Secret Repairs Preceded TCP Flaw Release

efranco cuts and pastes: "Only the math had changed. But the emergence of a workable exploit for an old TCP security hole prompted a secret initiative to fix the Internet, giving network operators a week to secure vulnerable routers. The clandestine repair effort livened an already intense period for security pros already juggling a bevy of Windows security patches." We ran a story on a this a few days ago.

Cisco Fix

[thebra]

is here as posted from an article on the register.

Re:Cisco Fix

[robslimo]

When the previous /. story was posted about the TCP flaw, I checked out the NANOG mailing list.

There was plenty of discussion about it, including various vendor issues (Cisco and Juniper) & fixes, as well as some ISPs dragging their feet on implementing MD5 over peer links. I could tell from some of the things mentioned there that they (the network ops) had advance knowledge of the vulnerability.

Most interesting was this about looking glasses being too free with info that would allow a TCP reset in one try.

Looks like this is the way it's gonna be...

[pointbeing]

These days it's risky to release information about a security vulnerability without having a patch in place first. Look at Blaster - I believe that the author *used a security bulletin* to write the worm and then just targeted unpatched machines.

I think we're gonna see a lot more of this. If you release information before you fix it these days you're just inviting people to test your shiny new vulnerability ;-)

Re:Looks like this is the way it's gonna be...

[burtman007]

This poses an interesting dilema then: Is it better to release information on a discovered vulnerability if you know about it, or should you not release it and hope you can patch it before anyone else discovers it?

Re:Looks like this is the way it's gonna be...

[WwWonka]

I think the scary thing is the average shrinking time period between published vulnerability and working published exploit/worm.

In the past it was well over thirty days, but recently that has dramatically decreased to less than that. With Microsoft's new policy of new patches every thirty days (if there is a need for them) it more than widens that window of oppurtunity for mass system compromising prior to a patch.

Re:Looks like this is the way it's gonna be...

[adrianbaugh]

You could always release it to the company whose product is affected and give them $suitable_time to fix the vulnerability before you post on Bugtraq. That way it isn't just you that's working on a fix, and you look like you've tried to be a responsible netizen when, having failed to fix the problem in $reasonable_time, their shit gets cracked to pieces. That has always been the responsible way of announcing vulnerabilities; I don't see that this changes the situation.

Re:Looks like this is the way it's gonna be...

Yes, "script kiddies" and amateur hackers will definitely continue exploiting already-widely-known vulnerabilities, and automated worm tools will make it easier for them to do it quickly.

However, moderately talented hackers will still be able to find and exploit vulnerabilities before they are widely known (i.e. when they are known only to a handful of hackers and possibly the software vendor, but no public disclosure has been made). This latter group makes fewer headlines but is far more dangerous.

Already, the industry is making noises that details about the nature of the exploit should not be made available--that the vendor should just release a patch and announce to their customers "Install this. We can't tell you why." As a customer, you don't know what component you're touching, you don't know what's changing, and you don't know how to test to see if the bug was actually fixed. Blindly installing unlabelled patches is the end result of this "disclosure creates exploits" discussion.

Disclosure does not create exploits, however. Disclosure increases the ability of amateurs to add their exploits to the pile of existing exploits. Pros, generally speaking, don't write worms that hit the whole internet. Pros break into single systems and steal data. They don't make the news, but the damage they do is much worse.

Don't buy the Microsoft-Symantec party line. Full disclosure helps more people than it hurts. The day you become vulnerable is the day you start using software with bugs, not they day the vendor is finally convinced to make a vulnerability announcement.

Re:Looks like this is the way it's gonna be...

[dubdays]

That is an interesting question. I guess it would depend on where the vulnerability resides. For example, if the TCP problem could be fixed at routers of the internet backbone, then would it be beneficial for the public to have specific knowledge of the vulnerability? No, because it would lead to attacks before all equipment/software could be fixed.

However, I can see how it would definitely be beneficial to release data to he public in other circumstances. Think about any/all OS specific threats. If those aren't released to the public, no one would even have the opportunity to fix them.

Ultimately, I would say that vulnerabilities that lie within the realm of the end user should be made public. Those threats that would undermine the entire internet infrastructure are probably best left in the hands of those who can be trusted (as much as possible) with the knowledge, because publicly documented threats do not only go into the hands of those who are benevolent.

