by niom · · Score: 4, Funny

    I'll just switch to UDP.

    --
    -- Repeat with me: "There is no right to profits".
    1. Re:No problem by TheTomcat · · Score: 5, Funny

      more like:
      UDP just I. switch ll'll to I just

      S

  10. Implementation issue by JohnGrahamCumming · · Score: 5, Informative
    Neither of the linked articles helps understand the issue but this one does,
    Furthermore, RFC-793 allows a TCP implementation to verify both sequence and acknowledgement numbers prior to accepting a RST control flag as valid. No TCP stack implemention tested currently implements checking of both sequence and acknowledgement. All tested TCP stacks currently verify only the sequence number. This allows connections to be reset with dramatically less effort than previously believed.
    Hence this is an implementation issue that can be patched in TCP stacks.

    Move along, little to see here.

    John.

    1. Re:Implementation issue by Anonymous Coward · · Score: 2, Insightful

      Move along, little to see here.

      the chance of causing arbitrary BGP route flaps went from 1:2^32 to 1:2^2 and you say there is nothing to see here?

      you must be a windoze user if this doesn't faze you.

    2. Re:Implementation issue by Geoff-with-a-G · · Score: 2, Insightful

      Hence this is an implementation issue that can be patched in TCP stacks.

      Ohhhhhh, all we have to do is upgrade the code in all BGP routers and major webservers on the entire internet! Do they have "Windows Update" for Cisco IOS yet?

      Seriously though, it would help to have a list of specific implementations which use the large window.


  11. Work by somethinghollow · · Score: 5, Funny

    As a web designer, taking advantage of this could get me off work faster than a snow storm. I don't know if I'm afraid or enthused. ;)

  12. The time has come by MrRuslan · · Score: 5, Funny

    to switch over to IPX

  13. The Real Question is: by negacao · · Score: 2, Funny

    How can we blame this on Microsoft?

    pssst, hey mods - it's a joke....

  14. Re:Mostly Related to BGP? by Zondar · · Score: 4, Informative

    Yep, that's the issue. I submitted too, but :(.

    Anyway, the way I read it you basically run the TCP attack against a BGP peering router, causing it to drop one or more of it's peering relationships. Do that enough and you can cause the routes being advertised by that router (and also TO that router from the peering connections you're breaking) to be 'dampened' - a protective mechanism in BGP to prevent a flapping route from making all the peers recalculate their routes nonstop.

    It's kind of like one peer putting the other one's routes in "time-out" until he plays nice.

  15. what about slow start? by hatrisc · · Score: 3, Interesting

    you can exploit slow start too. was published last year for some conference. The paper is called "The Shrew vs. the Mice and the Elephants" and is by Aleksandar Kuzmanovic and Edward W. Knightly

    --
    I write code.
  16. Warning! by Disconnect · · Score: 5, Funny

    Your computer is broadcasting an IP address!

    Seriously though, it doesn't look all that bad. (Nor does it look all that hard to do, but still..)

    --
    www.gotontheinter.net
    Updated vaguely once a whenever, maybe once a whenever-and-a-half.
  17. I, for one... by Hagakure · · Score: 2, Funny

    I, for one, welcome our new.. uh.. TCP exploiting overlords?

    --


    If this is Heaven I'm bailin out! I cant tolerate this ol tin-tub, so fulla trash and rats...
  18. Re:Scene from Ghostbusters by Galapas · · Score: 3, Funny

    Winston Zeddemore: Tell him about the Twinky.

    -G

  19. Impact moderate for users, serious for providers by forged · · Score: 5, Informative
    The exploit apparently allows an attacker to disconnect TCP sessions, so really home users won't have much to fear except perhaps to get more trouble connecting to their various sites than usual, and that is in case they would be under active attack.

    Service providers on the other hands, must protect their routers because the BGP protocol used to distribute Internet routes between them, massively uses TCP. And when routes go missing, it is hundreds if not thousands of routes to your favourite places that go unreacheable.

    The problem in the case of BGP is made worse by dampening, i.e. keeping the flapping routes out of the routing table for a certain amount of time (up to several hours). BGP routes dampening is not always configured. A determined attacker with this knowlege would be able to knock large portions of the Internet offline for hours.

  20. BGP vulnerable by Anonymous Coward · · Score: 5, Informative

    I happen to work for a large, nationwide backbone. We've known about this for about a week now. BGP, configured without an MD5 key (as is usually the case) is extremely vulnerable to this exploit. This is the reason for the top-secret effort in the past week to MD5 all peering sessions, both internal and external on most major networks worldwide. Without this, it's trivial to exploit, in fact we already have source code provided by the NCISS. Input a few IPs and BGP's TCP port number, and wham you take down a peering session. For those that don't understand what this means, prior to the security changes that have been implemented in the last week, the global internet was largely susceptible to this flaw in such a way that major portions could have been taken offline easily. A priority was put on this within the intra-NOC communications channels that exist that has never been seen before to lock this down before the public knew about it. We were embargoed by DHS to not release the information until tomorrow.

    1. Re:BGP vulnerable by MyHair · · Score: 4, Funny

      We were embargoed by DHS to not release the information until tomorrow.

      And if anybody could determine the identity of an Anonymous Coward, it certainly wouldn't be an inside group of hardened NOC geeks.

      Oh wait...

      Good info, though. Thanks.

    2. Re:BGP vulnerable by mwood · · Score: 4, Insightful

      What I find most worrisome is this:

      "BGP, configured without an MD5 key (as is usually the case)...."

      So, critical infrastructure, worthy of "a priority...that has never been seen before", is routinely run unsecured? *shivers*

    3. Re:BGP vulnerable by Anonymous Coward · · Score: 2, Interesting

      Until this week, yes. Of the ~250 peering sessions we have, there were 20 that had MD5 keys on them. This was the generally accepted practice until last week.

    4. Re:BGP vulnerable by NilsK · · Score: 2, Interesting

      Okay I do not know much about BGP, but the MD5 on the peering session is happening within the BGP, right? How does that make the underlying TCP connection more stable or less vulnerable to this attack? Maybe I am wrong about the design of IP-layers, but changing the upper layer should not fix the lower one ... And attacking the lower one will affect all higher ones. Or does BGP with MD5 checksums no longer require a persistant TCP connection?

      Either I have a stupid day or I do not understand the benefit of putting MD5 into BGP.

      To make an end user example: If I have a very long POP3 session (because somebody zipped the google cache and sent it by mail) I would be vulnerable, because this long lasting session could be attacked. Then I loose the session and have to establish a new one. Building a checksum into POP3 won't change much about that.

      Nils

    5. Re:BGP vulnerable by elvey · · Score: 3, Informative

      Your'e lazy, not stupid.
      It's not MD5 applied higer up in the OSi stack thant TCP, it's a modification to TCP itself that uses MD5: http://www.ietf.org/rfc/rfc2385.txt
      Briefly, here's what the sender does: take the usual IP packet, add a secret key, and a checksum of the above, and send that. It's amazing that an electronic Pearl Harbor hasn't happened yet.

      --
      Make 'em pay! http://Payola.org #include "stddisclaimer
  21. Empherial source ports by plcurechax · · Score: 3, Informative

    Funny, but it seems that empherial source ports for a TCP connection may be more secure in this case, since it increases the space that the attacker has to guess within.

    Of course it is a pure "D'oh" that large TCP windows increase exposure to the older known weakness of TCP RST attacks (Steve Bellovin, wrote a paper on it in 1989).

  22. Known issue by httptech · · Score: 5, Informative
    Apparently this has been known about for a while. Here's an excerpt from an IETF draft on BGP vulnerabilities from June 2003. Section 3.2.1.4 specifically mentions the attack described by Watson: From http://mirrors.sunsite.dk/drafts/draft-ietf-idr-bg p-vuln-00.txt

    3.2.1.4. TCP RST/FIN/FIN-ACK

    Event 18: If an attacker were able to spoof a RST, the BGP speaker would
    bring down the connection, release all associated BGP resources, delete
    all associated routes and run its decision process. If an attacker were
    able to spoof a FIN, then data could still be transmitted, but any
    attempt to receive would receive a notification that the connection is
    closing. In most cases, this results in the connection being placed in
    an Idle state, but if the connection is in the OpenSent state at the
    time, the connection returns to an Active state. Spoofing a RST in this
    situation requires an attacker to guess a sequence number that is in the
    proper half of the sending window, generally an easier task than
    guessing the exact sequence number so as to spoof a FIN. The use of [5]
    will counter this attack.
    1. Re:Known issue by Mysticode · · Score: 3, Informative

      The article doesn't say that Watson discovered the vulnerability but that he discovered a way that it could easily be taken advantage of. With 2^32 different sequence numbers it would take a while to try and find one within the window if the window is small enough however Watson has apparently found a way to guess a valid sequence number if as little as four tries. That's the issue here. Previously although it was technically possible, it wasn't a real concern because of the difficulty with guessing a valid sequence number.

