Secret Repairs Preceded TCP Flaw Release

efranco cuts and pastes: "Only the math had changed. But the emergence of a workable exploit for an old TCP security hole prompted a secret initiative to fix the Internet, giving network operators a week to secure vulnerable routers. The clandestine repair effort livened an already intense period for security pros already juggling a bevy of Windows security patches." We ran a story on a this a few days ago.

Cisco Fix

[thebra]

is here as posted from an article on the register.

Re:Cisco Fix

[robslimo]

When the previous /. story was posted about the TCP flaw, I checked out the NANOG mailing list.

There was plenty of discussion about it, including various vendor issues (Cisco and Juniper) & fixes, as well as some ISPs dragging their feet on implementing MD5 over peer links. I could tell from some of the things mentioned there that they (the network ops) had advance knowledge of the vulnerability.

Most interesting was this about looking glasses being too free with info that would allow a TCP reset in one try.

Re:Cisco Fix

[dknj]

I could tell from some of the things mentioned there that they (the network ops) had advance knowledge of the vulnerability.

Yup.

-dk

Good work, Al!

Only a week? I'm impressed at the speed with which Al Gore addressed the issue.

Looks like this is the way it's gonna be...

[pointbeing]

These days it's risky to release information about a security vulnerability without having a patch in place first. Look at Blaster - I believe that the author *used a security bulletin* to write the worm and then just targeted unpatched machines.

I think we're gonna see a lot more of this. If you release information before you fix it these days you're just inviting people to test your shiny new vulnerability ;-)

Re:Looks like this is the way it's gonna be...

I agree that it's risky to release this kind of information without having a patch in place first.

But sometimes this kind o fuzz can hurry software vendors to release the patch.

Re:Looks like this is the way it's gonna be...

[burtman007]

This poses an interesting dilema then: Is it better to release information on a discovered vulnerability if you know about it, or should you not release it and hope you can patch it before anyone else discovers it?

Re:Looks like this is the way it's gonna be...

[WwWonka]

I think the scary thing is the average shrinking time period between published vulnerability and working published exploit/worm.

In the past it was well over thirty days, but recently that has dramatically decreased to less than that. With Microsoft's new policy of new patches every thirty days (if there is a need for them) it more than widens that window of oppurtunity for mass system compromising prior to a patch.

Re:Looks like this is the way it's gonna be...

[adrianbaugh]

You could always release it to the company whose product is affected and give them $suitable_time to fix the vulnerability before you post on Bugtraq. That way it isn't just you that's working on a fix, and you look like you've tried to be a responsible netizen when, having failed to fix the problem in $reasonable_time, their shit gets cracked to pieces. That has always been the responsible way of announcing vulnerabilities; I don't see that this changes the situation.

Re:Looks like this is the way it's gonna be...

[badriram]

But as with most MS patches, the vulnerability is rarely ever published before patch. But if someone does decide to, we would be in hell.

But i do agree about the shrinking time period, i am just waiting for new worms that use one of the new flaws.

Re:Looks like this is the way it's gonna be...

Yes, "script kiddies" and amateur hackers will definitely continue exploiting already-widely-known vulnerabilities, and automated worm tools will make it easier for them to do it quickly.

However, moderately talented hackers will still be able to find and exploit vulnerabilities before they are widely known (i.e. when they are known only to a handful of hackers and possibly the software vendor, but no public disclosure has been made). This latter group makes fewer headlines but is far more dangerous.

Already, the industry is making noises that details about the nature of the exploit should not be made available--that the vendor should just release a patch and announce to their customers "Install this. We can't tell you why." As a customer, you don't know what component you're touching, you don't know what's changing, and you don't know how to test to see if the bug was actually fixed. Blindly installing unlabelled patches is the end result of this "disclosure creates exploits" discussion.

Disclosure does not create exploits, however. Disclosure increases the ability of amateurs to add their exploits to the pile of existing exploits. Pros, generally speaking, don't write worms that hit the whole internet. Pros break into single systems and steal data. They don't make the news, but the damage they do is much worse.

Don't buy the Microsoft-Symantec party line. Full disclosure helps more people than it hurts. The day you become vulnerable is the day you start using software with bugs, not they day the vendor is finally convinced to make a vulnerability announcement.

Re:Looks like this is the way it's gonna be...

[dubdays]

That is an interesting question. I guess it would depend on where the vulnerability resides. For example, if the TCP problem could be fixed at routers of the internet backbone, then would it be beneficial for the public to have specific knowledge of the vulnerability? No, because it would lead to attacks before all equipment/software could be fixed.

However, I can see how it would definitely be beneficial to release data to he public in other circumstances. Think about any/all OS specific threats. If those aren't released to the public, no one would even have the opportunity to fix them.

Ultimately, I would say that vulnerabilities that lie within the realm of the end user should be made public. Those threats that would undermine the entire internet infrastructure are probably best left in the hands of those who can be trusted (as much as possible) with the knowledge, because publicly documented threats do not only go into the hands of those who are benevolent.

Re:Looks like this is the way it's gonna be...

[RealityMogul]

Are you talking from a customers standpoint, or a vendor?

At the place I work, if we find a severe bug, we personally call every company that has that version of the software and have them download an update. My company doesn't produce networking software though and we only have 50-75 companies running any given version of our product at one time. This is usually bugs that affect mathematical calculations though or cause database corruptions.

From the point of view of a customer: if I found a serious flaw in our Cisco routers, I would report it to them and ask for a way to protect myself against it until an official patch could be released. If a means of protection could not be recommended I would work on a solution myself. I would not make the information public. I would have already informed the ones that are capable of truly fixing the problem. Publicly releasing the info would not benefit me in any way unless I was a security products vendor hoping to cash in on Cisco's failure.

Re:Looks like this is the way it's gonna be...

[David+Hume]

These days it's risky to release information about a security vulnerability without having a patch in place first. Look at Blaster - I believe that the author *used a security bulletin* to write the worm and then just targeted unpatched machines.

I wonder if this is a variation of the argument regarding whether we should "Slow Down the Security Patch Cycle?"

The story you tell about Blaster is similar to the Computer World story regarding the Witty worm:

Until managed applications become the norm, however, we need a better process for distributing patches. The Witty worm, released March 19, provides a good example of why this is true. The Witty worm affects products produced by Internet Security Systems Inc. (ISS). It exploits a vulnerability in the Protocol Analysis Module software component used across the ISS product line. Affected software products included the BlackIce firewall products and RealSecure security products (see story).

* * * *

Lastly, and most importantly, once the patch was released, the exploit was released the very next day. This wasn't a coincidence where the exploiters just missed having a zero-day exploit. If the patch had been released a week earlier, the worm also would have come out a week earlier.

The patch had the specific information embedded in it that the exploiters needed, and the exploiters already had the expertise and tools required to rapidly make use of the information.

Re:Looks like this is the way it's gonna be...

[sir_cello]

It's not only risky, it's possibly actionable in a court of law (to be tested) if someone discovers a vulnerability and negligently releases it causing panic and disruption. There are precedents in copyright and confidential information that reduce or penalise the defence of "in the public interest" where the disclosure was not responsible. For example, in some cases it is better to go to the police first. If the police don't resolve the problem in adequate time, then it's justified to take it a more public stage.

In the same way, this is what happened here, and what "Limited Disclosure" is about: a small window of opportunity for vendors and operators to address the problem before it is openly released. It puts pressure on the vendors: they know that if they don't come up with a fix or workaround, then the vulnerability will be publically known, and they'll have customers screaming down their throat.

I've worked in product development and been on the recieving end of a large public newsarticle about the SNMPv1 ASN.1 problems discovered in Finland: a good percentage of customers called us up and watched a patch yesterday. Fortunately, the SNMP vendor for our third-party SNMP library had already resolved the problem in the past, and we'd included the fix in the recent release and we could tell the customers this. They were very pleased!

It's a good social contract.

Re:Looks like this is the way it's gonna be...

[Slime-dogg]

I am for that. If the information is not released after a reasonable amount of time, the company may never take responsibility for it being there. We've witnessed this several times from a certain big company. Also, the moment that the vulnerability goes public, there should be a side note that says "The company was repeated informed of this vulnerability over a span of X months , but chose not to improve the quality of their product."

If massive numbers of users are infected by a virus created as a result of this announcement, then the company should be held completely responsible. They would have had months to address the issue, but chose not to.

Re:Looks like this is the way it's gonna be...

I'd like to point something out here... When someone finds a vulnerability in windows, they run to the streets and shout it out with glee. Likely to show the world how clever they are in finding it, and also likely that they are anti-microsoft and want so spread the gospel about another alternative OS. I'd also like to point out that this type of behaviour can be used as propaganda. Let's look at the following scenario:

1.) A find a bug in our code.
2.) I fix it.
3.) I tell my boss about this nasy bug in our code.
4.) I then inform him that I have switfly found the solution and implemented it.
5.) I inform him that I ust be the solution to all of his problems.

