TCP Flaw No Cause for Alarm

While word of a major vulnerability in the fabric of the Internet leaked out a bit sooner than folks at the Department of Homeland Security would have liked, there isnt a whole lot to panic about.

The threat posed by an exploit of the TCP has already been addressed where it matters most—at the core of the Internet. Unless youre heavily using the BGP (Border Gateway Protocol) to manage routing of your network traffic to ISPs, odds are that youre not at risk.

The potential problem only applies to applications that rely on having a long-term TCP session between two points. But few applications use TCP for such applications—streaming video and audio, for example, typically rely on the UDP (User Datagram Protocol) instead.

Unfortunately, one place where such long-term TCP sessions are common is communication between routers over BGP. The greatest vulnerability is at “peer border routers”—the routers at the edge of an ISPs network that link pairs of ISPs together.

“If BGP peers get knocked off, it can take some time to rebuild those connections,” says Peter Stapleton, director of product marketing for Computer Associates International Inc.

By sending a “spoofed,” or faked, TCP message, an attacker could reset the TCP session between two border routers; that would reset the BGP session between them as well, and any routing information built between the routers would have to be rebuilt. If carried out repeatedly, the attack could stop traffic between two ISPs by way of that peer connection.

/zimages/4/28571.gifFor insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

Fortunately, most ISPs have already taken steps to secure the traffic between their peer border routers. “Its something weve known about in the operations community for over a week now,” says Bill Woodcock, research director of the Packet Clearing House, a nonprofit organization that promotes Internet stability by working with ISPs.

In that time, ISPs have been working with each other to secure each of their peer links “using an MD5 (Message Digest 5) Hash to protect each session,” says Woodcock, “putting a unique password on every interconnection between each pair of ISPs.”

The MD5 algorithm, designed by Ron Rivest in 1991, has been available for some time; it was defined as an optional extension to BGP in the Internet Engineering Task Forces RFC 2358 back in 1998. “Its been around for a while,” says Stapleton, “but as far as being a common practice, thats another matter. Up until now, it hasnt been used that much.”

That has changed in the last week. “All of the big guys got this done days ago,” says Woodcock. “Its come down to the last couple of small guys who are harder to pay attention—the vulnerability will only affect smaller ISPs that are less concerned about security.”

/zimages/4/28571.gifCheck outeWEEK.coms Security Centerat http://security.eweek.com for security news, views and analysis.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif