Welcome to P2PNET.net - The original daily p2p and digital news site. Always First!

The Net isn’t about to melt

p2pnet.net News:- Is the TCP security vulnerability described in a warning from Britain’s National Infrastructure Security Co-ordination Centre about to bring the Net crashing down?

No, says researcher Michal Zalewski, whose work in a related field back in 2001 resulted in a CERT advisory.

In his Strange Attractors and TCP/IP Sequence Number Analysis follow-up a year later, he said, "Note that I’m not trying to be alarmistic, the sky is not falling yet, but it’s certainly something worth looking at."

And his opinion hasn’t changed, he told p2pnet.

Yesterday, various reports (including ours) said an NISCC warning advised that the Transmission Control Protocol (TCP) has a flaw that varies by vendor and application, "but in some deployment scenarios it is rated critical".

This prompted a raft of Chicken Little stories and at least one report described Zalewski as having "discovered one of three flaws identified by Britain’s National Infrastructure Security Coordination Centre (NISCC) on Tuesday as posing a grave risk to the security of the net".

"I did not discover any of the ‘three flaws’ identified by NISCC – particularly since they’ve identified only one to start with," Zalewski says.

"Since the NISCC report implied the vulnerability is new," he told us, "I decided to take a stand and correct this; other reporting bodies, such as US CERT (which is, by all means, a better established security response organization), seem to agree with my assessment and also note the problem is nowhere near being new.

"This is not to say the problem is worth downplaying – but it does not deserve mass hysteria, either."

So what’s it all about? Here’s how Zalewski explained it to p2pnet.

"The threat is relatively simple: an attacker may inject rogue data into existing connections. This is a moderately serious vulnerability, and as I stated before, it is inherent to TCP/IP window design, and had been known to the security community ever since; this is not the first and not the last weakness of this protocol.

"Both CERT advisory and other sources generally acknowledge this fact, CERT is specifically referring to work by Tim Newsham and I back in 2001; NISCC got carried away claiming this is a new issue. Watson is simply doing a conference speech on a known security issue – and good, vendors should think how to kludge it, there is no reason to blame him.

"The attack may be used both to force certain connections to be dropped, or – with some more effort – to insert malicious contents into downloaded files or other resources. The attack demonstrated by Mr. Watson is – as far as I reckon (I have not seen the presentation itself), a specific incarnation of the problem, dropping BGP sessions; but the technique may very well be used to drop friends you do not like from IRC or other chat networks, or achieve similar effects. Since forcing a BGP connection to be dropped may have adverse effects on the routing infrastructure (by causing certain routes to be temporarily shut down), this attack vector may indeed be relatively nasty.

"That said, the attack is NOT particularly easy, in that you need to know port ranges on the devices you target, as well as the IP addresses of both endpoints. The information may be obtained or approximated with some effort, but means this attack needs to be specifically prepared and a specific connection needs to be targeted, then some time has to be spent on (hopefully) achieving some result. It is not a point-and-click vulnerability to bring the entire Internet down.

"At roughly the same time, two other vulnerabilities (one associated with NetBSD OS TCP/IP stack, and another with SNMP) were published, but this is a wholly different animal.

"In terms of risk, it is a threat, as I said, but I think a new Windows/IIS vulnerability is far more dangerous to the infrastructure than this – because we have no easy way to quickly deal with those problems, and the next DDoS worm may bring the entire Internet to its knees in no time. With this vulnerability, this is not likely to happen."

Now you know.
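
The window and port dependence Zalewski describes can be put in numbers. The model below is an added example, not code from the article or from Zalewski; the 16,384-byte window, the port counts and the strict rule (the exact-match reset check later specified in RFC 5961, which the article does not mention) are assumptions chosen for illustration.

```python
import math

SEQ_SPACE = 2**32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptance test: rcv_nxt <= seq < rcv_nxt + rcv_wnd (mod 2**32)."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def classify_rst(seq, rcv_nxt, rcv_wnd, strict):
    """Return what a receiver does with a RST segment carrying `seq`.

    strict=False: original behaviour, any in-window RST drops the connection.
    strict=True:  only an exact match resets; other in-window values are
                  answered with a challenge ACK and the connection survives.
    """
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"
    if not strict or seq == rcv_nxt:
        return "reset"
    return "challenge-ack"


def worst_case_segments(rcv_wnd, candidate_ports, strict):
    """Upper bound on blind guesses when both IP addresses and one port are
    known but the sequence number and the other port are not."""
    per_port = SEQ_SPACE if strict else math.ceil(SEQ_SPACE / rcv_wnd)
    return per_port * candidate_ports


def sweep_resets(rcv_nxt, rcv_wnd, strict):
    """Count resets caused by one pass over the sequence space in
    window-sized steps (the cheapest pass that cannot miss a window)."""
    return sum(
        classify_rst(seq, rcv_nxt, rcv_wnd, strict) == "reset"
        for seq in range(0, SEQ_SPACE, rcv_wnd)
    )


if __name__ == "__main__":
    wnd = 16384              # constructed sample window size
    rcv_nxt = 0xFFFFF000     # constructed value near the 32-bit wrap
    for ports in (1, 4000):  # port known exactly vs. a constructed range
        print(ports, worst_case_segments(wnd, ports, strict=False))
    print("strict:", worst_case_segments(wnd, 1, strict=True))
    print("resets classic/strict:",
          sweep_resets(rcv_nxt, wnd, False), sweep_resets(rcv_nxt, wnd, True))
```

With the port known, a classic receiver can be hit within 262,144 guesses; each unknown port multiplies that figure, and requiring an exact sequence match raises the per-port cost to the full 2^32.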
