A vulnerability found in Transmission Control Protocol (TCP) could allow
an attacker to shut down parts of the Internet, U.S. and U.K. officials said
Tuesday in separate alerts.
The U.K. National Infrastructure Security Coordination (NISCC) said
systems that rely on persistent TCP connections, for example routers
supporting Border Gateway Protocol
(BGP),
vendor and application, according to NISCC, but in some deployment scenarios
it is rated critical.
TCP is one of the main protocols in TCP/IP networks. Whereas the IP
protocol deals only with packets, TCP enables two hosts to establish a
connection and exchange streams of data. TCP guarantees delivery of data and
also guarantees that packets will be delivered in the same order in which
they were sent.
Engineers at Cisco Systems and the NISCC were the first
to find the problem that allows remote attackers to terminate network
sessions. Advisories with NISCC and the CERT Coordination Center suggest
multiple uses of this type of attack could range from data corruption or
session hijacking to a full denial of service
“If an attacker were to send a Reset (RST) packet, for example, they could
cause the TCP session between two endpoints to terminate without any further
communication,” the advisory said. “In the case of BGP systems, portions of the Internet community may be affected. Routing
operations would recover quickly after such attacks ended.”
Both advisories suggest checking with vendors for patches. At press time, Cisco and Juniper Networks issued patches
for Cisco IOS and Juniper JunOS respectively.
If a vendor patch is not available, the advisories suggest:
* Implement IP Security (IPSEC) which will encrypt traffic at the
network layer, so TCP information will not be visible
* Reduce the TCP window size (although this could increase traffic loss
and subsequent retransmission)
* Do not publish TCP source port information
The Internet Engineering Task Force (IETF) has also
published an Internet Draft to coincide with the release of the
advisory.
The advisories and remedies are posted on the NISCC site as well as on the CERT Web
site.