April 21, 2004 3:08 PM PDT
Net threat overstated, says security researcher
A flaw in the most widely used protocol for sending data over the Net--TCP, or the Transmission Control Protocol--was addressed by most large Internet service providers during the last two weeks and presents little danger to major networks, said Paul Watson, a security specialist for industry automation company Rockwell Automation. If left unfixed, the weakness could have allowed a knowledgeable attacker to shut down connections between certain hardware devices that route data over the Net.
"The actual threat to the Internet is really small right now," Watson said on Wednesday. "You could have isolated attacks against small networks, but they would most likely be able to recover quickly."
Watson was responding to news reports that ran Tuesday, after Britain's national emergency response team, the National Infrastructure Security Co-ordination Centre, released an advisory about the issue based on his research. Watson, who's scheduled to present that research here at the CanSecWest 2004 conference this week, referred to the media reaction as an "inordinate level of attention in respect to the amount of risk."
At greatest risk, he said, may be e-commerce sites that manage their own routers--those sites may not believe they're vulnerable to attack and may not have implemented a fix. Sites that have routers that share information on the most efficient paths through the Internet--using the Border Gateway Protocol, or BGP--are most vulnerable to the attacks.
Networking-gear maker Cisco Systems said Wednesday that it had released updated software that addresses how the flaw affects its products. Other gear makers, including Juniper Networks, Hitachi and NEC, have been investigating the issue. Information on each company's conclusions can be found in the vendor information section of the NISCC's advisory.
Get Up to Speed on...
Get the latest headlines and
company-specific news in our
expanded GUTS section.
People have known for at least a decade about problems with the way Internet servers and network devices maintain connections with each other. "I am not the first person to notice the issues," Watson said. "I sort of pulled together all the pieces."
The problem, said Watson, involves numbers that identify data packets being sent over the Net. Many network appliances and software programs rely on a continuous stream of packets from a single source--called a session. The packets are identified and grouped together using so-called sequence numbers, and, theoretically, if someone could guess the next number in a session and send a packet with that identifier, he or she could substitute illicit commands for authorized ones, Watson said.
The odds against a correct guess were commonly thought to be staggering: about one in 4.3 billion. However--and here's the issue--Watson found that certain applications of TCP sessions, such as routers using the border gateway protocol, relied on long connection times, creating a much larger window of sequence numbers that could be valid. Instead of a one in 4 billion chance to guess the right number, a single-packet attack against a BGP connection might be successful once in 260,000 attempts. An attacker armed with a typical broadband connection could send all 260,000 possible attacks in less than 15 seconds.
It's not simple or elegant, Watson admitted, but it's effective. Rather than unleashing the sort of massive packet flood that normally makes up a denial-of-service attack, an online vandal could send far fewer packets and still bring down a site. "You can take e-commerce sites offline, but instead of billions and billions of packets, you can do it with a whole lot less," he said.
The U.S. Computer Emergency Response Team (US-CERT) has issued an advisory, referencing a similar warning released almost three years ago that mentioned comparable attacks.
Although large Internet service providers are vulnerable "to a very low degree," large and medium-size businesses should make sure they have assessed their vulnerability to the issue, said Sean Hernan, senior member of the technical staff for US-CERT.
"In addition to the core Internet, this TCP vulnerability affects any two endpoints," he said. The vulnerability could affect mail servers, the servers that handle domain names and act as the yellow pages for the Internet, and other major applications. However, in those instances, it is much harder to guess the right sequence numbers, Hernan said.
"This issue turned out to be particularly pernicious against BGP," Hernan said.
Both CERT and Watson recommend that companies add a random 128-bit number to each packet in a session to identify that data as part of the same session--the solution adopted by many major ISPs. Moreover, CERT also recommends that companies encrypt their data to further hide the information in the session from prying eyes.