Slashdot Mirror


TCP Vulnerability Published

Bob Slidell writes "According to Yahoo!, there is a critical flaw in TCP that affects everyone and everything. The article is scant on details and long on fear, hopefully someone will post more details on this." The advisory has more information, and is long on details but only moderate on fear.

46 of 676 comments (clear)

  1. OpenBSD is safe? by Anonymous Coward · · Score: 5, Informative

    This just hit the misc@openbsd mail list:
    Date: Tue, 20 Apr 2004 12:57:12 -0600
    From: Theo de Raadt <deraadt@cvs.openbsd.org>
    [snip]

    In the OpenBSD case, this is something not to worry about. For what
    they discuss, OpenBSD handles this extremely well.

    We'll explain more in a week or so.
    It sounds (again) like proactive security auditting saves the day!
    1. Re:OpenBSD is safe? by Anonymous Coward · · Score: 5, Funny

      What about proactive spelling auditing?

    2. Re:OpenBSD is safe? by shatfield · · Score: 5, Funny

      Great, I guess Microsoft will just have to copy the BSD TCP/IP code again to ensure that their customers are safe ;-)

      --
      "To make a mistake is only human; to persist in a mistake is idiotic." Cicero
    3. Re:OpenBSD is safe? by Jeremiah+Cornelius · · Score: 5, Informative
      Yeah. The biggest problem here is the ease with which one could DoS the BGP-4 protocol.

      The Internet BGP tables are ricketey enough these days - they don't need every other route to "flap"!

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    4. Re:OpenBSD is safe? by Anonymous Coward · · Score: 5, Funny

      It doesn't save anything. When someone exploits this and takes out 90% of the Internet's routers, you're screwed no matter what.

      But it saves the day for my network of 3 linux boxen in my basement which are s0 K3wl, they r0x! While the Internet burns to the ground I can route packets back and forth with impunity between my 486 laptop and my Pentium II Server!! WooHoo!

    5. Re:OpenBSD is safe? by pyros · · Score: 5, Funny

      I guess they were smart enough to implement the new Evil Bit added to TCP last April. Those OpenBSD folks sure are forward thinking.

    6. Re:OpenBSD is safe? by Simon+Lyngshede · · Score: 5, Insightful

      Now I what read up on TCP/IP and my memory isn't that good, but isn't it the TCP part which a problem, mening that switching to a different IP protocol won't help you at all. IPv6 is as far as I understood it, only adressing, the TCP stuff is the same... maybe not.

    7. Re:OpenBSD is safe? by JPriest · · Score: 5, Interesting

      As a side note, all the major sites with several BGP peering points have recently started using MD5 authentication. We have been updating all of our peering sessions over the last week or so.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
  2. He plans to show the exploit this Thursday! by Novanix · · Score: 5, Interesting

    This kind man responsible for finding this vulnerability is going to present this exploit at the security conference in Vancouver this Thursday. He then predicts "hackers will understand how to begin launching attacks 'within five minutes of walking out of that meeting.'" The article talks about how the government has been "fortifying" its networks against this, does that means they quickly rewrote the tcp protocol? I would love to know.

  3. That's it! by Anonymous Coward · · Score: 5, Funny

    I'm removing support for TCP right now. Give me UDP or give me death!

    1. Re:That's it! by Quixadhal · · Score: 5, Funny

      Connected to Internet

      OSVDB ID: 4030
      Rating: TBD
      Disclosure Date: Apr 20, 2004

      Description:

      The Internet has been determined to be full of evil hax0rz. Any computers connected to the Internet are deemed vulnerable to this exploit.

      Solution:

      Unplug cable, power down WAP, close bomb shelter doors.

  4. oops? by Tebriel · · Score: 5, Funny

    Looks like someone left ISEXPLOITABLEFLAG = TRUE in the code.

