Internet security experts have warned of a serious
security vulnerability in the Transmission Control Protocol (TCP) a
critical communications protocol used on most of the computer
networks in the world.
An advisory from the National Infrastructure Security
Co-Ordination Centre (NISCC) said the hole exists in all
implementations of TCP that comply with the Internet Engineering
Task Force's TCP specification.
By exploiting the holes, malicious hackers could cause TCP
sessions to end prematurely, creating a denial-of-service attack.
The TCP vulnerability could also disrupt communications between
routers on the internet by interrupting Border Gateway Protocol
sessions that use TCP.
The US-Cert Co-ordination Center issued a warning about the
vulnerability yesterday, citing an older advisory which advised
that sustained exploitation of the hole could lead to
denial-of-service affecting "portions of the internet community".
(See:
http://www.cert.org/advisories/CA-2001-09.html)
BGP is the most commonly used routing protocol used by major
external routers on the internet. Major ISPs use BGP to configure
redundant high-speed connections and to co-ordinate with other ISPs
and other peers, said Dan Ingevaldson, research director at
Internet Security Systems.
NISCC and US-Cert issued their advisories after security
researcher Paul Watson described the problem in a paper called
"Slipping in the Window: TCP Reset Attacks".
Watson will be presenting the paper at the CanSecWest 2004
security conference in Vancouver this week. (See:
http://www.uniras.gov.uk/vuls/2004/236929/index.htm.)
He discovered that the TCP standard allows a malicious hacker to
guess a unique 32-bit number needed to reset an established TCP
connection because the standard allows sequence numbers in a range
of values to be accepted rather than just exact matches, according
to the NISCC advisory.
By spoofing the source IP (address and the TCP port, then
randomly guessing the unique sequence number, an attacker could
cause an active TCP session to terminate.
Networking experts have known about the potential for such
attacks for almost 20 years. However, as internet use and the use
of broadband internet connections has grown over the years, ISPs
and others have gradually increased the size of the "window", or
range of acceptable sequence numbers that they permit to reset a
connection, making a successful DOS attack more plausible,
Ingevaldson said.
BGP sessions are particularly vulnerable to such attacks because
they are longer, more predictable connections that often take place
between two devices with published IP addresses.
"Attackers know where they are and where they're going, they
know the ports on either side that are being used and the window,"
he said.
ISS notified its customers about the hole and said that network
infrastructure providers and enterprises' internal networks are the
most vulnerable to DOS attacks that use the vulnerability.
Cisco Systems and Juniper Networks are expected to release
advisories for their customers this week explaining which of their
products contain BGP code vulnerable to attack and to offer updated
versions of operating system software for those devices that fix
the problem.
Despite the dire warnings, the impact of the TCP hole will
probably be small, Ingevaldson said.
Leading networking suppliers have probably been in conversation
with US-CERT and the NISCC far in advance of the news becoming
public, giving those companies time to prepare a patch, he
added. The BGP protocol was designed to be resistant to attack and
to support digital signatures using algorithms such as MD5 that can
prevent spoofing, he said.
Paul Roberts writes for IDG News
Service