Re:Looks like this is the way it's gonna be...

[RealityMogul]

Are you talking from a customers standpoint, or a vendor?

At the place I work, if we find a severe bug, we personally call every company that has that version of the software and have them download an update. My company doesn't produce networking software though and we only have 50-75 companies running any given version of our product at one time. This is usually bugs that affect mathematical calculations though or cause database corruptions.

From the point of view of a customer: if I found a serious flaw in our Cisco routers, I would report it to them and ask for a way to protect myself against it until an official patch could be released. If a means of protection could not be recommended I would work on a solution myself. I would not make the information public. I would have already informed the ones that are capable of truly fixing the problem. Publicly releasing the info would not benefit me in any way unless I was a security products vendor hoping to cash in on Cisco's failure.

Re:Looks like this is the way it's gonna be...

[Slime-dogg]

I am for that. If the information is not released after a reasonable amount of time, the company may never take responsibility for it being there. We've witnessed this several times from a certain big company. Also, the moment that the vulnerability goes public, there should be a side note that says "The company was repeated informed of this vulnerability over a span of X months , but chose not to improve the quality of their product."

If massive numbers of users are infected by a virus created as a result of this announcement, then the company should be held completely responsible. They would have had months to address the issue, but chose not to.

Re:Looks like this is the way it's gonna be...

[SteveM]

Publicly releasing the info would not benefit me in any way unless I was a security products vendor hoping to cash in on Cisco's failure.

I mostly agree.

If the vendor refuses, within a reasonable time frame, to fix the problem taking it public may be the only way to force them to do so.

You might also consider that while you may have a means of protection (vendor supplied or home grown) others are still vunerable. And this may impact you. And thus it may be to your benefit to alert others.

SteveM

Re:Looks like this is the way it's gonna be...

Almost all worms based on Microsoft OS vulnerabilities were released MONTHS after the patch was made public.

Re:Looks like this is the way it's gonna be...

[innocent_white_lamb]

You could always release it to the company whose product is affected and give them $suitable_time to fix the vulnerability before you post on Bugtraq.

The obvious problem with that approach is that the fact that there is no guarantee that you, as the discoverer of the vulnerability, are the first or even the fiftieth person to discover it.

Therefore, while you're being a nice guy and letting Company X have the time to repair their software, the other 49 (or 4900) black hats are exploiting the hell out of other peoples' networks.

Tell me there is a bug and no fix available yet, I can take my systems offline or disable something or at least consider some protective action of some kind. Don't tell me there's a bug and I'm a sitting duck until someone bothers to make mention.

The first option seems better to me.

Re:Looks like this is the way it's gonna be...

[theLOUDroom]

You could always release it to the company whose product is affected and give them $suitable_time to fix the vulnerability before you post on Bugtraq. That way it isn't just you that's working on a fix, and you look like you've tried to be a responsible netizen when, having failed to fix the problem in $reasonable_time, their shit gets cracked to pieces. That has always been the responsible way of announcing vulnerabilities; I don't see that this changes the situation.

Well, let me give you a hypothetical situation where this is NOT the reasonable solution:
You discover an OS vulnerability, not by chance, but because someone exploited it to steal your online banking information. With a little reseach, you find out that the work is being done by some zombie net with thousands of nodes that will take forever to shut down.
The OS vendor has a piss-poor security record and you KNOW that they will take forever to release a patch, but you've found a temporary fix that while removing certain functionality, prevents the exploit.
Should you:
A) A post full-disclosure immediately, allowing users to quick-fix their systems and preventing countless acts of information theft.
B) Send an email to the vendor and wait when they tell you it's going to take 6 weeks to fix.

The problem with your approach is that it assumes no one but the vendor can do anything about the problem. The user always has the choice to quit using the affected product.

Re:Looks like this is the way it's gonna be...

[E-Rock]

Yea, the same users who don't install well known years old patches are going to search out and early adopt a patch from 'some guy'. Puhleeze.

Re:Looks like this is the way it's gonna be...

[theLOUDroom]

Yea, the same users who don't install well known years old patches are going to search out and early adopt a patch from 'some guy'. Puhleeze.

Those are the users who are going to ge hosed no matter what. It doesn't matter if you choose A or B they're still going to get owned.
Since you can't do anything about them, you should be worried about they people who are actually going to do something once they hear the announcement.