    --
    The Blaster Master Fighting for Truth, Justice, and Evil Pie since 1979
  5. Implementation issue by JohnGrahamCumming · · Score: 5, Informative
    Neither of the linked articles helps understand the issue but this one does,
    Furthermore, RFC-793 allows a TCP implementation to verify both sequence and acknowledgement numbers prior to accepting a RST control flag as valid. No TCP stack implemention tested currently implements checking of both sequence and acknowledgement. All tested TCP stacks currently verify only the sequence number. This allows connections to be reset with dramatically less effort than previously believed.
    Hence this is an implementation issue that can be patched in TCP stacks.

    Move along, little to see here.

    John.

  6. Work by somethinghollow · · Score: 5, Funny

    As a web designer, taking advantage of this could get me off work faster than a snow storm. I don't know if I'm afraid or enthused. ;)

  7. The time has come by MrRuslan · · Score: 5, Funny

    to switch over to IPX

  8. Warning! by Disconnect · · Score: 5, Funny

    Your computer is broadcasting an IP address!

    Seriously though, it doesn't look all that bad. (Nor does it look all that hard to do, but still..)

    --
    www.gotontheinter.net
    Updated vaguely once a whenever, maybe once a whenever-and-a-half.
  9. Re:Best security advice... by kasperd · · Score: 5, Funny

    Just unplug your PC from the internet

    How would that keep you safe from DoS attacks?

    --

    Do you care about the security of your wireless mouse?
  10. Re:Good by adam+mcmaster · · Score: 5, Insightful

    I'm no expert, but wouldn't a security problem with TCP be completely unrelated to IP?

  11. Re:No problem by TheTomcat · · Score: 5, Funny

    more like:
    UDP just I. switch ll'll to I just

    S

  12. Re:Good by robslimo · · Score: 5, Insightful

    I don't think so.

    Looks like the weakest point for net-wide effects in routers implementing BGP. A concerted attack could tie up critical routers rebuilding routes after losing connection to their peers. Since this could be globally critical, I suspect the major hardware vendors and service providers will be jumping through hoops to get the fix in before some blackhats get coordinated with an exploit. There would still be weaknesses, but IPv6 will get to sit idle a bit longer.

  13. Re:Good by frenetic3 · · Score: 5, Informative

    As frightening as this "vulnerability" sounds, this is nothing really new; other TCP weaknesses are syn floods (not quite the same thing, but somewhat similar -- in fact, this vulnerability might as well be called a "RST flood"), connection hijacking (by sniffing packets and sending spoofed packets with the correct sequence numbers), and so on. It's also an implementation issue that is largely caused by implementations having loose checking of TCP sequence and ack numbers, or accepting too large of a window of sequence numbers.

    I wouldn't say TCP is broken or that some other solution would be much better; it would be tough to design a transport protocol that is still simple (and doesnt use CPU burning hashing/encryption techniques) that wouldn't have these sorts of vulnerabilities (especially since it's so easy to spoof IP packets); calling this vulnerability severe is like screaming that highways are fundamentally unsafe because someone could point their car the wrong way and start smashing into oncoming traffic.

    -fren

    --
    "Where are we going, and why am I in this handbasket?"
  14. Impact moderate for users, serious for providers by forged · · Score: 5, Informative
    The exploit apparently allows an attacker to disconnect TCP sessions, so really home users won't have much to fear except perhaps to get more trouble connecting to their various sites than usual, and that is in case they would be under active attack.

    Service providers on the other hands, must protect their routers because the BGP protocol used to distribute Internet routes between them, massively uses TCP. And when routes go missing, it is hundreds if not thousands of routes to your favourite places that go unreacheable.

    The problem in the case of BGP is made worse by dampening, i.e. keeping the flapping routes out of the routing table for a certain amount of time (up to several hours). BGP routes dampening is not always configured. A determined attacker with this knowlege would be able to knock large portions of the Internet offline for hours.

