Linux Bug Leaves USA Today, Other Top Sites Vulnerable To Serious Hijacking Attacks

Dan Goodin, reporting for Ars Technica: Computer scientists have discovered a serious Internet vulnerability that allows attackers to terminate connections between virtually any two parties and, if the connections aren't encrypted, inject malicious code or content into the parties' communications. The vulnerability resides in the design and implementation of RFC 5961, a relatively new Internet standard that's intended to prevent certain classes of hacking attacks. In fact, the protocol is designed in a way that it can easily open Internet users to so-called blind off-path attacks, in which hackers anywhere on the Internet can detect when any two parties are communicating over an active transmission control protocol connection. Attackers can go on to exploit the flaw to shut down the connection, inject malicious code or content into unencrypted data streams, and possibly degrade privacy guarantees provided by the Tor anonymity network. At the 25th Usenix Security Symposium on Wednesday, researchers with the University of California at Riverside and the US Army Research Laboratory will demonstrate a proof-of-concept exploit that allows them to inject content into an otherwise legitimate USA Today page that asks viewers to enter their e-mail and passwords.

Once again, open source is vulnerable

Most ordinary users don't look at the source because they just want a computer that works and does what they want it to. However, publishing source code allows hackers to find the vulnerabilities more easily than guessing them with closed source software. Open source software is inherently insecure and closed source offers far greater security.

Re:Once again, open source is vulnerable

[OrangeTide]

Do you have some examples of secure closed source? It's hard to find examples that have an install base in the server world as big as Windows or Linux, and examples of less used systems can be a bit suspect as they could simply be a statistical anomaly or not well known and not a popular target in the hacker scene. (although some of those guys will dig into pretty much anything, especially if they can work out a cool presentation at DEF CON)

Linux vulns tend to get corrected pretty quickly, as there are a lot of contributors. And like most vulns the easy way to avoid this is not to add so many damn features.

PS - OpenBSD doesn't have this flaw, and it is also open source.

Re:Once again, open source is vulnerable

Most ordinary users don't look at the source because they just want a computer that works and does what they want it to. However, publishing source code allows hackers to find the vulnerabilities more easily than guessing them with closed source software. Open source software is inherently insecure and closed source offers far greater security.

At the 25th Usenix Security Symposium on Wednesday, researchers with the University of California at Riverside and the US Army Research Laboratory will demonstrate a proof-of-concept exploit that allows them to inject content into an otherwise legitimate USA Today page that asks viewers to enter their e-mail and passwords.

It looks to me that by having the source code available, these researchers - white hats - found the vulnerability before the bad guys did. Of course, USA Today being highjacked wouldn't exactly be this horrible ordeal or any real loss to humanity.

Re:Once again, open source is vulnerable

However, publishing source code allows hackers to find the vulnerabilities more easily than guessing them with closed source software. Open source software is inherently insecure and closed source offers far greater security.

Ahhh yes, the unbreakable security of obscurity.
Do you publish a newsletter by any chance?

Re:Once again, open source is vulnerable

Obvious troll is obvious.

Re:Once again, open source is vulnerable

[MSG]

I'm not in the habit of responding to obvious trolls, but this case makes very clear the flaw in the logic of people who actually believe that open source is insecure.

The bug is in the specification, which is necessarily open in order to create inter-operable systems. And what is code, if not a machine readable specification?

The idea that closed source is more secure, taken to its logical end, is an argument for closed systems that don't inter-operate with other systems. Their operation would have to be entirely secret and proprietary.

Re:Once again, open source is vulnerable

[Tharkkun]

I'm not in the habit of responding to obvious trolls, but this case makes very clear the flaw in the logic of people who actually believe that open source is insecure.

The bug is in the specification, which is necessarily open in order to create inter-operable systems. And what is code, if not a machine readable specification?

The idea that closed source is more secure, taken to its logical end, is an argument for closed systems that don't inter-operate with other systems. Their operation would have to be entirely secret and proprietary.

It really goes both ways. Open and Closed source code are equally secure. Many times open source code is though to be so secure that people don't discover the bugs for many years later. The advantage of open source is that the bug generally gets fixed faster than closed source due to the visibility of the issue.

Re:Once again, open source is vulnerable

[slimshady76]

It's not a Linux bug, but a buggy RFC implementation. Please read TFA and then try to resume your lame trolling against OSS.

Re:Once again, open source is vulnerable

[EndlessNameless]

It looks to me that by having the source code available, these researchers - white hats - found the vulnerability before the bad guys did.

There is no indication in the paper that the researchers looked at the Linux source code to develop this attack. On the contrary, it looks like they designed the attack using methods devised from earlier research.

They also note that Windows, FreeBSD, and OS X are not vulnerable. In this case, being open source is not an indicator of security.

