Get Smart about Business Spending
TCP flaws puts Web sites at risk
Two researchers in Sweden have found multiple flaws in the TCP stack that could lead to massive denial-of-service attacks if exploited. At present there is no workaround and there are no patches available.
The TCP stack defines a set of rules by which a computer can communicate over any network. Robert E. Lee, chief security officer for Outpost24, told CNET News, "the vendors we are in talks with seem to be taking the threat seriously."
The discovery follows a test using a port scanner called UnicornScan, which Lee and senior security researcher Jack Louis created. The tool is used for vulnerability assessment and penetration testing at Outpost24. Lee told a Swedish podcast that when they couldn't get a port scan done soon enough, they decided to move the TCP stack into the program to make it more distributed. That's when Louis started noticing strange behavior.
"Jack found some anomalies in which machines would stop working in some very specific circumstances while being scanned," Lee told CNET News. One of the behaviors experienced was packet loss where the packets just kept trying, and trying, and trying, creating, more or less, a denial of service (DoS) on that machine.
There doesn't appear to be just one vulnerability, but several, according to Robert Hansen who first wrote about this Friday. Hansen says the potential for these vulnerabilities, as he understands it, if exploited, could result in great damage. And fixing it will require coordination with vendors of operating systems, firewalls, and Web-enabled devices.
To exploit the flaws, to see if the TCP vulnerabilities were real, Lee and Louis created a program called "sockstress" that intentionally did some wrong things with the TCP/IP handshake process. The sockstress program was very effective in producing DoS attacks. The pair have no plans to release sockstress.
Lee said he doesn't plan to have a big, public disclosure press conference like Dan Kaminsky did with the DNS flaw this past summer. "We plan to work with vendors to ensure they understand the issues fully and have adequate solutions in place before publicly sharing details on the issues. Since there are multiple issues, we may be able to share information on individual issues as they are individually addressed."
Asked whether someone else could figure this out before the patches are out, Lee said "even though I think Jack Louis is exceptionally brilliant, Outpost24 doesn't have a monopoly on bug-finding abilities. It is a matter of time before someone else independently figures it out."
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments. 
Someone can spam call your phone to create a denial service attack.
People need to get a grip, and not over-react. What types of computers, and which operating systems were they using? Were they clients, servers, or other? Were all ports open? Where they using an old industry standard port that used to be intended for firmware access? Why did the network traffic stop the computers from working, and what is the definition of stop? Did stop communicating, shut down? WHAT!
"I have no doubt that I'll be thoroughly impressed once details of the attack are finally released. It does however make me uncomfortable to know that the clock is ticking and we can only sit on the sidelines to wait and see if motivated attackers are able to beat vendors to the punch and exploit this vulnerability before it can be patched."
Michael Sutton
VP, Security Research
Zscaler
- by biffhenerson October 3, 2008 8:22 AM PDT
- Flaws in TCP that cause unintended DoS were presented during a security session at Microsoft Tech-Ed in 2006. These flaws were reported to the governing agency and no action has been taken as it affects the fundamental foundation/stack.
- Reply to this comment
-
(5 Comments)