  15. BGP vulnerable by Anonymous Coward · · Score: 5, Informative

    I happen to work for a large, nationwide backbone. We've known about this for about a week now. BGP, configured without an MD5 key (as is usually the case) is extremely vulnerable to this exploit. This is the reason for the top-secret effort in the past week to MD5 all peering sessions, both internal and external on most major networks worldwide. Without this, it's trivial to exploit, in fact we already have source code provided by the NCISS. Input a few IPs and BGP's TCP port number, and wham you take down a peering session. For those that don't understand what this means, prior to the security changes that have been implemented in the last week, the global internet was largely susceptible to this flaw in such a way that major portions could have been taken offline easily. A priority was put on this within the intra-NOC communications channels that exist that has never been seen before to lock this down before the public knew about it. We were embargoed by DHS to not release the information until tomorrow.

  16. Known issue by httptech · · Score: 5, Informative
    Apparently this has been known about for a while. Here's an excerpt from an IETF draft on BGP vulnerabilities from June 2003. Section 3.2.1.4 specifically mentions the attack described by Watson: From http://mirrors.sunsite.dk/drafts/draft-ietf-idr-bg p-vuln-00.txt

    3.2.1.4. TCP RST/FIN/FIN-ACK

    Event 18: If an attacker were able to spoof a RST, the BGP speaker would
    bring down the connection, release all associated BGP resources, delete
    all associated routes and run its decision process. If an attacker were
    able to spoof a FIN, then data could still be transmitted, but any
    attempt to receive would receive a notification that the connection is
    closing. In most cases, this results in the connection being placed in
    an Idle state, but if the connection is in the OpenSent state at the
    time, the connection returns to an Active state. Spoofing a RST in this
    situation requires an attacker to guess a sequence number that is in the
    proper half of the sending window, generally an easier task than
    guessing the exact sequence number so as to spoof a FIN. The use of [5]
    will counter this attack.
  17. Here is what to do... by GPLDAN · · Score: 5, Informative

    The article is being presented at CanSecWest, and is called "Slipping in the Window" by Paul A. Watson. I have two friends at CanSecWest, I've asked them to attend and report back what the feeling is.

    NANOG members are talking about it, and several regional Tier-1 players have already issued customer notifications.

    This exploit goes up against TCP connections that have been established for long periods of time. i.e. not web connections. The most prevalent would be BGP peer connections, which can be up for days on end easily. Without having read details, or the paper itself, by forging packets of BGP peers with adjusted window sizes, you can cause a router to reset (possibly hang, depending on IOS or JunoOS version, not sure about this) it's BGP peer connection. If you were doing eBGP and had your own AS, a directed attack against your gateway routers could force flapping, which would cause route dampening, and lead to denial of service.

    What you need to do, is contact your ISP if you are an enterprise network admin, and establish MD5 authentication on your BGP sessions. Check with Cisco or Juniper and find out if your code will drop non-MD5 BGP packets directed at it. An ACL won't do, the attacker would forge the src-ip of a known peer.

    This is a completely non-trivial attack to coordinate. You need to know the IP address of the BGP peer of a customer, or the route reflector, and then get the IP address right in an attempt to bypass ACLs and get the BGP session to hang. eBGP multihop means that IP could be any number of routers, and unless you have inside info, you don't know what it is.

    Potentially, looking glasses could be used to mount attacks at NAPs or other peering points, but again, I think the major players will be ready for it very shortly, and will spend most of today (if they are any good) coordinating with legal teams to slam the shit out of any forged sessions they see, and start cooperating to run traces with other providers.

    If I could editorialize one moment, none of this would be an issue if providers took better care to implement anti-spoofing techniques. Forged src-ip addresses are the bane of security. Most of these attacks don't care about 2-way communcations, they just want to reset connections. Spoofed src-ip lets them do that. Rant off.