Apply this to the open source world. Find a bug, fix it, tell the community, patch it. Look how great open source is, the patch is available immediately after the bug report. Is open source really better, or is the perception better?

In the non so open sorce world. The following strategey would be applied.

1.) find a bug.
2.) fix it.
(skip telling anyone)
3.) patch all customer base

The people running your software, wether it be open source, proprietary, or whatever, don't care what bugs you find, all they care about is what bugs they find. Now if security is compromised because of a defect, then certainly they found it, they just may not know they found it.

Re:Looks like this is the way it's gonna be...

[arkanes]

I agree with the social contract aspect, but you're way off base with it being actionable to report flaws, at least in the US. The "precedents" you're talking about are where theres an existing contract, like an NDA in place. You could _possibly_ be liable if you caused a panic and the exploit wasn't real. You ARE, of course, susceptible to scare tactics like DMCA and libel suits, where there's no real case but they want to pressure you to shut up.

Re:Looks like this is the way it's gonna be...

[SteveM]

Publicly releasing the info would not benefit me in any way unless I was a security products vendor hoping to cash in on Cisco's failure.

I mostly agree.

If the vendor refuses, within a reasonable time frame, to fix the problem taking it public may be the only way to force them to do so.

You might also consider that while you may have a means of protection (vendor supplied or home grown) others are still vunerable. And this may impact you. And thus it may be to your benefit to alert others.

SteveM

Re:Looks like this is the way it's gonna be...

Almost all worms based on Microsoft OS vulnerabilities were released MONTHS after the patch was made public.

Re:Looks like this is the way it's gonna be...

[innocent_white_lamb]

You could always release it to the company whose product is affected and give them $suitable_time to fix the vulnerability before you post on Bugtraq.

The obvious problem with that approach is that the fact that there is no guarantee that you, as the discoverer of the vulnerability, are the first or even the fiftieth person to discover it.

Therefore, while you're being a nice guy and letting Company X have the time to repair their software, the other 49 (or 4900) black hats are exploiting the hell out of other peoples' networks.

Tell me there is a bug and no fix available yet, I can take my systems offline or disable something or at least consider some protective action of some kind. Don't tell me there's a bug and I'm a sitting duck until someone bothers to make mention.

The first option seems better to me.

Re:Looks like this is the way it's gonna be...

[RealityMogul]

Very true. If an upstream router is comprimised it could screw up my services even though I am not vulnerable.

Maybe the department of homeland security could put some pressure on the vendor to fix the problem. But I'm a little paranoid and would have reservations about discussing a security hole that I found with the current government without being labelled a terrorist.

Re:Looks like this is the way it's gonna be...

[theLOUDroom]

You could always release it to the company whose product is affected and give them $suitable_time to fix the vulnerability before you post on Bugtraq. That way it isn't just you that's working on a fix, and you look like you've tried to be a responsible netizen when, having failed to fix the problem in $reasonable_time, their shit gets cracked to pieces. That has always been the responsible way of announcing vulnerabilities; I don't see that this changes the situation.

Well, let me give you a hypothetical situation where this is NOT the reasonable solution:
You discover an OS vulnerability, not by chance, but because someone exploited it to steal your online banking information. With a little reseach, you find out that the work is being done by some zombie net with thousands of nodes that will take forever to shut down.
The OS vendor has a piss-poor security record and you KNOW that they will take forever to release a patch, but you've found a temporary fix that while removing certain functionality, prevents the exploit.
Should you:
A) A post full-disclosure immediately, allowing users to quick-fix their systems and preventing countless acts of information theft.
B) Send an email to the vendor and wait when they tell you it's going to take 6 weeks to fix.

The problem with your approach is that it assumes no one but the vendor can do anything about the problem. The user always has the choice to quit using the affected product.

Re:Looks like this is the way it's gonna be...

[Garak]

Ofcourse a worm can be written much faster than a patch. A worm's test is its release, you don't have to write any documentation or be slowed by a development team, and you don't care about any side effects it may have(the more the better).

Re:Looks like this is the way it's gonna be...

[j3110]

Man, I watched a guy write an exploit for this one. They're incredibly simple to write, and had he actually knew C or just wrote it in Perl, he would have had it done in less than 4 hours. He didn't release it obviously, but anyone worthy of the title "coder" or "software developer" can do it probably in a matter of minutes with a respectable library of code that makes template packets for you to fill in the fields and takes command line arguements. The hardest part seems to be working around the little quirks of C and tcp/ip libraries, which I helped him with for a while.

He does this as proof of concept and to test a fix... how else are you going to know if a machine is secure if you don't at least knock on the door a little? Sometimes he sends them up the corperate chain so they can know how serious the issue is and how can test various ways to fix the problem.

Exploits are probably easier to write than patches, and it's always been this way. The big deal is that it's a lot easier to exploit than distribute the patches.

Until the internet and software in general is redesigned by a group of people that weren't trained by baboons who prize speed above security, this kind of thing is going to plague the computing world. Code signing fixes a set of problems, and IPSec fixes another. Cryto-technology is the only real weapon there is against these kinds of things. Drop anything that isn't signed by someone you trust, and you'll never have a virus or exploit that doesn't involve the physical layer (looking over someone's shoulder, key loggers in the keyboard, untrustable users, etc.). If it's not signed by someone you trust, then you can't trust it.

Re:Looks like this is the way it's gonna be...

[E-Rock]

Yea, the same users who don't install well known years old patches are going to search out and early adopt a patch from 'some guy'. Puhleeze.

Re:Looks like this is the way it's gonna be...

[theLOUDroom]

Yea, the same users who don't install well known years old patches are going to search out and early adopt a patch from 'some guy'. Puhleeze.

Those are the users who are going to ge hosed no matter what. It doesn't matter if you choose A or B they're still going to get owned.
Since you can't do anything about them, you should be worried about they people who are actually going to do something once they hear the announcement.

Re:Looks like this is the way it's gonna be...

[adrianbaugh]

If the company has a long record of being useless, of course, that would suggest that giving them time to fix the problem is wasted time, in which case full disclosure is probably the best option. That's probably also the case in the situation you describe, where you know for sure that a vulnerability is being exploited in a potentially serious or widespread way; in that case there isn't time for the niceties of advance warning and obviously admins need to be warned ASAP. But it's still good form to get word to the company first, or at least at the same time, so that they can try to fix the problem as soon as possible.

Re:Looks like this is the way it's gonna be...

There's a fundamental difference between your scenario and the traditional vulnerability discovery: the existance of an attack in the wild. In your case, you are not so much writing up the discovery a vulnerability as you are writing up a report on an attack that just in your scenario exploits a previously unknown vulnerability.

Why is this important? Most people have this dualistic view of the world that tends to come down to the concept of inevitability. See, in your scenario, the attack is already out there, that is, it is inevitable there will be an attack because an attack already exists. Releasing an immediate writeup of workarounds is considered a good thing because you will be protecting people from an attack in the wild. Of course, informing the vendor and the antivirus/personal firewall crowds at the same time would be a good thing. Not only will this increase the likelyhood of your workarounds being implemented while the vendor works on the patch (by being recommended on "reputable" sites), but it could provide increased protection against the attack if the AV vendors could incorporate signatures into their products.

Now compare this to a vulnerability report about a new vulnerability without any attacks in the wild. In this case, most people don't see the attacks as inevitable. In fact, thanks to certain minor propoganda that occurs these days, they see the report as precipitating the attack. Thus if you release the report without reasonable effort to contact the vendor for a patch, they see you as the "evil" one for "telling" the malware writers a new way into their system. In their minds, if you hadn't of released the report then the inevitability would be that there would be no attack (let's not get into how this isn't technically correct, we're talking about Joe Public here, not security experts). That's why most vulnerability discovers should work with the vendor on patches or mitigations before releasing the report. Otherwise people will really start to make the false assumption that it's the vulnerability discovery that's the problem, instead of the vendor's flaws.

Re:Looks like this is the way it's gonna be...

[theLOUDroom]

If the company has a long record of being useless, of course, that would suggest that giving them time to fix the problem is wasted time, in which case full disclosure is probably the best option. That's probably also the case in the situation you describe, where you know for sure that a vulnerability is being exploited in a potentially serious or widespread way; in that case there isn't time for the niceties of advance warning and obviously admins need to be warned ASAP. But it's still good form to get word to the company first, or at least at the same time, so that they can try to fix the problem as soon as possible.

I can understand that viewpoint, but the are some key flaws in the whole "notify the vendor only" approach. Personally I wish things in the security business went this way:

1. Flaw is discovered and vendor is notified immediately
2. Flaw is posted to a weekly full-disclosure list
3. Admins pull affected software off the net until a fix is released
4. Admins wait for a fix or put the service back up using different software

Another possibility would be to have a trusted third party that gets notified at the same time as the vendor. The resaon for this:
In my example I theoretically found out there were thousands of zombies. Let's say I didn't do all that research. What if an exploit is rampant in the wild, but people are only reporting it to the vendor?