Re:Once again, open source is vulnerable

Vulnerabilities don't grow on trees... they hide in the ground. You have to dig to find them. And source code makes vulnerabilities shallower (less effort to find).

Re:Once again, open source is vulnerable

Good luck with your "NSA implanted" protocols which never get flushed out due to obscurity and closed source.

Re:Once again, open source is vulnerable

Found the Microsoft shill. History complete invalidates this stupidity. Shocking that Microsoft is shilling so desperately in efforts to force people to Win10 nightmares.

No OS is 100% secure. No OS is invulnerable to bugs. Anyone who would assert anything close to what you've stated is a literal imbecile or a liar.
 

Re:Once again, open source is vulnerable

[F.Ultra]

Does WIndows, FreeBSD and OSX implement RFC 5961? Looks like the vulnerability lies in the specs and not in the implementation.

Re:Once again, open source is vulnerable

Anything that isn't vulnerable to this one *right now*, is vulnerable to a nasty DoS based on ACKs that it is meant to stop. Obviously, it could have implemented the fixed defense... only, they didn't. Not one of the BSDs, nor Windows.

Re:Once again, open source is vulnerable

No, they don't. And they are completely vulnerable to the attack RFC 5961 is meant to avoid.

Re:Once again, open source is vulnerable

You dumb internet nigger. Keep crying! Your tears are DELICIOUS!

Re:Once again, open source is vulnerable

[exomondo]

Do you have some examples of secure closed source?

Even if you were to get an answer to that the result would always be "but it could contain undiscovered vulnerabilities" and the same is the case with open source software despite the fact that you can see the code. Yes it does mean that white hats could find and fix bugs easier but it also means black hats could find and exploit bugs easier so whether it is more or less secure depends on who is looking at the code.

There are too many variables to ever broadly say open source or closed source is more secure and it's not something you can prove.

Re:Once again, open source is vulnerable

you are vulnerable to intensive workload so you are uselessly vulnerable? You don't even seem to know what DoS exactly is.

Re:Once again, open source is vulnerable

[X86BSD]

FreeBSD supports partial implementation of 5961. As well as one of the authors of the RFC for 5961 being a FreeBSD committer. FYI. I have yet to see a Security Advisory for FreeBSD yet about this issue. So time will tell. But so far only Linux is affected.

Re:Once again, open source is vulnerable

Vulnerabilities don't grow on trees... they hide in the ground. You have to dig to find them. And source code makes vulnerabilities shallower (less effort to find).

And less effort to fix.

Re:Once again, open source is vulnerable

I don't really need the source to find and exploit bugs. There are excellent tools for picking apart binaries. High level languages are not necessarily more readable than assembler. High-level mainly is an advantage for portability, specifying data structures, and modifying. If I'm reverse engineering, I don't really need any of those features.

What is troublesome is when I don't even have access to the binaries. Pentesting is a whole different ballgame, and there are a million guys better at that aspect of hacking than I am.

Re:Once again, open source is vulnerable

[Barsteward]

Windows and Mac OS X were the only other OSs mentioned in the article and according to the article, the fix was applied to the linux kernel 4.7 three weeks ago. One good thing is that the other OSs who are still dragging their feet on implementing 5961 fully, now have a heads up.

Re:Once again, open source is vulnerable

[Barsteward]

perhaps you'd need to read this http://www.theregister.co.uk/2...

Re:Once again, open source is vulnerable

[EndlessNameless]

No, and the vulnerability from implementing it is actually worse than doing nothing at all.

Without RFC 5961 support, an attacker with visibility of your communication can DoS it with forged resets. With RFC 5961, an attacker without direct visibility can determine if two hosts are communicating and then tamper with the data---roughly 80% of the time, according to paper.

The RFC process follows essentially the same many-eyes approach, yet this vulnerability went undiscovered from draft to implementation.

Open vs closed development of specs and software had little or no effect on the end result---although with open software you could remove the offending code yourself if the developer is unwilling to change or remove it himself.

Re:Once again, open source is vulnerable

And allows for quick fixes.

This attack has already been mitigated in linux kernels 4.0 and later. It sets a per socket limit for creating challenge acks which makes it much harder to hit the challenge ack limit that is used to get side channel information. 3.6 to 3.9 are vulnerable but you can turn it off easily just set the sysctl for tcp_challenge_ack_limit to 0. That prevents any challenges being sent, effectively denying them access to the side-channel and giving you as system that is no more vulnerable than a kernel previous to 3.6.

Re:Once again, open source is vulnerable

[proibido]

I don't really need the source to find and exploit bugs.

Well, it sure helps!

Re:Once again, open source is vulnerable

[EndlessNameless]

The partial implementation in FreedBSD is identified as not vulnerable. It's on p 15 of the research paper.