  18. Re:It's Al Gore's fault... by hambonewilkins · · Score: 5, Informative
    Vinton Cerf: Good evening, or whatever time zone you are in, hi!! While we're waiting for questions, I'd like to clear up one little item - about the Vice President ... He really does deserve some credit for his early recognition of the importance of the Internet and the technology that makes it work. He was certainly among the first if not the first in Congress to realize how powerful the information revolution would be and both as Senator and Vice President he has been enormously helpful in supporting legislation and programs to help further develop the Internet - for example the Next Generation Internet program. I get to see a lot of this stuff because I am a member of the President's Information Technology Advisory Committee and we regularly review the R&D programs of the US Government and many have relevance to the evolving Internet.

    Real quote.

    --

    God Bless America. Why? Did it sneeze?
  19. Windows also safe by MrHanky · · Score: 5, Funny
    In a press release from Microsoft, Bill Gates states:
    All Windows versions from 3.11 to 2003 are quite safe from this exploit, since Windows also supports the famously reliable NetBEUI protocol. In a proactive measure, Windows update will remove support for TCP/IP and ensure that all updated computers have support for NetBEUI only. NetBEUI will once again rule the earth! Take that, Steve! No, not you, Ballmer, the other Steve. The hippe. Woahahahahahaha!

    In a quickly following press release, Bill Gates adds:
    Woahahahahahaha! Hahahaha! Hahaha! Thank you.
    1. Re:Windows also safe by markan18 · · Score: 5, Funny

      Security Update for Windows XP (KBTCPDRM-666)

      This update addresses the vulnerability addressed in Microsoft Security Bulletin 666. Find out about more recent critical updates in the Overview section.

      File Name:

      WindowsXP-MSTCPDRM-x86-ENU.exe

      Download Size:

      1261 GB

      Date Published:

      4/20/2004

      Version:

      666

      Overview

      This patch fixes criticals security vulnerabilities present in Windows TCP stack.
      This patch also add the new DRM TCP extension.
      When is patch is applied, your computer will connect to drm.microsoft.com prior establishing any other connection to make sure the requested end point is an authorized Microsoft partner. All rogue packets are now rejected and reported by the Windows TCP-DRM firewall (TM).
      This patch also upload the registry key HKEY_LOCAL_MACHINE and all subkeys and values to drm.microsoft.com so we can make sure all software is used according to their end user licence agreements.

      System Requirements

      Supported Operating Systems: Windows XP

      Windows XP Professional
      Windows XP Home Edition

    2. Re:Windows also safe by Cruciform · · Score: 5, Funny

      Some moderators are just in a dire need of a blow job.

      Nice of you to volunteer, looks like their outlook has improved already :)

  20. Does the affect tcpip/cp? by Craptastic+Weasel · · Score: 5, Funny

    I am a lonely man living on the Galapagos Island. I use TCP/IP over carrier pigeon to communicate with a Nigerian who has promised my great wealth in exchange for securing funds in the First Galapagos Bank, of which I am owner/ceo/clerk, and janitor.

    I suspect someone is interupting my data stream and keeping the replies and account numbers he has been sending me in regards to my money. This vulnerability proves my theory. I am in desperate need!! How can I prevent this!!

    Anyone willing to help I will share my wealth with.

    /obscure humor (Does this make me a Galapagos Spammer?)

  21. What details, the info is already out by Anonymous Coward · · Score: 5, Informative

    The NISCC articles explains things clearly. Nobody needs any more information. Besides, this "new" attack was already known. People just didn't realize how easy it is.

  22. Link to US-CERT TA04-111A by Ascaroth · · Score: 5, Informative

    Here's a link to US-CERT's TA04-111A on this topic.

  23. Simple BGP solution has been around since 1998 by jroysdon · · Score: 5, Informative

    As they state, there is a simple solution: TCP MD5 Signature Option with BGP. Any ISP worth their salt will already be doing it. The rest will learn the hard way.

    This has been supported in Cisco IOS way back since ~1998 in IOS 11.2 .

