[ISN] Net threat overstated, says security researcher

InfoSec News isn at c4i.org
Thu Apr 22 03:11:32 EDT 2004


http://news.com.com/2100-1002_3-5197184.html

By Robert Lemos 
Staff Writer, CNET News.com
April 21, 2004

VANCOUVER, British Columbia -- Widespread reports about a flawed
communications protocol making the Internet vulnerable to collapse
were overblown, according to the researcher credited with uncovering
the security problem.

A flaw in the most widely used protocol for sending data over the
Net--TCP, or the Transmission Control Protocol--was addressed by most
large Internet service providers during the last two weeks and
presents little danger to major networks, said Paul Watson, a security
specialist for industry automation company Rockwell Automation. If
left unfixed, the weakness could have allowed a knowledgeable attacker
to shut down connections between certain hardware devices that route
data over the Net.

"The actual threat to the Internet is really small right now," Watson
said on Wednesday. "You could have isolated attacks against small
networks, but they would most likely be able to recover quickly."

Watson was responding to news reports that ran Tuesday, after
Britain's national emergency response team, the National
Infrastructure Security Co-ordination Centre, released an advisory
about the issue based on his research. Watson, who's scheduled to
present that research here at the CanSecWest 2004 conference this
week, referred to the media reaction as an "inordinate level of
attention in respect to the amount of risk."

At greatest risk, he said, may be e-commerce sites that manage their
own routers--those sites may not believe they're vulnerable to attack
and may not have implemented a fix. Sites that have routers that share
information on the most efficient paths through the Internet--using
the Border Gateway Protocol, or BGP--are most vulnerable to the
attacks.

Networking-gear maker Cisco Systems said Wednesday that it had
released updated software that addresses how the flaw affects its
products. Other gear makers, including Juniper Networks, Hitachi and
NEC, have been investigating the issue. Information on each company's
conclusions can be found in the vendor information section of the
NISCC's advisory.

People have known for at least a decade about problems with the way
Internet servers and network devices maintain connections with each
other. "I am not the first person to notice the issues," Watson said.  
"I sort of pulled together all the pieces."

The problem, said Watson, involves numbers that identify data packets
being sent over the Net. Many network appliances and software programs
rely on a continuous stream of packets from a single source--called a
session. The packets are identified and grouped together using
so-called sequence numbers, and, theoretically, if someone could guess
the next number in a session and send a packet with that identifier,
he or she could substitute illicit commands for authorized ones,
Watson said.

The odds against a correct guess were commonly thought to be
staggering: about one in 4.3 billion. However--and here's the
issue--Watson found that certain applications of TCP sessions, such as
routers using the border gateway protocol, relied on long connection
times, creating a much larger window of sequence numbers that could be
valid. Instead of a one in 4 billion chance to guess the right number,
a single-packet attack against a BGP connection might be successful
once in 260,000 attempts. An attacker armed with a typical broadband
connection could send all 260,000 possible attacks in less than 15
seconds.

It's not simple or elegant, Watson admitted, but it's effective.  
Rather than unleashing the sort of massive packet flood that normally
makes up a denial-of-service attack, an online vandal could send far
fewer packets and still bring down a site. "You can take e-commerce
sites offline, but instead of billions and billions of packets, you
can do it with a whole lot less," he said.

The U.S. Computer Emergency Response Team (US-CERT) has issued an
advisory, referencing a similar warning released almost three years
ago that mentioned comparable attacks.

Although large Internet service providers are vulnerable "to a very
low degree," large and medium-size businesses should make sure they
have assessed their vulnerability to the issue, said Sean Hernan,
senior member of the technical staff for US-CERT.

"In addition to the core Internet, this TCP vulnerability affects any
two endpoints," he said. The vulnerability could affect mail servers,
the servers that handle domain names and act as the yellow pages for
the Internet, and other major applications. However, in those
instances, it is much harder to guess the right sequence numbers,
Hernan said.

"This issue turned out to be particularly pernicious against BGP,"  
Hernan said.

Both CERT and Watson recommend that companies add a random 128-bit
number to each packet in a session to identify that data as part of
the same session--the solution adopted by many major ISPs. Moreover,
CERT also recommends that companies encrypt their data to further hide
the information in the session from prying eyes.





More information about the ISN mailing list