Slashdot Log In
TCP Vulnerability Published
Posted by
michael
on Tue Apr 20, 2004 02:16 PM
from the DOS-for-fun-and-profit dept.
from the DOS-for-fun-and-profit dept.
Bob Slidell writes "According to Yahoo!, there is a critical flaw in TCP that affects everyone and everything. The article is scant on details and long on fear, hopefully someone will post more details on this." The advisory has more information, and is long on details but only moderate on fear.
This discussion has been archived.
No new comments can be posted.
TCP Vulnerability Published
|
Log In/Create an Account
| Top
| 676 comments
(Spill at 50!) | Index Only
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
|
2
OpenBSD is safe? (Score:5, Informative)
This just hit the misc@openbsd mail list:It sounds (again) like proactive security auditting saves the day!
Re:OpenBSD is safe? (Score:5, Funny)
NISCC slowing, here is the meat summary of article (Score:5, Informative)
(http://www.teaparty07.com/)
The packets need to have source and destination IP addresses that match the established connection as well as the same source and destination TCP ports.
The fact that TCP sessions can be reset by sending suitable RST and SYN packets is a design feature of TCP according to RFC 793, but a reset attack is only possible at all because the source IP address and TCP port can be forged or "spoofed".
Although denial of service using crafted TCP packets is a well known weakness of TCP, until recently it was believed that a successful denial of service attack was not achievable in practice. The reason for this is that the receiving TCP implementation checks the sequence number of the RST or SYN packet, which is a 32 bit number, giving a probability of 1/232 of guessing the sequence number correctly (assuming a random distribution).
The discoverer of the practicability of the RST attack was Paul A. Watson, who describes his research in his paper "Slipping In The Window: TCP Reset Attacks", presented at the CanSecWest 2004 conference. He noticed that the probability of guessing an acceptable sequence number is much higher than 1/232 because the receiving TCP implementation will accept any sequence number in a certain range (or "window") of the expected sequence number. The window makes TCP reset attacks practicable.
Any application protocol which relies on long term TCP connections and for which the source and destination IP addresses and TCP ports are known or can be easily guessed will be vulnerable to at least denial of service attacks
Re:NISCC slowing, here is the summary of article (Score:5, Funny)
(http://www.teaparty07.com/)
There is a new vulnerability that will cause every GM vehicle and cause your children to cry. Vandals can place 1 domestic house cat into the fan and cause the fan to stop and under some cases, cause the vehicle to overheat. This was previously written off as house cats are usually soft ans squishy and have little effect on the powerful fan but Joe Shmoe PHD realised that many house cats have colars that are pretty tough for the fan to digest. Car experts say this is a serious problem and will be dealt with in a serious manner. Suggested work around is to keep your cat tied in the house, and to drive a bicycle instead.
Re:NISCC slowing, here is the summary of article (Score:5, Funny)
(Last Journal: Sunday April 16 2006, @09:28PM)
I'd say this is a real threat. We need to protect our SUV's from the mobs of 1337 haxor kitten terrorists! I propose bombing __insert country here__, under the guise of giving them democracy and freedom, and simultaniously pass some laws at home which take away some of our freedom.
Re:NISCC slowing, here is the summary of article (Score:5, Funny)
(http://jcenters.blogspot.com/)
Al-Kitty?
Yes, that was corny, and no, I couldn't resist.
Re:NISCC slowing, here is the summary of article (Score:5, Funny)
(Last Journal: Saturday October 27, @04:36PM)
You're not mangling your Arabic-to-English transilteration enough. It would probably look more like "al Qiddy"
Re:NISCC slowing, here is the summary of article (Score:4, Funny)
Re:NISCC slowing, here is the meat summary of arti (Score:5, Informative)
Re:NISCC slowing, here is the meat summary of arti (Score:4, Informative)
Actually, this is just a variation on an old attack with sequence number guessing. Some OSes have a very poor generator for these numbers (even though the vulnerability is known for ages) and it is possible to exploit it. Probably the most famous attack of this sort was Mitnick's break-in into Shimomura's machine ten years ago.
In practice, these attacks are quite tricky to perform, because they require good timing and quite a bit of skills, so they are quite rare. It is far easier to just exploit some common buffer overflow than this.
The impact could be not only DOS (by resetting the connection), but you can do also packet injection with potential for total system compromise. However, if the protocol used is encrypted (in Shimomura's case it wasn't, if I am not mistaken, Mitnick attacked rsh or rlogin), then the DOS is probably the worst thing that could happen to you. The encryption will reject the bogus packets, if properly implemented.
