Flaw in TCP leaves entire internet vulnerable to attack

FoBoT (No Lifer, joined Apr 30, 2001, fobot.com)
I ain't patching the whole stinkin' internet, way too much work.
Screw all them users.

The UK site linked on /. is getting hammered.
 

MacBaine (Banned, joined Aug 23, 2001)
Watson, who runs the www.terrorist.net Web site, predicted that hackers will understand how to begin launching attacks "within five minutes of walking out of that meeting."

"It's fairly easy to implement," Watson said. "Someone walking out of the conference would immediately understand. No matter how vague I am, people will figure it out."

Hearing this, I think telling everybody what this secret is would be the best course of action.
 

DWW (Platinum Member, joined Apr 4, 2003)
Anyone who codes (sockets) or has a better appreciation and understanding of TCP/IP implementations will know that TCP/IP stacks vary system to system in a WIDE way. Luckily the Intarweb is comprised of many types of systems and hopefully this will only work on specific ones. Standards aren't always followed, and it isn't just Microsoft but many others.

Bleh, if you grok nmap you already know what I'm talking about... that is how it -works-, based on the inconsistencies between systems and versions.
 

RagingBITCH (Lifer, joined Sep 27, 2003)
$20 says he'll mysteriously be found dead before the conference. Or a bomb threat shuts down the conference :)
 

FoBoT (No Lifer, joined Apr 30, 2001, fobot.com)
This may be enough info to figure it out:

Summary

The issue described in this advisory is the practicability of resetting an established TCP connection by sending suitable TCP packets with the RST (Reset) or SYN (Synchronise) flags set.

The packets need to have source and destination IP addresses that match the established connection as well as the same source and destination TCP ports.

The fact that TCP sessions can be reset by sending suitable RST and SYN packets is a design feature of TCP according to RFC 793, but a reset attack is only possible at all because the source IP address and TCP port can be forged or "spoofed".

Let's all go read RFC 793 :D
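The in-window acceptance rule from RFC 793 that the advisory summary above relies on, as an added example that is not part of the advisory or of any post in this thread. It models the receiver's decision for a spoofed RST or SYN under the classic rule, the hardened rule later standardised in RFC 5961 (reset only on an exact RCV.NXT match, otherwise a challenge ACK), and the number of spoofed segments an attacker has to send to sweep the sequence space. The connection (TEST-NET addresses, a BGP session on port 179, a 65535-byte window) and the segment fields are constructed assumptions, not values from the page.

```python
"""In-window RST acceptance (RFC 793) versus the RFC 5961 hardening.

Added example for this thread; not code from the NISCC advisory, CERT, or any
TCP stack. The connection below (TEST-NET addresses, BGP port 179, a 65535-byte
window) is constructed for illustration."""
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass
class Connection:
    # Local view of one established connection (constructed values).
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    rcv_nxt: int   # next sequence number expected from the peer
    rcv_wnd: int   # advertised receive window in bytes


CONN = Connection("192.0.2.1", 179, "198.51.100.7", 40123,
                  rcv_nxt=1_000_000, rcv_wnd=65535)


def spoofed(seq: int, flags: int = RST) -> dict:
    """Forge a segment the way the advisory describes: both addresses and both
    ports copied from the target connection, only the sequence number guessed."""
    return {"src_ip": CONN.remote_ip, "src_port": CONN.remote_port,
            "dst_ip": CONN.local_ip, "dst_port": CONN.local_port,
            "seq": seq, "flags": flags}


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a zero-length segment:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def tuple_matches(conn: Connection, pkt: dict) -> bool:
    """The advisory's first precondition: all four of the addresses and ports match."""
    return (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"]) == \
           (conn.remote_ip, conn.remote_port, conn.local_ip, conn.local_port)


def rfc793_action(conn: Connection, pkt: dict) -> str:
    """Classic behaviour: a RST or SYN whose sequence number lands anywhere
    inside the receive window aborts the connection."""
    if not tuple_matches(conn, pkt):
        return "drop"
    if not in_window(pkt["seq"], conn.rcv_nxt, conn.rcv_wnd):
        return "drop"
    if pkt["flags"] & (RST | SYN):
        return "reset"
    return "accept"


def rfc5961_action(conn: Connection, pkt: dict) -> str:
    """Hardened behaviour: a RST resets only when SEG.SEQ == RCV.NXT; an
    in-window RST with any other sequence number, and any SYN at all, gets a
    challenge ACK and is otherwise ignored. The attacker must now hit one
    value in 2^32 instead of one in 2^32 / RCV.WND."""
    if not tuple_matches(conn, pkt):
        return "drop"
    if pkt["flags"] & SYN:
        return "challenge-ack"
    if pkt["flags"] & RST:
        if not in_window(pkt["seq"], conn.rcv_nxt, conn.rcv_wnd):
            return "drop"
        return "reset" if pkt["seq"] == conn.rcv_nxt else "challenge-ack"
    if not in_window(pkt["seq"], conn.rcv_nxt, conn.rcv_wnd):
        return "drop"
    return "accept"


def packets_to_sweep(rcv_wnd: int, port_guesses: int = 1) -> int:
    """Spoofed segments needed to cover the 32-bit sequence space once when
    any sequence number inside a window of rcv_wnd bytes is accepted, times
    the number of source-port values the attacker has to try."""
    return -(-SEQ_SPACE // rcv_wnd) * port_guesses


if __name__ == "__main__":
    guess = spoofed(1_040_000)          # inside the window, but not RCV.NXT
    print("RFC 793 :", rfc793_action(CONN, guess))    # reset
    print("RFC 5961:", rfc5961_action(CONN, guess))   # challenge-ack
    print("RSTs to sweep a 65535-byte window:", packets_to_sweep(65535))  # 65538
    print("RSTs to sweep with exact-match check:", packets_to_sweep(1))   # 4294967296
```

With a 65535-byte window the whole sequence space is covered by 65538 spoofed segments per source-port guess, which is how the "4 billion combinations" collapse to something a single host can send in seconds; under the RFC 5961 rule the same sweep needs 2^32 segments per port. The example covers zero-length RST and SYN segments only; a real stack also has to order the ACK check and handle data-carrying segments, which are left out here.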
 

SSP (Lifer, joined Oct 11, 1999)
Originally posted by: MacBaine
Watson, who runs the www.terrorist.net Web site, predicted that hackers will understand how to begin launching attacks "within five minutes of walking out of that meeting."

"It's fairly easy to implement," Watson said. "Someone walking out of the conference would immediately understand. No matter how vague I am, people will figure it out."

Hearing this, I think telling everybody what this secret is would be the best course of action.

That guy is an attention whore.
 

Kilrsat (Golden Member, joined Jul 16, 2001)
Originally posted by: SSP
Originally posted by: MacBaine
Watson, who runs the www.terrorist.net Web site, predicted that hackers will understand how to begin launching attacks "within five minutes of walking out of that meeting."

"It's fairly easy to implement," Watson said. "Someone walking out of the conference would immediately understand. No matter how vague I am, people will figure it out."

Hearing this, I think telling everybody what this secret is would be the best course of action.

That guy is an attention whore.

He discovered the flaw a year ago and has been working with various companies to ensure that vital systems are already patched and prepared.

For example, something that just came across the UW campus administrator list:

"DoIT and WiscNet, and other major network providers and ISPs, are already aware of the issue and its prevention. No end user action is required."
 

spidey07 (No Lifer, joined Aug 4, 2000)
From briefly reading the article, the flaw is in TCP, leaving BGP and the keepalives used in it exposed. To "dampen" a route is to suspend it because of flapping. So if an attacker could trick a router into removing and inserting paths by causing neighbor state changes, it could cause dampening.

But anybody with a grain of salt uses authentication with BGP, so I just don't see this happening.

-edit- More reading. It talks about 4 billion combinations and guessing them. What he's proposed is guessing/predicting the source and destination TCP ports.

-edit- Whoops. They're talking about a TCP SYN attack. That ain't good if they can hit BGP.

-edit- CERT has it up.
http://www.us-cert.gov/cas/techalerts/TA04-111A.html

RFC 2385 has addressed the concern with MD5 header authentication, now let's see how many are using it. My guess would be any competent ISP is. Paul Wilson (Cisco Systems) initially discovered it.
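The RFC 2385 MD5 header authentication mentioned above, as an added example written for this thread rather than code from CERT, the advisory, or any router vendor. It signs a segment the way a BGP speaker with a neighbor password does and verifies it on receipt, so a spoofed RST that has the correct 4-tuple and an in-window sequence number is still discarded for lack of the key. The addresses (TEST-NET), ports, sequence numbers, the key and the BGP KEEPALIVE payload are constructed assumptions.

```python
"""RFC 2385 TCP MD5 signature option: sign a segment and verify it on receipt.

Added example for this thread; not code from CERT, the advisory or any router
vendor. Addresses, ports, sequence numbers, the key and the BGP KEEPALIVE
payload are constructed for illustration."""
import hashlib
import hmac
import socket
import struct

IPPROTO_TCP = 6
TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19      # option kind assigned by RFC 2385
TCPOLEN_MD5SIG = 18     # kind + length + 16-byte digest
RST, ACK = 0x04, 0x10

# Constructed sample data: a BGP KEEPALIVE (16-byte marker, length 19, type 4),
# a made-up neighbor password and TEST-NET addresses for the two speakers.
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
KEY = b"example-neighbor-password"
PEER, LOCAL = "198.51.100.7", "192.0.2.1"


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header in the order RFC 2385 hashes it."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len))


def md5_signature(src_ip, dst_ip, fixed_hdr: bytes, payload: bytes, key: bytes) -> bytes:
    """RFC 2385 section 2: MD5 over pseudo-header, the 20-byte TCP header with
    options excluded and checksum taken as zero, the data, then the key."""
    tcp_len = (fixed_hdr[12] >> 4) * 4 + len(payload)
    h = hashlib.md5()
    h.update(pseudo_header(src_ip, dst_ip, tcp_len))
    h.update(fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:])
    h.update(payload)
    h.update(key)
    return h.digest()


def checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum (zero when recomputed over a
    segment that already carries the right checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                  payload: bytes, key: bytes) -> bytes:
    """TCP segment carrying the MD5 option (18 bytes plus two NOPs of padding,
    so the data offset is 10 words) and a valid checksum."""
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 10 << 4, flags, window, 0, 0)
    sig = md5_signature(src_ip, dst_ip, fixed, payload, key)
    options = bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + sig + bytes([TCPOPT_NOP, TCPOPT_NOP])
    tcp_len = len(fixed) + len(options) + len(payload)
    csum = checksum(pseudo_header(src_ip, dst_ip, tcp_len) + fixed + options + payload)
    return fixed[:16] + struct.pack("!H", csum) + fixed[18:] + options + payload


def find_md5_option(segment: bytes):
    """Walk the option list; return the 16-byte digest, or None if absent or malformed."""
    opts, i = segment[20:(segment[12] >> 4) * 4], 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if kind == 0 or i + 1 >= len(opts) or opts[i + 1] < 2:
            return None                  # end of list, truncated, or bogus length
        if kind == TCPOPT_MD5SIG and opts[i + 1] == TCPOLEN_MD5SIG:
            return opts[i + 2:i + TCPOLEN_MD5SIG]
        i += opts[i + 1]
    return None


def verify_segment(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bool:
    """Receiver side for a session with a configured key: any segment, RST
    included, whose signature is missing or wrong is discarded before its
    flags are ever looked at."""
    received = find_md5_option(segment)
    if received is None:
        return False
    data_off = (segment[12] >> 4) * 4
    expected = md5_signature(src_ip, dst_ip, segment[:20], segment[data_off:], key)
    return hmac.compare_digest(received, expected)


def demo() -> tuple:
    """Genuine KEEPALIVE from the peer, then an attacker's RST with the right
    4-tuple and sequence number but a guessed key."""
    genuine = build_segment(PEER, LOCAL, 40123, 179, 1_000_000, 2_000_000, ACK, 65535, BGP_KEEPALIVE, KEY)
    forged = build_segment(PEER, LOCAL, 40123, 179, 1_000_000, 0, RST, 0, b"", b"attacker-guess")
    return verify_segment(PEER, LOCAL, genuine, KEY), verify_segment(PEER, LOCAL, forged, KEY)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The signature check runs before the RST flag is processed, which is what takes the reset attack off the table for signed sessions. The costs are that the router computes an MD5 over every segment that carries the option, and that the key is a static shared secret with no rekeying; RFC 5925 (TCP-AO) was later specified as the replacement for exactly those reasons.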
 

techfuzz (Diamond Member, joined Feb 11, 2001)
Just great, on Monday email dies and on Friday the Internet dies. This is turning out to be one great week.

techfuzz
 

DWW (Platinum Member, joined Apr 4, 2003)
For those who don't understand the problem or the extent: don't worry about it. At most it will have the potential to interrupt your internet communication but it won't be able to overflow the TCP/IP stack itself or something and root your box :)
 

Yax (Platinum Member, joined Feb 11, 2003)
Well,

Time to go pull out that old CNE certificate and add a couple of grand into Novell's stock.
 

spidey07 (No Lifer, joined Aug 4, 2000)
Originally posted by: cheapbidder01
Well,

Time to go pull out that old CNE certificate and add a couple of grand into Novell's stock.

The big concern is internet routers and their ability to keep the tables/paths stable.