Re:Once again, open source is vulnerable

DoS vs data manipulation, which is worse?

And the manipulation can include closing the connection anyway so more like "DoS" vs "manipulation and DoS"

I will take my TCP stack without RFC5961, please and thank you

Re:Once again, open source is vulnerable

[ebvwfbw]

Not a Linux bug. Same thing will work against Windows, and everything else. It's in the RFC that everyone follows.

Re: Once again, open source is vulnerable

[igorlord677]

Wrong. Kernel 4.7 has effective mitigation without disabling rate limit on challenge acks.

Re:Once again, open source is vulnerable

[Zontar+The+Mindless]

What are you complaining about? Like the headline says, the bug left the USA today!

wait, what?

USENIX is scooping DEFCON?

"linux is safe"

It isn't.

Re:"linux is safe"

what you don't get is that the bug is in the RFC , the linux developers were just the first to implement this .
Any other OS implementing the same RFC would also be vulnerable.

Re: "linux is safe"

Besides, it'll most likely be fixed before anyone manages to abuse it. So what's the buzz about?

Re:"linux is safe"

[Dadoo]

It isn't.

No one has ever said "linux is completely safe". It's just safer than most of the alternatives.

Re:"linux is safe"

Linux fan boys have been proclaiming "linux is completely safe" at the top of their lungs for years. And there is no proof that Linux is more secure than any other OS. It's the low adoption rate in the PC desktop market that gives the false impression that it is more secure than the leading PC desktop OS. Even Linux in the data center has had some high profile security issues in the last couple of years. A professionally administrated MS OS is just as secure as a professionally administrated Linux OS. The vast majority of security issues are not caused by a glaring weakness in the OS it is poor administration and configuration practices.

Re: "linux is safe"

[orlanz]

No they haven't. Nuff said.

Re:"linux is safe"

Please substantiate your statement about Linux "fanboys" with links. We're dying to evaluate the credibility of the sources that are saying "Linux is completely safe." I'm willing to bet that you're expressing an exaggerated interpretation of "Linux is generally a safer platform than Windows."

TLS

[DarkOx]

And using SSL/TLS or ipsec would basically close this hole entirely. What we see here is that it might be a little easier to inject into non-ciphered non-authenticated content and there may be a slightly larger scope of attackers positioned to do it.

NON STORY

There has always been a risk that plan text traffic could be tampered with, nothing has really changed here and I don't see that risk even being significantly increased.

Re:TLS

SSL in only useful if you can pay up for a cert. For many websites using a cert is simply to expensive and may require a dedicated IP.

Re:TLS

lulz. yer one of them thar tards that thinks t3h intarwebz is just http/https. lollertard.

Re:TLS

Considering some companies have used a revenue model where tampering with plain text traffic to replace "their" ads (replacing the site's original content) is a thing, it seems odd to make a grand demonstration of risk at this point.

Re:TLS

[omnichad]

For many websites using a cert is simply to expensive and may require a dedicated IP.

Answer: Let's Encrypt and SNI. There is no excuse. If you can't do that, find a new host.

Re:TLS

[darkain]

Too bad nobody provides simple to install and manage certs for free that don't require a dedicated IP address then. https://letsencrypt.org/

Re:TLS

If by pay you mean get for free I see your point.

https://letsencrypt.org/

Re:TLS

SSL gets hacked all the time and when they redo it it makes it worse by breaking apps that use that busted junk. Why are you suggesting security theater crap for?

Re:TLS

Why is there so much amazing stupidity in this thread. One shill post after other. The vast majority of posts here are complete stupidity. What has happened to /. Have shills so completely taken it over?

Free
https://letsencrypt.org/

On top of all this, the issue is because of an accurately implemented RFC! It means the RFC is broken, not that Linux has an issue. In order words, Linux has an issue BECAUSE they correctly implemented a problematic RFC.

The idiocy of the shills here is incredible. It's like a brain tumor threw up and created the shills here. Hell, just the other day vulnerable appeared to bypass Microsoft's disk encryption and the ability to leak passwords by passing a malicious URL. Shit. But derp...I so fucking stupid, the end of the world is cuzed by open source because it properly implemented an RFC. Fuck, my brain is exploding from the stupidity here.

Re:TLS

[paskie]

...because letsencrypt?

Re: TLS

[corychristison]

Even without Lets Encrypt, you can find paid certs for ~$5 USD per year. That's half the price of a domain name.

If you can't afford that, what the hell are you doing?

Re:TLS

SSL/TLS would stop the hijacking part, but not the DOS part. Part of the issue is for anyone on the internet, without man-in-the-middle abilities or even an ability to sniff the traffic, to be able to kill a connection.

Re: TLS

Heard of Let's Encrypt?

Re: TLS

[thegarbz]

Even without Lets Encrypt you can find free certs.