  23. Re:Mostly Related to BGP? by LostCluster · · Score: 4, Insightful

    Well, that means our home PCs aren't likely to get exploited by this. However, if our ISP's router gets exploited, we're knocked offline and our PC isn't as useful as it used to be.

    The threat here is a DOS aimed at a few things that we don't want to see go down.

  24. Joe User might not notice by Percent+Man · · Score: 3, Insightful

    ... since TFA goes on to say the vulnerability explicitly affects "long-lived" TCP connections, not the POP3 / HTTP / SMTP that Joe User relies on. However, for businesses and security wonks this is a potentially big deal.

  25. No problem... by dark-br · · Score: 4, Funny

    i'm posting this over NetBEUI Protocol ;)

    *sight*

  26. RFC3360 by RAMMS+EIN · · Score: 4, Informative

    For more information about what TCP resets are and why they can be harmful, see RFC3360.

    --
    Please correct me if I got my facts wrong.
  27. Re:Mostly Related to BGP? by sgifford · · Score: 2, Informative

    While you may not use BGP directly, your ISP almost certainly does, and probably their ISP too. It's also used in the Internet core for communication between ISPs. The reason a problem with BGP is a big deal is that it can drastically affect entire ISPs, essentially knocking them offline until their routers are upgraded.

  28. Here is what to do... by GPLDAN · · Score: 5, Informative

    The article is being presented at CanSecWest, and is called "Slipping in the Window" by Paul A. Watson. I have two friends at CanSecWest, I've asked them to attend and report back what the feeling is.

    NANOG members are talking about it, and several regional Tier-1 players have already issued customer notifications.

    This exploit goes up against TCP connections that have been established for long periods of time. i.e. not web connections. The most prevalent would be BGP peer connections, which can be up for days on end easily. Without having read details, or the paper itself, by forging packets of BGP peers with adjusted window sizes, you can cause a router to reset (possibly hang, depending on IOS or JunoOS version, not sure about this) it's BGP peer connection. If you were doing eBGP and had your own AS, a directed attack against your gateway routers could force flapping, which would cause route dampening, and lead to denial of service.

    What you need to do, is contact your ISP if you are an enterprise network admin, and establish MD5 authentication on your BGP sessions. Check with Cisco or Juniper and find out if your code will drop non-MD5 BGP packets directed at it. An ACL won't do, the attacker would forge the src-ip of a known peer.

    This is a completely non-trivial attack to coordinate. You need to know the IP address of the BGP peer of a customer, or the route reflector, and then get the IP address right in an attempt to bypass ACLs and get the BGP session to hang. eBGP multihop means that IP could be any number of routers, and unless you have inside info, you don't know what it is.

    Potentially, looking glasses could be used to mount attacks at NAPs or other peering points, but again, I think the major players will be ready for it very shortly, and will spend most of today (if they are any good) coordinating with legal teams to slam the shit out of any forged sessions they see, and start cooperating to run traces with other providers.

    If I could editorialize one moment, none of this would be an issue if providers took better care to implement anti-spoofing techniques. Forged src-ip addresses are the bane of security. Most of these attacks don't care about 2-way communcations, they just want to reset connections. Spoofed src-ip lets them do that. Rant off.

  29. Re:More FUD? by MachineShedFred · · Score: 2, Funny

    O.k so how will this affect anyone other than major ISP's that can really do anything about it?

    So I guess it wouldn't affect anyone at all if it a couple backbones that depend on BGP to get packets from point A to point B just dropped off the Internet.

    Nope, that won't affect anyone at all.

    --
    Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
  30. Slashdotted by MrRuslan · · Score: 2, Informative

    What is Affected? The vulnerability described in this advisory affects implementations of the Transmission Control Protocol (TCP) that comply with the Internet Engineering Task Force's (IETF's) Requests For Comments (RFCs) for TCP, including RFC 793, the original specification, and RFC 1323, TCP Extensions for High Performance. TCP is a core network protocol used in the majority of networked computer systems today. Many vendors include support for this protocol in their products and may be impacted to varying degrees. Furthermore any network service or application that relies on a TCP connection will also be impacted, the severity depending primarily on the duration of the TCP session. Severity The impact of this vulnerability varies by vendor and application, but in some deployment scenarios it is rated critical. Please see the vendor section below for further information. Alternatively contact your vendor for product specific information. If exploited, the vulnerability could allow an attacker to create a Denial of Service condition against existing TCP connections, resulting in premature session termination. The resulting session termination will affect the application layer, the nature and severity of the effects being dependent on the application layer protocol. The primary dependency is on the duration of the TCP connection, with a further dependency on knowledge of the network (IP) addresses of the end points of the TCP connection. The Border Gateway Protocol (BGP) is judged to be potentially most affected by this vulnerability. BGP relies on a persistent TCP session between BGP peers. Resetting the connection can result in medium term unavailability due to the need to rebuild routing tables and route flapping. Route flapping may result in route dampening (suppression) if the route flaps occur frequently within a short time interval. The overall impact on BGP is likely to be moderate based on the likelihood of successful attack. If the TCP MD5 Signature Option and anti-spoofing measures are used then the impact will be low as these measures will successfully mitigate the vulnerability. There is a potential impact on other application protocols such as DNS (Domain Name System) and SSL (Secure Sockets Layer) in the case of zone transfers and ecommerce transactions respectively, but the duration of the sessions is relatively short and the sessions can be restarted without medium term unavailability problems. In the case of SSL it may be difficult to guess the source IP address. Data injection may be possible. However, this has not been demonstrated and appears to be problematic. Summary The issue described in this advisory is the practicability of resetting an established TCP connection by sending suitable TCP packets with the RST (Reset) or SYN (Synchronise) flags set. The packets need to have source and destination IP addresses that match the established connection as well as the same source and destination TCP ports. The fact that TCP sessions can be reset by sending suitable RST and SYN packets is a design feature of TCP according to RFC 793, but a reset attack is only possible at all because the source IP address and TCP port can be forged or "spoofed". Although denial of service using crafted TCP packets is a well known weakness of TCP, until recently it was believed that a successful denial of service attack was not achievable in practice. The reason for this is that the receiving TCP implementation checks the sequence number of the RST or SYN packet, which is a 32 bit number, giving a probability of 1/232 of guessing the sequence number correctly (assuming a random distribution). The discoverer of the practicability of the RST attack was Paul A. Watson, who describes his research in his paper "Slipping In The Window: TCP Reset Attacks", presented at the CanSecWest 2004 conference. He noticed that the probability of guessing an acceptable sequence number is much higher than 1/232 because the receiving TCP implementation will accept any sequence number in a certain range (or "window") of the

  31. Oh christ by Hanna's+Goblin+Toys · · Score: 2, Funny

    Spoofed IP addresses? Predictable TCP sequence numbers? Hey, 1998 is calling - they want their security advisory back.

    Oh god, you can spoof a reset into a TCP window. Oh god, some network hardware vendors have large windows and non-pseudorandom TCP sequence number prediction.

    This only becomes a vulnerability when you run an application over TCP that does something catastrophic when it loses a connection. In this case, that would be unsecured BGP (or, if 1998 is calling, unsecured telnet).

    People get paid to write papers about this shit? I need a beer.

  32. OUCH! by Anonymous Coward · · Score: 2, Interesting

    BGB disruption. This is worse than you can even guess. I anticipate this will lead to effective phishing scams, and other things.

    The danger is that by killing off the legiment routes to a host, somebody with a cracked router can then claim to have the legitament route to the host. Which of course, it doesn't. So, quite effective traffic redirection from the internet to a malitious web server.

    1. Re:OUCH! by BusDriver · · Score: 2, Insightful

      I think you're getting a bit over excited.

      If people have cracked routers there's nothing to stop them already from adverting routes to the global routing table, claiming to have better path to "phishing site" than the router currently has for "proper site"

      This exploit isn't a crack. All it means is that the hacker can take down a number of BGP sessions if he so wishes.

      The sky is not falling, most ISPs with any clue have been working on this for the last week already.

  33. Not a Suprise, given that. . . by Prince+Vegeta+SSJ4 · · Score: 2, Funny
    it's a flaw in TCP

    The TCP (The Clippy Program) has grown beyond your control, soon he will spread through this network as he spread through Windows-sock

    Never use naming conventions that resemble anything as insecure as Windows or Clippy for god's sake

  34. BGP is a big deal... by sterno · · Score: 2, Informative

    Ummm... major ISP's. Tell me one person who's not connected to a major ISP in some fasion. If it only effects BGP, it effects all of us.

    --
    This sig has been temporarily disconnected or is no longer in service
  35. yoda? by DamienMcKenna · · Score: 4, Funny

    Is that you master?

