April 20, 2004

ISPs ramp defenses as TCP/IP attack uncovered

There's a new more efficient way of exploiting a known vulnerability in the TCP/IP protocol that researchers say could be used to sever peering links between the networks that make up the internet, essentially breaking the internet.

By CBR Staff Writer

Researcher Paul Watson will present findings tomorrow at the CanSecWest 2004 security conference in Vancouver, Canada, that show how an attacker could reset, in theory, any active TCP/IP session, creating a denial of service.

Most ISPs, which are most likely to be hit by attacks based on this vulnerability, have known about it for some weeks, it is believed, and the larger ones in particular are said to have already implemented countermeasures.

The news was first released yesterday by the UK’s National Infrastructure Security Coordination Centre, and was followed up by alerts from security companies and the US Computer Emergency Readiness Team and others.

Watson has devised a way to quickly guess the sequence numbers used in TCP conversations, exploiting the fact that TCP accepts any sequence number within a range, the TCP window, rather than requiring an exact match. A reset segment whose sequence number falls anywhere inside the correctly guessed window will tear down the session.

It’s a complex vulnerability that has been discussed since at least 1985. Previously, it was thought to be highly impractical to exploit due to the statistical improbability of guessing numbers within the TCP window while the session is still alive.

Steve Bellovin, one of the Internet Engineering Task Force’s top security experts, said it was thought that exploiting the vulnerability was statistically improbable and would take a great deal of time to accomplish.

"We knew if you could guess the correct sequence number, you could tear down sessions," Bellovin said. "Everybody has been assuming you had about 4 billion tries to tear it down, but now it's just 250,000."


Watson’s research indicates that someone with a 1.5Mbps internet connection could use the attack successfully in about 15 seconds. He has created a proof-of-concept tool that apparently works.
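The receiver-side acceptance test behind the guess counts quoted above, as an added example that is not part of the article or of Watson's tool: the 16 KiB window is an assumption (the article gives no window size), and the hardened variant models the challenge-ACK behaviour later standardised in RFC 5961, which the article predates.

```python
SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Classic in-window test: accept if seq lies in [RCV.NXT, RCV.NXT + RCV.WND),
    computed modulo 2**32 so that wrap-around is handled correctly."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_decision_legacy(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Behaviour the article describes: any RST landing anywhere in the
    receive window tears the connection down."""
    return "reset" if seq_in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_decision_hardened(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Later mitigation (RFC 5961, 2010): only an RST whose sequence number is
    exactly RCV.NXT resets; an in-window but inexact RST gets a challenge ACK,
    so a guess that is merely 'inside the window' no longer suffices."""
    if seq == rcv_nxt:
        return "reset"
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge_ack"
    return "drop"


def guesses_to_cover_space(rcv_wnd: int) -> int:
    """Worst-case number of RST segments needed to cover the whole sequence
    space when each one is accepted anywhere within an rcv_wnd-byte window."""
    return -(-SEQ_SPACE // rcv_wnd)  # ceiling division


if __name__ == "__main__":
    # Assumed 16 KiB window: this is the order of magnitude behind the
    # "4 billion tries ... now it's just 250,000" comparison in the article.
    for wnd in (1, 16384, 65535):
        print(f"window={wnd:6d}  worst-case guesses={guesses_to_cover_space(wnd):,}")
    rcv_nxt = 0xDEADBEEF
    probe = (rcv_nxt + 4096) % SEQ_SPACE  # in-window, but not exactly RCV.NXT
    print("legacy stack:  ", rst_decision_legacy(probe, rcv_nxt, 16384))
    print("hardened stack:", rst_decision_hardened(probe, rcv_nxt, 16384))
```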

Fifteen seconds is, however, a long time, longer than most TCP sessions last. Bellovin said only sessions that are more or less persistent, and which publish information about themselves, would be hard-hit by the attack.

According to the NISCC, the biggest risk is with Border Gateway Protocol, which is used to manage how traffic is passed between peered networks. The TCP vulnerability could be exploited to disrupt these BGP sessions, which remain open for long periods.

Exploiting the vulnerability requires knowledge of the source and destination addresses and ports of a TCP conversation. This is typically only practical on sessions that are open for long periods of time. It requires the attacker to spoof their source IP.

"I believe most ISPs have already implemented MD5 on their BGP peering, which should mitigate the risk of widespread internet outages," said Chris Rouland, VP of the X-Force vulnerability research team at Internet Security Systems Inc.

MD5 is a hashing algorithm used to validate data integrity. By enabling it on their routers, ISPs can authenticate the source of the BGP messages they receive from their peers, the ISPs to which they are connected, so that a segment without a valid digest is discarded.
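The receiver-side check that TCP MD5 signing (RFC 2385) adds to a BGP session, as an added example that is not from the article or from any router vendor's code; the addresses, ports and shared key are constructed values, and the real TCP checksum (computed after signing) is omitted.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass

TCP_PROTO, FLAG_RST = 6, 0x04
OPTIONS_LEN = 20  # 18-byte MD5 option (kind 19) plus two NOPs of padding


@dataclass
class Segment:
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int
    data: bytes = b""


def _pseudo_header(src_ip: str, dst_ip: str, seg_len: int) -> bytes:
    # source, destination, zero, protocol, TCP length (header + options + data)
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, seg_len))


def _fixed_header(seg: Segment) -> bytes:
    # RFC 2385 hashes the 20-byte header with the checksum zeroed and options
    # omitted; the data offset still counts the options that will be sent.
    doff_words = (20 + OPTIONS_LEN) // 4
    return struct.pack("!HHIIHHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                       (doff_words << 12) | seg.flags, seg.window, 0, 0)


def tcp_md5_digest(src_ip: str, dst_ip: str, seg: Segment, key: bytes) -> bytes:
    seg_len = 20 + OPTIONS_LEN + len(seg.data)
    m = hashlib.md5(_pseudo_header(src_ip, dst_ip, seg_len))
    m.update(_fixed_header(seg))
    m.update(seg.data)
    m.update(key)  # shared secret configured on both routers
    return m.digest()


def accept_segment(src_ip, dst_ip, seg, option_digest: bytes, key: bytes) -> bool:
    # Receiver check: drop unless the digest was produced with the shared key.
    return hmac.compare_digest(tcp_md5_digest(src_ip, dst_ip, seg, key), option_digest)


def demo():
    # Constructed values for one BGP peering; a RST signed by the real peer is
    # accepted, an in-window RST from a sender without the key is dropped.
    src, dst, key = "192.0.2.1", "192.0.2.2", b"example-peer-key"
    rst = Segment(179, 51000, 0x1000, 0x2000, FLAG_RST, 16384)
    legit = accept_segment(src, dst, rst, tcp_md5_digest(src, dst, rst, key), key)
    forged = accept_segment(src, dst, rst, tcp_md5_digest(src, dst, rst, b"guess"), key)
    return legit, forged
```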

Large enterprises that use BGP should also be concerned, Rouland said. While ISPs were privy to government-orchestrated pre-warnings, other organizations were not. Those affected can implement MD5, or use intrusion prevention technologies, Rouland said.

The attack is not limited to BGP, and could be used against other implementations of TCP that have long open sessions, Rouland said. "BGP really is the largest risk," he said. Email and the web, he said, are not affected.

Many vendors have products that could be affected by the attack, which is still largely proof-of-concept. Because the attack targets the protocol itself rather than any particular implementation, there is not much individual vendors can do about it.

This article is based on material originally published by ComputerWire