I think that's a key failing of the "only tell the vendor" method. You could have 500 people complaining to the vendor, and vendor probably wouldn't warn anyone else because they don't want the bad PR.

Re:Looks like this is the way it's gonna be...

[theLOUDroom]

There's a fundamental difference between your scenario and the traditional vulnerability discovery: the existance of an attack in the wild. In your case, you are not so much writing up the discovery a vulnerability as you are writing up a report on an attack that just in your scenario exploits a previously unknown vulnerability.

But here's the tricky thing:

What if I notice a successful attack, but only report it to the vendor, because I don't think it's "widespread" and then 500 people do the exact same thing?

The cat is clearly out of the bag and the info needs to be disclosed ASAP, but the vendor will probably sit on it until they get around to fixing it and then downplay it because they don't want bad PR.

The only way to really know if something is actually being exploited is full-disclosure. Telling a trusted third party might be a possible solution, but a consensus on a trusted third party would never be reached. Organizing hackers is like herding cats.

Re:Looks like this is the way it's gonna be...

Again, you are talking about an attack, something that is already "out there" in the minds of the general public. There's nothing preventing you from knocking at CNN's (or any other media resource) proverbial door and go "hey, I was attacked and the vendor did nothing, want to have a story about it".

In the minds of the public, this falls under the pervue of consumer protection because the vendor failed to act on an actual attack. The general public cannot abstract how this is the same as the vendor not acting on a vulnerability that MIGHT become an attack. I'm not saying that technically the two problems share the same root. I'm saying the public as a whole (which has very few security saavy people) doesn't see the connection between the two. In the attack case, they see concrete evidence of an attack. In the vulnerability case, they see the nebulous possibility of a future threat that, in their propogandized minds, is actually made worse by your report of it. Again, technically not correct, but we aren't dealing with technical people here.

It's the court of public opinion we're dealing with, and if you want to keep that from turning like rabid dogs on the innocent security researchers, responsible disclosure should be practiced in cases were there is no active attack circulating. This means informing the vendor via multiple channels (if it's vital, don't just count on email to some generic address), giving them reasonable time to work on the issue, prompting them multiple times if you don't get a response, and basically making a "good faith" effort to give the vendor ample time to fix the problem (and document your efforts extremely carefully). If the vendor doesn't respond to your issue within a reasonable time frame (give them at least a couple weeks), then you can disclose, but make sure to include your documentation of your efforts to contact the vendor. Don't just go posting the issue immediately based on the past performance of the vendor. Always give the vendor an opportunity, then it is absolutely clear that the vendor dropped the ball. It reflects badly on all of us when one discloses a vulnerability that doesn't have an active attack without informing the vendor.

Re:Looks like this is the way it's gonna be...

The MS fix for the RPC DCOM 'sploit, when applied to a computer, killed Autodesk files for Viz and I believe 3D studio Max. So many of us who work with Autodesk products couldn't install the patch.

Also. Right now four of my servers are not patched for a specific vulnerability because they have Compaq SMART RAID arrays and installing Microsofts patch on them kills the RAID arrays and makes the systems unbootable. Microsoft even tells you as much before you download that specific patch.

So WTF am I supposed to do? Until FlexLM, Viz and Max run on something other than Windows I am stuck with microsoft. Do I patch my stuff thus killing it all and losing my job or do I leave it unpatched? Well, I leave it unpatched.

Re:Looks like this is the way it's gonna be...

[subterfuge]

Your approach is fatally flawed.

Consider this:

I work for a medical insurance company whose claims processing front-end is an application which is only available on a certain GUI-centric OS. An earlier episode of proactive-geekitude is now paying off in the form of email bullitins indicatiing that #s 1 and 2 in your scenario have taken place and this app and/or OS is effected (it does not matter which).

Now assume step #4 takes 'only' 6 months to arrive. If I followed step #3 the result is that approximately US$2 billion of medical bills will not have been paid. Yes, that is a 'B' and represents only my company - there are many more using the same software/OS and doing multiples more in annnual pay-out. Presumably, they would also have been down until patched.

It is simply not possible to do what you suggest in the real world. The cost of your approach makes it undoable [is that a real word?]. I'm in day 1 of a 2 day 'upgrade' to the aforementioned app. We spent 4 months in prep work and testing the get to a 99.99someodd% certainty that we will have less than 48 hrs downtime. Early planning started in '02. And this is only a point release. Less than 2 hours after the DBA pressed the enter key to kick off the database conversion script I was approached by the Project Manager who inquired about per seat cost to upgrade the GUI-centric OS and its evil sibling office suite to the current version as it is a requirement for the full version upgrade he is planning for Q1/'05...

It is simply not an option to take down a mission critical app [and certainly not >7k instances of the GUI-centric OS and therfore ALL apps] until patched/repaired/replaced. It is barely possible to do so even if the purpose IS to patch/repair/upgrade the system(s).

Re:Looks like this is the way it's gonna be...

[toby]

You could always release it to the company whose product is affected and give them $suitable_time to fix the vulnerability before you post on Bugtraq. ... you look like you've tried to be a responsible netizen ... That has always been the responsible way of announcing vulnerabilities; I don't see that this changes the situation.

That used to be the procedure. But now that security research is illegal (DMCA), what can (and does) happen is the vendor calls the Feds on your ass instead. Nobody wins and the wrong guy goes to jail. "Brave new world..."

Re:Looks like this is the way it's gonna be...

[ichimunki]

If it takes six months for your vendor to deliver a critical patch for your critical systems or to issue some sort of advisory with useful advice on mitigating the risk pending an actual patch, I think you had better look at that approach to your systems infrastructure as fundamentally broken.

If you have a vulnerable system sitting around online six months after someone has discovered a flaw, that's six months that you could lose a lot more than your quoted dollar amount. You could lose your whole system to an attacker. You could lose every byte worth of customer data through that security hole.

Now, I'm not sure what kind of legal remedies there are for careless handling of this kind of data, but I think leaving a vulnerable system online in such a critical environment smells like a very expensive class action lawsuit waiting to happen.

Re:Looks like this is the way it's gonna be...

How you got moderated as insightful is beyond me. You spout a bunch of bullshit. A mob of script kiddies are far more dangerous than the lone asshole (who, according to you, "steals data", oooo, I guess script kiddies just wet their pants, huh?). And getting something fixed before disclosing a bug is a good thing. Disclosure should be for after there has been a chance to fix a problem.

As far as your statement that "Disclosure does not create exploits...", HA! Liar. Disclosure sometimes comes with exploits. We need a "Ignorant" moderation for the likes of you.

But you parroted the party line for /. and you were rewarded. Too bad you didn't post under a username and too bad /. doesn't have a killfile.

--posting anonymously as I am not parroting the party line

The Internet's broken?

When will I be able to download a fixed version?

Re:The Internet's broken?

[lukewarmfusion]

I'll have a copy on your desk by morning.

I once had a woman ask me if I could speed the Internet up for her presentation. I told her I'd open the valve up a little bit, just for her. *big smile* I love helping customers.

Re:The Internet's broken?

[dijjnn]

call your AOL customer service hotline. OR, you can talk to Al Gore, i'm sure that he's invented a better interweb.

Re:The Internet's broken?

[the+MaD+HuNGaRIaN]

As soon as we remove all the SCO code, we'll release a new version.

Re:The Internet's broken?

[clintp]

You forgot the obligatory *clickety-click* in there somewhere. And then offer to help with her disk space...

Re:The Internet's broken?

[jxs2151]

Go ahead and leave your password here and I'll get right on it.

Re:The Internet's broken?

Doesn't Microsoft release their patches on the first Tuesday of every month?

Re:The Internet's broken?

Ha!! I have you beat on that. I once finished upgrading the net in a bank. The receptionist comes up to me and tells me that the network is too fast her word processor is scrolling too fast. So I tie a knot in the network cable and plug it back into her net card. I AM, the king of customer satisfaction.

Re:The Internet's broken?

[Narkov]

You work for AOL don't you?

riiight...

"The clandestine repair effort livened an already intense period for security pros already juggling a bevy of Windows security patches."

Thank god there were NO linux security problems in that 'period' eh?.

Secret repairs!

The best kind!

"What are you doing?"

"Can't tell you."

"When will you be done?"

"Can't say."

"Is there anything you can tell me?"

"This will save your life."

"Really?"

"No."

Re:Secret repairs!

[thelenm]

... "Okay, then you're fired."

Re:Secret repairs!

[Discussing the fate of the Ark]
Maj. Eaton: We have top men working on it now.
Indiana: Who?
Maj. Eaton: Top... men.

Re:Secret repairs!

Reminds me of a job interview in the Bay Area...