    L. Skywalker

  36. Re:It's Al Gore's fault... by hambonewilkins · · Score: 5, Informative
    Vinton Cerf: Good evening, or whatever time zone you are in, hi!! While we're waiting for questions, I'd like to clear up one little item - about the Vice President ... He really does deserve some credit for his early recognition of the importance of the Internet and the technology that makes it work. He was certainly among the first if not the first in Congress to realize how powerful the information revolution would be and both as Senator and Vice President he has been enormously helpful in supporting legislation and programs to help further develop the Internet - for example the Next Generation Internet program. I get to see a lot of this stuff because I am a member of the President's Information Technology Advisory Committee and we regularly review the R&D programs of the US Government and many have relevance to the evolving Internet.

    Real quote.

    --

    God Bless America. Why? Did it sneeze?
  37. Windows also safe by MrHanky · · Score: 5, Funny
    In a press release from Microsoft, Bill Gates states:
    All Windows versions from 3.11 to 2003 are quite safe from this exploit, since Windows also supports the famously reliable NetBEUI protocol. In a proactive measure, Windows update will remove support for TCP/IP and ensure that all updated computers have support for NetBEUI only. NetBEUI will once again rule the earth! Take that, Steve! No, not you, Ballmer, the other Steve. The hippe. Woahahahahahaha!

    In a quickly following press release, Bill Gates adds:
    Woahahahahahaha! Hahahaha! Hahaha! Thank you.
    1. Re:Windows also safe by MrHanky · · Score: 4, Funny

      Ah, come on! I was joking, not trolling for flames. And besides, how the hell was that going to attract flames? If that really was flamebait, it should be modded -1, ineffective.

      (Was it the hippie part? Yeah, sure calling Steve Jobs a hippie is flamebait, but this was also clearly a joke. Some moderators are just in a dire need of a blow job.)

    2. Re:Windows also safe by markan18 · · Score: 5, Funny

      Security Update for Windows XP (KBTCPDRM-666)

      This update addresses the vulnerability addressed in Microsoft Security Bulletin 666. Find out about more recent critical updates in the Overview section.

      File Name:

      WindowsXP-MSTCPDRM-x86-ENU.exe

      Download Size:

      1261 GB

      Date Published:

      4/20/2004

      Version:

      666

      Overview

      This patch fixes criticals security vulnerabilities present in Windows TCP stack.
      This patch also add the new DRM TCP extension.
      When is patch is applied, your computer will connect to drm.microsoft.com prior establishing any other connection to make sure the requested end point is an authorized Microsoft partner. All rogue packets are now rejected and reported by the Windows TCP-DRM firewall (TM).
      This patch also upload the registry key HKEY_LOCAL_MACHINE and all subkeys and values to drm.microsoft.com so we can make sure all software is used according to their end user licence agreements.

      System Requirements

      Supported Operating Systems: Windows XP

      Windows XP Professional
      Windows XP Home Edition

    3. Re:Windows also safe by Mr.+Neutron · · Score: 2, Funny
      NetBEUI will once again rule the earth!

      HA! Not if Novell has anything to say about it! IPX/SPX 4 EVER!!!!

      Oh, wait, Novell doesn't have anything to say about it.

      --
      dinner: it's what's for beer
    4. Re:Windows also safe by Cruciform · · Score: 5, Funny

      Some moderators are just in a dire need of a blow job.

      Nice of you to volunteer, looks like their outlook has improved already :)

    5. Re:Windows also safe by adamofgreyskull · · Score: 3, Funny

      "Some moderators are just in a dire need of a blow job."

      And that should be modded "-1, Redundant" but you don't hear me compl...oh..shit.

    6. Re:Windows also safe by torpor · · Score: 2, Funny

      To which Steve "The good-looking non-monkey-lovin' one" Jobs whined^H^H^H^H^H^Hreplied:

      "Bite my shiny metal iPlatformWar, Miiis-ter Gaaa-tes..."

      --
      ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  38. SCREECH *BAM* *poof* by MachineShedFred · · Score: 4, Funny

    Wow. That uninterrupted block of text hit so hard it set off my browser's airbag!

    --
    Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
  39. Does the affect tcpip/cp? by Craptastic+Weasel · · Score: 5, Funny

    I am a lonely man living on the Galapagos Island. I use TCP/IP over carrier pigeon to communicate with a Nigerian who has promised my great wealth in exchange for securing funds in the First Galapagos Bank, of which I am owner/ceo/clerk, and janitor.

    I suspect someone is interupting my data stream and keeping the replies and account numbers he has been sending me in regards to my money. This vulnerability proves my theory. I am in desperate need!! How can I prevent this!!

    Anyone willing to help I will share my wealth with.

    /obscure humor (Does this make me a Galapagos Spammer?)

  40. More from Theo (was Re:OpenBSD is safe?) by Anonymous Coward · · Score: 4, Insightful
    From: Theo de Raadt <deraadt@cvs.openbsd.org>
    [snip]

    Let me be more clear.

    This entire thing is being "sold" as `cross-vendor problem'. Sure.
    Some vendors have a few small issues to solve in this area. Minor
    issues. For us, those issues are 1/50000 smaller than they are for
    other vendors. Post-3.5, we have fixes which make the problem even
    smaller.

    But one vendor -- Cisco -- has an *UTTERLY GIGANTIC HUGE* issue in
    this regard, and as you can see, they have not yet made an
    announcement see..

    You are being told "lots of people have a problem". By not seperating
    out the various problems combined in their notice, or the impact of
    those problems, you are not being told the whole truth.
    1. Re:More from Theo (was Re:OpenBSD is safe?) by c_ollier · · Score: 5, Funny

      For us, those issues are 1/50000 smaller than they are for other vendors.


      So, they are 50,000 times bigger ?


    2. Re:More from Theo (was Re:OpenBSD is safe?) by Dachannien · · Score: 3, Funny

      >> For us, those issues are 1/50000 smaller than they are for other vendors.

      > So, they are 50,000 times bigger ?

      No, that would be 49999/50000 as big.

  41. Heh I already fixed this. by Anonymous Coward · · Score: 2, Interesting

    At my corporation, they run a product which listens for P2P software like Kazaa and exploits this vulnerability by sending a spoofed RST to shut down the service. I had to patch my TCP stack to check the ACK # in order to keep my FastTrack client leeching porn.

    Sounds like IETF is zeroing in on these guy's business model. Good. The anti-P2P vendors will probably catch up by spoofing both numbers, but they will have to ensure that their RST beats the actual packet there, which is tricky.

  42. What details, the info is already out by Anonymous Coward · · Score: 5, Informative

    The NISCC articles explains things clearly. Nobody needs any more information. Besides, this "new" attack was already known. People just didn't realize how easy it is.

  43. Link to US-CERT TA04-111A by Ascaroth · · Score: 5, Informative

    Here's a link to US-CERT's TA04-111A on this topic.

  44. 3 way wave-goodbye? by Cougem · · Score: 2, Interesting

    Hey, the 3 way handshake works for establishment, and it'd solve this problem if we implemented it for disconnections.

    x wishes to close connection, y checks this by sending random bits and a check request, x sends these bits back to ensure that it really is x wishing to close it, and voila.

  45. Let's get a little acdemic here by costa9 · · Score: 2, Informative
    quote:"TCP also provides a number, called an acknowledgement number, that is used to indicate the sequence number of the next packet expected. The packets are reassembled by the receiving TCP implementation only if their sequence numbers fall within a range of the acknowledgement number (called a "window"). The acknowledgement number is not used in a RST packet because a reset does not expect a packet in return. (To be completely accurate, although the last statement is true for a RST packet without the ACK flag set, used to indicate that a TCP port is closed, a RST/ACK is used to terminate an active connection in the event of error. In a RST/ACK packet an acknowledgement number is included in the packet, although it is not checked by the receiving TCP implementation.)"

    Suppose the TCP Window size is 64K, then the probability of guessing valid ack number is 64K/2^32=1/64K

    It means if I spoof 65536 packets, I'll probably bring down a TCP link, if no router ingress filtering is involved.

    I guess the solution is also simple: for RST packet, restrict the receiving window size to be much smaller. Because larger window size is only for high speed data transfer and we do not restrict common packets, we are fine.

  46. Re:Stupid by bwt · · Score: 3, Informative

    What is new here is that you don't have to know the completely specified sequence number, but only something close enough to fit within a window. This reduces the search space and makes the attack more pragmatic.

  47. Known and Old by spacerog · · Score: 2, Informative
    Not only is this a known issue, as others have posted, it is also rather old. The US Congress was told about this same thing five years ago. This is just a new spin on the same idea. The net hasn't come crashing down in the last five years and I doubt that it will in the next five.

    See here and here.

    - Space Rogue

  48. OpenBSD is safe? by scum-e-bag · · Score: 2, Interesting

    Perhaps this might be a good time to encourage everyone to move over to IPV6.

    --
    Does it go on forever?
  49. Simple BGP solution has been around since 1998 by jroysdon · · Score: 5, Informative

    As they state, there is a simple solution: TCP MD5 Signature Option with BGP. Any ISP worth their salt will already be doing it. The rest will learn the hard way.

    This has been supported in Cisco IOS way back since ~1998 in IOS 11.2 .

