Apr 22 2004
Pretty Good article on the TCP Vulnerability
Here’s a link to an article from SearchSecurity.com on the nature of the TCP vulnerability disclosed earlier this week. The article has several good links directly to the sources of information on the vulnerability and how to defend against it. It presents the vulnerability as another reason to be cautious, but urges us not to panic.
I agree with this point of view. We need to be aware of the vulnerability and take appropriate steps to mitigate the problem. The solution to the vulnerability is simple: a minor configuration change to enable MD5 signatures on BGP traffic. What worries me is this now becomes another configuration line we have to remember to set in each and every edge router from now on. Another entry in the ‘Best Practices’ manual. This stuff continues to build up.
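To make concrete what “MD5 signatures on BGP traffic” actually protects, here is an added illustration (not code from this post or from the article quoted below) of the TCP MD5 signature option from RFC 2385, which is what the BGP password configures. The digest is computed over the IPv4 pseudo-header, the fixed TCP header with the checksum zeroed and options stripped, the payload, and the shared key. The addresses, ports, key and BGP KEEPALIVE bytes are constructed sample values; nothing here touches the network.

```python
"""RFC 2385 TCP MD5 signature option: sign and verify hand-built segments.

Added example, not from the original page. Shows why a blind attacker who
can spoof addresses, ports and an in-window sequence number still cannot
get a forged RST accepted by a peer configured for MD5 signatures.
"""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace
from typing import Optional

TCP_PROTO = 6
FIXED_HDR_LEN = 20
MD5_OPT_LEN = 20          # kind 19, length 18 (16-byte digest) + two NOP bytes of padding
FLAG_RST, FLAG_PSH, FLAG_ACK = 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Segment:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int
    payload: bytes = b""
    digest: Optional[bytes] = None   # value carried in the MD5 option, if present


def _pseudo_header(seg: Segment) -> bytes:
    # TCP length in the pseudo-header covers the options, so count the MD5 option.
    tcp_len = FIXED_HDR_LEN + MD5_OPT_LEN + len(seg.payload)
    return struct.pack("!4s4sBBH", socket.inet_aton(seg.src_ip),
                       socket.inet_aton(seg.dst_ip), 0, TCP_PROTO, tcp_len)


def _fixed_header(seg: Segment) -> bytes:
    # Data offset includes the option; checksum field is zero per RFC 2385.
    data_offset_words = (FIXED_HDR_LEN + MD5_OPT_LEN) // 4
    return struct.pack("!HHIIHHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                       (data_offset_words << 12) | seg.flags, seg.window, 0, 0)


def rfc2385_digest(seg: Segment, key: bytes) -> bytes:
    """MD5(pseudo-header || fixed TCP header || payload || key), per RFC 2385."""
    h = hashlib.md5()
    h.update(_pseudo_header(seg))
    h.update(_fixed_header(seg))
    h.update(seg.payload)
    h.update(key)
    return h.digest()


def sign(seg: Segment, key: bytes) -> Segment:
    return replace(seg, digest=rfc2385_digest(seg, key))


def accept(seg: Segment, key: bytes) -> bool:
    """Receiver side: a peer configured for MD5 drops unsigned and mis-signed segments."""
    if seg.digest is None:
        return False
    return hmac.compare_digest(seg.digest, rfc2385_digest(seg, key))


def demo() -> dict:
    key = b"example-bgp-secret"                  # constructed sample key
    peer_a, peer_b = "192.0.2.1", "192.0.2.2"     # documentation addresses (RFC 5737)
    keepalive = Segment(peer_a, peer_b, 179, 40001, seq=1000, ack=5000,
                        flags=FLAG_PSH | FLAG_ACK, window=16384,
                        payload=b"\xff" * 16 + b"\x00\x13\x04")   # BGP KEEPALIVE
    legit = sign(keepalive, key)
    # Blind attacker: knows addresses, ports and an in-window seq, but not the key.
    forged_rst = Segment(peer_a, peer_b, 179, 40001, seq=1000, ack=0,
                         flags=FLAG_RST, window=0)
    return {
        "legit_accepted": accept(legit, key),
        "unsigned_rst_accepted": accept(forged_rst, key),
        "guessed_key_rst_accepted": accept(sign(forged_rst, b"password"), key),
        "tampered_payload_accepted": accept(replace(legit, payload=b"\x00"), key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point is not that MD5 is a strong MAC by today’s standards, but that the attacker’s whole advantage in the reset attack is a guessable sequence number; once each segment also has to carry a digest keyed on a secret the attacker does not hold, guessing the window no longer buys anything. Note that RFC 2385 also requires the option on every segment of a protected connection, so an unsigned RST is dropped outright rather than evaluated.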
Someone, somewhere, soon is going to get hit on this one, hopefully not in too harmful a way. I hope most companies are taking the time to defend themselves now, before the automated tools hit the mainstream. We don’t need to panic, but we need to be aware that the script kiddie tools will come out and we need to be protected before they do. How does the saying go? “Plan for the worst, hope for the best.”
I’ve included the full text of the article in the extended entry to preserve the links. Please refer to the original article if you’re going to do any linking.
TCP protocol flaw: The sky isn’t falling
By Shawna McAlearney, News Writer
21 Apr 2004 | SearchSecurity.com
A critical vulnerability, affecting multiple vendors, has been identified in the Transmission Control Protocol (TCP) used for Internet connections, mainly routing infrastructure including networked operating systems and network equipment. However, experts say the problem is being corrected and isn’t that big of a deal.
“It is a design flaw of TCP, so it is as old as the Internet,” said Alan Paller, director of the Bethesda, Md.-based SANS Institute. “The folks at the core have been fixing their systems for about four weeks. For me, the bottom line is that the sky is not falling.”
The TCP injection vulnerability, combined with a vulnerability in the Border Gateway Protocol, can allow a remote attacker to terminate network sessions. US-CERT said sustained exploitation could lead to a denial of service, affecting large portions of the Internet. Routing operations would recover quickly after such attacks ended, US-CERT said.
Another flaw, the TCP/IP Initial Sequence Number vulnerability, could allow Web sites and services that rely on constant TCP sessions to be attacked and suffer from data corruption, session hijacking or denial-of-service. According to the UK National Infrastructure Security Coordination Centre, such session terminations “will affect the application layer, the nature and severity of the effects being dependent on the application layer protocol. The primary dependency is on the duration of the TCP connection, with a further dependency on knowledge of the network (IP) addresses of the end points of the TCP connection.”
Products from Certicom, Check Point Software Technologies and Cisco Systems are among those vulnerable to the flaws. More information on specific vendors can be found at http://www.uniras.gov.uk/vuls/2004/236929/index.htm .
“Any router engineer has known about these issues for years and should know how to protect against them,” James H. Edwards, a routing and security administrator at Internet at Cyber Mesa in New Mexico, said in a posting to the Full-Disclosure security mailing list. “There is really nothing new here, but I hope this big press blowup will force more engineers to do what they already should have done a long time ago.”
A TCP/IP Initial Sequence Number vulnerability identified in 2001 (http://www.kb.cert.org/vuls/id/498440 ) is just one example of how an attacker could inject TCP packets into a session. An attacker sending a reset packet, for example, could cause the TCP session between two endpoints to terminate without any further communication.
But a spokesman at Atlanta-based Internet Security Systems said it considers “network infrastructure providers and enterprises’ internal networks to be the most vulnerable to potential denial-of-service/distributed denial-of-service attacks that can cause significant outages and downtime to users and customers.”
Experts recommend immediately applying patches issued by affected vendors. Workarounds include: ingress and egress filtering; prohibiting externally initiated inbound connections to non-authorized services and preventing machines providing public services from initiating outbound connections to the Internet; deploying and using cryptographically secure protocols, such as IPSec; and network isolation. Specific details on these recommendations can be found at http://www.us-cert.gov/cas/techalerts/TA04-111A.html .
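The article says a spoofed reset “could cause the TCP session between two endpoints to terminate” and that the impact depends on the duration of the connection, but it does not show why the guess is feasible. The following added example (mine, not part of the article or the post) implements the RFC 793 acceptance test for a reset: the RST only has to carry a sequence number anywhere inside the receiver’s window, so an attacker sweeps the 32-bit sequence space in steps of one window rather than trying all 2^32 values. The `strict` flag models the hardening vendors adopted in response and that RFC 5961 later standardized (accept a RST only at exactly RCV.NXT); the connection state and window sizes are constructed sample values.

```python
"""Blind TCP reset arithmetic: in-window acceptance versus exact-match.

Added example, not from the original page. All values are constructed.
"""
MOD = 1 << 32


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a zero-length segment, with 32-bit wraparound."""
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_accepted(seq: int, rcv_nxt: int, rcv_wnd: int, strict: bool = False) -> bool:
    """Pre-2004 behaviour (strict=False): any in-window RST tears the connection down.
    Hardened behaviour (strict=True, RFC 5961): the RST must hit RCV.NXT exactly."""
    if strict:
        return seq == rcv_nxt
    return seq_in_window(seq, rcv_nxt, rcv_wnd)


def guesses_per_port(rcv_wnd: int) -> int:
    """Packets needed to cover the whole sequence space in steps of one window.

    This is the attacker's worst case once addresses and ports are known; for
    BGP the ports are largely predictable (179 on one side), which is why
    long-lived router sessions were the headline target.
    """
    return -(-MOD // rcv_wnd)   # ceiling division


def blind_reset_attempts(rcv_nxt: int, rcv_wnd: int, strict: bool = False):
    """Simulate the attacker sending RSTs at seq = 0, wnd, 2*wnd, ... and report
    how many packets it took for one to be accepted, or None if the sweep never
    succeeds (the case for a strict receiver unless RCV.NXT happens to be hit)."""
    stride = max(rcv_wnd, 1)
    attempts = 0
    for seq in range(0, MOD, stride):
        attempts += 1
        if rst_accepted(seq, rcv_nxt, rcv_wnd, strict):
            return attempts
    return None


if __name__ == "__main__":
    rcv_nxt = 0x12345678                    # constructed connection state
    for wnd in (65535, 16384):
        print(f"window {wnd}: worst case {guesses_per_port(wnd)} packets per port, "
              f"sweep landed after {blind_reset_attempts(rcv_nxt, wnd)} packets, "
              f"strict receiver: {blind_reset_attempts(rcv_nxt, wnd, strict=True)}")
```

With a 64 KB window the attacker needs at most about 65,538 packets per candidate port pair to land a reset, which is minutes on a modest link; a strict receiver forces the attacker back to the full 2^32 space, which is why the exact-match change plus MD5 signing on BGP sessions is the practical answer rather than ingress filtering alone.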