Welcome to P2PNET.net - The original daily p2p and digital news site. Always First!

TCP attack warning issued

p2pnet.net News:- Hackers with malicious intent could wreak online havoc through the TCP core network protocol used in most networked computer systems today.

That’s the effect of a vulnerability warning issued today by Britain’s National Infrastructure Security Co-ordination Centre.

The Transmission Control Protocol has a flaw that varies by vendor and application, "but in some deployment scenarios it is rated critical," says the NISCC warning.

"If exploited, the vulnerability could allow an attacker to create a Denial of Service condition against existing TCP connections, resulting in premature session termination," says the warning.

"The resulting session termination will affect the application layer, the nature and severity of the effects being dependent on the application layer protocol. The primary dependency is on the duration of the TCP connection, with a further dependency on knowledge of the network (IP) addresses of the end points of the TCP connection.

"The Border Gateway Protocol (BGP) is judged to be potentially most affected by this vulnerability.

"BGP relies on a persistent TCP session between BGP peers. Resetting the connection can result in medium term unavailability due to the need to rebuild routing tables and route flapping. Route flapping may result in route dampening (suppression) if the route flaps occur frequently within a short time interval. The overall impact on BGP is likely to be moderate based on the likelihood of successful attack. If the TCP MD5 Signature Option and anti-spoofing measures are used then the impact will be low as these measures will successfully mitigate the vulnerability.

"There is a potential impact on other application protocols such as DNS (Domain Name System) and SSL (Secure Sockets Layer) in the case of zone transfers and ecommerce transactions respectively, but the duration of the sessions is relatively short and the sessions can be restarted without medium term unavailability problems. In the case of SSL it may be difficult to guess the source IP address.

"Data injection may be possible. However, this has not been demonstrated and appears to be problematic."

The man who found the flaw is Paul A. Watson, who plans to present his discovery in his research paper "Slipping In The Window: TCP Reset Attacks" at the CanSecWest conference in Vancouver, Canada, April 21-23.

Watson noticed the probability of guessing an acceptable sequence number is much higher than 1/2^32 because the receiving TCP implementation will accept any sequence number in a certain range (or ‘window’) of the expected sequence number. The window makes TCP reset attacks practicable, says the NISCC, adding:

"Any application protocol which relies on long term TCP connections and for which the source and destination IP addresses and TCP ports are known or can be easily guessed will be vulnerable to at least denial of service attacks."
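The window effect described above can be quantified from the receiver's side. The following is an added example, not code from the article, the NISCC advisory or Watson's paper; it models the in-window acceptance check with 32-bit wraparound and contrasts it with an exact-match check. All function names, window sizes and receiver states are constructed for illustration.

```python
SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32 bits wide

def in_window(seq, rcv_nxt, rcv_wnd):
    """Window test the article describes: accept seq anywhere in
    [rcv_nxt, rcv_nxt + rcv_wnd), computed modulo 2**32 so it still
    works when the window straddles the sequence-number wraparound."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd

def exact_match(seq, rcv_nxt):
    """Stricter check (assumption, shown for contrast): accept only the
    single next expected sequence number."""
    return seq % SEQ_SPACE == rcv_nxt % SEQ_SPACE

def acceptance_probability(rcv_wnd):
    """Chance that one uniformly random 32-bit value passes in_window."""
    return min(rcv_wnd, SEQ_SPACE) / SEQ_SPACE

def values_to_cover(rcv_wnd):
    """Evenly spaced values needed before one is certain to be in-window
    (integer ceiling of 2**32 / rcv_wnd, avoiding float rounding)."""
    return -(-SEQ_SPACE // rcv_wnd)

def accepted_on_grid(rcv_nxt, rcv_wnd, stride):
    """Count grid values 0, stride, 2*stride, ... that each check accepts."""
    grid = range(0, SEQ_SPACE, stride)
    by_window = sum(in_window(s, rcv_nxt, rcv_wnd) for s in grid)
    by_exact = sum(exact_match(s, rcv_nxt) for s in grid)
    return by_window, by_exact

if __name__ == "__main__":
    # Constructed sample window sizes in bytes, not taken from the advisory.
    for wnd in (1, 16384, 65535, 1 << 20):
        print(f"window={wnd:>8}  p={acceptance_probability(wnd):.3e}  "
              f"values_to_cover={values_to_cover(wnd)}")
    # Constructed receiver state placed 10 bytes before wraparound:
    # the window check accepts one grid value, the exact check none.
    print(accepted_on_grid(SEQ_SPACE - 10, 1 << 20, 1 << 20))
```

With a window of 1 the model reduces to the 1/2^32 baseline; every doubling of the window doubles the acceptance probability, which is why long-lived sessions with large windows carry the most risk.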