Re:Looks like this is the way it's gonna be...

There's a fundamental difference between your scenario and the traditional vulnerability discovery: the existance of an attack in the wild. In your case, you are not so much writing up the discovery a vulnerability as you are writing up a report on an attack that just in your scenario exploits a previously unknown vulnerability.

Why is this important? Most people have this dualistic view of the world that tends to come down to the concept of inevitability. See, in your scenario, the attack is already out there, that is, it is inevitable there will be an attack because an attack already exists. Releasing an immediate writeup of workarounds is considered a good thing because you will be protecting people from an attack in the wild. Of course, informing the vendor and the antivirus/personal firewall crowds at the same time would be a good thing. Not only will this increase the likelyhood of your workarounds being implemented while the vendor works on the patch (by being recommended on "reputable" sites), but it could provide increased protection against the attack if the AV vendors could incorporate signatures into their products.

Now compare this to a vulnerability report about a new vulnerability without any attacks in the wild. In this case, most people don't see the attacks as inevitable. In fact, thanks to certain minor propoganda that occurs these days, they see the report as precipitating the attack. Thus if you release the report without reasonable effort to contact the vendor for a patch, they see you as the "evil" one for "telling" the malware writers a new way into their system. In their minds, if you hadn't of released the report then the inevitability would be that there would be no attack (let's not get into how this isn't technically correct, we're talking about Joe Public here, not security experts). That's why most vulnerability discovers should work with the vendor on patches or mitigations before releasing the report. Otherwise people will really start to make the false assumption that it's the vulnerability discovery that's the problem, instead of the vendor's flaws.

The Internet's broken?

When will I be able to download a fixed version?

Re:The Internet's broken?

[lukewarmfusion]

I'll have a copy on your desk by morning.

I once had a woman ask me if I could speed the Internet up for her presentation. I told her I'd open the valve up a little bit, just for her. *big smile* I love helping customers.

Secret repairs!

The best kind!

"What are you doing?"

"Can't tell you."

"When will you be done?"

"Can't say."

"Is there anything you can tell me?"

"This will save your life."

"Really?"

"No."

Re:Secret repairs!

[thelenm]

... "Okay, then you're fired."

It's the users' fault!

[heironymouscoward]

Any user without the technical competence to inspect and repair TCP/IP packets on the fly should not be allowed to use the Internet. Such vulnerabilities only exist because people too lazy and ignorant to download the patches for their Cisco routers!

Re:It's the users' fault!

[DR+SoB]

I don't really know what to make of what your saying, okay sentence one must be a joke right? Sentence two, are you aware _many_ network technicians have to look after upwards of 100 routers?

(It would be physically impossible to do what your saying, you can't inspect and repair a "Tcp/ip" packet? Block it maybe, although blocking ACK packets would fundamentally break TCP.IP? Even if you could don't'cha think you'd timeout the socket before you could re-transmit?)

Paradox

[Prince+Vegeta+SSJ4]

The TCP issue publicized yesterday was publicly known as early as 1998

Yesterday was 1998? Whew, I thought it was 2004 and 6 years of my life were wasted

Re:Paradox

[Ira+Sponsible]

You are correct. It IS 2004. And the last six years of your life WERE wasted.

Old News

[ErichTheWebGuy]

This was reported three days ago by another reader.

Yawn.

Hooray for editing!

[consolidatedbord]

"We ran a story on a this a few days ago." What's a "this" ?

Re:Hooray for editing!

[s20451]

It's a pointer to self. Useful for creating dupe stories:

story_type dupe = this->return_story();

Re:Hooray for editing!

[prescot6]

"We ran a story on a this a few days ago." What's a "this" ?

It makes more sense if you read it like Mario would.

IPv6

[Abjifyicious]

Does anyone know if this affects IPv6? I wonder if this situation could somehow be leveraged to promote it...

Re:IPv6

[leerpm]

No. TCP is a different layer than IPv6. It has no effect on IPv6 or IPv4.

Re:IPv6

IPv6 is a layer below, thats why its called TCP/IP. IPv6 is only an addressing scheme for bit packing, and how many bits in a reference. Tcp is above it, they are independent of each other. For more information google "OSI Network Layer Model".

