TCP Vulnerability Published
Bob Slidell writes "According to Yahoo!, there is a critical flaw in TCP that affects everyone and everything. The article is scant on details and long on fear, hopefully someone will post more details on this." The advisory has more information, and is long on details but only moderate on fear.
He plans to show the exploit this Thursday! (Score:5, Interesting)
Re:Good (Score:2, Interesting)
Might this be THE final topic to bring IPv6 to a wider attention?
I'd hope so...
what about slow start? (Score:4, Interesting)
Re:He plans to show the exploit this Thursday! (Score:4, Interesting)
Really, I think the problem is that the flaw affected
Critical flaw in their server... (Score:2, Interesting)
Stupid (Score:1, Interesting)
OUCH! (Score:2, Interesting)
BGP disruption. This is worse than you can even guess. I anticipate this will lead to effective phishing scams, and other things.
The danger is that by killing off the legitimate routes to a host, somebody with a cracked router can then claim to have the legitimate route to the host. Which of course, it doesn't. So, quite effective traffic redirection from the internet to a malicious web server.
Bait (Score:1, Interesting)
The script kiddies just found out.
If you're a script kiddie and you try to exploit, you won't get anywhere, and you'll get arrested.
If you're a serious hacker, you won't do that.
If you're a serious cracker, you either already have done it, or you've moved on to another, juicier target, because there's no pride in going in after Yahoo! news stories.
So this is just a way for the FBI to track down script kiddies.
Re:He plans to show the exploit this Thursday! (Score:5, Interesting)
In the meantime, there are a few workarounds which can be put in place, such as IPSec, and options which can be changed to reduce the likelihood of an attack, such as the window size. The smaller it is, the harder it is to guess a sequence number in the range quickly.
Heh I already fixed this. (Score:2, Interesting)
Sounds like IETF is zeroing in on these guys' business model. Good. The anti-P2P vendors will probably catch up by spoofing both numbers, but they will have to ensure that their RST beats the actual packet there, which is tricky.
3 way wave-goodbye? (Score:2, Interesting)
x wishes to close connection, y checks this by sending random bits and a check request, x sends these bits back to ensure that it really is x wishing to close it, and voila.
OpenBSD is safe? (Score:3, Interesting)
IETF TCP Security Considerations draft (Score:5, Interesting)
Re:OpenBSD is safe? (Score:4, Interesting)
Really, though. If you need to calculate a valid offset from the ISN, big TCP-window sizes are of advantage to the attacker.
To quote from the announcement:
BGP-4 relies on persistent connections, with huge window sizes.
Re:OpenBSD is safe? (Score:2, Interesting)
Old news from 1998 and probably before (Score:5, Interesting)
In Aug 1998, RFC 2385 came out with protection of BGP with MD5 signatures. Using MD5 sigs will defeat this attack.
This is a well known issue with well known solutions. If the infrastructure is at risk it is because ISPs haven't been doing their job and following best practices.
-weld
I kind of liked IPX network numbering (Score:3, Interesting)
The 48 bit node address space would make it easy to have large single-subnet LANs without dealing with multiple subnets/NAT/routing, and the network portion of the address space is as large as the entire
The rest of IPX was kind of a kludge, but I liked the numbering system.
Re:It's Al Gore's fault... (Score:3, Interesting)
Gore took the initiative in creating the Internet by taking the initiative to support the legislation required to get it going.
And just how, exactly, did he do that? He wasn't even in Congress at that time. IIRC he was in college, or high school, or something.
nothing in his statement could be properly construed to imply such
Look it up. He clearly implied that he was present at the creation of the Internet, and actively made it happen -- which is clearly a falsehood.
Yes, he apparently DID do some things to help the Internet while in Congress -- for which he deserves credit -- but the Internet already existed; he sure as hell didn't 'invent' it.
And it has nothing to do with which team (Bush v. Gore) you were rooting for. Everyone SHOULD be able to rationally sort out the facts regardless of ideology. Of course, the Gore people still have trouble being rational, but that's another thread....
Re:OpenBSD is safe? (Score:5, Interesting)
Re:BGP vulnerable (Score:2, Interesting)
Re:BGP vulnerable (Score:2, Interesting)
Either I have a stupid day or I do not understand the benefit of putting MD5 into BGP.
To make an end user example: If I have a very long POP3 session (because somebody zipped the google cache and sent it by mail) I would be vulnerable, because this long lasting session could be attacked. Then I lose the session and have to establish a new one. Building a checksum into POP3 won't change much about that.
Nils
Re:OpenBSD is safe? (Score:1, Interesting)
Or did _I_ miss something?
Am I the only one... (Score:2, Interesting)
SINCE THE CREATION OF TCP/IP?
*Duh*
c'mon, script kiddies have been throwing packets to reset connections for years.
Same old trick, new application. Yes, now we all have the ability to throw a good fingerpoint at a vendor or two and say shame on them, and make some great BSD-is-safe-again! remarks.
Moving right along...The only people 'vulnerable' to this are people who don't configure routers/firewalls or BGP's properly to use hashing, or no-brainer spoof blocking at the forefront, etc.
And guess what that means? They should have paid closer attention in class. Darwin works in more places than just the gene pool.