Re: TLS

[Dagger2]

The lack of automation means you end up paying in admin overhead though.

Re: TLS

[Dog-Cow]

15 minutes a year. Woo-fucking-hoo.

Re: TLS

I'm blaming the millennials. It may not be their fault, but I blame them for everything.

Re: TLS

[thegarbz]

If you can't afford the tiny overhead of updating your SSL certificates then you should really make that clear to your investors or anyone else who has any stake in the impeding failure of your business.

Re:TLS

For many websites using a cert is simply to expensive and may require a dedicated IP.

Answer: Let's Encrypt and SNI. There is no excuse. If you can't do that, find a new host.

Depending on the application there is also the problem of extra CPU usage caused by TLS. If you need to push lots of data, we're talking 10+ Gbit/s and does not have powerful enough hardware acceleration TLS might still not be possible for you. I know of a handful of open source projects that have run into this while moving their infrastructure over to TLS.

Re: TLS

After StartSSL's abysmal handling of their attempted automated-certification process, I assumed they'd be dropped from the certificate stores of the major browsers by the end of the year. I've been moving away from StartSSL since that story came out under the assumption that StartSSL will be dead within a year.

Re:TLS

Does Let's Encrypt actually give out certs now? Or am I still having to run their daemon on my system to actually get the cert?

Re:TLS

[Zontar+The+Mindless]

The idiocy of the shills here is incredible. It's like a brain tumor threw up...

Thanks for making me laugh out loud with a mouthful of coffee.

(P.S. You owe me a new keyboard.)

Re:TLS

They have a command-line tool that you can run once and it will give you a cert. That's how I use it. certbot certonly for the first cert, and then certbot renew for renewals. There is no daemon running, I don't even know if they have the ability to run in daemon mode. All docs I've seen have been for invoking it manually or from cron.

Re: TLS

[bhiestand]

If you can't afford to automate the overhead and risk of not properly updating your SSL certificates, then you should really make that clear to your investors or anyone else who has any stake in the impending failure of your business.

Re: TLS

[thegarbz]

Err no. The ability to automate or not automate really low cost risks is not something that will put you out of business.

Depending on eliminating those really low costs however will.

Thanks for playing.

R.I.P. IPsec

[OrangeTide]

I wrote a tiny bit of IPsec code about 15+ years ago, for a router company thinking it would take off. It still hasn't taken off, and I've given up on anyone giving two shits about rolling out IPsec in any significant way.

Re:R.I.P. IPsec

Me too (writing IPsec code years ago) and it was just so over-engineered, and had so many platform interoperability issues, no one wanted to use it. Hard to configure, hard to get right. Almost as if someone wanted it to be too complex to audit, and too full of holes.

SSH and VPN tunnels are more useful in real life.

Re: R.I.P. IPsec

[HunterBreedlove4465]

With simplicity being the goal, Id want some complexities for security; hense, smoke on the battlefields _ avoidance _ distractions are the aterior motives to discussion. IPSec, how many rules can you bend?

Re:R.I.P. IPsec

[skids]

IKEv2 is a bit better in that respect than IKEv1 is.

Really, the problem with doing IPSEC right has always been 90% inter-vendor interoperability and only 10% due to the complexities of the protocol. When you have to interoperate with vendors who have not made a complete IPSEC product, security with the well done implementations also suffers. Strongswan to Strongswan works pretty damn well, though.

No

[HBI]

The DOS possibilities are ignored by you. This is a significant problem. Why bother with a DDOS via a botnet when you can do this kind of thing from a single host?

Re:No

Single hosts can be easily detected and turned off. DDOS is preferred because it's much harder to defend against and localize the attacker.

Re:No

[HBI]

Combine the two, and a smaller botnet is sufficient to accomplish your goal. Regardless, it's still another threat that we didn't need. If the RFC were unimplemented, we'd be better off.

The good idea fairy(tm) strikes again.

Seems too scary to be believable

[mi2]

hackers anywhere on the Internet can detect when any two parties are communicating over an active transmission control protocol connection

The above does not seem believable — in principle. Unless by "hackers anywhere" means "hackers able to login anywhere".

Would any resident network experts care to comment?

Re:Seems too scary to be believable

[kamakazi]

Yeah, I am also having a little trouble with the "hackers anywhere" You can't inject into traffic you can't see, so saying you don't need a man in the middle is a little disingenuous. Yes, you don't need an actual man in the middle routing packets, but it appears that you need a controlled host on a subnet through which the traffic passes.

In a switched network even this would be insufficient, since in the terminal subnets (both client and server) IP traffic is only visible on the actual switchport to which the relevant host is connected.