Re:IPv6

[Wicked187]

IPv6 is more than a drop in replacement for IPv4 at Layer 3 of the OSI model. Everyone just assumes that since things map best to a model, that it is 100% accurate. TCP/IP is represented best by it's own model, the DoD Model. In this model IP falls into layer 2... TCP and UDP is layer 3. This really doesn't make much of a difference though. In a layered communication model, each layer has to be aware of the layers directly above and below in order to properly pass the information on. Ethernet has to know if it needs to give information to the IP stack, or perhaps you are using IPX instead. IP is not completely "layer 3," and it cannot do its job alone. IP has many helper protocols that straddle various layers. One example is ARP, it gives it the ability to determine which MAC address it should forward a packet to. If it didn't know, then layer 2 couldn't address it properly (it could broadcast, but do not look too far into this).

The point is, IPv6 does not just replace the IP "proper," but many of the helper protocols as well. The interaction it has with layer TCP and UDP could be slightly different, but I have not looked into this...

Another food for thought... why do you have to have IPv6 enabled Application layer services? Because things are not so cut-and-dry as the layered model theory suggest, in practice.

Re:IPv6

[tbaggy]

IPv6 could be used to alleviate this by using Ipv6 network layer encryption. Still, it would be easier to just MD5 your BGP tcp sessions or fix the tcp stack with a patch vs. move to IPv6

Re:IPv6

[sevensharpnine]

IPv6 is immune, and in a grand display of irony, IPX/SPX is also safe.

Re:"super" exploits

[The+Angry+Mick]

What is a "super" exploit???

It's the one with the red "S" on its chest . . .

Ba dum bump.

Net threat overstated, says Paul Watson

[Bimo_Dude]

according to this article on C|net.

From the article:
"The actual threat to the Internet is really small right now," Watson said on Wednesday. "You could have isolated attacks against small networks, but they would most likely be able to recover quickly."

Re:Net threat overstated, says Paul Watson

[AndroidCat]

The assumption seems to be that someone would use this to take down sites or other disruption. Haven't there been cases of IP block hijacking using lax BGP security in the past? (Wasn't that how one company rerouted root DNS for a while several years back?)

There have been cases of "fossil" IP blocks being hijacked in the last few years by spammers. (Sometimes as simple as registering an expired domain that an ancient contact email address points to.) They seem to be paying for malware to be written. Don't think that spammers and other net-vermin won't take a look at this exploit for their uses.

Security through Obscurity proves itself again

It's effective when used as the external skin of a layered approach.

Some would say it should be disposed of entirely, in favor of the bugtraq, etc. totally-open approach.

That approach is IMO foolish. Why throw away a useful layer of security? In 1992 it was debatable; the interim years have shown without a doubt that the totally-open approach produces more script kiddies than it does patched systems.

Re:Security through Obscurity proves itself again

When was this "totally open" approach widely used? Sometime after 1992 I guess, right? Must have missed it.

I think the whole reason the "totally open" approach exists, and will always exist, is to deal with unresponsive vendors. If a software vendor (who shall remain nameless) sits on a major security bug for six months, there is a problem with the "security through obscurity" model, and it's this--there is no profit motive to fix security bugs nobody knows about. If customers think they're safe, that's exactly the same as having them actually be safe, but a lot less work (from a profit-motive point of view). Happy uninformed customers are just as good as happy informed customers.

"Security through obscurity" is, and always has been, step 1. Found a bug? Tell the vendor. "Totally open" is step 2. Vendor has shown no action to fix the bug in a week or two? Make the information public.

You can't have a system of just one or the other. We absolutely must have a "totally open" option to hold over software vendors.

(Interesting side-note: "totally open" isn't necessary for open-source software. The discoverer of the bug can patch the software and release the fix themselves. It's only where we rely on the vendor for fixes where this is necessary)

Re:Security through Obscurity proves itself again

[aug24]

Rot. Non-full-disclosure has generally meant that we didn't have any progress at all cos the vendors typically wouldn't do jack till they had to.

For instance, there was a mail on BugTraq not too long ago about a bug that the finder chased with whichever company it was for about six weeks. No reply. No acknowledgement, no fix. He gave up and went open - they fixed it in a week.

Now, how many other people had found that bug and were trying to make an exploit out of it? What if he had kepy schtum and the black-hats had got in?

