TCP Vulnerable, But Net Won't Go Down

April 21, 2004

A flaw in the basic TCP protocol used to transmit data across the Internet quickly seized the attention of security professionals Tuesday as various government agencies and security firms posted alerts warning that an exploit could let attackers shut down connections between servers and routers.

Experts said the vulnerability poses a serious threat, which could possibly disrupt portions of the Net, or more likely impact enterprise networks. But they also urged end users and IT security pros to remain calm.

"The Internet isn't going down tonight," promised Chris Rouland, the vice president of Internet Security Systems' X-Force threat group. "Internet infrastructure providers have been given plenty of advance notice, and have taken additional security precautions so that not just anyone can connect to them and authenticate. That's mitigated a lot of the risk.

"But even the largest companies haven't had this advance notice, and may have some work to do tonight."

According to advisories posted by the United Kingdom's National Infrastructure Security Co-ordination Centre (NISCC) and the U.S. Computer Emergency Readiness Team (US-CERT), TCP -- the Transmission Control Protocol -- contains "a vulnerability which allows remote attackers to terminate network sessions. Sustained exploitation of this vulnerability could lead to a denial of service condition...and portions of the Internet community may be affected." Both agencies called the vulnerability "critical."

On the brighter side, once an attack stopped, normal operations of the Internet or a network would likely resume as the hardware -- routers in particular -- reset and rebuilt their tables.

The vulnerability stems from the fact that TCP sessions can be reset -- in other words, shut down, if only temporarily -- by sending maliciously crafted RST (reset) or SYN (synchronization) packets to either end of the session's connection. Although this is an intended feature of TCP -- a feature, not a bug, as the infamous phrase goes -- an attacker who spoofs the source IP addresses on the packets can terminate the session, resulting in a denial of service.

Although a denial of service attack using TCP packets has long been known as a weakness of the protocol, experts believed that a successful attack wasn't practical, since the attacker would have to guess the identifying sequence number in the next packet; the odds of that are about one in 4.3 billion.

But researcher Paul Watson, who runs the pro-hacking blog on terrorist.net, has discovered that the "probability of guessing an acceptable sequence number is much higher because the receiving TCP implementation will accept any sequence number in a certain range. [That] makes TCP reset attacks practicable," said the NISCC in its advisory.

Watson is scheduled to present his findings Thursday at the CanSecWest 2004 security conference in Vancouver, B.C., but early news of the exploit's ease sent security professionals scrambling Tuesday, and worrying that once Watson discloses the full nature of the exploit, attacks will follow.
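The difference between "one in 4.3 billion" and "practicable" comes down to the receiver's acceptance check. The following is an added example, not code from the article, from NISCC, or from any TCP implementation: it models the RFC 793 in-window test a classic receiver applies to an incoming RST, the exact-match test a hardened receiver applies instead (the behaviour later standardised in RFC 5961, which the article predates; its inclusion here is an assumption about the mitigation, not something the article states), and quantifies how the advertised window size changes the odds of a blind reset. The window sizes and sequence values are constructed for illustration.

```python
from math import ceil

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32 bits wide


def in_window(seq, rcv_nxt, rcv_wnd, space=SEQ_SPACE):
    """RFC 793 acceptability test for a segment carrying no data:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo the sequence space."""
    return (seq - rcv_nxt) % space < rcv_wnd


def rst_accepted_classic(seq, rcv_nxt, rcv_wnd, space=SEQ_SPACE):
    """Receiver behaviour the advisory describes: any RST whose sequence number
    falls anywhere in the receive window is honoured and tears the session down."""
    return in_window(seq, rcv_nxt, rcv_wnd, space)


def rst_accepted_strict(seq, rcv_nxt, rcv_wnd, space=SEQ_SPACE):
    """Hardened receiver (assumed here; later standardised in RFC 5961): only an RST
    with SEG.SEQ == RCV.NXT is honoured. An in-window but non-matching RST is
    answered with a challenge ACK and otherwise dropped."""
    return seq == rcv_nxt


def count_accepted(rcv_nxt, rcv_wnd, accept, space):
    """Brute-force count of sequence values at which a receiver would accept an RST.
    Only practical for a reduced 'space'; used to cross-check the closed forms below."""
    return sum(1 for seq in range(space) if accept(seq, rcv_nxt, rcv_wnd, space))


def single_guess_probability(rcv_wnd, strict=False, space=SEQ_SPACE):
    """Chance that one blind RST with a uniformly random sequence number is accepted."""
    return (1 if strict else rcv_wnd) / space


def packets_to_cover_space(rcv_wnd, strict=False, space=SEQ_SPACE):
    """Worst-case number of blind RSTs needed before one is guaranteed to land on an
    accepted value: the sequence space divided by the number of accepted values."""
    return ceil(space / (1 if strict else rcv_wnd))


if __name__ == "__main__":
    # Constructed window sizes: a 1-byte window reproduces the "1 in 4.3 billion"
    # figure; 16 KB and 64 KB are typical advertised windows of the period.
    for wnd in (1, 16384, 65536):
        print(f"window {wnd:>6}: classic receiver exposed to {packets_to_cover_space(wnd):>10} "
              f"blind packets, strict receiver to {packets_to_cover_space(wnd, strict=True)} "
              f"(single-guess odds {single_guess_probability(wnd):.2e})")
```

The risk-assessment point is that with the classic check the exposure scales inversely with the window, so a 64 KB window leaves roughly 65,000 packets between a blind sender and a reset, while the strict check returns the exposure to the full 32-bit space regardless of window size; shrinking the window was the interim mitigation, and the exact-match check the lasting one.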

The brunt of such attacks would likely be done at the router level, said Rouland. Routers use the Border Gateway Protocol (BGP) to update each other so that they can continue to communicate, and their persistent and open connections are especially vulnerable. "By nature, they have to be exposed," said Rouland, making them target #1 for any TCP exploit.

"This is a vulnerability that can be exploited," said Rouland, "and there is exploit code out there. It takes just 15 seconds for the code to shut down a Cisco router."

Ultimately, router vendors will have to issue patches. Not all had done so by late Tuesday afternoon, although leading router makers Cisco and Juniper Networks had posted advisories, and provided either patches or software to mitigate the risks of an exploit.

But even those companies and organizations relying on routers for which patches are available shouldn't be completely comfortable, said Rouland. "These are pretty significant changes to the IP set, and they're non-trivial patches that will require a lot of testing," he said.

Other tactics that enterprises could employ until patches were available and deployed, said Oliver Friedrichs, the senior manager of Symantec's security response team, include implementing their routers' MD5 Signature Option, another level of authentication that should stymie attackers.

"MD5 adds a hash to each request for BGP," said Friedrichs, "so the attacker would have to try to calculate the hash as well. That should make it much more difficult to inject a packet into the TCP session at the router."
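To make concrete why the MD5 Signature Option defeats an injected segment even when the sequence number lands in the window, here is an added example, not code from the article or from any router vendor's implementation. It computes the RFC 2385 digest the option carries (MD5 over the IPv4 pseudo-header, the fixed TCP header with checksum zeroed and options excluded, the segment data, and the shared key) and then runs the receiver-side check against a peer's genuine RST/ACK, a forged RST from a sender without the key, and a genuine digest replayed on a segment with a different sequence number. The addresses, ports, sequence values and the session key are all constructed for the example.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace

TCP_FLAG_RST = 0x04
TCP_FLAG_ACK = 0x10
MD5_OPTION_LEN = 20  # kind 19, length 18, 16-byte digest, padded to a 4-byte boundary

# Constructed session parameters for this example (hypothetical, not from the article).
SESSION_KEY = b"example-bgp-shared-secret"    # key both routers are configured with
ROUTER_A, ROUTER_B = "192.0.2.1", "192.0.2.2"  # documentation-range addresses
BGP_PORT = 179


@dataclass(frozen=True)
class Segment:
    """The fields of a TCP segment that the RFC 2385 digest covers."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int = 16384
    data: bytes = b""
    opt_len: int = MD5_OPTION_LEN  # option bytes carried, so the data offset is right


def pseudo_header(seg: Segment) -> bytes:
    """IPv4 pseudo-header: source addr, dest addr, zero byte, protocol number 6,
    and the TCP segment length (header including options plus data)."""
    segment_len = 20 + seg.opt_len + len(seg.data)
    return (socket.inet_aton(seg.src_ip) + socket.inet_aton(seg.dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, segment_len))


def fixed_header(seg: Segment) -> bytes:
    """The 20-byte TCP header as it enters the digest: options excluded, checksum and
    urgent pointer zero, data offset still counting the options that will be sent."""
    data_offset_words = (20 + seg.opt_len) // 4
    return struct.pack("!HHIIHHHH", seg.src_port, seg.dst_port,
                       seg.seq & 0xFFFFFFFF, seg.ack & 0xFFFFFFFF,
                       (data_offset_words << 12) | (seg.flags & 0x3F),
                       seg.window, 0, 0)


def sign(seg: Segment, key: bytes) -> bytes:
    """RFC 2385 digest: MD5(pseudo-header || fixed TCP header || data || key)."""
    m = hashlib.md5()
    for part in (pseudo_header(seg), fixed_header(seg), seg.data, key):
        m.update(part)
    return m.digest()


def verify(seg: Segment, received_digest: bytes, key: bytes) -> bool:
    """Receiver-side check: recompute over the fields actually received and compare in
    constant time. A sender without the key, or any altered field, fails this check."""
    return hmac.compare_digest(sign(seg, key), received_digest)


def demo():
    """Returns (genuine accepted, forged RST accepted, replayed digest accepted)."""
    genuine = Segment(ROUTER_B, ROUTER_A, BGP_PORT, 40000, seq=1000, ack=2000,
                      flags=TCP_FLAG_RST | TCP_FLAG_ACK)
    genuine_digest = sign(genuine, SESSION_KEY)

    # A third party that found an in-window sequence number still has no key,
    # so the best it can do is send an arbitrary 16-byte digest...
    forged = replace(genuine, seq=1500)
    forged_digest = bytes(16)
    # ...or copy a digest observed on an earlier genuine segment, which no longer
    # matches because the sequence number (and so the header) differs.
    return (verify(genuine, genuine_digest, SESSION_KEY),
            verify(forged, forged_digest, SESSION_KEY),
            verify(forged, genuine_digest, SESSION_KEY))


if __name__ == "__main__":
    print(demo())
```

Because the digest binds the addresses, ports, flags, sequence and acknowledgement numbers and the key together, the window-guessing shortcut described earlier buys nothing against a signed session: the receiver discards the segment before the sequence check matters. The option is configured per BGP neighbour and both sides must hold the same key, so rolling keys and keeping them out of configuration backups are the operational concerns that come with it.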