    Read the BGP "Bible": Internet Routing Architectures or look at any best-practices guides which will state that TCP MD5 sigs should always be used with BGP.

    Or search CCO:

    router bgp 109
    neighbor 145.2.2.2 password v61ne0qkel33&

    It's just a single line that has to be added to both peer sides.

  50. This is new?? by venom600 · · Score: 2, Insightful

    Maybe I missed something in the advisory, but this sounds like a good old TCP reset attack.....which is neither a new or novel concept. People have been doing this for ages with a sniffer and a packet generator.

    1. Re:This is new?? by Geoff-with-a-G · · Score: 5, Informative

      Maybe I missed something in the advisory, but this sounds like a good old TCP reset attack...

      You did.

      The news here is that you no longer require the sniffer, because you don't have to know the exact sequence number. Now you just have to be kind of close. How close apparently varies in size amongst vendor implementations.


    2. Re:This is new?? by the_quark · · Score: 3, Informative

      I think the point is that it lets you perform this attack without being in the middle with a sniffer. The author figured out a way to significantly reduce the search space for the sequence number. Quoting from the article, "[Watson] noticed that the probability of guessing an acceptable sequence number is much higher than 1/2^32 because the receiving TCP implementation will accept any sequence number in a certain range (or 'window') of the expected sequence number. The window makes TCP reset attacks practicable."

      Previously you had to have a packet sniffer in the middle to sniff the sequence and spoof it. Watson has pointed out a technique that allows you to guess the sequence in practical number of tries for connections that are long-lived (a few days).

    3. Re:This is new?? by evilviper · · Score: 2, Interesting
      The news here is that you no longer require the sniffer

      You didn't before either. Guessing sequence numbers used to be much easier...

      And BTW, guessing sequence numbers based upon the predicitability of different vendors' TCP stacks is also quite old.

      About the only new thing here is that some moron reporter decided to write a fire and brimstone story about this well-known issue.

      Does everybody remember back when CNET reported that Mozilla was going to become a full office-suite? Yes, that who article was based on one random person posting that (one-line) suggesting to the mailing list. Many reporters really are pure slime.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  51. Re:Mostly Related to BGP? by dre23 · · Score: 2, Informative

    BGP depends on IBGP (internal) as well in-between ASes (external). That means you could attack IBGP as long as it had a public IP, or if you had a route to it.

    Some BGP sessions would come back up automagically (some might require a manual reset (in Cisco IOS this is known as "clear ip bgp "). However, the attack could just bring them down again (every 4 minutes). BGP dampening would take effect depending on how it is configured upstream or downstream of your router(s). This would cause parts of the Internet to stay down for a long time (at least hours). Attackers could then concentrate on other targets during that time.

    OSPF and BGP are not comparable. They work together. Often, BGP requires OSPF (for building a table of valid next-hops) -- but once BGP is used -- there is generally no replacement for it. OSPF would carry routes from router addresses (point-to-point links), and BGP would carry customer and ISP routes. BGP on the Internet carries the necessary 130k routes to allow the Internet to work. OSPF can only carry about 10k routes, and it hurts to even do that. IOW, OSPF does not scale to large networks such as the Internet, but BGP does.

    There are many workarounds to this problem, most are identified in the advisory. People who lag behind the times could get hit [hard?] with this vulnerability, so it's always good to check and make sure your network is up to spec.

    --
    IPv4 allocations for hobbyists? join the ipalloc-l mailing-list! www.operations.net/mailman/listinfo/ipalloc-l
  52. NISCC slowing, here is the meat summary of article by JPriest · · Score: 5, Informative

    The issue described in this advisory is the practicability of resetting an established TCP connection by sending suitable TCP packets with the RST (Reset) or SYN (Synchronise) flags set.

    The packets need to have source and destination IP addresses that match the established connection as well as the same source and destination TCP ports.

    The fact that TCP sessions can be reset by sending suitable RST and SYN packets is a design feature of TCP according to RFC 793, but a reset attack is only possible at all because the source IP address and TCP port can be forged or "spoofed".

    Although denial of service using crafted TCP packets is a well known weakness of TCP, until recently it was believed that a successful denial of service attack was not achievable in practice. The reason for this is that the receiving TCP implementation checks the sequence number of the RST or SYN packet, which is a 32 bit number, giving a probability of 1/232 of guessing the sequence number correctly (assuming a random distribution).

    The discoverer of the practicability of the RST attack was Paul A. Watson, who describes his research in his paper "Slipping In The Window: TCP Reset Attacks", presented at the CanSecWest 2004 conference. He noticed that the probability of guessing an acceptable sequence number is much higher than 1/232 because the receiving TCP implementation will accept any sequence number in a certain range (or "window") of the expected sequence number. The window makes TCP reset attacks practicable.

    Any application protocol which relies on long term TCP connections and for which the source and destination IP addresses and TCP ports are known or can be easily guessed will be vulnerable to at least denial of service attacks

    --
    Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
  53. Exactly. by FreeLinux · · Score: 4, Insightful

    It is indeed a problem with TCP but, it is in no way new. Many people have relied on this "vulnerabillity" for years. This is the technique that many firewalls implement in order to terminate undesirable sessions.

    This vulnerabillity impacts the applications that are unable to handle session interruptions. BGP is such an appilication but, its impact on BGP is critical because this attack could seriously impeed BGP and since the internet backbone relies on BGP such an attack could covceivably shut down the internet. This is a known vulnerabillity in BGP, as you said, and it is surprising to me that BGP has not been modified to prevent this from happening.

    By and large most applications will be able to deal with this and only minor annoyances such as DoS will occur.

    As for earlier posts about OpenBSD being immune, I am very eager to hear how that is possible. No matter what the implementation, it is still possible to reset TCP sessions. This means that OpenBSD is still potentially vulnerable to DoS attacks.

    Provided that BGP is modified to make it more fault tolerant, I can't see this problem with TCP being anything more than a short-lived niusance. I'm sure however that many people will try to use this as leverage to force IPv6 migration however, I believe that it too is vulnerable.

  54. The real danger. From DoS to remote root. by Anonymous Coward · · Score: 2, Informative

    1) Read parent.
    2) Think about it.
    3) How many of you would notice if your box was down, then when you ssh'd into it because your boss was upset, would keep going inspite of the warning that the SSH key changed.

    Pwned!

  55. bogus, depending on your OS. by JDizzy · · Score: 3, Insightful

    I read the paper, which is nothing more than a rehash of what every security person already knows about: tcp sequence guessing.

    This issue erupted on the freebsd irc chat, and I had to kill it by posting this linkage: http://lcamtuf.coredump.cx/newtcp/

    As you can see TCP sequncing is fairly random in most of the IP/TCP stacks out there in commercial use. The reasearch paper mentioned in the article only applies to the OS's in the above link that dont' have near true 32bit randomness.

    The feasability of overcoming realtime 32 sequence guessing is insane, however non-zero. just my .02c

    --
    It isn't a lie if you belive it.
    1. Re:bogus, depending on your OS. by httptech · · Score: 3, Insightful

      The randomness of the TCP ISN generator doesn't matter. The fact is, you don't need to guess the current sequence number in the connection. If you guess *any* sequence number in the window ahead of the current sequence number, it's just as good. So all you need to do is count from 0x0-0xffffffff by increments of just under the TCP window size. You can hit the right number within a few minutes if you already know the source and destination ports and you have sufficient bandwidth. Longer if you have to guess the source port.

  56. IETF TCP Security Considerations draft by BrewerDude · · Score: 5, Interesting

    There is a new Internet draft addressing this issue.

  57. Re:It's Al Gore's fault... by cascadingstylesheet · · Score: 2, Insightful

    He made a sweeping claim that he "took the initiative in creating the Internet" that was clearly intended to be taken as it was, and just as clearly intended to be deniable if called on it.

    It's not a "myth" that he did this, nor anything to be proud of, if you're a Gore-ite ... I notice Gore-ites sure get uncomfortable about it.

  58. Neither forgotten nor stupid by shostiru · · Score: 5, Informative
    The relevant parts of this vulnerability are 1) that RST attacks are much, much easier than formerly thought, making them possible for your average broadband sub, and 2) that BGP in particular is highly vulnerable, given the consequences of a terminated BGP session.

    A recently published I-D (here) claims 200 seconds is sufficient time for a broadband sub to successfully attack a TCP session, provided their ISP doesn't use egress filtering (and way too few do so).

    This is rather serious. Whether you personally aren't susceptible is irrelevant if your upstreams are.

    1. Re:Neither forgotten nor stupid by Floody · · Score: 4, Informative

      Of course, in a sanely designed backbone, ingress filtering should be in place to filter source ips from BGP peers that aren't specifically on the interface matching the peer (yes, there's multi-hop BGP, but ignoring that for the moment...).

      I do realize this likely isn't the case on many networks, but perhaps this will push such sanity (and very simple) filtering to become more widespread.