So, keep calm - this was here since at least 80-ties and there isn't much that you can do against it, except to use encryption. You can only hope, that your system vendor will decide to make their TCP stack less vulnerable (not likely to happen, since many systems still ship with the crappy sequence number generator!). Full fix is not possible anyway, unless you want to break the protocol.
Regards, JanRe:NISCC slowing, here is the meat summary of arti (Score:5, Insightful)
Yep, sure, however, if you flood the network with your packets, it will be probably noticed soon. Also in order to flood the network, you need a fast connection to the attacked host, reducing the problem to the immediate neighborhood of the attacked host. That's why this attack is not very practical to perform and the impact on most normal mortals is low (except for the BGP issue, which could take out your upstream router)
The problem with BGP, which is mentioned in the original article, is that it has a particularly bad failure mode - when a BGP session goes down, it is very expensive to restart it. To top it off, BGP uses very long transmission windows (because it transfers lot of data and that is more efficient with longer windows) and that makes it easier to squeeze-in the spoofed packet. This is quite messy affair, when it happens.
However, if somebody attacks your favorite web site in this way, I doubt that you are even going to notice it, since http sessions are stateless and comparably cheap to establish.
So, I think this is just a big scare for nothing, it is mainly BGP issue for now. It affects just people who know how to fix it (and are fixing it right now) and the machines involved are relatively few. Unlike some Windows RPC exploit which unleashed a massive world-wide worm in few minutes.
Re:OpenBSD is safe? (Score:5, Funny)
Re:OpenBSD is safe? (Score:5, Informative)
(Last Journal: Tuesday November 27, @09:46PM)
The Internet BGP tables are ricketey enough these days - they don't need every other route to "flap"!
Re:OpenBSD is safe? (Score:4, Interesting)
(Last Journal: Tuesday November 27, @09:46PM)
Really, though. If you need to calculate a valid offset from the ISN, big TCP-window sizes are of advantage to the attacker.
To quote from the announcement:
BGP-4 relies on persistent connections, with huge window sizes.
Re:OpenBSD is safe? (Score:5, Interesting)
(http://www.teaparty07.com/)
Re:OpenBSD is safe? (Score:4, Informative)
Re:OpenBSD is safe? (Score:4, Informative)
(http://slashdot.org/)
It's actually quite trivial to do. ebgp-multihop and using the remote host loopback address as the neighbor IP, along with a few small architectural configuration tricks are all that's needed to completely prevent this kind of attack, or, at the very least, minimize it significantly.
Are _you_ going to scan, not only the entire range of source ports, but all those ports times the entire RFC1918 address space? Good luck killing my systems, buddy, 'cause that's what you're in for.
Oh, even with the large window sizes, once you've found all the above, you've still got to find my sequence numbers.
RFC 2385 (Score:5, Informative)
(http://swapped.cc/)
The primary motivation for this option is to allow BGP to protect itself against the introduction of spoofed TCP segments into the connection stream. Of particular concern are TCP resets.
The date of publishing - August 1998, which makes it about 6 years old.
However the proposed option was primarily meant as a quick BGP fixup, which should've got depricated as soon as IPsec got RFC'ed and deployed. It did went standard few months later, but IPsec implementations enjoyed full share of cross-vendor compatibility problems.
With time Authenticated Header (AH) IPsec protocol didn't see much use or acceptance and IPsec slowly evolved (and keeps evolving) into confidentiality rather than authentication layer.
Besides it's an IP security after all, while the RST spoofing is a TCP problem. And one can quite rightfully percieve authenticating TCP with IPsec as an overkill.
Anyhow, long story short - it's a known and rather old problem with handful of existing and equally unattractive solutions. Perhaps this time around it will be addressed better due to the amount of the publicity it's aimed to get.
Re:OpenBSD is safe? (Score:5, Funny)
(Last Journal: Monday October 11 2004, @09:43PM)
they discuss, OpenBSD handles this extremely well. We'll explain more in a week or so.
Is the margin of the page too small to explain the wonderful reason why it handles this so well?
Re:OpenBSD is safe? (Score:5, Insightful)
What details, the info is already out (Score:5, Informative)
Re:OpenBSD is safe? (Score:5, Informative)
(http://www.schoolinsummertime.com/)
Let me be more clear.
This entire thing is being "sold" as `cross-vendor problem'. Sure.
Some vendors have a few small issues to solve in this area. Minor
issues. For us, those issues are 1/50000 smaller than they are for
other vendors. Post-3.5, we have fixes which make the problem even
smaller.