Me: What does your company do?
Interviewer: It's a secret
Me: When do you plan to release something?
Interviewer: It's a secret
Me: What will I be doing?
Interviewer: It's a secret

Interviewer: When can you start?
Me: It's a secret

secret?

[oPless]

... Isn't.

TCP Vuln is a well known attack, way before '98.

MD5 authenticated BGP Sessions have been around for ages, it's just *lazyness* of peering vendors to implement it.

Re:secret?

*lazyness*

Despite wishful thinking, there is in fact an "I" in lazyness...

Re:secret?

MD5 authenticated BGP Sessions have been around for ages, it's just *lazyness* of peering vendors to implement it.

Since you're so smart, you can explain to the rest of us, uninitiated, how does security feature of layer 5 protocol (BGP) avoid security problem on layer 4 (TCP). This is like claiming that you have patched the linux TCP/IP stack so it isn't affected by somebody cutting your cable.

Sheesh! Informative my a**. TCP packet with R flag validated by MD5... Not reading articles is excusable, being technology challenged isn't.

Anonymous Cowards Unite

Re:secret?

[psmears]

The explanation is simple - the so-called "BGP security feature" is in fact a security feature at the *TCP* level (which puts MD5 signatures on each TCP packet): it tends to get called a "BGP" feature because network operators need to enable it in their BGP configuration (not to mention the fact that BGP is the only common protocol for which this TCP option is ever used).

It's not necessarily fair to accuse the operators of laziness though; the trouble with this fix is that both ends of a BGP peering session need to know the same "secret" (password), and it needs to be configured on both ends at the same time. So if you're a "good" ISP who wants to secure their network against this attack, you can't unless all the ISPs that you peer with will co-operate... this is largely the reason why it has not been implemented up till now...

(It's also the reason why this option can't be turned on by default in BGP...)

Re:secret?

[divisionbyzero]

What a troll. Yes, because everyone who doesn't setup MD5 is obviously lazy or stupid, unlike you and your smart friends. Please. There is obviously overhead with doing MD5 and it is reasonable not to use it for performance reasons. Anyway, as someone already mentioned, the vulnerability is in TCP which means the MD5 solution works for BGP, which is the most vulnerable, but does nothing for anything else built on TCP (e.g. DNS).

Re:secret?

dns is not built on tcp

Re:secret?

[oPless]

As someone else posted, one of the other problems is ISPs allowing spoofed packets out of their networks ... again due to lazyness.

MD5 isn't that hard for a BGP-capable device to generate :)

Re:secret?

[divisionbyzero]

In most cases it uses UDP, however, when doing a zone transfer it uses TCP.

Re:secret?

[divisionbyzero]

Sure, if it isn't doing anything else. Anyhow, it depends on the processor and the router, but in any case it will negatively impact performance. The question is whether the trade-off is worth it.

"super" exploits

[millahtime]

"super" exploits

What is a "super" exploit??? Not jsut an exploit but a "super" one. Are there any of these "super" exploits on any non-windows systems?

Re:"super" exploits

[The+Angry+Mick]

What is a "super" exploit???

It's the one with the red "S" on its chest . . .

Ba dum bump.

Re:"super" exploits

[Beatbyte]

no Linux is still working on the implementation of TCP... its not well documented enough so they have to reverse engineer it

(-:

Re:"super" exploits

[DR+SoB]

It's an exploit that could affect the core routers of the internet. This one could technical reset 100% of webtraffic going through a particular router, in theory. Of course, this won't make a lick of difference to your average webserver, as they handle many connection resets a day. It would only affect those sites that traffic is so large that if all connections were reset it would cause a flood of re-connects thereby socking bandwidth. This is more directed at always up type connections, such as Telnet, SSH (as the article points out), credit card traffic, etc.. HTTP is constantly dropping and connecting anyways..

Re:"super" exploits

[twbecker]

I don't know that it could really reset 100% of traffic going through a router. As the article states, most TCP connections don't last long enough for such an attack to be executed. BGP, one of the core routing protocols however, relies on relatively long TCP connections, and hence the exploit could seriously screw up internet routing.

Re:"super" exploits

[richard_willey]

What dinkleberries modded this up to a 5???

Let's make a few things clear:

The attack in question is a method to reset a TCP connection. The TCP reset is launched against one of the two end nodes participating in the TCP connection. The router has NOTHING to do with this. In theory, if an intermediate system like a router goes down, IP will simply find a new path arround the outtage.

The reason that routers feature prominently in this discussion is that Border Gateway Protocol uses very long lives TCP connections. In turn, this means that routers are very vulnerable to this attack. However, the vulnerability effects routers in their roles as an end nodes (sending or recieving data) rather than their role as an intermediate system (forwarding traffic)

Re:"super" exploits

--Are there any of these "super" exploits on any non-windows systems?

Yes, log on to your linux system as root and issue the following commands:

cd /
rm -f -r *

Consider yourself super exploited.

Re:"super" exploits

[DR+SoB]

And if a router is routing traffic between to end points it can't be targeted to close the session? What about a NAT router..? Proxy??

Re:"super" exploits

[cain]

Try the waitresses. And don't forget to tip the veal.

--
Cain.

Re:"super" exploits

[the+morgawr]

It can't be targeted unless the vendor has both an unsecure BGP protocal and a crappy TCP implementaion.

This isn't a TCP problem, it's just being billed that way because a bunch of vendors have crappy implementations of the above protocals. Yes, in theory this could affect everyone, but the difficulty of doing this type of attack on a system with a good TCP implementation is next to nothing.

Basically, the attack takes advantage of certain predictable behaviors that arn't in the spec but that most of the TCP implementations have to reduce the possible space of packets to something that is reasonably tryable.

Re:"super" exploits

[Gilk180]

And hence, the routing is screwed up and possibly 100% of the traffic through that router is dropped or routed inappropriately.

Re:"super" exploits

You mod's are so stupid sometimes... I think you take what's said on /. more seriously then anyone else, and think everyone is an expert. The parent was modded to +5 then down to +2 because someone questioned his accuracy? Umm, hello?? Why is it that Cisco clearly states that _ALL_ of their routers are effected?? I wish they're was a better modding system (ie., regular post or troll, and nothing in between) it sure would save us from having people take everything at face value.

It's the users' fault!

[heironymouscoward]

Any user without the technical competence to inspect and repair TCP/IP packets on the fly should not be allowed to use the Internet. Such vulnerabilities only exist because people too lazy and ignorant to download the patches for their Cisco routers!

Re:It's the users' fault!

[DR+SoB]

I don't really know what to make of what your saying, okay sentence one must be a joke right? Sentence two, are you aware _many_ network technicians have to look after upwards of 100 routers?

(It would be physically impossible to do what your saying, you can't inspect and repair a "Tcp/ip" packet? Block it maybe, although blocking ACK packets would fundamentally break TCP.IP? Even if you could don't'cha think you'd timeout the socket before you could re-transmit?)

Re:It's the users' fault!

[the_mad_poster]

Yes, you COULD "inspect and repair" packets on the fly by becoming the TCP/IP stack yourself and mangling them appropriately before acting on them.

I can only imagine what that would do to network speeds, however...

Re:It's the users' fault!

[DR+SoB]

And you think that TTL would be okay? LOL!!

Re:It's the users' fault!

you can't inspect and repair a "Tcp/ip" packet?

OpenBSD's PF has an option to "scrub" maligned packets on the fly. It's not perfect but it keeps machines that are susceptible to these packets safe.

Re:It's the users' fault!

That's BSD's program doing it, not the user.

Re:It's the users' fault!

[twbecker]

I know this is a joke, but isn't TTL based in hops? In which case it wouldn't affect it at all.

Re:It's the users' fault!

[5E-0W2]

TTL is (or should be) decremented for each second a packet spends in a router's queue or each hop. The TTL bounds the number of seconds a packet can live on the network, hence the name "Time To Live" instead of "Hops To Live".

Re:It's the users' fault!

[the_mad_poster]

Yea, but after a while you'd get so backed up that by the time you got done handling each packet, you'd have to decrement the entire remaining TTL and drop it. God help you if you've configured yourself to also send back an ICMP packet to let the other end know what happened.

Re:It's the users' fault!

[DR+SoB]

TTL = Time to Live and yes, it's based on hops, if you take a packet and forward it to a router it has a TTL to get to the next hop, so if you intercept it and start to re-code it, then the TTL would expire. (Unless your data, from Star Trek that is..).

Re:It's the users' fault!

[duffbeer703]

Tools exist to manage 100's of network devices.

In any case, whether you have 1 or 1000 routers, it is your responsibility to make them interact correctly with public networks.

Re:It's the users' fault!

[DR+SoB]

No it's not, I don't manage any routers anymore. :P

Re:It's the users' fault!

[t0shstah]

Actually, its got nothing to do with time - TTL is simply a hop counter. If a packet goes through five routers, the TTL is reduced by five. This is used to prevent circular (ie broken) routing from stopping traffic from ever arriving. Now, timeouts on sessions are a completely different matter, and do rely on actual time elapsed. But they aren't the same as the TTL.