    2. Re:Neither forgotten nor stupid by Tackhead · · Score: 5, Insightful
      > A recently published I-D (here) claims 200 seconds is sufficient time for a broadband sub to successfully attack a TCP session, provided their ISP doesn't use egress filtering (and way too few do so).

      Maybe it's about fucking time ISPs started using egress filtering. At the very least, there'd be an order of magnitude less crap (smurfage, etc) if ISPs dropped spoofed source IP packets before they got to the backbone.

      OK, so the ability of any skript kiddie to spoof and insert a BGP update is a pretty fucking huge mess. But "pretty fucking huge" it may be the only kind of mess that motivates the clueless fucktards pretending to be "ISPs" these days.

  59. The real problem? by getnuked · · Score: 5, Insightful
    The real problem is not in TCP (although sequence number windows are a bad idea), it's in allowing in spoofed IP datagrams. If network admins locked down their routers correctly then script kiddies wouldn't be able to send forget packets, and this wouldn't be an issue.

    Note to netadmins and sysadmins: block packets with source IPs that are not valid for the interface they came from! Geesh!

    1. Re:The real problem? by Zondar · · Score: 2, Insightful

      The problem with your idea is that it won't work for the very entities that are most vulnerable: Tier 1 ISPs.

      They have agreements with lots of ISPs to carry traffic from place to place, called Transit Agreements.

      There may be traffic flowing on my network that is not "from" me and not "to" me, but that I'm merely moving for someone that I have a transit agreement for. *They* may also have a transit agreement with someone else, down the line.

      It is possible, likely in fact, that there is traffic on my network (if I'm a big ISP, mind you) whose source address does not match one of my directly connected neighbor's networks, but that traffic is no less legitimate.

  60. Re:Protecting routers (Re:Mostly Related to BGP?) by Zondar · · Score: 2, Informative

    iBGP is vulnerable to this as well, and very few of the networks I've worked on went to this level of filtering on their internal peering, just their external.

    Find a large network, determine it's topology, hope they're using iBGP for announcing the routes internally to the edge peering routers. Then it's a matter of finding which one to disrupt. Find the right one and a /16 drops out of your internal tables, just through knocking out an iBGP peer - never having had to touch the edge router. The route falls out of the edge router's table, and so he stops advertising it.

    Wait. Let it come back. Route gets advertised to external peer again.

    Repeat 3-4 times until the route is dampened by your victim's peers. Repeat 3-4 more times to get the default maximum 60 minute time-out.

  61. Re:Yes yes by Anonymous Coward · · Score: 2, Funny

    Pssst: nobody cares.

  62. Old news from 1998 and probably before by weld · · Score: 5, Interesting
    Mudge from the L0pht talked about taking down the internet in 30 minutes with a router DoS attack in front of the US Senate in May 1998. Privately the L0pht told NIPC that this could be done with a BGP TCP reset attack. L0pht said it could be mitigated by doing ingress/egress filtering but that ISPs were to lazy and cheap to do it.


    In Aug 1998, RFC 2385 came out with protection of BGP with MD5 signatures. Using MD5 sigs will defeat this attack.


    This is a well known issue with well known solutions. If the infrastructure is at risk it is because ISPs haven't been doing their job and following best practices.


    -weld

  63. Re:NISCC slowing, here is the summary of article by JPriest · · Score: 5, Funny
    BTW, I pasted this here mostly as damage control. I know how some people (and yahoo apparently) like to fly off the handle and claim the world is ending without bothering to even RTFA. You wonder why some people are Afraid to use a computer. If I wrote for the auto industry and intentionally tried to scare the shit out of people Detroit would sue me off the map.

    There is a new vulnerability that will cause every GM vehicle and cause your children to cry. Vandals can place 1 domestic house cat into the fan and cause the fan to stop and under some cases, cause the vehicle to overheat. This was previously written off as house cats are usually soft ans squishy and have little effect on the powerful fan but Joe Shmoe PHD realised that many house cats have colars that are pretty tough for the fan to digest. Car experts say this is a serious problem and will be dealt with in a serious manner. Suggested work around is to keep your cat tied in the house, and to drive a bicycle instead.

    --
    Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
  64. Re:NISCC slowing, here is the meat summary of arti by HTH+NE1 · · Score: 4, Informative

    Note: that's 1/2^32 (substitute your own favorite exponential syntax), not one in two hundred thirty-two.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  65. Re:OpenBSD SMP by the+morgawr · · Score: 2, Insightful
    You are correct; OpenBSD doesn't support SMP right now. This is mostly because SMP is a way to get next year's computing power today (and paying a lot of money in the process). Combine that with the fact that almost all of the programs used on a modern UNIX-like system arn't CPU bound and it's easy to see why SMP took a back seat to more "interesting" issues.

    However there is a developer being paid to work full time writing SMP support for OpenBSD. He expects to have a working implementation by 3.6 or 3.7.

    --
    The policy of the United States is worse than bad---it is insane. -- Ludwig von Mises, Economic Policy(1959)
  66. That took long enough by Anonymous Coward · · Score: 5, Informative

    This came up on the linux-kernel mailing list two years ago during a thread on TCP MD5 stuff to avoid this very problem. Why is it just now making a splash?

    This post from Alan Cox covers it nicely. Also see the rest of the thread.

  67. Re:NISCC slowing, here is the summary of article by wideBlueSkies · · Score: 5, Funny

    Besides the fact that their little kitty bones could get into the works and actually stop the fan.

    I'd say this is a real threat. We need to protect our SUV's from the mobs of 1337 haxor kitten terrorists! I propose bombing __insert country here__, under the guise of giving them democracy and freedom, and simultaniously pass some laws at home which take away some of our freedom.

    --
    Huh?
  68. Re:Mostly Related to BGP? by Mateito · · Score: 2, Informative

    > But if I understood it correctly, you can only
    > OSPF inside your own AS. Doesn't that mean, that
    > OSPF could never be considered a replacement for
    BGP?

    BGP is "an" exterior routing protocol, tho its more accurate to say that BGP is "the" exterior routing protocol

    OSPF won't scale anywhere near what is needed for the internet. The BGP routing tables have O(100000) routes, and those are summarized to hell and back.

    OSFP would so quickly fill up with external routes that your router would fall over quicker than a teenager at spring break.

  69. BGP Dampening by cabazorro · · Score: 2, Insightful

    My research on the vague news note lead to the following information:
    Routers using BGP (Border Gateway Protocol) use
    a technique called dampening to control amount a traffic a link generates.
    Details:
    When a link goes up or down, updates must be passed to any router using such link. Those updates bubble up if a link goes up and down to often causing unwanted high levels of traffic. A link gets dampened when it's activity (going up or down) is ignored for the reason mentioned above.
    Exploit.
    A false (link up/down) update message may get a healty linked damped by a router or group of routers halting all traffic through such link.
    Of course, non of the above has to do anything w/
    tcp protocol but a lot with Routing Protocols which are the very foundation of the Internet.
    I may be not be on the right track.
    Cheers.

    --
    - these are not the droids you are looking for -
  70. I kind of liked IPX network numbering by swb · · Score: 2, Interesting

    Not all of IPX, but at least the numbering scheme felt halfway thought out: full addresses were 80 bits long, comprised of 32 bits of network address and 48 bits of node addresss, the latter almost always being the device's MAC address (which is a delicious hack for ARP tables on ethernet networks).

    The 48 bit node address space would make it easy to have large single-subnet LANs without dealing with multiple subnets/NAT/routing, and the network portion of the address space is as large as the entire /24 space for IPv4.

    The rest of IPX was kind of a kludge, but I liked the numbering system.

  71. Re:It's Al Gore's fault... by Mr.+Firewall · · Score: 2, Interesting

    Gore took the initiative in creating the Internet by taking the initiative to support the legislation required to get it going.

    And just how, exactly, did he do that? He wasn't even in Congress at that time. IIRC he was in college, or high school, or something.

    nothing in his statement could be properly construed to imply such

    Look it up. He clearly implied that he was present at the creation of the Internet, and actively made it happen -- which is clearly a falsehood.

    Yes, he apparently DID do some things to help the Internet while in Congress -- for which he deserves credit -- but the Internet already existed; he sure as hell didn't 'invent' it.

    And it has nothing to do with which team (Bush v. Gore) you were rooting for. Everyone SHOULD be able to rationally sort out the facts regardless of ideology. Of course, the Gore people still have trouble being rational, but that's another thread....

    --
    In times of universal deceit, telling the truth gets you modded -1 Troll
  72. This is an attack on sequence number, not ports/IP by PureFiction · · Score: 4, Informative

    Guessing a port and IP is fairly easy. Guessing the sequence number is not. This is why making sure that TCP initial sequence numbers are random is important.

    This is old news.

    For the insanely paranoid use a hardware entropy generator (TRNG) for choosing ISN's.

    There are all sorts of attacks against network protocols when poor random number sources are used. This is but one example...