    Read the BGP "Bible": Internet Routing Architectures or look at any best-practices guides which will state that TCP MD5 sigs should always be used with BGP.

    Or search CCO:

    router bgp 109
    neighbor 145.2.2.2 password v61ne0qkel33&

    It's just a single line that has to be added to both peer sides.

  24. NISCC slowing, here is the meat summary of article by JPriest · · Score: 5, Informative

    The issue described in this advisory is the practicability of resetting an established TCP connection by sending suitable TCP packets with the RST (Reset) or SYN (Synchronise) flags set.

    The packets need to have source and destination IP addresses that match the established connection as well as the same source and destination TCP ports.

    The fact that TCP sessions can be reset by sending suitable RST and SYN packets is a design feature of TCP according to RFC 793, but a reset attack is only possible at all because the source IP address and TCP port can be forged or "spoofed".

    Although denial of service using crafted TCP packets is a well known weakness of TCP, until recently it was believed that a successful denial of service attack was not achievable in practice. The reason for this is that the receiving TCP implementation checks the sequence number of the RST or SYN packet, which is a 32 bit number, giving a probability of 1/232 of guessing the sequence number correctly (assuming a random distribution).

    The discoverer of the practicability of the RST attack was Paul A. Watson, who describes his research in his paper "Slipping In The Window: TCP Reset Attacks", presented at the CanSecWest 2004 conference. He noticed that the probability of guessing an acceptable sequence number is much higher than 1/232 because the receiving TCP implementation will accept any sequence number in a certain range (or "window") of the expected sequence number. The window makes TCP reset attacks practicable.

    Any application protocol which relies on long term TCP connections and for which the source and destination IP addresses and TCP ports are known or can be easily guessed will be vulnerable to at least denial of service attacks

    --
    Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
  25. IETF TCP Security Considerations draft by BrewerDude · · Score: 5, Interesting

    There is a new Internet draft addressing this issue.

  26. Neither forgotten nor stupid by shostiru · · Score: 5, Informative
    The relevant parts of this vulnerability are 1) that RST attacks are much, much easier than formerly thought, making them possible for your average broadband sub, and 2) that BGP in particular is highly vulnerable, given the consequences of a terminated BGP session.

    A recently published I-D (here) claims 200 seconds is sufficient time for a broadband sub to successfully attack a TCP session, provided their ISP doesn't use egress filtering (and way too few do so).

    This is rather serious. Whether you personally aren't susceptible is irrelevant if your upstreams are.

    1. Re:Neither forgotten nor stupid by Tackhead · · Score: 5, Insightful
      > A recently published I-D (here) claims 200 seconds is sufficient time for a broadband sub to successfully attack a TCP session, provided their ISP doesn't use egress filtering (and way too few do so).

      Maybe it's about fucking time ISPs started using egress filtering. At the very least, there'd be an order of magnitude less crap (smurfage, etc) if ISPs dropped spoofed source IP packets before they got to the backbone.

      OK, so the ability of any skript kiddie to spoof and insert a BGP update is a pretty fucking huge mess. But "pretty fucking huge" it may be the only kind of mess that motivates the clueless fucktards pretending to be "ISPs" these days.

  27. The real problem? by getnuked · · Score: 5, Insightful
    The real problem is not in TCP (although sequence number windows are a bad idea), it's in allowing in spoofed IP datagrams. If network admins locked down their routers correctly then script kiddies wouldn't be able to send forget packets, and this wouldn't be an issue.

    Note to netadmins and sysadmins: block packets with source IPs that are not valid for the interface they came from! Geesh!

  28. Old news from 1998 and probably before by weld · · Score: 5, Interesting
    Mudge from the L0pht talked about taking down the internet in 30 minutes with a router DoS attack in front of the US Senate in May 1998. Privately the L0pht told NIPC that this could be done with a BGP TCP reset attack. L0pht said it could be mitigated by doing ingress/egress filtering but that ISPs were to lazy and cheap to do it.


