View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
April 20, 2004

ISPs ramp defenses as TCP/IP attack uncovered

There's a new more efficient way of exploiting a known vulnerability in the TCP/IP protocol that researchers say could be used to sever peering links between the networks that make up the internet, essentially breaking the internet.

By CBR Staff Writer

Researcher Paul Watson will present findings tomorrow at the CanSecWest 2004 security conference in Vancouver, Canada, that show how an attacker could reset theoretically any active TCP/IP session, creating a denial of service.

Most ISPs, which are most likely to be hit by attacks based on this vulnerability, have known about it for some weeks, it is believed, and the larger ones in particular are said to have already implemented countermeasures.

The news was first released yesterday by the UK’s National Infrastructure Security Coordination Centre, and was followed up by alerts from security companies and the US Computer Emergency Readiness Team and others.

Watson has devised a way to quickly guess sequence numbers used in TCP conversations, due to the way TCP accepts ranges of numbers called TCP windows. A TCP message within the correctly guessed range could turn off TCP sessions.

It’s a complex vulnerability that has been discussed since at least 1985. Previously, it was thought to be highly impractical to exploit due to the statistical improbability of guessing numbers within the TCP window while the session is still alive.

Steve Bellovin, one of the Internet Engineering Task Force’s top security experts, said it was thought that exploiting the vulnerability was statistically improbable and would take a great deal of time to accomplish.

We knew if you could guess the correct sequence number, you could tear down sessions, Bellovin said. Everybody has been assuming you had about 4 billion tries to tear it down, but now it’s just 250,000.

Content from our partners
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business

Watson’s research indicates that someone with a 1.5Mbps internet connection could use the attack successfully in about 15 seconds. He has created a proof-of-concept tool that apparently works.

Fifteen seconds is, however, a long time, longer than most TCP sessions last. Bellovin said only sessions that are more or less persistant, and which publish information about themselves, would be hard-hit by the attack.

According to the NISCC, the biggest risk is with Border Gateway Protocol, which is used to manage how traffic is passed between peered networks. The TCP vulnerability could be exploited to disrupt these BGP sessions, which remain open for long periods.

Exploiting the vulnerability requires knowledge of the source and destination addresses and ports of a TCP conversation. This is typically only practical on sessions that are open for long periods of time. It requires the attacker to spoof their source IP.

I believe most ISPs have already implemented MD5 on their BGP peering, which should mitigate the risk of widespread internet outages, said Chris Rouland, VP of the X-Force vulnerability research team at Internet Security Systems Inc.

MD5 is a hashing algorithm used to validate data integrity. By implementing it on their routers, ISPs can authenticate the source of BGP messages they get from their peers, ISPs to which they are connected.

Large enterprises that use BGP should also be concerned, Rouland said. While ISPs were privy to government-orchestrated pre-warnings, other organizations were not. Those affected can implement MD5, or use intrusion prevention technologies, Rouland said.

The attack is not limited to BGP, and could be used against other implementations of TCP that have long open sessions, Rouland said. BGP really is the largest risk, he said. Email and the web, he said, are not affected.

Many vendors have products that could be affected by the attack, which is still largely proof-of-concept. Because the attack is against the protocol stack itself, not the implementation, there’s not much many vendors can do about it.

This article is based on material originally published by ComputerWire

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.