  73. Re:It's Al Gore's fault... by hambonewilkins · · Score: 2, Informative
    Al Gore:During my service in the United States Congress, I took the initiative in creating the Internet. I took the initiative in moving forward a whole range of initiatives that have proven to be important to our country's economic growth and environmental protection, improvements in our educational system.

    Newt Gingrich, 9/1/00:Gore is the person who, in the Congress, most systematically worked to make sure that we got to an Internet.

    Al Gore and the Internet
    By Robert Kahn and Vinton Cerf

    Al Gore was the first political leader to recognize the importance of the Internet and to promote and support its development.

    No one person or even small group of persons exclusively "invented" the Internet. It is the result of many years of ongoing collaboration among people in government and the university community. But as the two people who designed the basic architecture and the core protocols that make the Internet work, we would like to acknowledge VP Gore's contributions as a Congressman, Senator and as Vice President. No other elected official, to our knowledge, has made a greater contribution over a longer period of time.

    Last year the Vice President made a straightforward statement on his role. He said: "During my service in the United States Congress I took the initiative in creating the Internet." We don't think, as some people have argued, that Gore intended to claim he "invented" the Internet. Moreover, there is no question in our minds that while serving as Senator, Gore's initiatives had a significant and beneficial effect on the still-evolving Internet. The fact of the matter is that Gore was talking about and promoting the Internet long before most people were listening. We feel it is timely to offer our perspective.

    As far back as the 1970s Congressman Gore promoted the idea of high speed telecommunications as an engine for both economic growth and the improvement of our educational system. He was the first elected official to grasp the potential of computer communications to have a broader impact than just improving the conduct of science and scholarship. Though easily forgotten, now, at the time this was an unproven and controversial concept. Our work on the Internet started in 1973 and was based on even earlier work that took place in the mid-late 1960s. But the Internet, as we know it today, was not deployed until 1983. When the Internet was still in the early stages of its deployment, Congressman Gore provided intellectual leadership by helping create the vision of the potential benefits of high speed computing and communication. As an example, he sponsored hearings on how advanced technologies might be put to use in areas like coordinating the response of government agencies to natural disasters and other crises.

    But, being blinded by ideology is so much MORE fun!

    --

    God Bless America. Why? Did it sneeze?
  74. Juniper NetScreen Security Advisory 58784 by jakedata · · Score: 4, Informative

    Title: Juniper NetScreen Advisory 58784
    Date: 21 April 2004
    Version: 1

    Impact:
    A design flaw in the RFC specification of TCP may allow a blind attacker to successfully close a TCP connection.

    Affected Products:
    Juniper NetScreen Firewalls (all versions)

    NISCC Reference: Vul/236929
    http://www.uniras.gov.uk/vuls/2004/236929/tcp.htm

    Max Risk: Medium

    Summary:
    A blind attacker with limited knowledge of a TCP connection may be able to successfully brute force the TCP Sequence number space and thereby cause a connection endpoint or firewall stateful filter to process a spoofed RST packet and close the connection.

    Details:
    The TCP Sequence number is one of the mechanisms that TCP uses to prevent a third party from inserting forged packets into the data-stream between two other hosts. While such an attack has always been known to be theoretically possible against TCP, it is was believed that the range of over four billion possible TCP Sequence numbers was large enough to prevent a successful attack. However, recently such an attack has been proven to be feasible in certain situations.

    Specifically, if two hosts are known to talk to each other on a regular basis and/or for long periods of time over known port(s) then it may be possible for an attacker to brute force the TCP Sequence number space and successfully inject a forged packet into the connection and possibly disrupt communications. Certain connections, such as BGP4, which are long lived between two devices are especially vulnerable.

    While all TCP connections are potentially vulnerable, NetScreen believes that NetScreen firewalls running BGP4 or with TCP Syn-Check enabled are likely to be vulnerable in practice. Other protocols such as SSH, HTTP and SMTP which usually have shorter connection times are less vulnerable.

    Recommended Actions:
    NetScreen firewall customers should do one or more of the following:
    1) Configure Anti-Spoof protection as appropriate.
    2) Use secure protocols such as ssh, HTTPS, BGP4 w/ MD5 Authentication
    and IPSec which are more resistant to attack.
    3) Limit management to dedicated and/or internal interfaces
    4) Upgrade to ScreenOS 5.0r6 which enhances the stateful firewall
    functionality to protect devices on the network.

    Patch Availability:
    ScreenOS version 5.0r6 is currently available for Juniper NetScreen firewalls.

    How to get ScreenOS:

    Customers with a valid product warranty or a support contract may download the software from the Juniper NetScreen CSO web portal:
    http://www.juniper.net/support/

    For all other customers, including those with expired support contracts, please call your regional Juniper NetScreen TAC center at one of the numbers listed in:
    http://www.juniper.net/support/nscn_support/t ao/co ntact.html

    Select option 2 from the telephone menu and be sure to select the correct product from the phone tree. Once connected with an engineer state that you are calling in regards to a Security Advisory and provide the title of this notice as evidence of your entitlement to the specified release.

    As with any new software installation, NetScreen customers planning to upgrade to any version of ScreenOS should carefully read the release notes and other relevant documentation before beginning any upgrade.

  75. Re:It's Al Gore's fault... by sharp-bang · · Score: 2, Informative

    Here's the original quote from a CNN interview during the 2000 campaign:

    BLITZER: I want to get to some of the substance of domestic and international issues in a minute, but let's just wrap up a little bit of the politics right now.

    Why should Democrats, looking at the Democratic nomination process, support you instead of Bill Bradley, a friend of yours, a former colleague in the Senate? What do you have to bring to this that he doesn't necessarily bring to this process?

    GORE: Well, I will be offering -- I'll be offering my vision when my campaign begins. And it will be comprehensive and sweeping. And I hope that it will be compelling enough to draw people toward it. I feel that it will be.

    But it will emerge from my dialogue with the American people. I've traveled to every part of this country during the last six years. During my service in the United States Congress, I took the initiative in creating the Internet. I took the initiative in moving forward a whole range of initiatives that have proven to be important to our country's economic growth and environmental protection, improvements in our educational system.


    OK, this isn't the greatest phraseology, but the gist is that he supported the development of the Internet through legislative initiatives. If you doubt this, there's a nice summary at Seth Finkelstein's website.

    Y'know, I saw this interview when it happened, and I certainly didn't come away with the impression that Al was grandstanding. (This said as an early Bradley supporter... I certainly don't agree with his implication that Bradley *didn't* produce important legislation.) I mean, it's not like he put on a flight suit and strutted around while US soldiers were getting blown to sh*t or anything.

    --
    #!
  76. Re:OpenBSD SMP by mi · · Score: 4, Informative
    Combine that with the fact that almost all of the programs used on a modern UNIX-like system arn't CPU bound and it's easy to see why SMP took a back seat to more "interesting" issues.

    Wrong. Very wrong. Are you anaware of this field called "banking"? What about "financial trading"? These firms have huge portfolios and run and re-run various models on them. At night, the systems have to run various "end-of-day" scripts and reports, which take CPU-hours to complete. Most of this things run on Unix...

    There is also on-the-fly image manipulation, and the scene-rendering done by fleets of Unix machines. The more CPUs each such Unix machine can fit, the better.

    Then come databases -- depending on the queries (with joins and orderings), DB-servers can be CPU bound and appreciate multiple processors when available.

    What about PVM? What was it -- and similar packages both free and commercial -- written for? What about this proverbial "beowulf clusters"? Of course, it is much better to have several CPUs inside the box, rather than in separate machines.

    However there is a developer being paid to work full time writing SMP support for OpenBSD. He expects to have a working implementation by 3.6 or 3.7.

    Until which time, the OpenBSD zealots will continue to deny the issue exists or is of any importance. I see...

    --
    In Soviet Washington the swamp drains you.
  77. IPv6? by laurent420 · · Score: 2, Informative

    Of everyone rambling about switching to udp/icmp/ipx/whatever, few if any have mentioned that IPv6 would be a solution to this issue. IPv6 has manditory IPSec so predicting anything but where each packet is going to/comming from will be quite difficult.

    happy 4/20 :>

  78. Re:Server exploit, not router by BusDriver · · Score: 3, Informative

    If you read the article it'll explain it for you, but basically:

    Routers from different AS's talk to each other using BGP4. This protocol uses TCP.

    The "exploit" uses spoofed packets, so the router will process them as if it came from their neighbour.

    So yes, while the router is mostly "shoveling packets", it learns the direction in which to shovel these packets via the exploitable method.

    If you want to disagree, feel free to let all the major tier 1 ISPs who have been busily implementing MD5 authentication on their BGP sessions know their wrong.

  79. NYT has an article too by {tele}machus_*1 · · Score: 2, Informative

    Link here (soul reaving required).

    In the article Watson is quoted as saying that any hacker can figure out this exploit in five minutes from the vaguest explanation. If that's true, why reveal the exploit until someone has figured out how to completely patch it? Or has the fix already been figured out? I couldn't tell from the article.

