Internet security experts yesterday warned of a serious security vulnerability in Transmission Control Protocol (TCP) – a critical communications protocol used on the majority of the world's computer networks, according to the UK's National Infrastructure Security Co-Ordination Centre (NISCC).
The hole exists in all implementations of TCP that comply with the Internet Engineering Task Force's TCP specification. By exploiting the holes, malicious hackers could cause TCP sessions to end prematurely, creating a "denial of service," or DOS attack. The vulnerability could also disrupt communications between routers on the Internet by interrupting BGP (Border Gateway Protocol) sessions that use TCP, NISCC said.
The US-CERT Coordination Center issued a warning on Tuesday about the vulnerability. The warning cited an almost three-year-old advisory and said that sustained exploitation of the hole could lead to denial of service affecting "portions of the Internet community."
BGP is the most commonly used routing protocol used by major external routers on the Internet. Major ISPs (Internet service providers) use BGP to configure redundant high-speed connections and to coordinate with other ISPs and other peers, said Dan Ingevaldson, research director at Internet Security Systems (ISS).
"It's the protocol that handles the big pipes on the Internet," he said.
NISCC and US-CERT issued their warnings after security researcher Paul Watson described the problem in a paper called "Slipping in the Window: TCP Reset Attacks." Watson will be presenting the paper at the CanSecWest 2004 security conference in Vancouver, Canada, this week.
I've got your number
Watson discovered that the current TCP standard allows a malicious hacker to easily guess a unique 32-bit number needed to reset an established TCP connection because the standard allows sequence numbers in a range of values to be accepted rather than just exact matches, according to the NISCC advisory.
By spoofing the source IP (Internet Protocol) address and the TCP port, then randomly guessing the unique sequence number, an attacker could cause an active TCP session to terminate.
Networking experts have known about the potential for such attacks for almost 20 years. However, as Internet use and the use of broadband Internet connections has grown over the years, ISPs and others have gradually increased the size of the "window," or range of acceptable sequence numbers that they permit to reset a connection, making a successful DOS attack more plausible, Ingevaldson said.
BGP sessions are particularly vulnerable to such attacks because they are longer, more predictable connections that often take place between two devices with published IP addresses, he said.
"Attackers know where they are and where they're going, they know the ports on either side that are being used and the window," he said.
ISS notified its customers about the hole and said that network infrastructure providers and enterprises' internal networks are the most vulnerable to DOS attacks that use the vulnerability.
Leading networking equipment vendors Cisco Systems and Juniper Networks are expected to release advice for their customers this week that explain which of their products contain BGP code vulnerable to attack and to offer updated versions of operating system software for those devices that fix the problem.
Despite the dire warnings, the impact of the TCP hole will probably be small, Ingevaldson said.
Leading networking vendors have probably been in conversation with US-CERT and the NISCC far in advance of the news becoming public, giving those companies time to prepare a patch. Also, the BGP protocol was designed to be resistant to attack and to support digital signatures using algorithms such as MD5 that can prevent spoofing, he said.
"This is a serious issue because it's widespread, but there probably won't be a widespread impact," he said.