In the routing subnets between the terminal subnets I would hope that any computers that exist (as opposed to hardware switches and routers and flow shapers and such) would be very carefully monitored and protected. I know on the college campus network I administer the routing subnets are very small (/29s or even /30s) and usually do not contain any general purpose computers.

If you have a compromised computer actually in a position to see IP traffic it has always been trivial to spoof TCP RST packets and such to break a connection.

So yes, the vulnerability exists, but I don't see anything that I will lose sleep over. The problem with the hack is it seems to require the hacker to have already owned a machine on one of the terminal subnets involved in the attack which can see a lot more than it should be able to. A promiscuous NIC still can't see switched traffic. If this is indeed the case there has been a severe misconfiguration on the network.

Even in a wireless scenario I am not sure it is a serious threat, unless the hacker has full visibility in the wired network behind the access points, since WPA2 is going to make packet injection pretty tough

I looked briefly at the RFC mentioned, and it is attempting to make the old school "spoof a RST" type attacks harder, but those attacks should be very difficult on a modern network simply because layer 2 switching makes it hard to collect the parameters needed to build the layer 3 attack packets.

There was a company a decade or so ago (maybe they still exist, I dunno) called Audible Magic which was designed to prevent downloading copyrighted music. It required a span or mirror port so it could see the entire internet feed, it then watched TCP connections, did some sort of hash based song detection, then spoofed RSTs to both ends of the connection. Didn't work all that well, probably because it took to long to detect the song, and bittorrent made it useless because you don't get big enough pieces to fingerprint the song from a single connection, so we didn't have it around too long. I just don't understand how this attack works without that full sniffer connection.

If you were to combine some kind of storm attack in the network to cause the switches to fall into dumb repeater mode then yes, you could see the packets, but at that point the network is probably too dysfunctional for the target TCP connection to stay up anyway.

Re:Seems too scary to be believable

[DarkOx]

I commented already that I don't think this is of concern either. If we really want to tin foil hat up though it might be possible to inject into traffic you can't see. If its highly predictable traffic.

Linux Bug Leaves USA Today,

Am I the only one that (mis-)read the headline and went WTF?

Re:Linux Bug Leaves USA Today,

Am I the only one that (mis-)read the headline and went WTF?

You mean the bug has not left USA? Damn, who said English was easy to learn?

Linux Bug Leaves USA Today

[StikyPad]

I say good riddance!

Re:Linux Bug Leaves USA Today

[Tablizer]

Linux hater!

Re:Linux Bug Leaves USA Today

[darkain]

I think you need a new sig (posted via Slashdot HTTPS)

Not A Linux Bug

[StormReaver]

The bug is in the RFC, which Linux implements faithfully. I find it funny that the only reason Linux is the only mainstream operating system that is vulnerable is because it's the only mainstream operating system that implements the RFC. And yes, it is a very critical bug, one which the RFC needs to address, too.

Also, the fix was committed a few weeks ago, but distributions haven't pushed it out yet (at the time the arstechnica article was written).

Re:Not A Linux Bug

Really? Not A Linux Bug?

How about it is a Linux bug, with ultimate responsibility going to the RFC. And no, it's not sufficient for the Linux world to say, "oh well, it's the RFC, so nothing to do with us." You used the RFC, you inherited the bug, you have a problem.

Linux must now decide whether to wait for the RFC process to correct the issue at source (a process that could potentially take months or years), unilaterally change the spec and wait for the RFC process to catch up, or deprecate the RFC entirely. Not a fun set of choices huh?

To do nothing is irresponsible. To send out the message that "there's nothing wrong with Linux here" is equally irresponsible. You don't get to leave your users in the lurch while you sit (collectively speaking) on your hands.

Re:Not A Linux Bug

[Mondragon]

There is absolutely nowhere in the RFC that it specifies that the challenge ACK rate limiter should be a single global limiter. Claiming that the Linux implementation is "faithful" is mostly true, in a naive way, but a non-broken implementation would *also* be a "faithful" implementation of the RFC.

Re:Not A Linux Bug

[Dog-Cow]

Your stupidity is so profound, you truly deserve to be tortured for decades.

The very comment you replied to has a second paragraph, which you completely ignored in your rush to post a stupid rant about a complete non-issue.

Re:Not A Linux Bug

So, I agree I was a little too quick on the draw there, and I definitely overlooked the "a fix was committed a few weeks ago" part. My bad.

On the other hand. You have fully invested in the Linux worlds occasional bad habit of being hostile and unwelcoming, haven't you? "Your stupidity is so profound, you truly deserve to be tortured for decades." Who peed in your Cornflakes this morning? Truly, you keep using that word. I do not think it means what you think it means.

You have also fully invested in the Linux Uber Alles world view, in which Linux is so wonderful that even it's flaws are wonderful. Let anyone else make a mistake and they are Too Stupid to Live. Linux makes a mistake and hey, no problem, it's the RFC (or any external entity), and RTFM and the stupid users. Right? Come on, admit it.