    In Aug 1998, RFC 2385 came out with protection of BGP with MD5 signatures. Using MD5 sigs will defeat this attack.


    This is a well known issue with well known solutions. If the infrastructure is at risk it is because ISPs haven't been doing their job and following best practices.


    -weld

  29. Re:NISCC slowing, here is the summary of article by JPriest · · Score: 5, Funny
    BTW, I pasted this here mostly as damage control. I know how some people (and yahoo apparently) like to fly off the handle and claim the world is ending without bothering to even RTFA. You wonder why some people are Afraid to use a computer. If I wrote for the auto industry and intentionally tried to scare the shit out of people Detroit would sue me off the map.

    There is a new vulnerability that will cause every GM vehicle and cause your children to cry. Vandals can place 1 domestic house cat into the fan and cause the fan to stop and under some cases, cause the vehicle to overheat. This was previously written off as house cats are usually soft ans squishy and have little effect on the powerful fan but Joe Shmoe PHD realised that many house cats have colars that are pretty tough for the fan to digest. Car experts say this is a serious problem and will be dealt with in a serious manner. Suggested work around is to keep your cat tied in the house, and to drive a bicycle instead.

    --
    Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
  30. Re:This is new?? by Geoff-with-a-G · · Score: 5, Informative

    Maybe I missed something in the advisory, but this sounds like a good old TCP reset attack...

    You did.

    The news here is that you no longer require the sniffer, because you don't have to know the exact sequence number. Now you just have to be kind of close. How close apparently varies in size amongst vendor implementations.


  31. That took long enough by Anonymous Coward · · Score: 5, Informative

    This came up on the linux-kernel mailing list two years ago during a thread on TCP MD5 stuff to avoid this very problem. Why is it just now making a splash?

    This post from Alan Cox covers it nicely. Also see the rest of the thread.

  32. Re:More from Theo (was Re:OpenBSD is safe?) by c_ollier · · Score: 5, Funny

    For us, those issues are 1/50000 smaller than they are for other vendors.


    So, they are 50,000 times bigger ?


  33. Re:NISCC slowing, here is the summary of article by wideBlueSkies · · Score: 5, Funny

    Besides the fact that their little kitty bones could get into the works and actually stop the fan.

    I'd say this is a real threat. We need to protect our SUV's from the mobs of 1337 haxor kitten terrorists! I propose bombing __insert country here__, under the guise of giving them democracy and freedom, and simultaniously pass some laws at home which take away some of our freedom.

    --
    Huh?
  34. Re:NISCC slowing, here is the summary of article by jcenters · · Score: 5, Funny

    Suicide terrorist kitties?

    Al-Kitty?

    Yes, that was corny, and no, I couldn't resist.

    --

    vi ~/.emacs

  35. Re:NISCC slowing, here is the meat summary of arti by janoc · · Score: 5, Insightful

    Yep, sure, however, if you flood the network with your packets, it will be probably noticed soon. Also in order to flood the network, you need a fast connection to the attacked host, reducing the problem to the immediate neighborhood of the attacked host. That's why this attack is not very practical to perform and the impact on most normal mortals is low (except for the BGP issue, which could take out your upstream router)

    The problem with BGP, which is mentioned in the original article, is that it has a particularly bad failure mode - when a BGP session goes down, it is very expensive to restart it. To top it off, BGP uses very long transmission windows (because it transfers lot of data and that is more efficient with longer windows) and that makes it easier to squeeze-in the spoofed packet. This is quite messy affair, when it happens.

    However, if somebody attacks your favorite web site in this way, I doubt that you are even going to notice it, since http sessions are stateless and comparably cheap to establish.

    So, I think this is just a big scare for nothing, it is mainly BGP issue for now. It affects just people who know how to fix it (and are fixing it right now) and the machines involved are relatively few. Unlike some Windows RPC exploit which unleashed a massive world-wide worm in few minutes.