ISPs have diffused most of the potential for large-scale DoS (denial of service) attacks based on the “flaw” in the TCP reported yesterday. But that doesnt mean that network managers should be totally unconcerned about it.
The TCP flaw allows an attacker to reset an existing TCP session by sending a Syn (synchronization) packet that has an identification number that falls within an expected “window” of numbers. Theoretically, the attack could be used to reset sessions between Internet routers, causing them to dump routing information.
The immediate concern among many Internet security experts was that the flaw could be used for an “information warfare” attack on the Internets infrastructure. But the attack could also be used much in the same way as “Syn Flood” attacks have been used in the past—as part of a DoS attack (like those that have been directed against SCO in recent months), as part of an attempt to hijack a TCP session, or in an effort to reroute traffic to another host.
“Being able to snipe a TCP session can be an important component of many attack scenarios,” says Scott Blake, vice president of information security at BindView. “For example, if I want to try to get someone to come over to my spoofed Web server instead of the one they would normally use, one technique I could use is to watch for their load of the existing page, kill their connection and redirect it over to my server.”
The vulnerability in TCP is hardly new; the feature of the protocol that allows TCP sessions to be reset has been known about for years. “This one has been lurking around for a long time,” says Dr. Kelly Jones, senior vice president of technology and client operations at Evergreen Assurance, a disaster recovery company based in Annapolis, Md. “I think the reason it hasnt been exploited yet is that you have to have a pretty good knowledge of TCP to do it.” It was also assumed that an attacker would need intimate knowledge of the traffic passing between two systems—knowledge that generally was only in the hands of network engineers.
Unfortunately, that assumption proved to be only partially correct. Yesterdays vulnerability warning came after a researcher showed that the flaw could be exploited more easily than previously thought through scripted attacks that throw “spoofed” TCP packets at a target until it generates one with an identification number that falls into the expected range for that session.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: