Slashdot Mirror
Secret Repairs Preceded TCP Flaw Release
efranco cuts and pastes: "Only the math had changed. But the emergence of a workable exploit for an old TCP security hole prompted a secret initiative to fix the Internet, giving network operators a week to secure vulnerable routers. The clandestine repair effort livened an already intense period for security pros already juggling a bevy of Windows security patches." We ran a story on a this a few days ago.
is here as posted from an article on the register.
I think we're gonna see a lot more of this. If you release information before you fix it these days you're just inviting people to test your shiny new vulnerability ;-)
we see things not as as they are, but as we are.
-- anais nin
When will I be able to download a fixed version?
The best kind!
"What are you doing?"
"Can't tell you."
"When will you be done?"
"Can't say."
"Is there anything you can tell me?"
"This will save your life."
"Really?"
"No."
Any user without the technical competence to inspect and repair TCP/IP packets on the fly should not be allowed to use the Internet. Such vulnerabilities only exist because people too lazy and ignorant to download the patches for their Cisco routers!
Ceci n'est pas une signature
Yesterday was 1998? Whew, I thought it was 2004 and 6 years of my life were wasted
It's the one with the red "S" on its chest . . .
Ba dum bump.
I'm not tense. I'm just terribly, terribly, alert.
No. TCP is a different layer than IPv6. It has no effect on IPv6 or IPv4.
From the article:
"The actual threat to the Internet is really small right now," Watson said on Wednesday. "You could have isolated attacks against small networks, but they would most likely be able to recover quickly."
"Teleporting Rodents with D-Cell Battery Displacement" theory -- IgnoramusMaximus (692000)
Yes, I would prefer to know immediately if I was vulnerable. However, the vast majority of defense is against script kiddies who wait to have exploits handed to them so they can copy and paste some malicious code together to prove what "hackers" they are. Why should we tell them before there's a patch? I dunno. Hopefully someone smarter than me is working on it.
Yeah, I guess I'm funny like that.
Usually people take it upon themselves to notify vendors of bugs and give them time to work on patches or workarounds before releasing the information. For anyone that reads full disclosure lists such as bugtraq this is very commoon. Also, when the bug affects key internet infrastructure, the admins of big isps/colos/routers are informed and given time to patch. This is good for the internet and good for vulnerability researches instead of looking like malicious people who just want to destroy the internet.
:(){
IPv6 is a layer below, thats why its called TCP/IP. IPv6 is only an addressing scheme for bit packing, and how many bits in a reference. Tcp is above it, they are independent of each other. For more information google "OSI Network Layer Model".
Dilbert is in the Boss's office.
Dilbert: I discovered a hole in our internet security.
Boss: What?!!
Boss: Good grief, man! How could you put a hole in our internet?
Dilbert, angry: I didn't PUT it there, I FOUND it.. and it's not...
Boss: It's your job to fix that hole. I want you to work 24-7!
Dilbert: Actually, that's NOT my job. But I'll inform our network management group.
Boss, yelling: PASSING THE BUCK!!! YOU'RE A BUCK PASSER!!!
Dilbert: Forget it! There's no hole! It got better!
Boss: That's more like it.
Last panel, the boss is sitting alone smiling.
Boss thinks: I fixed the internet.
It's a pointer to self. Useful for creating dupe stories:
story_type dupe = this->return_story();
Toronto-area transit rider? Rate your ride.
The problem affects mainly huge peering sessions between big routers, the kind that last for days. You can essentially trick the routers into dropping the peering sessions, leading to route flapping and other hassles.
Big backbone providers don't generally use home-grown linux routers.
It has no real bearing on some home/office router running linux made out of an old 486.
I don't need no instructions to know how to rock!!!!
Rot. Non-full-disclosure has generally meant that we didn't have any progress at all cos the vendors typically wouldn't do jack till they had to.
For instance, there was a mail on BugTraq not too long ago about a bug that the finder chased with whichever company it was for about six weeks. No reply. No acknowledgement, no fix. He gave up and went open - they fixed it in a week.
Now, how many other people had found that bug and were trying to make an exploit out of it? What if he had kepy schtum and the black-hats had got in?
That's what full-disclosure is for, to force vendors to fix stuff they could otherwise ignore.
Justin.
You're only jealous cos the little penguins are talking to me.
And now you blew it! Thanks a lot.
Now if you'll all step this way please...
Hey! He has an Italian typing accent, you insensitive clod!
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
This attack vector has been known for years, and the TCP windowing nonsense has too. Programs like tcpkill have used the RST trick in conjunction with TCP INS windows for a while and have seen quite a bit of use. What's new with this attack that wasn't already in the wild?
What a troll. Yes, because everyone who doesn't setup MD5 is obviously lazy or stupid, unlike you and your smart friends. Please. There is obviously overhead with doing MD5 and it is reasonable not to use it for performance reasons. Anyway, as someone already mentioned, the vulnerability is in TCP which means the MD5 solution works for BGP, which is the most vulnerable, but does nothing for anything else built on TCP (e.g. DNS).
No, everyone is not vulnerable to the recently published vulnerability in the TCP protocol that allows to shut down BGP routers. Because Cisco hardware is, stupid writers yell that the whole internet is vulnerable. Come on, Cisco is not the internet.
:
:
:)
As stated by Theo de Raadt and Henning Brauer, OpenBSD is not vulnerable because (quoting Henning)
Even without TCP MD5, bgpd on OpenBSD is not affected, because:
we use random emphereal ports
we do not use insanely hughe window sizes as Cisco does
we require the RST sequence number to be right on the edge of the window
(quoting Theo)
That is right. If you have a Cisco, you can tear down BGP sessions by spoofing:
64K of
SYN?s or RST?s sent to #.#.#.#:179 -> #.#.#.#:{1024,+512,+512,...}
The SYN and RST methods are different, but the end effect is that a tiny little burst of packets will cause a flap.
OpenBSD (and I am sure other systems too) have for some time contained partial countermeasures against these things.
OpenBSD has one other thing. The target port numbers have been random for quite some time. Instead of the Unix/Windows way of 1024,1025,1026,... adding 1 to the port number each time a new local socket is established? we have been doing random for quite some time. That means a random selection between 1024 and 49151. This makes both these attacks 48,000 times harder; unless you already know the remote port number in question, you must now send 48,000 more packets to effect a change.
We?ve made a few post-3.5 changes of our own, since we are uncomfortable with the ACK-storm potention of the solutions being proposed by the UK and Cisco people; in-the window SYN or RST?s cause ACK replies which are rate limited.
It will have the most impact on vendors who do BGP over poor TCP stacks. In particular, Cisco.
Cisco has not been teaching engineers to block SYN?s coming in; they have only been teaching them to block SYN-ACK?s from going out in return. And? well, you?ll see.
Ehm, actually OpenBSD is vulnerable. To quote Mike Frantzen : The exploit has a one in 206,703,891,006,465 chance of succeeding. An exhaustive search would require 11,162,010,114,349,110 bytes of traffic which would take 962 days at a saturated gigabit per second. Or two hundred years on a T1.
{{.sig}}