That's what full-disclosure is for, to force vendors to fix stuff they could otherwise ignore.

Justin.

I'm of 2 minds on this

[platypibri]

Yes, I would prefer to know immediately if I was vulnerable. However, the vast majority of defense is against script kiddies who wait to have exploits handed to them so they can copy and paste some malicious code together to prove what "hackers" they are. Why should we tell them before there's a patch? I dunno. Hopefully someone smarter than me is working on it.

Re:I'm of 2 minds on this

[vericgar]

What we need is a not-for-profit organization with a team of researchers finding secuirty holes in common software, with a pay-to-subscribe list where the security holes can be released to those that need the information before the script kiddies. Script kiddies probably wouldn't pay to get on this list and thus get the proof of concepts. There are other issues as well though... like what happens when some script kiddy does pay to get on and then leaks all the informaiton to other script kiddies. Or when some company sues the not-for-profit for pointing out a hole in thier software.

I don't think there can be any solution and we just have to conitinue on how we have been - patch ASAP when new patches come out (with proper testing of course) and hope you don't get exploited in the time that takes, and if you do get hacked take the box offline and rebuild (or replace with a backup if you have one available).

Re:I'm of 2 minds on this

[iabervon]

You're not vulnerable, because this only affects TCP connections with easily guessed source ports and known hosts that last for a significant amount of time and where things can't be restarted efficiently. This matters primarily for BGP which you don't use unless you're running a backbone (which is why they contacted the backbone providers first). The main other possibility is that if you have an SSH connection going for a long time, another user on either of the machines (who can get netstat info) who has root on some other machine which can reach one of them can break your connection. So, if you are constantly monitoring logs on a machine by sending them offsite, someone could break your connection before using a local root exploit that would appear in those logs, thus preventing you from knowing what happened.

this is not uncommon

[quelrods]

Usually people take it upon themselves to notify vendors of bugs and give them time to work on patches or workarounds before releasing the information. For anyone that reads full disclosure lists such as bugtraq this is very commoon. Also, when the bug affects key internet infrastructure, the admins of big isps/colos/routers are informed and given time to patch. This is good for the internet and good for vulnerability researches instead of looking like malicious people who just want to destroy the internet.

Re:"super" exploits

[DR+SoB]

It's an exploit that could affect the core routers of the internet. This one could technical reset 100% of webtraffic going through a particular router, in theory. Of course, this won't make a lick of difference to your average webserver, as they handle many connection resets a day. It would only affect those sites that traffic is so large that if all connections were reset it would cause a flood of re-connects thereby socking bandwidth. This is more directed at always up type connections, such as Telnet, SSH (as the article points out), credit card traffic, etc.. HTTP is constantly dropping and connecting anyways..

Fixing the internet...

[Eagle5596]

Dilbert is in the Boss's office.

Dilbert: I discovered a hole in our internet security.

Boss: What?!!

Boss: Good grief, man! How could you put a hole in our internet?

Dilbert, angry: I didn't PUT it there, I FOUND it.. and it's not...

Boss: It's your job to fix that hole. I want you to work 24-7!

Dilbert: Actually, that's NOT my job. But I'll inform our network management group.

Boss, yelling: PASSING THE BUCK!!! YOU'RE A BUCK PASSER!!!

Dilbert: Forget it! There's no hole! It got better!

Boss: That's more like it.

Last panel, the boss is sitting alone smiling.

Boss thinks: I fixed the internet.

Paranoia?

[dawg+ball]

Is this just a case of paranoia reigning supreme? From what I understand of this problem (And it is very possible that I don't know all the details) it only poses a risk under a very specific set of circumstances and that this set of circumstances is very common. Are we becoming ParaNET?

RedHat or Linux Kernel Fix?

[osewa77]

Many networks used home-grown routers based on Linux, FreeBSC, user-space TCP/Firewall/VPN implementations, or even windows. However, the vendor list only includes commercial router manufacturers. This seems to me like a serious problem waiting to happen; the would-be exploiter now know what systems would remain unpatched for a long time.

Re:RedHat or Linux Kernel Fix?

[stratjakt]

The problem affects mainly huge peering sessions between big routers, the kind that last for days. You can essentially trick the routers into dropping the peering sessions, leading to route flapping and other hassles.