Peeve (Score:3, Interesting)
From the advisory:
We told you not to deploy NAT because (among other reasons) it would break IPsec authenticated header (AH) mode. You did it anyway and told us we were pedantic academic pinheads.
You deserve what you get.
zebra? (Score:1, Interesting)
AC
Re:NISCC slowing, here is the meat summary of arti (Score:3, Interesting)
Well, they require a packet with the right sequence number to hit in the right time period.
Since there's a window of accepted sequence numbers, it really only requires a shitload of packets with likely numbers. Send enough good guesses and one will hit at the right time.
Like a race exploit, I don't think this requires 'good timing', I think it requires enough attempts to reduce the odds - many will fail, but one may succeed.
Re:IPv6 (Score:3, Interesting)
(if the hack is still possible in IP6, then I can only ask *why*??, since the basic principles of the flaw have been known for a long time)
Re:Good (Score:2, Interesting)
First of all, it's trivial to deliver a packet to a certain host on the Internet so that the TTL on the packet is exactly 1 (just do a traceroute and send out the packet with a TTL to match the number of hops). Second, I would say that many important BGP sessions are NOT across point to point links, they are over Gigabit Ethernet at IXP's.
Basic anti-spoofing on each side will stop any packets that claim to be from the other end of that interface from coming in any other interface.
Please explain to me how you would do this on a Cisco 12000 with Engine 0 or 1 linecards and still maintain line rate. In fact, please explain to me how this can be done on any Cisco at all. (URPF doesn't protect against this.)
BGP does support preshared keys as well though I'm not sure if that will stop this attack as it's more to prevent session hijacking. I don't see a 'fix' for this coming out besides normal security settings.
I'm not sure either. I'm aware of the enormous BGP MD5 authentication setup rage that has been going on over the past week and while I think this is a good effort I'm not entirely sure if it will protect against the RST attack. BGP lies on top of TCP so if you are able to kill the underlying TCP session I don't think MD5 authentication protects against this. Anyone care to enlighten me?
The best thing I can think of so far is tweaking window sizes etc. and doing ingress filtering on your network where possible.
What about fragmentation? (Score:3, Interesting)
Re:OpenBSD is safe? (Score:3, Interesting)
So, those 20 people who use BSD as a network *client* are somewhat less likely to have their tcp-connections successfully attacked than those who use predictable source-ports. (still not 48000 times safer as Theo writes, predictable does not typically equate "100% guessable with 1 try")
This "vulnerability" is kinda lame really. Previously, people who didn't think about it very much, assumed that since to reset a TCP-connection you need to guess the sequence-number, the chance of successfully doing so would be no higher than 1 in 2^32.
This "vulnerability" only points out that in fact tcp-implementations will accept as valid any sequence-number between $CURRENT and $CURRENT+$WINDOW_SIZE.
So, instead of needing to try 2^32 times, you need "only" to try (2^32)/$WINDOW_SIZE times. Still fairly hard under typical conditions.
Window-size is however typically proportional to bandwidth and inversely proportional to delay, so it'll be easiest to exploit on a tcp-connection that has high bandwidth, and high ping-times. For example any connection that goes over satellite. (those of you that knee-jerk and think that high bandwidth and high ping can't coexist should go reread first-year networking-curriculum.)
Re:This is new?? (Score:3, Interesting)
You didn't before either. Guessing sequence numbers used to be much easier...
And BTW, guessing sequence numbers based upon the predictability of different vendors' TCP stacks is also quite old.
About the only new thing here is that some moron reporter decided to write a fire and brimstone story about this well-known issue.
Does everybody remember back when CNET reported that Mozilla was going to become a full office-suite? Yes, that whole article was based on one random person posting that (one-line) suggestion to the mailing list. Many reporters really are pure slime.
OpenBSD is _not_ vulnerable (Score:3, Interesting)
As stated by Theo de Raadt and Henning Brauer, OpenBSD is not vulnerable because (quoting Henning)
Even without TCP MD5, bgpd on OpenBSD is not affected, because:
- we use random ephemeral ports
- we do not use insanely huge window sizes as Cisco does
- we require the RST sequence number to be right on the edge of the window
(quoting Theo)
That is right. If you have a Cisco, you can tear down BGP sessions by spoofing:
64K of SYN's or RST's sent to #.#.#.#:179 -> #.#.#.#:{1024,+512,+512,...}
The SYN and RST methods are different, but the end effect is that a tiny little burst of packets will cause a flap.
OpenBSD (and I am sure other systems too) have for some time contained partial countermeasures against these things.
OpenBSD has one other thing. The target port numbers have been random for quite some time. Instead of the Unix/Windows way of 1024,1025,1026,... adding 1 to the port number each time a new local socket is established... we have been doing random for quite some time. That means a random selection between 1024 and 49151. This makes both these attacks 48,000 times harder; unless you already know the remote port number in question, you must now send 48,000 more packets to effect a change.
We've made a few post-3.5 changes of our own, since we are uncomfortable with the ACK-storm potential of the solutions being proposed by the UK and Cisco people; in-the-window SYN or RST's cause ACK replies which are rate limited.
It will have the most impact on vendors who do BGP over poor TCP stacks. In particular, Cisco.
Cisco has not been teaching engineers to block SYN's coming in; they have only been teaching them to block SYN-ACK's from going out in return. And... well, you'll see.