  80. Re:NISCC slowing, here is the summary of article by jcenters · · Score: 5, Funny

    Suicide terrorist kitties?

    Al-Kitty?

    Yes, that was corny, and no, I couldn't resist.

    --

    vi ~/.emacs

  81. Re:NISCC slowing, here is the meat summary of arti by janoc · · Score: 4, Informative

    Actually, this is just a variation on an old attack with sequence number guessing. Some OSes have a very poor generator for these numbers (even though the vulnerability is known for ages) and it is possible to exploit it. Probably the most famous attack of this sort was Mitnick's break-in into Shimomura's machine ten years ago.

    In practice, these attacks are quite tricky to perform, because they require good timing and quite a bit of skills, so they are quite rare. It is far easier to just exploit some common buffer overflow than this.

    The impact could be not only DOS (by resetting the connection), but you can do also packet injection with potential for total system compromise. However, if the protocol used is encrypted (in Shimomura's case it wasn't, if I am not mistaken, Mitnick attacked rsh or rlogin), then the DOS is probably the worst thing that could happen to you. The encryption will reject the bogus packets, if properly implemented.

    So, keep calm - this was here since at least 80-ties and there isn't much that you can do against it, except to use encryption. You can only hope, that your system vendor will decide to make their TCP stack less vulnerable (not likely to happen, since many systems still ship with the crappy sequence number generator!). Full fix is not possible anyway, unless you want to break the protocol.

    Regards, Jan
  82. Visualizations of OS's TCP seq numbers by boomgopher · · Score: 3, Informative

    This is sort of on topic with your post. Here's a discussion and visualizations of various OS's TCP sequence numbers:

    Strange Attractors and TCP/IP Sequence Number Analysis

    --
    Your hybrid is not saving the environment. Its purpose is to make you feel good about buying something.
  83. "A design flaw in the RFC specification of TCP..." by Ricin · · Score: 2, Insightful

    Tss. Juniper is full of it. It clearly is an implementation flaw, not a specification flaw. As pointed out in an earlier post RFC-793 allows for and recommends checking ACK numbers as well as SEQ numbers when validating a RST, but apparently not many implementations do so (though they still may have other preventive measures that rules out the brute-force-RST scenario).

  84. Re:OpenBSD SMP by ForsakenRegex · · Score: 2, Insightful

    I don't know quite how to respond to this without it being taken as a flame. Here's the best I can do. If you truly want OpenBSD to succeed as an operating system on a grand scale, you're going to need to stop excusing it's weaknesses and admit those shortcomings that are obviously bad. SMP support is absolutely required for any widespread success in the enterprise, as well as the other areas mentioned in another reply to this post. You need to understand this if you want to truly have a dialogue on why someone will/won't use OpenBSD.

    --
    "A man talking sense to himself is no madder than a man talking nonsense not to himself."
  85. Article title reads: by SageMadHatter · · Score: 2, Funny

    Internet Technology Vulnerable to Hackers

    This is news?

  86. Am I the only one... by Ketnar · · Score: 2, Interesting

    Out here who took notice that this is more or less the same old hat trick of resetting connections that has been around

    SINCE THE CREATION OF TCP/IP?

    *Duh*
    c'mon, script kiddys have been throwing packets to reset connections for years.

    Same old trick, new aplication. Yes, now we all have the ability to throw a good fingerpoint at a vendor or two and say shame on them, and make some great BSD-is-safe-again! remarks.

    Moving right along...The only people 'vulnerable' to this are people who don't configure routers/firewalls or BGP's properly to use hashing, or no-brainer spoof blocking at the forefront, etc.

    And guess what that means? They should have paid closer attention in class. Darwin works in more places than just the gene pool.

    --
    My new top secret key -> C>N|KB
  87. From the article by SageMadHatter · · Score: 2, Funny

    The risk was similar to Internet users "running naked through the jungle, which didn't matter until somebody released some tigers," said Paul Vixie of the Internet Systems Consortium Inc.

    Was the naked part necessary? I don't know about you, but it would matter to me if there were loose tigers near by, regardless if I was naked or not :)

  88. RFC 2385 by apankrat · · Score: 4, Informative

    There is RFC 2385 titled Protection of BGP Sessions via the TCP MD5 Signature Option. In the first paragraph of its Introduction section it says -

    The primary motivation for this option is to allow BGP to protect itself against the introduction of spoofed TCP segments into the connection stream. Of particular concern are TCP resets.

    The date of publishing - August 1998, which makes it about 6 years old.

    However the proposed option was primarily meant as a quick BGP fixup, which should've got depricated as soon as IPsec got RFC'ed and deployed. It did went standard few months later, but IPsec implementations enjoyed full share of cross-vendor compatibility problems.

    With time Authenticated Header (AH) IPsec protocol didn't see much use or acceptance and IPsec slowly evolved (and keeps evolving) into confidentiality rather than authentication layer.

    Besides it's an IP security after all, while the RST spoofing is a TCP problem. And one can quite rightfully percieve authenticating TCP with IPsec as an overkill.

    Anyhow, long story short - it's a known and rather old problem with handful of existing and equally unattractive solutions. Perhaps this time around it will be addressed better due to the amount of the publicity it's aimed to get.

    --
    3.243F6A8885A308D313
  89. Peeve by j+h+woodyatt · · Score: 3, Interesting

    From the advisory:
    [...] In the absence of vendor patching of the TCP implementation, the following are general mitigating steps: Implement IP Security (IPSEC) which will encrypt traffic at the network layer, so TCP information will not be visible; [...]

    We told you not to deploy NAT because (among other reasons) it would break IPsec authenticated header (AH) mode. You did it anyway and told us we were pedantic academic pinheads.

    You deserve what you get.


    --
    --
    jhw
  90. Re:OpenBSD SMP by the+morgawr · · Score: 2, Insightful
    >Until which time, the OpenBSD zealots will continue to deny the issue exists or is of any importance. I see...

    I am not an "OpenBSD zelot"; I use OpenBSD on a few servers and hence am subscribed to the misc@ list. This was recently discussed so I thought I'd fill the poster in.

    All of the software you mention, while important, isn't what's used on a majority of systems (and more importantly isn't what the developers use their systems for). Many many more systems operate web servers, routers, file servers, and mail servers: general work horse stuff. That's what OpenBSD likes to focus on (because that's what the developers use it for). Hence SMP isn't a huge priority. Most of the developers don't work on OpenBSD for a living; they just code to solve there own problems (which by necessity are in the domain of what they use the software for). If this happens to solve your problem too that's great; if it doesn't well you do have the code.

    Furthermore, all of the software you mentioned is corner case, no where near common. How many bank computers and render farms are there compared to the number of web servers, mail servers, and routers?

    As for databases, most databases are more in need of RAM and fast disks then CPU. Those that are CPU hogs are often poorly designed. For those that actually do need multiple CPUs, let me remind you that there is no such thing as an all-in-one-solves-every-problem-every-time tool: you proably don't want to use OpenBSD for that anyway.

    None of this changes my claim that SMP is a (useful) hack to squeeze more performance out of today's technology for those who just can't wait (and are willing to pay through the nose).

    --
    The policy of the United States is worse than bad---it is insane. -- Ludwig von Mises, Economic Policy(1959)
  91. Re:NISCC slowing, here is the meat summary of arti by void* · · Score: 3, Interesting

    In practice, these attacks are quite tricky to perform, because they require good timing and quite a bit of skills

    Well, they require a packet with the right sequence number to hit in the right time period.

    Since there's a window of accepted sequence numbers, it really only requires a shitload of packets with likely numbers. Send enough good guesses and one will hit at the right time.

    Like a race exploit, I don't think this requires 'good timing', I think it requires enough attempts to reduce the odds - many will fail, but one may succeed.

    --


    Code or be coded.
  92. Re:IPv6 by Spudley · · Score: 2, Interesting

    This is a good point - is this attack still possible in IPv6? If not, could this be the killer event that make the switch seem like a good idea to all the companies that have been refusing to change.

    (if the hack is still possible in IP6, then I can only ask *why*??, since the basic principles of the flaw have been known for a long time)

    --
    (Spudley Strikes Again!)
  93. Nice try, but no. by mark-t · · Score: 2, Informative
    This would only work if there were one, and only one, route that packets would take when travelling from system A to system B. Although in general this is true because of the particular implementations that we have so far, it is in fact a specific design goal of IP to not assume that this is the case.

    Your solution causes anyone using multiple pipes to transmit at a higher speed to be stopped short and forced through one incoming interface, even though you might have actually been able to handle the traffic.

  94. Re:NISCC slowing, here is the meat summary of arti by janoc · · Score: 5, Insightful

    Yep, sure, however, if you flood the network with your packets, it will be probably noticed soon. Also in order to flood the network, you need a fast connection to the attacked host, reducing the problem to the immediate neighborhood of the attacked host. That's why this attack is not very practical to perform and the impact on most normal mortals is low (except for the BGP issue, which could take out your upstream router)

    The problem with BGP, which is mentioned in the original article, is that it has a particularly bad failure mode - when a BGP session goes down, it is very expensive to restart it. To top it off, BGP uses very long transmission windows (because it transfers lot of data and that is more efficient with longer windows) and that makes it easier to squeeze-in the spoofed packet. This is quite messy affair, when it happens.