Big backbone providers don't generally use home-grown linux routers.

It has no real bearing on some home/office router running linux made out of an old 486.

Isn't BGP an open protocol

[grahamsz]

The whole TCP window thing seems entirely obvious to me, i just hadn't realised that windows were sufficiently big to be guessed. As we start to see faster and faster transfers we'll need larger and larger windows and this will just get easier.

However I cant see why BGP needs to implement a large window - in fact in a device which needs to run as fast as possible it's surely disadvantageous.

I've seen TCP RST attacks in the mid nineties actually used on IRC - only the application of the exploit to bgp is new.

Re:still on topic, troll

[mustangsal66]

There are people who use Windows boxes as routers

Now that's scary...

Imagine the techsupport on that mess...
... Now right click, select BGP... Click peer...
... That's correct sir... it's probably not a good idea to run IIS on your core router...

Re:"super" exploits

[richard_willey]

What dinkleberries modded this up to a 5???

Let's make a few things clear:

The attack in question is a method to reset a TCP connection. The TCP reset is launched against one of the two end nodes participating in the TCP connection. The router has NOTHING to do with this. In theory, if an intermediate system like a router goes down, IP will simply find a new path arround the outtage.

The reason that routers feature prominently in this discussion is that Border Gateway Protocol uses very long lives TCP connections. In turn, this means that routers are very vulnerable to this attack. However, the vulnerability effects routers in their roles as an end nodes (sending or recieving data) rather than their role as an intermediate system (forwarding traffic)

"Secret Repairs Preceded TCP Flaw Release"

And now you blew it! Thanks a lot.

Now if you'll all step this way please...

Diversity

[MachineShedFred]

Hey! He has an Italian typing accent, you insensitive clod!

Why is everyone freaking now?

[fremen]

This attack vector has been known for years, and the TCP windowing nonsense has too. Programs like tcpkill have used the RST trick in conjunction with TCP INS windows for a while and have seen quite a bit of use. What's new with this attack that wasn't already in the wild?

Re:Why is everyone freaking now?

What's new is that someone found an efficient
way to exploit it. Before, it was inefficient
to exploit it.

Re:secret?

[divisionbyzero]

What a troll. Yes, because everyone who doesn't setup MD5 is obviously lazy or stupid, unlike you and your smart friends. Please. There is obviously overhead with doing MD5 and it is reasonable not to use it for performance reasons. Anyway, as someone already mentioned, the vulnerability is in TCP which means the MD5 solution works for BGP, which is the most vulnerable, but does nothing for anything else built on TCP (e.g. DNS).

trap?

[mabu]

I'm wondering why all the hooplah about this, especially after steps were taken to deal with it before publicizing it... unless at the same time, systems were put in place to ID attempts to exploit the vulnerability.

That would make a lot more sense. Protect against the exploit, publicize it, then watch what happens to determine which groups are most adept at quickly exploiting published vulnerabilities and raid their location. Neat idea for a large-scale honeypot.

Although, most of us know that the majority of exploits are now being deployed by spammers. They don't have any incentive to take major backbones down so this effort might just reveal a few more script kiddies that aren't really the problem.

OpenBSD is not vulnerable

[chrysalis]

No, everyone is not vulnerable to the recently published vulnerability in the TCP protocol that allows to shut down BGP routers. Because Cisco hardware is, stupid writers yell that the whole internet is vulnerable. Come on, Cisco is not the internet.

As stated by Theo de Raadt and Henning Brauer, OpenBSD is not vulnerable because (quoting Henning) :

Even without TCP MD5, bgpd on OpenBSD is not affected, because:

we use random emphereal ports
we do not use insanely hughe window sizes as Cisco does
we require the RST sequence number to be right on the edge of the window

(quoting Theo) :

That is right. If you have a Cisco, you can tear down BGP sessions by spoofing:

64K of

SYN?s or RST?s sent to #.#.#.#:179 -> #.#.#.#:{1024,+512,+512,...}

The SYN and RST methods are different, but the end effect is that a tiny little burst of packets will cause a flap.

OpenBSD (and I am sure other systems too) have for some time contained partial countermeasures against these things.

