It's the worst type of news: a flaw has been discovered in one of the very core technologies that makes the Internet possible, namely TCP (Transmission Control Protocol). If successfully exploited, some warn, it has the potential to literally bring networks to a screeching halt.

The first order of business is to make sure the news isn't a hoax or a very late stab at April 1st tomfoolery. Sadly, the news is true (and not so much "new" just not well publicized). There's a bug in TCP, but no need to panic just yet.

After the visions of routers and switches exploding around you in a spectacular fashion subside, it's time to take stock of the situation and take steps to lessen the potential impact.

First, the sky hasn't fallen on the Internet. After all, you're reading this, aren't you? Secondly, some very big tech firms that have many very big brains on the payroll are hard at work at analyzing the threat and rendering it moot. In fact, Cisco has already released patches.

What to do in the meantime?

For starters, you can check out this week's spotlight forum where admins are sharing their experiences with various types of hardware and how they handle the TCP reset problem.

And you can always join the discussion (AO's forums are free, don't forget) and share your own thoughts, concerns, tips and conspiracy theories.


Note: The opinions expressed below are solely those of the individual posters on the AntiOnline forums.

This week's spotlight thread:
Core Internet technology found vulnerable

groovicus alerts AO of the news. thehorse13, however, isn't completely convinced.

The idea of taking down the Internet's core routers has been around forever. In fact, known BGP (Border Gateway Protocol) vulnerabilities have existed for years. Also, the less technical and probably more effective way to knock out a large section of the Internet is to simply destroy the physical location where the routers are housed.
Guus shares this observation:
In short, it's a way of resetting TCP sessions. In most applications (where TCP-sessions are relatively short) this isn't really frightening. However, applications that depend on continuous TCP sessions are in trouble.
Tiger Shark delivers this thoughtful analysis:
...There are a lot of ways to bring down the Internet. The cleanest and easiest has always been the root servers; kill them and you kill the Internet for anyone that doesn't know the IP address of the place you are trying to contact. It's been tried a few times....

IIRC (if I remember correctly) the best attempt brought down 3 of the 17, degraded another 4 and couldn't touch the remaining 10, that's less than a 50% success rate, but the overall effect was much less felt mainly due to lower level servers caching a lot of stuff that they didn't used to and the fact that the attacker has to maintain the attack for a long period -- the longer the attack is required to be in place the more time defenders have to mitigate it.

This attack, mainly successful against BGP, is a little different insofar as it requires the initial shutdown of the protocol while it rebuilds the routing tables and the routes "settle". Once that has occurred it either has to be re-attacked, (can be mitigated if you keep attacking from the same locations), or constantly attacked to keep the routing tables from being created, (also easily mitigated).

The solution is to make single, coordinated attacks from ever changing IP's, in order or spoof the addresses of the attacker. Ever changing IP's are harder to mitigate especially if the originating IP is spoofing too -- but it's trackable over time and requires a large infrastructure on the attacker's part. Simple spoofing from constant IP's, (less burden on the attacker), is relatively easily mitigated with upstream ACL's applied.

People who come up with exploits are excited about them, they see the potential for "huge" disruption easily - they tend to "overlook" the potential burden on the attacker or the relative ease of mitigation in the real world because it detracts from their discovery.

I don't think that this particular exploit will go much further, or as far as, the root server attack that did relatively little harm. The defenders of the "key points" are pretty good too you know.

THEJRC suggests admins take a deep breath, relax, and read up before losing sleep over this.
Before going off the deep end on this like most people have, please read the SANS ISC report:

http://isc.sans.org/diary.php?date=2004-04-20

...and take a good look at the solutions and what is truly affected. Some vendors have previously, or recently fixed this (or at least fixed to the best of their ability). This report also reiterates the most likely use of this flaw. If you weren't using checksums on your BGP and VPN's everywhere possible you should be now.

On a coincidental note, I wonder what with all the recent major vulnerabilities popping up why the media chose to latch on to this one? It's big but the recent SSL issues and even today's Cisco SNMP issue are just as likely to affect backbones.

The Cisco SNMP reload issue can be found here:

http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml

They are right though, when it rains it pours! While we all wait for vendor patches, watch in amazement as 80% of the world doesn't patch, and scream in anguish at the systems we can't patch.

Is the TCP scare giving you nightmares? Discuss it here.


What is AntiOnline?

AntiOnline (AO) is home to many of the most popular network security discussion forums online. Here, participants engage in candid, thought-provoking and enlightening exchanges on the latest hazards and how to protect your systems against them.

We invite you to join the AO community (it's free!), share your wisdom and learn a few things in the process.