Paradox

[Prince+Vegeta+SSJ4]

The TCP issue publicized yesterday was publicly known as early as 1998

Yesterday was 1998? Whew, I thought it was 2004 and 6 years of my life were wasted

Re:Paradox

[Ira+Sponsible]

You are correct. It IS 2004. And the last six years of your life WERE wasted.

Old News

[ErichTheWebGuy]

This was reported three days ago by another reader.

Yawn.

Re:Old News

Why do you waste everyones time posting that something is "old news". You sir are an ASSHAT! why did you read this thread if you already are such an expert.

Hooray for editing!

[consolidatedbord]

"We ran a story on a this a few days ago." What's a "this" ?

Re:Hooray for editing!

[s20451]

It's a pointer to self. Useful for creating dupe stories:

story_type dupe = this->return_story();

Re:Hooray for editing!

[prescot6]

"We ran a story on a this a few days ago." What's a "this" ?

It makes more sense if you read it like Mario would.

Re:Hooray for editing!

Wouldn't it then be:

"We ran a story on a this a few a days ago."

;-)

Re:Hooray for editing!

[mph]

"We ran a story on a this a few days ago."

I just figured that the Italian Chef from The Simpsons had been demoted to Slashdot Editor.

Re:Hooray for editing!

base64_decode("SXQncyBvdmFsdGluZSwgeW91IGR1bWJhc3M uCg==")

Re:Hooray for editing!

Geez, no wonder the internet isn't secure:

assert (this);
story_t dupe = this->return_story ();
assert (dupe);

Re:Hooray for editing!

[Geoffreyerffoeg]

assert(this) might be helpful, in case you're running a member function on a null pointer (!?). assert(dupe) will return either true or operator bool(dupe), since dupe is an object, not a pointer. What you probably meant is:

if (!this) throw logic_error("Help me, I'm null!");
else {
story_t dupe;
try {
dupe = this->return_story();
} catch (runtime_error r) {
cerr << r.what() << endl;
exit(1);
}
...
}

Re:Hooray for editing!

[Geoffreyerffoeg]

Actually, this->function() is redundant in a member function, and invalid elsewhere. You only use this if you actually need a pointer, a reference, or a copy of the current object, such as:

story_type makeDupe() {
return *this;
}

IPv6

[Abjifyicious]

Does anyone know if this affects IPv6? I wonder if this situation could somehow be leveraged to promote it...

Re:IPv6

[DR+SoB]

It would affect TCP/IP V6, but have no fear, UDP/IP is immune!!!

Re:IPv6

[leerpm]

No. TCP is a different layer than IPv6. It has no effect on IPv6 or IPv4.

Re:IPv6

IPv6 is a layer below, thats why its called TCP/IP. IPv6 is only an addressing scheme for bit packing, and how many bits in a reference. Tcp is above it, they are independent of each other. For more information google "OSI Network Layer Model".

Re:IPv6

[jwbozzy]

Why are you advocating leveraging anything to promote a standard you clearly do not fully understand? At the risk of inciting a flamewar, I tire quickly of the over-zeal exhibited by people for a technology or some other such thing THEY DON'T EVEN REMOTELY UNDERSTAND. How can you offer an opinion or a recommendation when you DON'T HAVE A CLUE WHAT YOU ARE TALKING ABOUT?

</rant>

Re:IPv6

[Wicked187]

IPv6 is more than a drop in replacement for IPv4 at Layer 3 of the OSI model. Everyone just assumes that since things map best to a model, that it is 100% accurate. TCP/IP is represented best by it's own model, the DoD Model. In this model IP falls into layer 2... TCP and UDP is layer 3. This really doesn't make much of a difference though. In a layered communication model, each layer has to be aware of the layers directly above and below in order to properly pass the information on. Ethernet has to know if it needs to give information to the IP stack, or perhaps you are using IPX instead. IP is not completely "layer 3," and it cannot do its job alone. IP has many helper protocols that straddle various layers. One example is ARP, it gives it the ability to determine which MAC address it should forward a packet to. If it didn't know, then layer 2 couldn't address it properly (it could broadcast, but do not look too far into this).

The point is, IPv6 does not just replace the IP "proper," but many of the helper protocols as well. The interaction it has with layer TCP and UDP could be slightly different, but I have not looked into this...

Another food for thought... why do you have to have IPv6 enabled Application layer services? Because things are not so cut-and-dry as the layered model theory suggest, in practice.

Re:IPv6

[tbaggy]

IPv6 could be used to alleviate this by using Ipv6 network layer encryption. Still, it would be easier to just MD5 your BGP tcp sessions or fix the tcp stack with a patch vs. move to IPv6

Re:IPv6

[sevensharpnine]

IPv6 is immune, and in a grand display of irony, IPX/SPX is also safe.

Re:IPv6

[ticktockticktock]

So to sum it up, one layer only has to worry about the layer directly above it and the layer directly below it. Right?

Net threat overstated, says Paul Watson

[Bimo_Dude]

according to this article on C|net.

From the article:
"The actual threat to the Internet is really small right now," Watson said on Wednesday. "You could have isolated attacks against small networks, but they would most likely be able to recover quickly."

Re:Net threat overstated, says Paul Watson

[AndroidCat]

The assumption seems to be that someone would use this to take down sites or other disruption. Haven't there been cases of IP block hijacking using lax BGP security in the past? (Wasn't that how one company rerouted root DNS for a while several years back?)

There have been cases of "fossil" IP blocks being hijacked in the last few years by spammers. (Sometimes as simple as registering an expired domain that an ancient contact email address points to.) They seem to be paying for malware to be written. Don't think that spammers and other net-vermin won't take a look at this exploit for their uses.

Security through Obscurity proves itself again

It's effective when used as the external skin of a layered approach.

Some would say it should be disposed of entirely, in favor of the bugtraq, etc. totally-open approach.

That approach is IMO foolish. Why throw away a useful layer of security? In 1992 it was debatable; the interim years have shown without a doubt that the totally-open approach produces more script kiddies than it does patched systems.

Re:Security through Obscurity proves itself again

When was this "totally open" approach widely used? Sometime after 1992 I guess, right? Must have missed it.

I think the whole reason the "totally open" approach exists, and will always exist, is to deal with unresponsive vendors. If a software vendor (who shall remain nameless) sits on a major security bug for six months, there is a problem with the "security through obscurity" model, and it's this--there is no profit motive to fix security bugs nobody knows about. If customers think they're safe, that's exactly the same as having them actually be safe, but a lot less work (from a profit-motive point of view). Happy uninformed customers are just as good as happy informed customers.

"Security through obscurity" is, and always has been, step 1. Found a bug? Tell the vendor. "Totally open" is step 2. Vendor has shown no action to fix the bug in a week or two? Make the information public.

You can't have a system of just one or the other. We absolutely must have a "totally open" option to hold over software vendors.

(Interesting side-note: "totally open" isn't necessary for open-source software. The discoverer of the bug can patch the software and release the fix themselves. It's only where we rely on the vendor for fixes where this is necessary)

Re:Security through Obscurity proves itself again

[aug24]

Rot. Non-full-disclosure has generally meant that we didn't have any progress at all cos the vendors typically wouldn't do jack till they had to.

For instance, there was a mail on BugTraq not too long ago about a bug that the finder chased with whichever company it was for about six weeks. No reply. No acknowledgement, no fix. He gave up and went open - they fixed it in a week.

Now, how many other people had found that bug and were trying to make an exploit out of it? What if he had kepy schtum and the black-hats had got in?

That's what full-disclosure is for, to force vendors to fix stuff they could otherwise ignore.

Justin.

Re:Security through Obscurity proves itself again

[jmv]

This has nothing to do with security through obscurity since the protocols and everything were open. The fact of publicly disclosing flaws is a different topic, not security through obscurity. For example, you could decide to publicly disclose a Windows security hole, while not disclusing a Linux one (until it's fixed).

Re:Security through Obscurity proves itself again

[DarkOx]

The problem is that, there is no reason to think that these things are not know before they are published. There are networks of black hats out that that know things and keep them quiet. By not publising an expoit as soon as its know we increase the time these people have to use these exploits totally unchecked. At least if a vulnerability gets published then the responsible parties are forced to fix the problem due to constant harrassment and the marginalization of their products. In the mean time where truely sensetive stuff is concerned there is the short term workaround of shutting down the box or stopping the vulnerable service.

The question is which would you rather have, constant minor service interruptions due to having to shut stuff off untill its pached and dissruptions by script kiddes or would you rather have a North Korea takeing their time to develop a super worm the exploit an unkown bug and catching losts of admin running really key systens complete y off gaurd all at the same time, portentially creating utter pandamonium.

I don't know about the rest of you but I would rather swat script kiddies then be knifed in the back in a dark room.