But one vendor -- Cisco -- has an *UTTERLY GIGANTIC HUGE* issue in
this regard, and as you can see, they have not yet made an
announcement see..
You are being told "lots of people have a problem". By not seperating
out the various problems combined in their notice, or the impact of
those problems, you are not being told the whole truth.
More Theo:
OpenBSD (and I am sure other systems too) have for some time contained
partial countermeasures against these things.
OpenBSD has one other thing. The target port numbers have been random
for quite some time. Instead of the Unix/Windows way of
1024,1025,1026,... adding 1 to the port number each time a new local
socket is established... we have been doing random for quite some
time. That means a random selection between 1024 and 49151. This
makes both these attacks 48,000 times harder; unless you already know
the remote port number in question, you must now send 48,000 more
packets to effect a change.
At least one other free operating system incorporated our random port
selection code today..
We've made a few post-3.5 changes of our own, since we are
uncomfortable with the ACK-storm potention of the solutions being
proposed by the UK and Cisco people; in-the window SYN or RST's cause
ACK replies which are rate limited.
At least one other free operating system today incorporated the same
changes......
Re:OpenBSD is safe? (Score:5, Insightful)
It doesn't save anything. When someone exploits this and takes out 90% of the Internet's routers, you're screwed no matter what.
It definitely makes a good argument for both OpenBSD and proactive security auditting. But it doesn't save the day.
Re:OpenBSD is safe? (Score:5, Funny)
But it saves the day for my network of 3 linux boxen in my basement which are s0 K3wl, they r0x! While the Internet burns to the ground I can route packets back and forth with impunity between my 486 laptop and my Pentium II Server!! WooHoo!
Re:OpenBSD is safe? (Score:5, Funny)
(http://apgwoz.com/)
Re:OpenBSD is safe? (Score:4, Funny)
(http://www.seizurerobots.com/)
Re:OpenBSD is safe? (Score:4, Funny)
(http://www.pmccorp.com/)
err um, don't you mean your parent's basement :)
Re:Server exploit, not router (Score:4, Informative)
Routers from different AS's talk to each other using BGP4. This protocol uses TCP.
The "exploit" uses spoofed packets, so the router will process them as if it came from their neighbour.
So yes, while the router is mostly "shoveling packets", it learns the direction in which to shovel these packets via the exploitable method.
If you want to disagree, feel free to let all the major tier 1 ISPs who have been busily implementing MD5 authentication on their BGP sessions know their wrong.
Windows also safe (Score:5, Funny)
(http://www.google.com/ | Last Journal: Tuesday December 12 2006, @06:04PM)
In a quickly following press release, Bill Gates adds:
Re:Windows also safe (Score:4, Funny)
(http://www.google.com/ | Last Journal: Tuesday December 12 2006, @06:04PM)
(Was it the hippie part? Yeah, sure calling Steve Jobs a hippie is flamebait, but this was also clearly a joke. Some moderators are just in a dire need of a blow job.)
Re:Windows also safe (Score:5, Funny)
(http://www.dynamicmedical.ca/)
Nice of you to volunteer, looks like their outlook has improved already
Re:Windows also safe (Score:4, Funny)
(http://www.adamofgreyskull.co.uk/)
And that should be modded "-1, Redundant" but you don't hear me compl...oh..shit.
Re:Windows also safe (Score:5, Funny)
This update addresses the vulnerability addressed in Microsoft Security Bulletin 666. Find out about more recent critical updates in the Overview section.
File Name:
WindowsXP-MSTCPDRM-x86-ENU.exe
Download Size:
1261 GB
Date Published:
4/20/2004
Version:
666
Overview
This patch fixes criticals security vulnerabilities present in Windows TCP stack.
This patch also add the new DRM TCP extension.
When is patch is applied, your computer will connect to drm.microsoft.com prior establishing any other connection to make sure the requested end point is an authorized Microsoft partner. All rogue packets are now rejected and reported by the Windows TCP-DRM firewall (TM).
This patch also upload the registry key HKEY_LOCAL_MACHINE and all subkeys and values to drm.microsoft.com so we can make sure all software is used according to their end user licence agreements.
System Requirements
Supported Operating Systems: Windows XP
Windows XP Professional
Windows XP Home Edition
More from Theo (was Re:OpenBSD is safe?) (Score:4, Insightful)
Re:More from Theo (was Re:OpenBSD is safe?) (Score:5, Funny)
(http://chris.homeip.net/wordpress/ | Last Journal: Monday May 13 2002, @08:35AM)
For us, those issues are 1/50000 smaller than they are for other vendors.