Re:Not A Linux Bug

Ouch! I'm not sure you are right, but you sure sound right. And if that is so then... ouch!

Re:Not A Linux Bug

"Linux Uber Alles."

"I definitely overlooked the 'a fix was committed a few weeks ago' part."

You're obviously not too stupid to live because you're still making an utter ass of yourself in the comments, but you're not too stupid to die I assume? Do us all a favour and suck on an exhaust pipe. Or Tim Cook's dick, I'm sure you'd both enjoy that.

How do I know you're a Macfag? The fact that you can manage to post cringe-worthy, senseless rants without a functioning brain cell is always a dead giveaway. Kind of like how your mother's virginity must have been a dead giveaway, judging by the little shit she squat out and named.

só goza quando pensa em mim, por fica persegu

Go to Google images and search for anuses pictures, it's like when You're doing your makeup at the mirror, right? It's start to get clean, but I know it still is your ass face.

dear internet:

possibly degrade privacy guarantees provided by the Tor anonymity

quit finding our back doors.

sincerely,
fbi/nsa/cia

RFC5961 is flawed

[kent.dickey]

I read the brief article, and read RFC5961, and here's a quick summary:

A TCP connection is uniquely identified by the combination of: Source IP address; Destination IP address; Source port number; Destination port number. TCP also has a sequence number, which helps reorder packets. It also helps prevent spoofing, but spoofing is still possible. Any computer on the internet can craft a packet to send to a Destination IP address and Destination port with all the other fields spoofed. A spoofer cannot receive a reply (the Destination machine will send any replies to the indicated Source IP address, which the spoofer cannot see).

So, it's possible to inject SYN and RST requests into valid streams, shutting down other people's connections (although you couldn't be sure you've succeeded). RFC5961 tries to prevent this by adding some cases where the SYN/RST are not treated as valid, but instead it sends a special ACK to the source requesting confirmation. To avoid denial of service, these special ACKs are rate-limited to 10 per 5 seconds. Note these special ACKs are only generated if the SYN or RST look "nearly" valid based on the sequence number, otherwise the RST or SYN is ignored.

And that's what they discovered is the problem--open your own connection to any Destination which has long-term connections (and they picked a USA Today website, but anything would work), and every 2 seconds try to get it to generate those special SYN/RST ACKs. If it's not under "attack", you'll get your ACKs.

Then, spoof billions of packets using a chosen source IP address (and loop through all sequence nums and port nums) and guess the dest port (say, 80).

Now send a little traffic to the Destination on your valid connection to try to get these special SYN/RST ACKs. If you don't get your ACKs (due to the global rate limiting), then you "know" that you've stumbled upon a valid combination of Source IP/port and Destination IP/port and sequence number, so you know who's talking to the Destination machine. If you've picked a Source Address and port number not connected, then these special ACKs don't get generated, so your slow traffic generating these ACKs will not be rate limited, so you can tell this Source IP/port are not connected to this destination IP/port.

So RF5961 turns a pesky annoyance bug into a bug where its possible to determine who's connecting to a particular website (although time consuming).

With more care, they then figure out the sequence number--and once you have that, you can do targeted data injection. (It's always possible to do blind data injection, but the chance you can accurately inject javascript is hard since the sequence number is hard to predict).

RFC5961 should not do global rate limiting--it leaks important data.

Re:RFC5961 is flawed

[kamakazi]

Actually, the global rate limiting may not be the problem, the fixed limit may be. If the global rate limit were periodically randomly set, instead of 100/second, somewhere between 95 and 105 per second, then this attack would not work. It depends completely on knowing the global rate limit, and assumes there is no other traffic generating challenge ACKs.

A per connection rate limit would not accomplish the purpose of a rate limit, but an unknown global rate limit that changed fairly often would prevent this information leakage. Based on the attack time in the paper I think a rate limit that reset to a random value at a random time from 3-5 seconds would make this attack useless.

If the time the limit changes is fixed then the attacker can synchronize with the reset clock and still achieve a workable attack window by probing to determine the new limit.

I suppose you could skip the lifetime and just change it every second, since then the attacker would have great difficulty synchronizing with the limit counter as described in the article.

Re:RFC5961 is flawed

The flaw is that RFC5961 even exist. It is trying to solve a problem in the wrong place.
The proper solution for this problem is for networks not to allow packets with invalid source addresses (as in, does not belong to the network) to leave the network.

Inter-networking operations and ISP's really need to start taking network sanitization seriously. Just like ISP's should handle abuse reports prudently. Those 2 together would take care of most botnet and DDoS attacks.

Since the industry does not take care of this itself, it is time to make some laws. And yes this can be done globally, if the US puts its weight behind it.

