Since this was first disclosed there has been considerable controversy over just how serious and how real this threat is.

Because experts differ I felt it was important to tell my readers about the threat and, because it lies at the core of the Internet, I believe this should be considered a critical threat even if it isn't likely to be exploited.

Although a number of experts, including those at SANS, are now saying this isn't a big deal, I note that most of them are qualifying that statement by pointing out that vendors have been scrambling for weeks to get it fixed and are recommending that administrators apply patches ASAP. Draw your own conclusions from that.

At this time I feel that enough routers have been patched that this threat is probably no longer a major threat to the Net, although individual networks may be at considerable risk.

It's always difficult to evaluate the actual level of a particular threat, but when one has such potential for world-wide disruption and has recently been discovered to be much easier to implement than previously thought, I feel it is important to remind people that it is out there, waiting to pounce.
Spoofing a packet requires knowledge of the source address, destination address, and TCP sequence number. Long ago when LAN was the game in town and everyone used a bus architecture (Thick Ethernet, Thin Ethernet, or 10baseT and hubs), sniffing the stream gave you an opportunity to obtain all three pieces of required information with precision.
Now, most networks are or ought to be using Ethernet switches. These switches hide ongoing TCP/IP streams. You can guess at the sequence number by issuing a dummy connect to the target device and talking to it on a well known port, but how are you going to guess what source IP addresses are talking to it?
The risk to the internet itself exists because a Traceroute reveals the neighbors along a particular path. That gets you a pair of IP addresses that you can be reasonably sure talk to each other. Then presumably you initiate a contact, get the sequence number and hammer away. It has always been possible to do this and it was a parlor trick 20 years ago. While the actual spoofed packet has a fake source address, the attack must be preceded by a legitimate contact in order to discover the sequence number. Any device that refuses to talk on any TCP listener to unknown source addresses would seem to be safe; if you cannot probe for the sequence number, you are going to have to guess it, and even a 64-kilobyte window is a tiny drop in the total TCP sequence number space.

The use of huge TCP windows increases the vulnerability. These large windows also increase network loading in a big way if the window must be retransmitted. TCP does not know how to ask for a single missing packet; it can only ask the sender to start transmitting from a particular sequence number (by ACKing that sequence number indicating interest in it).
Beware the temptation to ignore resets; that creates a different opportunity for hackers to append themselves to a session that is supposed to be closed.
Cisco Easy VPN is an interesting critter that uses UDP for transport and thus would seem immune along the tunnel to this kind of attack.
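The arithmetic behind the post above, as an added example that is not part of either comment: a small Python model of the classic in-window RST check (the receiver honours a RST whose sequence number lands anywhere in its current receive window, the rule that RFC 5961 later tightened), a blind sweep of the 32-bit sequence space in steps of the window size, and the multiplier you pay when the client's ephemeral source port is not known either. The connection state, window sizes, port range and the 40-byte packet size are constructed assumptions, not figures from the thread.

```python
"""Blind TCP reset injection: how the receive window shrinks the search.

Added example, not code from either comment. Models the classic (pre-RFC 5961)
rule the second post describes: a RST is honoured if its sequence number falls
anywhere inside the receiver's current window, so an attacker who knows the
4-tuple only needs about 2^32 / window guesses, not 2^32.
"""

SEQ_SPACE = 2 ** 32            # TCP sequence numbers are 32-bit
RST_PACKET_BYTES = 40          # assumed: minimal IPv4 + TCP header, no options


def rst_accepted(seq, rcv_nxt, rcv_wnd):
    """Classic in-window check, with modular arithmetic so wraparound works:
    accept if rcv_nxt <= seq < rcv_nxt + rcv_wnd (mod 2^32)."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def sweep_guesses(rcv_wnd):
    """Spoofed RSTs needed to guarantee a hit when the guessed sequence
    number is stepped by rcv_wnd each time: ceiling of 2^32 / rcv_wnd."""
    return -(-SEQ_SPACE // rcv_wnd)


def blind_rst_sweep(rcv_nxt, rcv_wnd, start_seq=0):
    """Simulate the attacker: send RSTs with seq = start, start+wnd, ...
    until the receiver's check accepts one. Returns packets sent."""
    limit = sweep_guesses(rcv_wnd)
    seq = start_seq % SEQ_SPACE
    for sent in range(1, limit + 1):
        if rst_accepted(seq, rcv_nxt, rcv_wnd):
            return sent
        seq = (seq + rcv_wnd) % SEQ_SPACE
    raise AssertionError("a full sweep must land in the window")


def attack_cost(rcv_wnd, candidate_ports=1):
    """Worst-case packets and bytes for a blind sweep. candidate_ports > 1
    models not knowing the client's ephemeral source port, which multiplies
    the sweep; the well-known server port (e.g. 179 for BGP) is the other side."""
    packets = sweep_guesses(rcv_wnd) * candidate_ports
    return packets, packets * RST_PACKET_BYTES


if __name__ == "__main__":
    # Constructed connection state: the receiver expects byte 1_000_000 next.
    rcv_nxt = 1_000_000
    # 64 KB window, a 16 MB and a 1 GB window reachable with window scaling.
    for wnd in (65_535, 65_536, 2 ** 24, 2 ** 30):
        print(f"window {wnd:>10}: worst case {sweep_guesses(wnd):>6} packets,"
              f" this sweep landed after {blind_rst_sweep(rcv_nxt, wnd)} packets")
    # Unknown ephemeral port in 1024-65535 (64512 candidates) multiplies the cost.
    pkts, nbytes = attack_cost(65_535, candidate_ports=65_535 - 1024 + 1)
    print(f"64 KB window, unknown source port: {pkts} packets, {nbytes / 1e9:.1f} GB")
```

The contrast the post draws falls straight out of `sweep_guesses`: with no window at all the attacker would need every one of 2^32 values, a 64 KB window cuts that to about 65,538 packets (a few megabytes of traffic), and a scaled 16 MB window needs only 256. Not knowing the ephemeral port costs a factor of roughly 64,000, which is why the poster's point about refusing unsolicited connections (so the sequence number cannot be probed) matters less than the window size once the 4-tuple is known.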