So, they are 50,000 times bigger ?
Re:More from Theo (was Re:OpenBSD is safe?) (Score:4, Funny)
(http://www.unity08.com/)
> So, they are 50,000 times bigger ?
No, that would be 49999/50000 as big.
Re:OpenBSD is safe? (Score:5, Funny)
(Last Journal: Thursday May 13 2004, @07:26PM)
Re:OpenBSD SMP (Score:5, Informative)
(http://cafepress.com/phototravel?pid=5934485)
Wrong. Very wrong. Are you anaware of this field called "banking"? What about "financial trading"? These firms have huge portfolios and run and re-run various models on them. At night, the systems have to run various "end-of-day" scripts and reports, which take CPU-hours to complete. Most of this things run on Unix...
There is also on-the-fly image manipulation, and the scene-rendering done by fleets of Unix machines. The more CPUs each such Unix machine can fit, the better.
Then come databases -- depending on the queries (with joins and orderings), DB-servers can be CPU bound and appreciate multiple processors when available.
What about PVM [ornl.gov]? What was it -- and similar packages both free and commercial -- written for? What about this proverbial "beowulf clusters"? Of course, it is much better to have several CPUs inside the box, rather than in separate machines.
Until which time, the OpenBSD zealots will continue to deny the issue exists or is of any importance. I see...
Re:OpenBSD is safe? (Score:5, Insightful)
(http://spiceweasel.dk/)
Best security advice... (Score:4, Funny)
Re:Best security advice... (Score:5, Funny)
(http://kasperd.net/~kasperd/ | Last Journal: Thursday July 08 2004, @10:18AM)
How would that keep you safe from DoS attacks?
Re:Best security advice... (Score:5, Funny)
He plans to show the exploit this Thursday! (Score:5, Interesting)
(http://novanix.com/)
Re:He plans to show the exploit this Thursday! (Score:4, Interesting)
(http://robertdot.org/ | Last Journal: Friday January 23 2004, @06:02PM)
Really, I think the problem is that the flaw affected
Re:He plans to show the exploit this Thursday! (Score:4, Insightful)
The reason it only affects long-term connections is because it takes awhile to probe for the magic number to reset the connection, and ALL this does is reset the connection, nothing more.
This whole thing is retarded, if you know enough about TCP this exploit was already on your mind and forgotten because its stupid.
-Bill
Neither forgotten nor stupid (Score:5, Informative)
A recently published I-D (here [ietf.org]) claims 200 seconds is sufficient time for a broadband sub to successfully attack a TCP session, provided their ISP doesn't use egress filtering (and way too few do so).
This is rather serious. Whether you personally aren't susceptible is irrelevant if your upstreams are.
Re:Neither forgotten nor stupid (Score:5, Informative)
(http://www.inflicted.net)
I do realize this likely isn't the case on many networks, but perhaps this will push such sanity (and very simple) filtering to become more widespread.
Re:Neither forgotten nor stupid (Score:5, Insightful)
Maybe it's about fucking time ISPs started using egress filtering. At the very least, there'd be an order of magnitude less crap (smurfage, etc) if ISPs dropped spoofed source IP packets before they got to the backbone.
OK, so the ability of any skript kiddie to spoof and insert a BGP update is a pretty fucking huge mess. But "pretty fucking huge" it may be the only kind of mess that motivates the clueless fucktards pretending to be "ISPs" these days.
Re:He plans to show the exploit this Thursday! (Score:5, Interesting)
(http://www.novitionusa.com/ | Last Journal: Wednesday July 16 2003, @09:37AM)
In the mean time, there are a few workarounds which can be put in place, such as IPSec, and options which can be changed to reduce the liklihood of an attack, such as the window size. The smaller it is, the harder it is to guess a sequence number in the range quickly.
Not flawed, just unimaginative. (Score:4, Insightful)
(Last Journal: Wednesday March 02 2005, @11:08PM)
Routers don't usually do a lot of TCP themselves, except SSH or telnet access for management, but the one big exception is the BGP protocol that routers use to connect to each other, primarily at the interfaces between carriers. The BGP sessions stay up for a long time, and killing them tells the router that it's no longer talking to its neighbor so it should go find a different route to get to that network, which is really really annoying. On the other hand, BGP has options to do more checking on BGP messages before accepting them, and carriers that do spoof-proofing to prevent their customers from forgin