Re:RFC5961 is flawed

[skids]

Thanks for the summary. Obviously, that points out some limitations to the attack -- you have to be on an insecure ISP that will accept your spoofed source addresses to launch it. Which addresses you can spoof can vary greatly based on the granularity of the ISP's and local network's source lockdowns, so attacking people on the same segment or the same organization may be more possible than those located elsewhere. That, and a DPI firewall on the attacked end that is able to detect such floods could probably shut the attack down, and some products might already do so by default if they protect against pre-RFC5961 flooding attacks.

Re:RFC5961 is flawed

Thank you for posting this nice readable summary. If only Slashdot had editors that could do this job. You are why I still visit this site.

Re:RFC5961 is flawed

[jgreen1024]

So RF5961 turns a pesky annoyance bug into a bug where its possible to determine who's connecting to a particular website

Well what's the big deal? NextGenHacker101 showed us how to do that back in 2008!

Re:RFC5961 is flawed

[kent.dickey]

If you just want to know if a connection exists, the exact global rate limit doesn't matter.

Let's say we're sending 5000 packets/sec to try to probe if a connection exists. And then we send 5 to see if we got it right (whatever you think the minimum per-second global throttle rate can be). If we get >= 3 on our test channel, then the probe is not for a valid connection. It doesn't matter if the server's throttle is to 5 per second or 200 per second.

A per-connection rate limit does fix the DDOS amplification issue. Yes, there may be lots of sockets open on a server, but hitting each socket with the right traffic to generate these ACKs is hard.

Fixing this on the server by limiting each socket's challenge-ACK rate is easy: have a global counter of seconds somewhere in the OS. Have each socket hold a "seconds value of last challenge ACK". If we want to send a chellenge ACK, only do it if the last_seconds_ack != global_seconds. This limits each socket to one per second. It's not even important to have the counter be large--it can be a byte (or even one bit), since it's only necessary to try to prevent sending many within the same second. And this is just to prevent magnification DDOS, which in this case may not even be necessary since it's so hard to generate the right traffic, and these ACKs are so small.

Re:RFC5961 is flawed

Let's say we're sending 5000 packets/sec to try to probe if a connection exists. And then we send 5 to see if we got it right (whatever you think the minimum per-second global throttle rate can be). If we get >= 3 on our test channel, then the probe is not for a valid connection. It doesn't matter if the server's throttle is to 5 per second or 200 per second.

I haven't read the RFC, but this sounds like an order of magnitude more work for the attacker, since instead of only sending one spoofed packet for each combination of (source IP, source port, sequence number), they have to send enough spoofed packets to reliably hit the rate limit.

If you're in the USA

Two words, egress filtering.

GL finding a provider that doesn't have egress filtering rules.

Nothing scary here, on to the next article.

FBI LIE. FOUND ON FBI SLASHDOT.

>https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/cao

Off-Path TCP Exploits: Global Rate Limit Considered Dangerous
Authors:

Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V. Krishnamurthy, University of California, Riverside; Lisa M. Marvel, United States Army Research Laboratory

Abstract:

In this paper, we report a subtle yet serious side channel vulnerability (CVE-2016-5696) introduced in a recent TCP specification. The specification is faithfully implemented in Linux kernel version 3.6 (from 2012) and beyond, and affects a wide range of devices and hosts. In a nutshell, the vulnerability allows a blind off-path attacker to infer if any two arbitrary hosts on the Internet are communicating using a TCP connection. Further, if the connection is present, such an off-path attacker can also infer the TCP sequence numbers in use, from both sides of the connection; this in turn allows the attacker to cause connection termination and perform data injection attacks. We illustrate how the attack can be leveraged to disrupt or degrade the privacy guarantees of an anonymity network such as Tor, and perform web connection hijacking. Through extensive experiments, we show that the attack is fast and reliable. On average, it takes about 40 to 60 seconds to finish and the success rate is 88% to 97%. Finally, we propose changes to both the TCP specification and implementation to eliminate the root cause of the problem.

Better fix this "Linux bug" by changing TCP specification standards? No, bitches.

The title says Linux bug, this is bullshit. It is posted before they even demonstrated proof of concept later Wednesday
>researchers with the University of California at Riverside and the US Army Research Laboratory will demonstrate a proof-of-concept exploit

Over and over lately arstechnica have been quoted on Slashdot stories that have been lies. Does anybody else see this security flaw? Has anybody ever been affected by it even one time? No, they post this shit before they even demonstrate proof of concept. They call it a Linux bug yet want to change TCP/IP standards and even allude to Tor.

Slashdot is FBI. Look at the names who are reporting this Linux bug too. "Lisa from the Army and.."

gtfo.

Re:FBI LIE. FOUND ON FBI SLASHDOT.