Re:Security through Obscurity proves itself again

You're demonstrating an utter lack of understanding in regards to the technologies involved and what the seriousness of the situation could have been. Full disclosure is great when you're you're talking about a problem with your email client that allows the propagation of worms. We're talking about something that could have been far more serious. This TCP/BGP vulnerability doesn't affect just the Internet. Think about some of the "private" networks out there. Think, fire/life safety, Dept. of Defense, etc...

Further, as the security director for a major backbone, I can tell you that exploit code for this existed prior to the announcement -- it was supplied along with the NISCC initial pre-public release to hardware vendors and major backbones. This was a very real threat that could have been exploitable immediately had the initial disclosure not been kept to those that needed to correct certain issues.

I'm of 2 minds on this

[platypibri]

Yes, I would prefer to know immediately if I was vulnerable. However, the vast majority of defense is against script kiddies who wait to have exploits handed to them so they can copy and paste some malicious code together to prove what "hackers" they are. Why should we tell them before there's a patch? I dunno. Hopefully someone smarter than me is working on it.

Re:I'm of 2 minds on this

[vericgar]

What we need is a not-for-profit organization with a team of researchers finding secuirty holes in common software, with a pay-to-subscribe list where the security holes can be released to those that need the information before the script kiddies. Script kiddies probably wouldn't pay to get on this list and thus get the proof of concepts. There are other issues as well though... like what happens when some script kiddy does pay to get on and then leaks all the informaiton to other script kiddies. Or when some company sues the not-for-profit for pointing out a hole in thier software.

I don't think there can be any solution and we just have to conitinue on how we have been - patch ASAP when new patches come out (with proper testing of course) and hope you don't get exploited in the time that takes, and if you do get hacked take the box offline and rebuild (or replace with a backup if you have one available).

Re:I'm of 2 minds on this

[iabervon]

You're not vulnerable, because this only affects TCP connections with easily guessed source ports and known hosts that last for a significant amount of time and where things can't be restarted efficiently. This matters primarily for BGP which you don't use unless you're running a backbone (which is why they contacted the backbone providers first). The main other possibility is that if you have an SSH connection going for a long time, another user on either of the machines (who can get netstat info) who has root on some other machine which can reach one of them can break your connection. So, if you are constantly monitoring logs on a machine by sending them offsite, someone could break your connection before using a local root exploit that would appear in those logs, thus preventing you from knowing what happened.

this is not uncommon

[quelrods]

Usually people take it upon themselves to notify vendors of bugs and give them time to work on patches or workarounds before releasing the information. For anyone that reads full disclosure lists such as bugtraq this is very commoon. Also, when the bug affects key internet infrastructure, the admins of big isps/colos/routers are informed and given time to patch. This is good for the internet and good for vulnerability researches instead of looking like malicious people who just want to destroy the internet.

Re:this is not uncommon

[Jeff+DeMaagd]

One thing I find funny is that there were many people that used due diligence to report flaws to the vendor, and said vendor doesn't bother to fix it.

One must wonder why such companies don't assume that there may be dozens of other people that have independently discovered the exploit and are USING it rather than reporting it.

Re:this is not uncommon

[figment]

One thing I find funny is that there were many people that used due diligence to report flaws to the vendor, and said vendor doesn't bother to fix it.

Not to single you out, but it seems a really lot of people bring up this (generally true) generalization, but fail to realize that in most cases Cisco and the like are not one of these types of vendors, definitely not for their upper-level model lines.

My general experience with cisco is if there's some sort of bug/exploit/problem in one of their current IOS's, i call them up and generally they'll get a new ios build to me before the week is over. Cisco doesn't bullshit about serious problems, even if the problem is unique to my situation.

Re:Nice work!

[Adam9]

RTFA, he copy & pasted the first paragraph from the article for the summary. Go blame "richm" at netcraft for that.

still on topic, troll

[bodrell]

You're naive if you think a TCP vulnerability and Windows security problems have nothing to do with each other. There are people who use Windows boxes as routers or servers. And I think the point was that admins are already swamped fixing the existing Windows exploits, thereby making this new flaw an even bigger deal.

Trolls like to play the martyr--"You're trying to cover up what I'm saying because it's true; reply to my posts instead of modding me down." Well here's your reply, bitch. When Micro$oft's crappy software allows vulnerable machines to act as spam relays, or spread worms around the internet, everyone suffers. No matter what OS they use.

Re:still on topic, troll

[mustangsal66]

There are people who use Windows boxes as routers

Now that's scary...

Imagine the techsupport on that mess...
... Now right click, select BGP... Click peer...
... That's correct sir... it's probably not a good idea to run IIS on your core router...

Re:still on topic, troll

But you only proved that yourself is one of the slashdot monkies or bitches who cries all the time like a bitch.

Re:still on topic, troll

[aberant]

what is it that makes people think that the routers responsible for these huge backbones are like a simple windows machine?.. atleast spend 3 seconds and look up BGP or something... educate yo self foo!

Fixing the internet...

[Eagle5596]

Dilbert is in the Boss's office.

Dilbert: I discovered a hole in our internet security.

Boss: What?!!

Boss: Good grief, man! How could you put a hole in our internet?

Dilbert, angry: I didn't PUT it there, I FOUND it.. and it's not...

Boss: It's your job to fix that hole. I want you to work 24-7!

Dilbert: Actually, that's NOT my job. But I'll inform our network management group.

Boss, yelling: PASSING THE BUCK!!! YOU'RE A BUCK PASSER!!!

Dilbert: Forget it! There's no hole! It got better!

Boss: That's more like it.

Last panel, the boss is sitting alone smiling.

Boss thinks: I fixed the internet.

Re:Fixing the internet...

That sounds like the last conversation I had with Management about network security...... ugh!

Re:Fixing the internet...

[shad0w47]

You have no idea how close to reality this just was to me....

Re:Fixing the internet...

[maximilln]

My boss not only fixed the internet but he decided it would be funny to get everyone else to label me as a buck passer.

Paranoia?

[dawg+ball]

Is this just a case of paranoia reigning supreme? From what I understand of this problem (And it is very possible that I don't know all the details) it only poses a risk under a very specific set of circumstances and that this set of circumstances is very common. Are we becoming ParaNET?

RedHat or Linux Kernel Fix?

[osewa77]

Many networks used home-grown routers based on Linux, FreeBSC, user-space TCP/Firewall/VPN implementations, or even windows. However, the vendor list only includes commercial router manufacturers. This seems to me like a serious problem waiting to happen; the would-be exploiter now know what systems would remain unpatched for a long time.

Re:RedHat or Linux Kernel Fix?

[stratjakt]

The problem affects mainly huge peering sessions between big routers, the kind that last for days. You can essentially trick the routers into dropping the peering sessions, leading to route flapping and other hassles.

Big backbone providers don't generally use home-grown linux routers.

It has no real bearing on some home/office router running linux made out of an old 486.

Re:RedHat or Linux Kernel Fix?

[anticypher]

Big backbone providers don't generally use home-grown linux routers.

Some do. Not the really big ones, like uunet, but medium sized ones that have grown up using Zebra on Linux or BSD as a route reflector. Just this week, I've seen at least 3 networks (thousands to tens of thousands of customers) get knocked off the internet because someone decided to patch a kernel and reboot the Linux Zebra box. A few hours here and there, but it adds up. When they come back up, there has been a lot of silly and chastising emails about it between other carriers in the RIPE region.

At least my Foundry iron comes back from BGP fsckups in about 10 seconds. The Ciscos take about 2 to 3 minutes. The poor Zebra boxes, once the kernel is working, require 10 to 30 minutes to rebuild their BGP peering sessions. This is why you have some hard coded routes, which normally sit at a low enough priority to be ignored until the routing protocols die.

the AC

Re:RedHat or Linux Kernel Fix?

[mumpster]

Ya gotta Be kidding?;-)
Our PC-router on Linux starts up fully with all BGP appropriate routes in place from 3 to 6 minutes (exact number depends on external factors).
Either something totally screwed in your Zebra config or you just have less bandwidth for Zebra cf. with Cisco if your Zebra router gets up for a half of hour.
Though I'd note we make use Bird ( http://bird.network.cz/ ), not Zebra/Quagga.

RTFA

[metalhed77]

maybe you should read the article.

It addresses this. I promise you. :)

Isn't BGP an open protocol

[grahamsz]

The whole TCP window thing seems entirely obvious to me, i just hadn't realised that windows were sufficiently big to be guessed. As we start to see faster and faster transfers we'll need larger and larger windows and this will just get easier.

However I cant see why BGP needs to implement a large window - in fact in a device which needs to run as fast as possible it's surely disadvantageous.

I've seen TCP RST attacks in the mid nineties actually used on IRC - only the application of the exploit to bgp is new.

Re:Isn't BGP an open protocol

[the+morgawr]

ummm....

you do realize that the window on OSes like BSD and Linux isn't anywhere near as big as it is on some of these routers. This has nothing to do with the bandwidth.

