US-CERT Technical Cyber Security Alert TA04-111A -- Vulnerabilities in TCP
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Technical Cyber Security Alert TA04-111A
Vulnerabilities in TCP

Original release date: April 20, 2004
Last revised: --
Source: US-CERT

Systems Affected

* Systems that rely on persistent TCP connections, for example
routers supporting BGP

Overview
Most implementations of the Border Gateway Protocol (BGP) rely on the
Transmission Control Protocol (TCP) to maintain persistent
unauthenticated network sessions. There is a vulnerability in TCP
which allows remote attackers to terminate network sessions. Sustained
exploitation of this vulnerability could lead to a denial of service
condition; in the case of BGP systems, portions of the Internet
community may be affected. Routing operations would recover quickly
after such attacks ended.

I. Description
In 2001, the CERT Coordination Center released CA-2001-09, describing
statistical weaknesses in various TCP/IP Initial Sequence generators.
In that document (),
it was noted by Tim Newsham:

[I]f a sequence number within the receive window is known, an
attacker can inject data into the session stream or terminate the
connection. If the ISN value is known and the number of bytes
already sent is known, an attacker can send a simple packet to
inject data or kill the session. If these values are not known
exactly, but an attacker can guess a suitable range of values, he
can send out a number of packets with different sequence numbers in
the range until one is accepted. The attacker need not send a
packet for every sequence number, but can send packets with
sequence numbers a window-size apart. If the appropriate range of
sequence numbers is covered, one of these packets will be accepted.
The total number of packets that needs to be sent is then given by
the range to be covered divided by the fraction of the window size
that is used as an increment.

Paul Watson has performed the statistical analysis of this attack
when the ISN is not known and has pointed out that such an attack
could be viable when specifically taking into account the TCP
Window size. He has also created a proof-of-concept tool
demonstrating the practicality of the attack. The National
Infrastructure Security Co-Ordination Centre (NISCC) has published
an advisory summarizing Paul Watson's analysis in "NISCC
Vulnerability Advisory 236929," available at .

Since TCP is an insecure protocol, it is possible to inject
transport-layer packets into sessions between hosts given the right
preconditions. The TCP/IP Initial Sequence Number vulnerability
(http://www.kb.cert.org/vuls/id/498440) referenced in CA-2001-09 is
one example of how an attacker could inject TCP packets into a
session. If an attacker were to send a Reset (RST) packet for
example, they would cause the TCP session between two endpoints to
terminate without any further communication.

The Border Gateway Protocol (BGP) is used to exchange routing
information for the Internet and is primarily used by Internet
Service Providers (ISPs). For detailed information about BGP and
some tips for securing it, please see Cisco Systems' documentation
() or Team Cymru (). A vulnerable situation
arises due to the fact that BGP relies on long-lived persistent TCP
sessions with larger window sizes to function. When a BGP session
is disrupted, the BGP application restarts and attempts to
re-establish a connection to its peers. This may result in a brief
loss of service until the fresh routing tables are c
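The reset attack and the window-spaced guessing arithmetic described above, turned into a defender-side check as an added example that is not part of the advisory: it scans constructed per-segment records for a burst of RST segments against a BGP session (TCP port 179, which the advisory does not state but is the standard BGP port) carrying many distinct sequence numbers, and computes the advisory's "range divided by increment" packet count for a given receive window. The record format, addresses and thresholds are constructed for this example.

```python
from collections import defaultdict
from math import ceil

BGP_PORT = 179  # standard BGP listening port (not stated in the advisory)

def guesses_needed(rcv_wnd, seq_space=2 ** 32):
    """The advisory's arithmetic: segments needed to cover the sequence
    space when stepping one receive-window apart (range / increment)."""
    return ceil(seq_space / rcv_wnd)

def parse_record(line):
    """Parse one constructed record: 'ts src:sport > dst:dport flags seq'."""
    ts, src, _, dst, flags, seq = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(ts), (sip, int(sport), dip, int(dport)), flags, int(seq)

def find_reset_sweeps(lines, min_rsts=20, max_span=2.0):
    """Return (flow, rst_count, seconds) for BGP 4-tuples that receive at
    least min_rsts RST segments with distinct sequence numbers within
    max_span seconds: a single RST is normal teardown, a burst is a sweep."""
    per_flow = defaultdict(list)
    for line in lines:
        ts, flow, flags, seq = parse_record(line)
        if "R" in flags and BGP_PORT in (flow[1], flow[3]):
            per_flow[flow].append((ts, seq))
    alerts = []
    for flow, events in per_flow.items():
        events.sort()
        span = events[-1][0] - events[0][0]
        distinct_seqs = len({seq for _, seq in events})
        if distinct_seqs >= min_rsts and span <= max_span:
            alerts.append((flow, len(events), span))
    return alerts

# Constructed sample: a normal BGP exchange ending in one legitimate RST,
# then a 30-segment reset burst against the router's BGP port whose
# sequence numbers are spaced one 64 KiB window apart, as in the advisory.
SAMPLE = [
    "0.000 203.0.113.5:179 > 192.0.2.1:50000 PA 1000",
    "0.050 192.0.2.1:50000 > 203.0.113.5:179 A 2000",
    "0.900 203.0.113.5:179 > 192.0.2.1:50000 R 1019",
] + [
    f"{1.0 + i * 0.01:.3f} 198.51.100.7:40000 > 192.0.2.1:179 R {(i * 65535) % 2 ** 32}"
    for i in range(30)
]

if __name__ == "__main__":
    for flow, count, span in find_reset_sweeps(SAMPLE):
        print(f"reset sweep against {flow}: {count} RSTs in {span:.2f}s")
```

The threshold follows from the advisory's arithmetic: with a 64 KiB window a blind sender still needs tens of thousands of RST segments to one 4-tuple, so the burst is far louder than the single RST of a legitimate session teardown.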
Check out the story times for this article and this one at The TR.
No attribution exists on either story, as far as I can tell. As a result both 'authors' would appear to be claiming 'ownership'.
It's a small thing really but someone needs to speak up when they find this sort of thing going on. I don't care who wrote the article but shouldn't someone be properly credited? Then again perhaps they are both by the same person?
Did you happen to see the link in the little "Related" box on the bottom right hand side of the article? CNN.com's new style guide places all links for the story outside the main body text as they feel different coloured links distract from readability.
Speaking of being against chapter stops: David Lynch (Mulholland Drive, Twin Peaks) hates chapter stops and doesn't put them on the DVDs he puts out. He considers his movies a block not to be cut into little bits or made to easily jump around in.
And in the process John K will be opening SpumCo North in Ottawa, Ontario. We have a goodly number of animators up here and one of my buddies has already worked with John K on the Ripping Friends and will be working on the new R&S.
This one has an LCD view screen and there will be a version with a built-in mp3 player.
Details: http://www.casio.com/corporate/pressroom.cfm?act=2&pr=5530
I bet if you check the power-armor style uniforms that the male soldiers wear in-game, there is a little circular bit on the front that attaches to the "dongle" from the urinals. When connected, the dongle auto-magically retracts the groin-cup area of said powered armour to allow the busy soldier the dignity of standing up to pee without needing to completely power-down and remove the previously mentioned power armor.
Nothing worse than taking 30 minutes for a simple piss.
to the original National Post article (http://www.nationalpost.com/news/national/story.html?f=/stories/20010816/648534.html) is here. (http://www.islamway.com/eng/html/article.php?sid=110&mode=thread&order=0)
SpaceTime physics defines a static world. Since our world is constantly changing SpaceTime physics is prolly wrong.
http://home1.gte.net/res02khr/crackpots/notorious.htm
I don't know if I hold with everything at the above link but it is certainly something to think about.
John Siracusa is that you?
My favourite quote:
"But Microsoft's president and chief executive, Steve Ballmer, insisted they had not been able to tamper with any of the company's key programs."
For those of us who aren't math geeks: What is Reverse Polish Notation?
And another: http://www.eeye.com/html/Research/Flash/AL20030125.html (worm operation and links)
PC Magazine published a freeware utility called Shred 2.
Use at your own risk under Windows 95, 98, 2000, Me, NT 4.0, and XP.
I use this to clean the free space on my hdd at least once a week after clearing out my webcache folders, cookies and 'temporary' *snrk* files.
Enjoy.
from the December issue of Time Magazine with LOTR:TTT on the cover.
We /.'ed Anandtech. We're bastards.
I thought AT had the hardware goods to handle this crowd.
Then what would I do with my weekends? I suppose I will have to resort to alcomohol.