Timeline:

arstechnica (b.s. stories lately)
FBI Slashdot claims "Linux bug"

THEN proof of concept by these people...
Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V. Krishnamurthy, University of California, Riverside; Lisa M. Marvel, United States Army Research Laboratory...
@ In Austin, TX

(about Linux bug) on *USA Today and "other top sites"*... USA Today. And. Other ^^^TOP SITES^^^. naw homie.

Solution before proof of concept? Change TCP/IP standards to solve "root of problem"
Look at the names again of Riverside and US Army Research again.
Mention Tor.

They want to alter TCP/IP in any way possible to make it snoopable on Tor. Everything else is tracked by default unless you block it, and if your PC clock is set right they use timelogs.

Fuck you Slashdot. Fuck you FBI.

DONT FORGET IT IS SUPPOSED PROOF OF CONCEPT

It has never happened, and they claim it affects Linux all the way back to 2012 .. Kernel 3.6.

So it is a never-happened exploit, nobody is going to get hacked on USA today, if you were about to have a problem on USA today... they would be patching their own shit not re-writing TCP/IP in any way shape or fashion

FBI cunts at slashdot busted again.

Call this the Linux bug that needed TCP/IP re-written in a way that saves USA Today even though nobody ever hacked shit on USA today.. according to the proof of concept to be demonstrated later today in Austin by some chinese people at Riverside and a chick named Lisa of the Army.

Get,, the... fuck,, OUT.

HAPPY ANNIVERSARY 10 HAPPY ANNIVERSARY 10

haaaaappy anniversary Windows 10.

Windows 10, the US Government spy shop Microsoft's latest flagship social engineering, data mining, spyware, malware, that comes FREE because ANNIVERSARY . AND.. with no start button, some ads in the "Store", no way to see what is in the security patches, keyboard logging, Indian tech support etc.

Your mama's got crabs Slashdot FBI.

Re:HAPPY ANNIVERSARY 10 HAPPY ANNIVERSARY 10

You must really enjoy talking to yourself.

^^ BULLSHIT ^^ BULLSHIT ^^ BULLSHIT ^^

bullshit.

This exploit never happened. It's a ploy to modify TCP/IP.

Slashdot credibility now? Minus 1.

Minus 1 Slashdot. You are FBI.

USAToday

[tomhath]

If a hacker injected a story into USAToday that was total BS, would anyone notice the difference?

Re:USAToday

[swb]

Way back in the 1980s when USA Today was just getting started, a news kiosk on campus had the logos of various papers on the wall next to the kiosk.

One day next to the USA Today kiosk, a graffiti artist had added in extremely neat penmanship "...tomorrow the world!" in a kind of matching font.

Not only was it pretty funny, but I think because it looked like it belonged, it never got removed.

Re:USAToday

Dude, I wish you had pics.

Re:USAToday

[ebvwfbw]

Na, it would fit right in with all the other BS.

Re:USAToday

Great story! Don't forget though, that the campus environment tends to welcome outsider/rebellious/subversive commentary. So long as the speech isn't disruptive, these kinds of graffiti may be left alone for a long while. The fact that it is funny helps keep it around too. I wouldn't be surprised if the owner/manager of the kiosk received appreciative comments about the graffiti and decided to leave it alone.

Anything which brings traffic to the kiosk is probably going to be welcomed.

Here we go again...

When will the community finally dump this shitty operating system? Every day we hear about another 0-day exploit. Will people ever learn?!

Re:Here we go again...

The whole world runs on Linux. This FBI-ass site does too.

Just stay away from Debian (newer Debian).. FBI in there too. They murdered Ian Murdock too.

Slashdot, fuck you.

Re:Here we go again...

I guess if we were wondering whether APK had any family... now we know that he does.

Microsoft Propoganda

[Eravnrekaree]

Apparently Microsoft paid for the article, because its not a Linux bug. If I am not mistaken, Windows and all other TCP OSs have this problem because of the fact TCP is an insecure protocol (by itself), OF COURSE you can rewrite the packets if you are a man in the middle. This has been known for a very long time. TLS will solve this problem of course.

Re:Microsoft Propoganda

[SilentChasm]

If you read the article, you would see it's not a flaw in TCP in general but in RFC 5961, which only Linux has implemented so far and thus why it's the only one that's vulnerable. It also does not require you to be in the middle of the connection. Even with TLS you can still create a denial of service using this attack.

The title is WRONG

[igorlord677]

The title of the article is WRONG. USA Today and most major sites are NOT vulnerable to this. If you did not notice, the video is from Match 22. The vulnerability fix was reported by the research group in July and patched upstream by the Linux kernel community shortly thereafter. USA Today and other sites were fixed ahead of this announcement back in July. Read more on this at blogs.akamai.com.