This exploit takes advantage of the fact that the router vendors have very predictable TCP implementations.

Re:Applause

[cheekyboy]

When the BBC is faster at reporting geek stories than sloshdot, u know someones smocking 1oz of green a day there in the office at sd.

Just a question

[bonch]

How come the editors don't go back and fix their typos? Taco, Michael, and company must genuinely not a care.

(yes that was on purpose)

Irony detected

I suspect ye comment was intended as ironic reflection on habitual remarks about "lusers" being responsible when PCs get hit by latest worm.

"All you have to do is update your virus database regularly, not click on any attachments, disable your MSIE Java runtime, avoid clicking on popups shown by websites, disable the following services on your PC, and... bingo! You'll be safe".

For the average user that is as useful advice as saying "scrub your own damn packets".

irony, and well placed.

/Becoming/ Paranoid?

[aug24]

Hell man, I've been actively working on my paranoia and tin-foil-hat persona since I started writing code!

In fact, these days I believe Bill Hicks was killed by the Beiderbeck Group using carcinogenic material supplied by the CIA under the orders of undead vampire George Bush Snr!

Justin.

"Secret Repairs Preceded TCP Flaw Release"

And now you blew it! Thanks a lot.

Now if you'll all step this way please...

Diversity

[MachineShedFred]

Hey! He has an Italian typing accent, you insensitive clod!

Why is BGP maintaining persistent connections

[0x0000]

This is more directed at always up type connections, such as Telnet, SSH (as the article points out), credit card traffic, etc.

... Which brings up something I was wondering about when the /. article was posted the other day: Why is BPG a persistent connection? From an architectural perspective? That seems like a weak design decision, to me, but perhaps I just don't know enough about BGP....

Also, it was my understanding the credit card transaction processing was "aperiodic", intentionally not holding open a connection? It was my understanding that this, too, was for security reasons. Certainly either always up or periodic operation of a connection would seem to weaken the design from a security standpoint. It was my understanding of basic security procedures (both offline and online) that unpredictible behaviour of the potential target was considered a Good Thing(tm).

Re:Why is BGP maintaining persistent connections

[DR+SoB]

I have no idea about BGP, or the decisions made, but I can speak from the credit card standpoint. It used to be that credit card transactions (not a-sync, TCP only.), would connect, send transaction, wait 10-30 seconds, then disconnect. This has changed over the past 5 years or so for many vendors, who have now switched to an "always up" state. The reason before was bandwidth was an expensive commodity, but with the prices now, it's better to have a connection stay always online so that as soon as there is a connection issue it can be detected by the host server, the thinking there is you can correct many incidents before the customer/store is even aware there is an issue. Security is not a concern for either of the formats as the link must be encrypted, and private.

Re:Why is BGP maintaining persistent connections

[0x0000]

Okay, thanks. That just goes to show how out-of-date my knowledge of these things is, I guess. I presume that when you say "private" you mean not over the public networks, which is re-assuring from the standpoint of being someone who makes a credit card transaction occassionally, too...

Re:Why is BGP maintaining persistent connections

[DR+SoB]

Actually many vendors use the internet for communications, by private I meant either a private network or tunneling protocol (VPN).

Re:Why is BGP maintaining persistent connections

[0x0000]

Would a persistent or periodic VPN connection be more vulnerable than one that connects e.g. on-demand at unpreditcable intervals?

Re:Why is BGP maintaining persistent connections

[DR+SoB]

Umm, I never said it was? (Although if you consider key exchanges, based on VPN software it could be more vulnerable, but I would never try and make that argument.) I said that persistent was used more and more because it was easier (quicker) to diagnose a connection problem, if any node drops, you instantly know there is an issue.

Re:Why is BGP maintaining persistent connections

[0x0000]

Yes, I understand. I wasn't trying to argue any particular point, simply checking my assumptions. I do understand the utility of the persistent model providing quicker, easier diagnosis of connectivity problems, yes. Not trying to put words in your keyboard...

Re:Why is BGP maintaining persistent connections

[DR+SoB]

Sorry, I misread your post the first time around.

The arguement can be made that persistent connections are more secure since they don't have to exchange keys as often, and was a secure channel is established it's less likely to get "hi-jacked" although I find these arguements futile. I've never heard of a major attack taking place because of keys being comprimised (although I will admit, theoritically it is possible) there is just too much to it, for it to work (time(outs) being the key factor).

There are other bonuses for always-up from a credit card stand-point, such as response times are quicker, since you don't have to establish a session. Also, maintence is easier, you can access the POS at any time since it is always connected. EOD Polling times are better since you can poll at any time. Email works in real-time, (this is of course for chain-based retailers), trickle polling can be elimated (the most hated polling by any network tech. that has had to deal with it!). Price modifications can be done real-time, customer based loyality programs work _much_ better (I've heard of some dumb-ass programs where you could buy a store card in one store and it won't work in another until the EOD polling has been completed), etc.. I'm sure there are many other reasons I'm missing, but you get the idea..

MD5 doesn't solve the problem

[thegameiam]

As discussed on the NANOG-list (http://www.nanog.org), and admitted by Cisco, the MD5 hash is calculated BEFORE determining whether the source IP or TCP window checks are performed. Thus, instead of just resetting a session, you can wipe out a whole router just by pointing MD5 garbage at an IP address which is listening for it. A typical core router (7500/GSR/etc) can generally accept about 10mbps or so of MD5. It's not that hard to generate that much traffic w/zombies...

Re:MD5 doesn't solve the problem

[lhand]

the source IP or TCP window checks are performed

Ah! So it's a windows problem. I knew it! I knew it! I knew it! It's always their fault!

Wha... ?

[MachineShedFred]

Memo to moderators: This is not offtopic. As a matter of fact, it is squarely ON topic, as this person is asking about the scope of the issue that this topic is about.

However, this rant IS offtopic. Kill me now.

Why is everyone freaking now?

[fremen]

This attack vector has been known for years, and the TCP windowing nonsense has too. Programs like tcpkill have used the RST trick in conjunction with TCP INS windows for a while and have seen quite a bit of use. What's new with this attack that wasn't already in the wild?

Re:Why is everyone freaking now?

What's new is that someone found an efficient
way to exploit it. Before, it was inefficient
to exploit it.

Re:Why is everyone freaking now?

No, no, no! The referenced tool specifically uses the entire available window to throw RST packets at. This is an old tool, using the "recently announced" efficiency. Mod parent down.

An answer you don't want...

[adamofgreyskull]

Reminds me of when I asked my brother "WTF is a Super Saiyan?"

Now, as then, I think it's just best not to ask :o)

trap?

[mabu]

I'm wondering why all the hooplah about this, especially after steps were taken to deal with it before publicizing it... unless at the same time, systems were put in place to ID attempts to exploit the vulnerability.

That would make a lot more sense. Protect against the exploit, publicize it, then watch what happens to determine which groups are most adept at quickly exploiting published vulnerabilities and raid their location. Neat idea for a large-scale honeypot.

Although, most of us know that the majority of exploits are now being deployed by spammers. They don't have any incentive to take major backbones down so this effort might just reveal a few more script kiddies that aren't really the problem.

Re:trap?

[Carnildo]

That would make a lot more sense. Protect against the exploit, publicize it, then watch what happens to determine which groups are most adept at quickly exploiting published vulnerabilities and raid their location. Neat idea for a large-scale honeypot.


The exploit depends on a spoofed source IP address. There's no way of tracing it back to the true source.

Re:trap?

[Garak]

If you have access to all the routers along the way its no problem to trace it back with a few proformace degrading modifications. Once you have solved the problem you could monitor all the interfaces along the way looking for the packets that exploit the flaw. This would take a massive undertaking, every major router on the net would have to be envolved to trace it back interface by interface. It would likely be somewhere in the far east on some rooted irix box or something. And that still dosn't really get you anywhere.

And Rudolph is jealous

[slittle]

Woah, that herring of yours is glowing in the fucking dark...

TCP info was on www.dilby.com site

Hey,

I heard of this site www.dilby.com and I looked on it after hearing about this TCP scare and it had some information about it. It was weird and hard to explain.

For some reason they removed the link within minutes.

OpenBSD is not vulnerable

[chrysalis]

No, everyone is not vulnerable to the recently published vulnerability in the TCP protocol that allows to shut down BGP routers. Because Cisco hardware is, stupid writers yell that the whole internet is vulnerable. Come on, Cisco is not the internet.

As stated by Theo de Raadt and Henning Brauer, OpenBSD is not vulnerable because (quoting Henning) :

Even without TCP MD5, bgpd on OpenBSD is not affected, because:

we use random emphereal ports
we do not use insanely hughe window sizes as Cisco does
we require the RST sequence number to be right on the edge of the window

(quoting Theo) :

That is right. If you have a Cisco, you can tear down BGP sessions by spoofing:

64K of

SYN?s or RST?s sent to #.#.#.#:179 -> #.#.#.#:{1024,+512,+512,...}

The SYN and RST methods are different, but the end effect is that a tiny little burst of packets will cause a flap.

