[ISN] Net threat overstated, says security researcher

From: InfoSec News (isn@private)
Date: Thu Apr 22 2004 - 00:11:32 PDT

    By Robert Lemos
    Staff Writer, CNET News.com
    April 21, 2004

    VANCOUVER, British Columbia -- Widespread reports about a flawed
    communications protocol making the Internet vulnerable to collapse
    were overblown, according to the researcher credited with uncovering
    the security problem.

    A flaw in the most widely used protocol for sending data over the
    Net--TCP, or the Transmission Control Protocol--was addressed by most
    large Internet service providers during the last two weeks and
    presents little danger to major networks, said Paul Watson, a security
    specialist for industry automation company Rockwell Automation. If
    left unfixed, the weakness could have allowed a knowledgeable attacker
    to shut down connections between certain hardware devices that route
    data over the Net.

    "The actual threat to the Internet is really small right now," Watson
    said on Wednesday. "You could have isolated attacks against small
    networks, but they would most likely be able to recover quickly."

    Watson was responding to news reports that ran Tuesday, after
    Britain's national emergency response team, the National
    Infrastructure Security Co-ordination Centre, released an advisory
    about the issue based on his research. Watson, who's scheduled to
    present that research here at the CanSecWest 2004 conference this
    week, referred to the media reaction as an "inordinate level of
    attention in respect to the amount of risk."

    At greatest risk, he said, may be e-commerce sites that manage their
    own routers--those sites may not believe they're vulnerable to attack
    and may not have implemented a fix. Sites that have routers that share
    information on the most efficient paths through the Internet--using
    the Border Gateway Protocol, or BGP--are most vulnerable to the

    Networking-gear maker Cisco Systems said Wednesday that it had
    released updated software that addresses how the flaw affects its
    products. Other gear makers, including Juniper Networks, Hitachi and
    NEC, have been investigating the issue. Information on each company's
    conclusions can be found in the vendor information section of the
    NISCC's advisory.

    People have known for at least a decade about problems with the way
    Internet servers and network devices maintain connections with each
    other. "I am not the first person to notice the issues," Watson said.
    "I sort of pulled together all the pieces."

    The problem, said Watson, involves numbers that identify data packets
    being sent over the Net. Many network appliances and software programs
    rely on a continuous stream of packets from a single source--called a
    session. The packets are identified and grouped together using
    so-called sequence numbers, and, theoretically, if someone could guess
    the next number in a session and send a packet with that identifier,
    he or she could substitute illicit commands for authorized ones,
    Watson said.

    The odds against a correct guess were commonly thought to be
    staggering: about one in 4.3 billion. However--and here's the
    issue--Watson found that certain applications of TCP sessions, such as
    routers using the border gateway protocol, relied on long connection
    times, creating a much larger window of sequence numbers that could be
    valid. Instead of a one in 4 billion chance to guess the right number,
    a single-packet attack against a BGP connection might be successful
    once in 260,000 attempts. An attacker armed with a typical broadband
    connection could send all 260,000 possible attacks in less than 15

    It's not simple or elegant, Watson admitted, but it's effective.
    Rather than unleashing the sort of massive packet flood that normally
    makes up a denial-of-service attack, an online vandal could send far
    fewer packets and still bring down a site. "You can take e-commerce
    sites offline, but instead of billions and billions of packets, you
    can do it with a whole lot less," he said.

    The U.S. Computer Emergency Response Team (US-CERT) has issued an
    advisory, referencing a similar warning released almost three years
    ago that mentioned comparable attacks.

    Although large Internet service providers are vulnerable "to a very
    low degree," large and medium-size businesses should make sure they
    have assessed their vulnerability to the issue, said Sean Hernan,
    senior member of the technical staff for US-CERT.

    "In addition to the core Internet, this TCP vulnerability affects any
    two endpoints," he said. The vulnerability could affect mail servers,
    the servers that handle domain names and act as the yellow pages for
    the Internet, and other major applications. However, in those
    instances, it is much harder to guess the right sequence numbers,
    Hernan said.

    "This issue turned out to be particularly pernicious against BGP,"
    Hernan said.

    Both CERT and Watson recommend that companies add a random 128-bit
    number to each packet in a session to identify that data as part of
    the same session--the solution adopted by many major ISPs. Moreover,
    CERT also recommends that companies encrypt their data to further hide
    the information in the session from prying eyes.
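
The window arithmetic behind the article's "one in 4.3 billion" and "once in 260,000" figures, as an added example (not code from the article or from Watson's research): it models a receiver's in-window acceptance test, including 32-bit wraparound, and counts how many window-spaced guesses cover the sequence space. The 16,384-byte receive window, the other window sizes, and the treatment of the 128-bit per-packet value as independent random bits are assumptions made here for illustration.

```python
SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32 bits wide


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Receiver-side test: is seq inside [rcv_nxt, rcv_nxt + rcv_wnd) mod 2^32?"""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def guesses_to_cover(rcv_wnd: int) -> int:
    """Guesses spaced one window apart that are needed to span all 2^32 values."""
    return -(-SEQ_SPACE // rcv_wnd)  # ceiling division


def sweep_hits(rcv_nxt: int, rcv_wnd: int) -> int:
    """How many window-spaced guesses this receiver state would accept."""
    return sum(in_window(guess, rcv_nxt, rcv_wnd)
               for guess in range(0, SEQ_SPACE, rcv_wnd))


def blind_odds(rcv_wnd: int, auth_bits: int = 0) -> int:
    """Return N such that one blind packet is accepted roughly once in N tries.

    auth_bits is a simplified model of the per-packet value the article
    describes: the sender must also match that many unpredictable bits.
    """
    return guesses_to_cover(rcv_wnd) * 2 ** auth_bits


if __name__ == "__main__":
    # Constructed receive-window sizes (assumptions, not values from the article):
    # 1 = exact-match guess, 16384 = a long-lived session with a large window,
    # 65535 = the largest window without window scaling.
    for wnd in (1, 16384, 65535):
        print(f"window {wnd:>6}: about 1 in {blind_odds(wnd):,}")

    # The receiver's next expected number sits just below the 2^32 wrap point;
    # a window-spaced sweep still lands inside the window.
    print("accepted guesses near wraparound:", sweep_hits(2 ** 32 - 100, 16384))

    # Same window with a 128-bit unpredictable per-packet value required as well.
    print(f"with 128-bit value: about 1 in {blind_odds(16384, 128):.3e}")
```

The first two rows reproduce the article's orders of magnitude; the last line shows why the per-packet value recommended by CERT and Watson puts blind guessing out of reach regardless of window size.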