
Thread: Core Internet technology found vulnerable

  1. #31
    AntiOnline Senior Medicine Man
    Join Date
    Nov 2001
    Posts
    724
    In addition, I thought people might be interested in what major ISPs are doing to deter this kind of attack. Enter MD5 authentication. Look it up... you might be surprised how simple a concept it is.


    Best info I found on this vulnerability.


    http://www.uniras.gov.uk/vuls/2004/236929/index.htm
    It is better to be HATED for who you are, than LOVED for who you are NOT.

    THC/IP Version 4.2
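    The "MD5 authentication" the post refers to is the TCP MD5 signature option (RFC 2385): every segment on a BGP session carries an MD5 digest over the pseudo-header, the TCP header, the data and a shared key, so a spoofed RST that matches the four-tuple and lands in the window is still dropped because the sender does not hold the key. The following is an added example (not code from the thread or from any router vendor) that builds and verifies such a segment in pure Python. The addresses, ports and key are constructed, and the checksum is left zero as it would be at signing time.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6
OPT_EOL, OPT_NOP, OPT_MD5SIG = 0, 1, 19      # option kinds; 19 is the RFC 2385 MD5 signature
FLAG_RST, FLAG_ACK = 0x04, 0x10


def _pseudo_header(src_ip, dst_ip, segment_len):
    # Source IP, destination IP, zero byte, protocol number, TCP length (header + options + data)
    return (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, TCP_PROTO, segment_len))


def _fixed_header(src_port, dst_port, seq, ack, data_offset_words, flags, window):
    # 20-byte TCP header with the checksum zeroed, which is what the digest is computed over.
    # A real stack fills the checksum in only after signing.
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset_words << 4, flags, window, 0, 0)


def md5_signature(src_ip, dst_ip, fixed_header, payload, key):
    """RFC 2385 digest: pseudo-header, TCP header without options (checksum zeroed), data, key."""
    data_offset_words = fixed_header[12] >> 4
    segment_len = data_offset_words * 4 + len(payload)
    h = hashlib.md5()
    h.update(_pseudo_header(src_ip, dst_ip, segment_len))
    h.update(fixed_header)
    h.update(payload)
    h.update(key)
    return h.digest()


def build_signed_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, window, payload, key):
    """Return header + MD5 option + data for a segment signed with the session key."""
    # Option is kind 19, length 18, 16-byte digest; two NOPs pad it to a 32-bit boundary,
    # so the header is 20 + 20 bytes = 10 words.
    fixed = _fixed_header(src_port, dst_port, seq, ack, 10, flags, window)
    digest = md5_signature(src_ip, dst_ip, fixed, payload, key)
    option = bytes([OPT_MD5SIG, 18]) + digest + bytes([OPT_NOP, OPT_NOP])
    return fixed + option + payload


def _find_md5_option(options):
    """Walk the TCP option list and return the 16-byte digest of the MD5 option, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            return None
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return None                      # truncated option
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                      # malformed option length
        if kind == OPT_MD5SIG and length == 18:
            return options[i + 2:i + 18]
        i += length
    return None


def verify_signed_segment(src_ip, dst_ip, segment, key):
    """Accept the segment only if its MD5 option matches a digest computed with our key."""
    if len(segment) < 20:
        return False
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        return False
    received = _find_md5_option(segment[20:header_len])
    if received is None:
        return False                         # unsigned segment on a protected session: drop
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]   # zero the checksum field
    expected = md5_signature(src_ip, dst_ip, fixed, segment[header_len:], key)
    return hmac.compare_digest(received, expected)


def demo():
    """Constructed BGP session between two TEST-NET peers; returns (genuine, wrong key, unsigned, tampered)."""
    key = b"constructed-shared-secret"
    a_ip, b_ip = "192.0.2.1", "198.51.100.2"
    args = dict(src_port=179, dst_port=51234, seq=1000, ack=2000,
                flags=FLAG_RST | FLAG_ACK, window=16384, payload=b"")
    genuine = build_signed_segment(a_ip, b_ip, key=key, **args)
    wrong_key = build_signed_segment(a_ip, b_ip, key=b"guessed", **args)
    unsigned = _fixed_header(179, 51234, 1000, 2000, 5, FLAG_RST | FLAG_ACK, 16384)
    # The genuine segment with its sequence number altered in flight
    tampered = genuine[:4] + struct.pack("!I", 1001) + genuine[8:]
    return tuple(verify_signed_segment(a_ip, b_ip, s, key)
                 for s in (genuine, wrong_key, unsigned, tampered))


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

    Only the first segment passes: the one signed with a different key, the unsigned one, and the one whose sequence number was changed after signing are all rejected before the RST is ever processed. MD5 is a weak hash by today's standards and the key is a static shared secret, which is why later work replaced this option, but the concept the post calls simple is exactly this per-segment keyed digest.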

  2. #32
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    For those interested, the source for the tool posted by TheRealAphex is now on K-otik.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #33
    Senior Member
    Join Date
    Sep 2003
    Posts
    137
    Hey all,

    I get the security updates from WatchGuard because I have a Firebox 700 and like to see the updates. Usually the updates are pretty boring, but I thought this one was kind of interesting.

    The article talks about the flaws of TCP (hehe wow.. really.. a flaw in TCP... how canny is that.... :-) )

    Anyway, it's a good read and short, on TCP-BGP-WatchGuard..... and it also relates to routers that run BGP as a protocol.

    Enjoy!!


    TCP Attack Affects Firebox Models
    Severity: Medium
    22 April, 2004

    Summary
    On Tuesday April 20, several network security news outlets released information about a new Internet attack technique, in anticipation of a major speech on the subject delivered today. Subsequently, many major media outlets distorted the significance of the attack technique. The technique can be used to cause instability and Denial of Service in network routing infrastructures. WatchGuard customers are encouraged to understand the limits and the nature of this attack and take appropriate steps to protect themselves.

    Overview
    On Tuesday April 20, 2004, numerous network security information outlets released an advisory about a "new" Denial of Service (DoS) attack exploiting a weakness in the TCP protocol, one of the building blocks of the Internet. This attack technique is, in fact, not new. It was first brought to light in May 1998 at a Congressional hearing on network security (and has been discussed in some form since the founding of the Internet). What is new is that researcher and statistician Paul A. Watson has shown that exploiting the vulnerability is easier than was previously thought. Major router vendors have known about this new attack for at least four weeks and have been working with their customers to develop patches and get them deployed before public disclosure of the new attack.

    In brief, if an attacker knows the source address and port, and the destination address and port (a four-tuple) for a long-lived TCP session, under certain circumstances the attacker could use this information to reset the connection. Resetting the connection constitutes a DoS against the service.

    What does this mean to me?
    The short answer: Not a lot, unless you're an ISP or you have an unusual network.

    While in theory all applications that use TCP are vulnerable to this attack, in practical terms the exposure is quite limited because most TCP sessions do not last long enough to readily enable the attack. The application that is most susceptible to this attack is called Border Gateway Protocol (BGP), the most common routing protocol on the Internet. BGP provides a way for routers to share information with one another about what addresses they route for. BGP uses a long-lived TCP connection to share this information. Central to BGP is the notion of a peer. Peers exchange information about the networks they route traffic for.

    If an attacker were to reset the connection between two BGP peers, both of them would start the process of rebuilding their routing tables. While the routers are doing that, their ability to route traffic is impaired. If an attacker does this to enough routers with large enough routing tables he could effectively "disconnect" those routers and all of the people who rely on them from the Internet. Since one vulnerable router can disrupt all of its peers whether they are vulnerable or not and the vast majority of ISPs connect their routers with each other using BGP, the major ISPs are taking this very seriously.

    Because BGP is an advanced routing protocol, most small to mid-size organizations don't have the sort of network where BGP is used. For modestly sized networks, BGP is generally more trouble than it's worth. In the typical small to mid-size network, any impact from this attack will probably be indirect, experienced as an inability to get to certain parts of the Internet or, if the attack is directed at the organization's ISP, inability to access the Internet at all.

    How are WatchGuard firewalls affected?
    We believe there are only two aspects of Firebox functionality that would be affected by this new attack.

    A Firebox Vclass configured as a BGP peer.
    As discussed above, BGP is particularly susceptible to this new attack. BGP is one of the dynamic routing protocols the Firebox Vclass supports, and therefore a Vclass product implementing BGP is vulnerable. In order to mitigate the effects of the attack we recommend that you:

    Implement ingress and egress filtering to check that the traffic entering or leaving the network has a source IP address that is expected on the router/firewall interface that receives the traffic.

    Limit the amount of information available through network diagnostic tools and DNS resource records, being careful not to expose TCP port information unnecessarily.
    Note that your Vclass firewall can also be impacted by this new attack if a router with which it peers is successfully attacked. The impact of this attack against the Vclass or the peer would be a disruption in routes handled by BGP.

    The Firebox logging channel
    The Firebox logging channel for Firebox II/III/X maintains a single, long-lived TCP connection, and the source/destination ports and addresses are easily discovered or guessed. This means the Firebox logging channel meets the criteria required for this attack to work. However, since the logging channel will cache log entries on the Firebox until a connection can be re-established, or fail over to a secondary log server in the event the connection between the Firebox and the log server is broken, an attack against the logging channel would have minimal impact on the performance of the network and the ability of an administrator to receive the logs.

    Conclusion
    While the potential impact of this issue is far-reaching for the Internet as a whole, and should cause some concern for all Internet users, most users of WatchGuard products are not likely to be directly impacted by it.
    "Common Sense, isn't that common"
    "It is a lot easier to raise a child then it is to repair an adult"
    -Kruptos
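    The advisory above turns on one detail: a receiver following the original TCP specification aborts a connection on any RST whose sequence number falls anywhere inside its receive window, so an attacker who knows the four-tuple only has to land inside the window, not hit the exact next sequence number. The following is an added example, not part of the WatchGuard advisory or the post, that models that "classic" check beside the stricter check later standardised in RFC 5961 (exact match resets, an in-window but inexact RST only triggers a challenge ACK), and shows how much the window shrinks the sequence space. Session state and candidate sequence numbers are constructed.

```python
SEQ_SPACE = 2 ** 32


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), with 32-bit wraparound."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def classic_rst_check(seq, rcv_nxt, rcv_wnd):
    """RFC 793 receiver: any RST whose sequence number is in the window aborts the connection."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def strict_rst_check(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 receiver: only an exact match resets; in-window but inexact gets a challenge ACK."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge_ack"
    return "drop"


def sequence_values_to_cover(rcv_wnd, strict=False):
    """Distinct sequence numbers that must be tried to guarantee one is accepted (space / step)."""
    step = 1 if strict else rcv_wnd
    return -(-SEQ_SPACE // step)            # ceiling division


def simulate(rcv_nxt, rcv_wnd, candidate_seqs):
    """Tally what each receiver policy does with a batch of RST segments (constructed input)."""
    tally = {"classic": {}, "strict": {}}
    for seq in candidate_seqs:
        for name, check in (("classic", classic_rst_check), ("strict", strict_rst_check)):
            verdict = check(seq, rcv_nxt, rcv_wnd)
            tally[name][verdict] = tally[name].get(verdict, 0) + 1
    return tally


if __name__ == "__main__":
    # Constructed session state: next expected byte 1000, 16 KiB receive window
    seqs = [1000, 5000, 1000 + 16383, 1000 + 16384, 2 ** 32 - 1]
    print(simulate(1000, 16384, seqs))
    print(sequence_values_to_cover(16384), sequence_values_to_cover(16384, strict=True))
```

    With a 16 KiB window the classic receiver accepts three of the five sample RSTs and the search space collapses from 2^32 values to 2^18, which is the point the advisory makes about long-lived sessions; the strict receiver accepts only the exact value, answers the other in-window ones with a challenge ACK that a spoofer never sees, and keeps the full 2^32 space. The two checks are complementary with the MD5 signature option: one removes the window shortcut, the other requires a key the spoofer does not have.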

  4. #34
    Senior Member
    Join Date
    Dec 2001
    Posts
    291
    heh I should check back on my threads more often...

    While the flaw is serious in nature... and BGP keeps getting brought up (along with the gotta know source and destination ports blah blah blah and exploit tool blah blah) I'd like to bring up one important thing to keep in mind.....

    This attack only works on connections with lengthy windows (BGP for instance), while there could be serious threats to DNS, SMTP, and the like.. nobody seems to have prodded much.... In reality, there's a million wide open machines out there on high speed home broadband links which can be quickly compromised (if they haven't been already) by much quicker tools, and can launch more effective attacks with much less effort. We're looking at another fun skiddie sploit and that's really about it.

    We need to focus on awareness of mitigation for the masses (uh, in layman's terms, that means we need to teach Jim Home User to update his damn antivirus) more than anything at this point. If the other much, much smaller (and already patched) vulnerabilities were nonexistent (because users patch and update) then maybe we would have cause for alarm... but of course it doesn't take much to launch any flood based denial of service from a bunch of zombied machines... and this is just another denial of service vulnerability (although more direct and complicated).

    Just my 2 cents... and now I'm broke...
    ~THEJRC~
    I'll preach my pessimism right out loud to anyone that listens!
    I'm not afraid to be alive.... I'm afraid to be alone.