OpenBSD has one other thing. The target port numbers have been random for quite some time. Instead of the Unix/Windows way of 1024,1025,1026,... adding 1 to the port number each time a new local socket is established? we have been doing random for quite some time. That means a random selection between 1024 and 49151. This makes both these attacks 48,000 times harder; unless you already know the remote port number in question, you must now send 48,000 more packets to effect a change.

We?ve made a few post-3.5 changes of our own, since we are uncomfortable with the ACK-storm potention of the solutions being proposed by the UK and Cisco people; in-the window SYN or RST?s cause ACK replies which are rate limited.

It will have the most impact on vendors who do BGP over poor TCP stacks. In particular, Cisco.

Cisco has not been teaching engineers to block SYN?s coming in; they have only been teaching them to block SYN-ACK?s from going out in return. And? well, you?ll see.

Ehm, actually OpenBSD is vulnerable. To quote Mike Frantzen : The exploit has a one in 206,703,891,006,465 chance of succeeding. An exhaustive search would require 11,162,010,114,349,110 bytes of traffic which would take 962 days at a saturated gigabit per second. Or two hundred years on a T1. :)

Re:Why is BGP maintaining persistent connections

[DR+SoB]

I have no idea about BGP, or the decisions made, but I can speak from the credit card standpoint. It used to be that credit card transactions (not a-sync, TCP only.), would connect, send transaction, wait 10-30 seconds, then disconnect. This has changed over the past 5 years or so for many vendors, who have now switched to an "always up" state. The reason before was bandwidth was an expensive commodity, but with the prices now, it's better to have a connection stay always online so that as soon as there is a connection issue it can be detected by the host server, the thinking there is you can correct many incidents before the customer/store is even aware there is an issue. Security is not a concern for either of the formats as the link must be encrypted, and private.

Smithsonian's Storage

[Gunfighter]

Funny you should mention that scene. I've been to the Smithsonian's storage facilities in Silver Hill, MD on numerous occasions. The final scene of the Ark rolling down an aisle with unknown treasures stacked floor to ceiling on either side isn't too far from the truth. The individual football field-sized containers are called "pods". They're highly guarded and environmentally controlled.

My favorite resident of the pods was the stuffed black rhino that the Smithsonian didn't want to put on display because the animal is extinct and they didn't want any controversy over it.

The scary thing is that if you took the time to look at every individual item on display in the Smithsonian for a few seconds, it would take you several years. If they actually had their entire collection displayed (they have crap tucked everywhere, not just in the Silver Hill storage facility), it would probably take you several lifetimes. There's no telling what they have stashed away.

The Smithsonian's "Secret Repairs" are handled by the Smithsonian Center for Materials Research and Evaluation (http://www.si.edu/scmre/index.asp). SCMRE is, conveniently enough, primarily located at the Silver Hill storage facility.

MD5 isnt enough

[Alan+Cox]

The MD5 auth hack unfortunately fixes only some of the issues here. There is a second way to disrupt streams involving shrinking the MTU to a stupid level, and the "aim for the window" tricks observed in the other attack apply here too.

Going back to 199x it was known that you could hit long lasting streams with ICMP must-fragment mtu = 80 and similar values and basically stall the stream. Some stacks correctly turn off MTU discovery faced with such a claim others ignore it (and break on low mtu links), and others believe it (and break spectacularly). The routters in the middle of the stream have no knowledge of the MD5 or other secrets so can only reply in untrusted form. It is possible to do some checking from the reply data but not full checks.

To make it more fun the proposed fix seems to open a new exploit path that may be worse. Fortunately there is a trivial fix for this case if the problem is confirmed real.

The ultimate problem though is ISPs not filtering packet source addresses. If the governments want to pass one sane bit of 'cybersecurity' law then filtering end users to stop source address spoofing would be it, and require they only used their legitimate assigned addresses (or other addresses properly owned by one way downlinks like satellite etc)

Alan

Re:"super" exploits

[the+morgawr]

It can't be targeted unless the vendor has both an unsecure BGP protocal and a crappy TCP implementaion.

This isn't a TCP problem, it's just being billed that way because a bunch of vendors have crappy implementations of the above protocals. Yes, in theory this could affect everyone, but the difficulty of doing this type of attack on a system with a good TCP implementation is next to nothing.

Basically, the attack takes advantage of certain predictable behaviors that arn't in the spec but that most of the TCP implementations have to reduce the possible space of packets to something that is reasonably tryable.