May 10, 2004
Technology in Focus features analysis of recent technology news articles by the consultants in Technology Group, IDA. This is the top pick of the month from a list of 10-20 news analyses compiled monthly.
Flaw Could Cripple Entire Net, 20 Apr 04
by Steven Ong, ENAT Consultant
TCP Protocol
A flaw affecting the Internet's Transmission Control Protocol (TCP) was discovered late last year by a computer researcher named Paul Tony Watson in Milwaukee. He identified a method to reliably trick personal computers and routers into terminating an established TCP session between two communicating entities by remotely resetting the connection.
It was found that existing TCP sessions could be reset by sending specially crafted RST (reset) or SYN (synchronisation) packets to either of the communicating machines involved in the session. This is nothing new, as it is an intended feature of the protocol. An attacker who is able to forge the source address of either machine could in theory cause the session to be terminated prematurely by sending such RST or SYN packets to either machine. If done persistently, this amounts to a de facto denial of service.
Security experts have known for some time that such an attack was possible, but thought it impractical to carry out, since in a real situation it would be too difficult for the attacker to correctly guess the random 32-bit sequence numbers (drawn from a pool of about 4 billion possible values) used to establish new TCP sessions. The sequence number on each packet is checked to ensure that packets are in the correct order before they are reassembled into the original data. Paul Watson discovered, however, that machines receiving TCP packets accept a packet whose sequence number falls anywhere within a certain range (the receive window) of the expected sequence number, not only one that matches it exactly. This leaves the attacker a far smaller space to guess and creates an opportunity to craft authentic-looking packets capable of shutting down TCP sessions.
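The in-window acceptance rule just described, and the way the receive window sets the attacker's cost, as an added example that is not part of the original article. The receiver state, window sizes and packet rate are constructed values; the model is a plain receiver that honours a RST whose sequence number lands anywhere inside its window.

```python
"""Model of the in-window RST acceptance rule discussed above (added example).

The receiver state and packets below are constructed values, not captures.
"""
SEQ_SPACE = 2 ** 32  # 32-bit sequence numbers wrap modulo this


def seq_in_window(rcv_nxt: int, rcv_wnd: int, seq: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2^32.

    A receiver applying this test will honour a RST whose sequence number
    lands anywhere in the window, not only one equal to rcv_nxt, so a guess
    need only be within rcv_wnd of the right value, not exact.
    """
    if rcv_wnd <= 0:
        return False  # a zero window accepts nothing
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def guesses_to_cover_space(rcv_wnd: int) -> int:
    """Worst-case number of spoofed RSTs that guarantees one lands in the
    window: one per window-sized slice of the 2^32 sequence space (ceiling).
    """
    if rcv_wnd <= 0:
        raise ValueError("window must be positive")
    return -(-SEQ_SPACE // rcv_wnd)


def seconds_to_cover_space(rcv_wnd: int, packets_per_second: float) -> float:
    """Time needed at a given spoofed-packet rate to exhaust the space; used
    here to judge how much the 'reduce the window' mitigation buys."""
    return guesses_to_cover_space(rcv_wnd) / packets_per_second


if __name__ == "__main__":
    # Constructed receiver state: next expected byte 1000, 64 KiB window.
    rcv_nxt, rcv_wnd = 1000, 65535
    print(seq_in_window(rcv_nxt, rcv_wnd, 1000))    # True, exact match
    print(seq_in_window(rcv_nxt, rcv_wnd, 40000))   # True, inside window
    print(seq_in_window(rcv_nxt, rcv_wnd, 999))     # False, just below
    print(seq_in_window(SEQ_SPACE - 5, 10, 3))      # True, wraps past 2^32
    for wnd in (65535, 16384, 1024):
        print(f"window {wnd:>6}: {guesses_to_cover_space(wnd):>10} packets, "
              f"{seconds_to_cover_space(wnd, 10_000):.0f} s at 10k pkt/s")
```

Shrinking the window from 65535 to 1024 bytes multiplies the number of packets an attacker must send by 64, which is the trade-off the window-size workaround in the mitigations section relies on.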
Critical Vulnerability
It should be noted, however, that the potential problem ONLY applies to applications that rely on a long-lived TCP session between two points, and few applications use TCP in that way. Streaming video and audio, for example, typically rely on UDP (User Datagram Protocol) instead.
Unfortunately, such long-lived TCP sessions are commonly found between peer border routers communicating over BGP (Border Gateway Protocol). These routers are typically located at the edge of an ISP's network, where pairs of ISPs link together. BGP is used to exchange routing information between routers, and resetting a BGP connection often forces the routers to rebuild their routing tables, which takes a fair amount of time. An intentional attack carried out repeatedly could stop traffic between two ISPs over that peer connection, and if carried out on a large enough scale would seriously impact Internet traffic.
To carry out such an attack, an attacker needs to know both the source and destination IP addresses as well as the source and destination ports of the connection being targeted. IP addresses can be traced easily using simple traceroute commands, but learning the ports would require some hacking and probing.
Mitigations
According to a published advisory from the British National Infrastructure Security Co-ordination Centre, there are relatively simple workarounds:
- Where possible, implement IP Security (IPsec), which encrypts traffic at the network layer so that TCP header information is not visible to an attacker
- Reduce the TCP window size (although this could increase traffic loss and subsequent retransmissions)
- Do not publish TCP source port information
In the case of BGP, the following may counter the problem:
- Implement ingress and egress filtering to check that traffic entering or leaving the network has a source IP address that is expected on the router/firewall interface that receives it
- Implement the TCP MD5 Signature Option to authenticate each TCP packet between peer links with a keyed MD5 signature. The option has been available for some time; it was defined as an optional extension to BGP in the Internet Engineering Task Force's RFC 2358 back in 1998 but was not widely used
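How the TCP MD5 Signature Option defeats a spoofed RST, as an added example that is not code from the advisory or from any router vendor. The digest is computed over the pseudo-header, the fixed TCP header with options excluded and checksum zeroed, the data, and finally the shared key, which is the input layout the option specifies; the addresses, ports, sequence numbers and key below are constructed.

```python
"""Keyed TCP MD5 Signature Option check (added example, constructed values)."""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
RST = 0x04


def tcp_header(sport, dport, seq, ack, flags, window, data_offset_words=10):
    """Fixed 20-byte TCP header with checksum zeroed. data_offset_words=10
    (40 bytes) leaves room for the 18-byte MD5 option plus padding."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset_words << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, header, payload, key):
    """MD5 over pseudo-header (src, dst, zero, protocol, segment length),
    the fixed header with checksum zero and no options, the data, then the
    connection key, in that order."""
    seg_len = (header[12] >> 4) * 4 + len(payload)  # data offset is in words
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    fixed = header[:16] + b"\x00\x00" + header[18:20]  # checksum forced to 0
    return hashlib.md5(pseudo + fixed + payload + key).digest()


def verify_segment(src_ip, dst_ip, header, payload, key, received_digest):
    """Receiver-side check: recompute with the shared key and compare in
    constant time. A segment failing this is dropped before its flags,
    RST included, are acted on."""
    expected = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
    return hmac.compare_digest(expected, received_digest)


if __name__ == "__main__":
    # Constructed BGP peering: both routers share KEY; a third party does not.
    peer_a, peer_b, KEY = "192.0.2.1", "198.51.100.1", b"constructed-bgp-key"
    rst_hdr = tcp_header(179, 54321, 1_000_000, 2_000_000, RST, 16384)
    sig = tcp_md5_digest(peer_a, peer_b, rst_hdr, b"", KEY)
    print(verify_segment(peer_a, peer_b, rst_hdr, b"", KEY, sig))  # True

    # Same addresses, ports and an in-window sequence number, but signed with
    # a guessed key: the peer rejects it and the BGP session survives.
    bad_sig = tcp_md5_digest(peer_a, peer_b, rst_hdr, b"", b"guessed-key")
    print(verify_segment(peer_a, peer_b, rst_hdr, b"", KEY, bad_sig))  # False
```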
Based on reports on the net, many backbone service providers have already updated their devices to guard against the new attack, as they were given advance notice of the public release of the information. For most general users, the TCP vulnerability should not cause any major concern, and they should not be overly alarmed.
Some words about the writer
Steven Ong is a consultant with the Technology Group, tasked with identifying, tracking and exploring leading-edge enabler technologies in the mobile wireless arena. He is currently looking at areas such as Digital Rights Management, wireless security and smartphone application platforms.
Disclaimer:
The Info-Communications Development Authority of Singapore ("IDA") makes no warranties as to the suitability of use for any purpose whatsoever of any of the information, data, representations, statements and/or any of the contents herein nor as to the accuracy or reliability of any sources from which the same is derived (whether as credited or otherwise). IDA hereby expressly disclaims any and all liability connected with or arising from use of the contents of this publication. This analysis does not necessarily represent or contain the views of IDA nor the Government of the Republic of Singapore and should not be cited or quoted as such. All trademarks are the property of their respective owners. Copyright 2004 Info-communications Development Authority of Singapore. Other than for purposes of circulation WITHIN your organisation/company, this article (or any part thereof) must not be reproduced or redistributed without the prior permission of IDA.