    However, if somebody attacks your favorite web site in this way, I doubt that you are even going to notice it, since http sessions are stateless and comparably cheap to establish.

    So, I think this is just a big scare for nothing, it is mainly BGP issue for now. It affects just people who know how to fix it (and are fixing it right now) and the machines involved are relatively few. Unlike some Windows RPC exploit which unleashed a massive world-wide worm in few minutes.

  95. Time to go back to NetBUI. by sproketboy · · Score: 2, Funny

    Please. Let's make Bill happy.

  96. Cisco's advisory, workaround & update informat by spurious+cowherd · · Score: 3, Informative
    --

    Time flies like an arrow, fruit flies like a banana.

  97. THIS ATTACK DOES NOT RELY ON POOR RNG! by theLOUDroom · · Score: 2, Informative

    (see subject)

    This attack is based on TCP accepting a RANGE of numbers. This range can be artifically widened using forged messages. As a result, it does not matter how good you RNG is, this exploit is about making it easy to search the entire space of possible numbers.

    Even if your RNG (Random Number Generator) was perfect, you could still be vulnerable to this attack.

    --
    Life is too short to proofread.
  98. Re:NISCC slowing, here is the summary of article by Guppy06 · · Score: 4, Funny

    "Al-Kitty?"

    You're not mangling your Arabic-to-English transilteration enough. It would probably look more like "al Qiddy"

  99. Not flawed, just unimaginative. by billstewart · · Score: 3, Insightful
    The problem isn't TCP stacks that are flawed because they don't implement TCP properly. It's TCP stacks that failed to imagine some of the creative ways to attack them. Sequence number guessing has been around for a while (see papers by Bellovin and others), but apparently the guy has figured a somewhat more efficient way to guess them on some popular platforms, apparently including Cisco routers.

    Routers don't usually do a lot of TCP themselves, except SSH or telnet access for management, but the one big exception is the BGP protocol that routers use to connect to each other, primarily at the interfaces between carriers. The BGP sessions stay up for a long time, and killing them tells the router that it's no longer talking to its neighbor so it should go find a different route to get to that network, which is really really annoying. On the other hand, BGP has options to do more checking on BGP messages before accepting them, and carriers that do spoof-proofing to prevent their customers from forging packets have less risk, and carriers that block packets addressed to their routers accept from approved destinations are much safer.

    Some customer connections to ISPs use BGP, especially if the customer uses multiple ISPs, though most are static - these could be subject to spoofing by somebody inside the customer's network, if they're not careful. (The customer could be an ISP, or they could be a regular customer with an employee who has next month's interesting virus.) So customers who don't want to get thrown off the net should probably be careful to do good firewalls to keep their own users from spoofing their connections.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  100. Re:NISCC slowing, here is the summary of article by Anonymous Coward · · Score: 2, Funny

    does anyone else ever want to shoot all of those people who post some ass-hat comment and then say "I couldn't resist' and then tell them I couldn't resist?

  101. This thread is scary more for the comments. by GrpA · · Score: 2, Insightful

    Reading through the comments, the scariest thing about this thread isn't the original article...

    It's the comments posted by a fairly experienced bunch of geeks.

    The misconceptions illustrated throughout this thread demonstrate how badly some aspects of the Internet, TCP and protocols are misunderstood by people who think they have a full working knowledge of these mechanisms. (Some posts...Other posts admittedly correct some errors)

    It's because of these people who *think* they know what's going on while working in the industry that the true risk grows, because hostile hackers will always find a home in the huge gaps left by their ignorance.

    Ignorance is more dangerous in the long run than apathy. Apathy can change.

    Apologies that this post is slightly OT, but it's relevant to the theme.



    GrpA

    --
    Enjoy science fiction? "Turing Evolved" - AI, Mecha, Androids and rail-gun battles. What more could you want?
  102. Re:NISCC slowing, here is the summary of article by edhall · · Score: 2, Funny

    IANAE

    That would be funny, yes. However, I've been signing posts/email/whatever with "-Ed" for longer than many slashdotters have been alive. I even sign handwritten letters that way. The time to start to worry is if I change it to add a period at the end...

    -Ed
  103. Simple solution - use non-public IP for BGP link by egoshin · · Score: 2, Insightful

    There is a simple solution - just use pair of any NON public IP addresses on both sides of BGP links. This addresses are not published (not propogated via BGP itself) and nobody is able to send packets to it besides BGP peer partener. Problem exists only for stupid IS staff.

  104. What about fragmentation? by Oriumpor · · Score: 2, Interesting

    From my daily reading it looked like the recent mailing regarding the Rose attack Which could affect nearly as many systems as this TCP vulnerability. With two vulnerabilities of this extent, and their relative quiet reception by the security community I don't think there will be much of a push to fix this problem, while the k1dd13s go to work acquiring proof of concepts.

  105. Re:NISCC slowing, here is the summary of article by Red+Pointy+Tail · · Score: 3, Funny

    And putting Al-Kitty through said fan will result in Al-Gore.

  106. The Exploit by Lumin+Inverse · · Score: 3, Informative

    The following pseudo command will send an exploit packet:

    linverse@KOS-MOS:~/blackhat/hping2-linv erse$ hping2 [victim.ipaddy] --spoof
    [server.ipaddy] --rst --baseport [server.port] --destport [rand()%65536] --setseq
    [rand()%((2^32)-1)] --sign "TCP RST Attack"

    Each packet sent in this manor has a 1/2^32 chance of succeeding. You need to guess two (effectively) 16 bit numbers: the victim's unknown open port, and the tcp sequence number (within ~16 of its 32 bits, depending on the windowsize) This requires something on the order of 4 billion packets to have a reasonable expectation of closing the connection. There is really no way of knowing if or when a given connection is closed, unless you're taking down routers with it, or some othe observable scenario.

    I modified hping2 to spam a victim with these packets. Attempting to reset a local connection with a remote machine takes approximately 20 hours to send the requisite ~4 billion packets. Were these packets to actually travel over a network, it should slow things down significantly.

    If one had an army of zombies, then obviously the 20 hour figure can become a 20 minute, or even 20 second figure. But flooding a computer with 4 billion packets in 20 seconds will likely be at least as destructive as the actual payload, except perhaps in the case of major routers communicating over BGP.

    Interestingly enough, however, one can still cause massive damage without flooding a single router. Instead, have each of your thousands of zombies try to take down arbitrary routers (perhaps each one sends packets randomly to each known major router). This algorithm allows one to make huge amounts of guesses without saturating the connection to any given router.

    If my calculations are correct, then 10000 zombies armed with my exploit and a list of major routers could take them down at a rate of one per 7.2 seconds. At this point, we're talking about serious problems.

    Has anybody else done any field testing / analysis?

  107. OpenBSD is _not_ vulnerable by chrysalis · · Score: 2, Interesting

    No, everyone is not vulnerable to the recently published vulnerability in the TCP protocol that allows to shut down BGP routers. Because Cisco hardware is, stupid writers yell that the whole internet is vulnerable. Come on, Cisco is not the internet.

    As stated by Theo de Raadt and Henning Brauer, OpenBSD is not vulnerable because (quoting Henning) :

    Even without TCP MD5, bgpd on OpenBSD is not affected, because: - we use random emphereal ports - we do not use insanely hughe window sizes as Cisco does - we require the RST sequence number to be right on the edge of the window

    (quoting Theo) :

    That is right. If you have a Cisco, you can tear down BGP sessions by
    spoofing:

    64K of
    SYN's or RST's sent to #.#.#.#:179 -> #.#.#.#:{1024,+512,+512,...}

    The SYN and RST methods are different, but the end effect is that
    a tiny little burst of packets will cause a flap.

    OpenBSD (and I am sure other systems too) have for some time contained
    partial countermeasures against these things.

    OpenBSD has one other thing. The target port numbers have been random
    for quite some time. Instead of the Unix/Windows way of
    1024,1025,1026,... adding 1 to the port number each time a new local
    socket is established... we have been doing random for quite some
    time. That means a random selection between 1024 and 49151. This
    makes both these attacks 48,000 times harder; unless you already know
    the remote port number in question, you must now send 48,000 more
    packets to effect a change.

    We've made a few post-3.5 changes of our own, since we are
    uncomfortable with the ACK-storm potention of the solutions being
    proposed by the UK and Cisco people; in-the window SYN or RST's cause
    ACK replies which are rate limited.

    It will have the most impact on vendors who do BGP over poor TCP
    stacks. In particular, Cisco.

    Cisco has not been teaching engineers to block SYN's coming in; they
    have only been teaching them to block SYN-ACK's from going out in
    return. And... well, you'll see.

    --
    {{.sig}}