OpenBSD (and I am sure other systems too) have for some time contained partial countermeasures against these things.

OpenBSD has one other thing. The target port numbers have been random for quite some time. Instead of the Unix/Windows way of 1024,1025,1026,... adding 1 to the port number each time a new local socket is established? we have been doing random for quite some time. That means a random selection between 1024 and 49151. This makes both these attacks 48,000 times harder; unless you already know the remote port number in question, you must now send 48,000 more packets to effect a change.

We?ve made a few post-3.5 changes of our own, since we are uncomfortable with the ACK-storm potention of the solutions being proposed by the UK and Cisco people; in-the window SYN or RST?s cause ACK replies which are rate limited.

It will have the most impact on vendors who do BGP over poor TCP stacks. In particular, Cisco.

Cisco has not been teaching engineers to block SYN?s coming in; they have only been teaching them to block SYN-ACK?s from going out in return. And? well, you?ll see.

Ehm, actually OpenBSD is vulnerable. To quote Mike Frantzen : The exploit has a one in 206,703,891,006,465 chance of succeeding. An exhaustive search would require 11,162,010,114,349,110 bytes of traffic which would take 962 days at a saturated gigabit per second. Or two hundred years on a T1. :)

Re:OpenBSD is not vulnerable

[shostiru]

Come on, Cisco is not the internet.

Well, no, and technically, the transformer substations aren't the power grid, and the switches aren't the phone network. But whether you're susceptible or not, it's not going to matter if your upstreams' routes dampen because they (like just about everyone) are using susceptible Cisco or Juniper routers.

Re:OpenBSD is not vulnerable

[necro2607]

No, everyone is not vulnerable to the recently published vulnerability in the TCP protocol that allows to shut down BGP routers.

I think what you meant is "not everyone is vulnerable", not "everyone is not vulnerable"... Unless you're trying to say that not one system is vulnerable to this ... vulnerability.

Re:OpenBSD is not vulnerable

[El+Volio]

Yes, and OpenBSD routers run a large portion of the backbone, too.

Or not...

Does it really matter if OpenBSD routers aren't vulnerable if they aren't used in most of the backbone because, well, they don't exactly have the capacity needed? It's great that OpenBSD doesn't have the underlying vulnerability as it could lead to other problems, not just BGP, but for crying out loud, this is about as useless as it gets.

Smithsonian's Storage

[Gunfighter]

Funny you should mention that scene. I've been to the Smithsonian's storage facilities in Silver Hill, MD on numerous occasions. The final scene of the Ark rolling down an aisle with unknown treasures stacked floor to ceiling on either side isn't too far from the truth. The individual football field-sized containers are called "pods". They're highly guarded and environmentally controlled.

My favorite resident of the pods was the stuffed black rhino that the Smithsonian didn't want to put on display because the animal is extinct and they didn't want any controversy over it.

The scary thing is that if you took the time to look at every individual item on display in the Smithsonian for a few seconds, it would take you several years. If they actually had their entire collection displayed (they have crap tucked everywhere, not just in the Silver Hill storage facility), it would probably take you several lifetimes. There's no telling what they have stashed away.

The Smithsonian's "Secret Repairs" are handled by the Smithsonian Center for Materials Research and Evaluation (http://www.si.edu/scmre/index.asp). SCMRE is, conveniently enough, primarily located at the Silver Hill storage facility.

Re:Smithsonian's Storage

[AndroidCat]

Now I'm thinking of Lazlo in Real Genius, who lived in the steam tunnels, and only came out at night.

Imagine the security guards closing up for the night, switching off the lights, and suddenly hordes of tattered hermit researchers emerging from everywhere to get to work on it all. :^)

Re:Smithsonian's Storage

[tgd]

In most of the movie Lazlo was out during the day, not at night. Mitch sees him in the morning first, and on campus, etc.

Thoughts from CanSecWest

We here at cansec have voted this the lamest exploit ever since there are already dozens of TCP reset flooders that use this.

MD5 isnt enough

[Alan+Cox]

The MD5 auth hack unfortunately fixes only some of the issues here. There is a second way to disrupt streams involving shrinking the MTU to a stupid level, and the "aim for the window" tricks observed in the other attack apply here too.

Going back to 199x it was known that you could hit long lasting streams with ICMP must-fragment mtu = 80 and similar values and basically stall the stream. Some stacks correctly turn off MTU discovery faced with such a claim others ignore it (and break on low mtu links), and others believe it (and break spectacularly). The routters in the middle of the stream have no knowledge of the MD5 or other secrets so can only reply in untrusted form. It is possible to do some checking from the reply data but not full checks.

To make it more fun the proposed fix seems to open a new exploit path that may be worse. Fortunately there is a trivial fix for this case if the problem is confirmed real.

The ultimate problem though is ISPs not filtering packet source addresses. If the governments want to pass one sane bit of 'cybersecurity' law then filtering end users to stop source address spoofing would be it, and require they only used their legitimate assigned addresses (or other addresses properly owned by one way downlinks like satellite etc)

Alan

Re:MD5 isnt enough

[oPless]

The ultimate problem though is ISPs not filtering packet source addresses

Abso-fucking-lutly.

unless they decide...

[zogger]

... you are trying to blackmail or extort them. they might think that, no matter how you word your missive to them.Your word against their word then if anything happens. Then it might be better that you release your information publically,as soon as you have it, but you won't know about how the former way would work out until you tried it, and you might get burned by the "shoot the messenger of bad news" philosophy. I garner from reading here and there sometimes-not always but random chance sometimes- companies just plain don't like having flaws pointed out to them. Consider the history of back orifice for instance.

Quick! Better patch this now!

[megarich]

On a kinda related note, I just heard about a high risk security flaw in the "Hello World" program. The hacker can take the output and use it as a ddos attack to break into your flawed system. No patches are available to date.

Security through obscurity works...

[Kjella]

1. If you know who to keep in the loop, and who not to. If the blackhats get it early, you're even worse off than before because then people think they have more time to fix it. Obviously OSS is rarely a good candidate, since it's trivial to join mailing lists and such.

2. If the company actually is responsive and bothers to fix it. Given time, black hats will find it and have a new and unknown exploits. If they in addition cover their tracks well, it could do considerable damage before found and fixed. So unless they fix it in a timely manner, you're better off releasing it anyway to put pressure on them to fix it.

3. With the current patch rate of most machines (sigh) they may write an exploit based on the patch, rather than a security bulletin and still catch a large percentage off guard. Not that full disclosure does any better, just that either solution can't fully solve the problem of exploits made on basis of the patching process

Kjella

Open/Obscuring The Wrong Things?

[EXTomar]

What you desribe isn't "security through obscurity" complaint many close vendors try to get away with. After all most username/password creditial security schemes depend on this: you keep your password a secret (and if you can your username too!).

However in actual code and software systems, security through obscurity is weak and fallacious. Just because the general user base doesn't know a system is exploitable means the system is still secured. The exploit there whether or not the users realize it. Operating under a blanket of secrecy for algorithms and code is dangerous and bad practice.

Bugtraq is a good thing because ignoring bugs in code is akin to sticking your head in the sand. A vendor being very open with bugs in their software is a very good thing.

Keeping security network topology and interconnects a secret is a good thing. Keeping passwords a secret is a good thing.

So please never confuse these two. No one on Bugtraq is going to be interested about my passwords or how my networks are laid out. I can keep that a secret. However if I release software that deals with security that effects many users then Bugtraq has every initiative expose problems.

As for this specific problem, I'm glad people where open about this. Now that people know that long term connections are vulnerable they can take action to either start working on fixes or work arounds. Hiding the problem wouldn't have helped one bit.

OLD NEWS

[IO+ERROR]

OK, this vulnerability is not new. It's been around for years, in fact. I recall exploits being used as early as 1996-1997. I'd have to do some heavy digging to find them, and I don't even think I have a hard drive or tape that old around anymore, so no clue if I've got one backed up somewhere..

So basically...

[rixstep]

The clandestine repair effort livened an already intense period for security pros already juggling a bevy of Windows security patches.

So basically if the Internet falls apart we can still blame Microsoft.

Oh good.

10 minutes?

> The Ciscos take about 2 to 3 minutes. The poor
> Zebra boxes ... require 10 to 30 minutes to
> rebuild their BGP peering sessions.

Ya gotta Be kidding?;-)
Our PC-router on Linux starts up fully with all BGP appropriate routes in place from 3 to 6 minutes (exact number depends on external factors).
Either something totally screwed in your Zebra config or you just have less bandwidth for Zebra cf. with Cisco if your Zebra router gets up for a half of hour.
Though I'd note we make use Bird ( http://bird.network.cz/ ), not Zebra/Quagga.