Code exists to exploit TCP flaw

Michael Kanellos CNET News.com

Published: 23 Apr 2004 09:10 BST

Malicious code has been unearthed that can exploit a widely reported flaw in a popular Net protocol and possibly disrupt data transmissions, but experts say the risk of real-world problems remains fairly low.

Security-software maker Symantec said on Thursday that it had confirmed that software now exists that can take advantage of the TCP, or Transmission Control Protocol, vulnerability and that the software has been released publicly. Symantec did not create the exploiting software, but it has confirmed it could work.

The vulnerability primarily affects routers and other devices that handle traffic on the Internet. Discovered by Paul Watson, a security specialist for industry automation company Rockwell Automation, the weakness could allow a knowledgeable attacker to shut down connections between routers -- if left unchecked.

Britain's national emergency response team, the National Infrastructure Security Co-ordination Centre, drew attention to the issue on Tuesday when it released an advisory based on Watson's research. That advisory triggered a spate of alarmist news reports.

Watson said on Wednesday that the reports were overstated -- a fix exists and most large Internet service providers and other companies have already taken remedial actions.

"The actual threat to the Internet is really small right now," Watson said Wednesday at the CanSecWest 2004 conference in Vancouver, British Columbia. "You could have isolated attacks against small networks, but they would most likely be able to recover quickly."

Symantec agreed with his assessment.

"At this time, Symantec has seen no evidence of systems being widely impacted by this exploit," Vincent Weafer, senior director, Symantec Security Response, said in a statement. "Internet service providers are aware of the TCP flaw, and fixes have been made available for some time by multiple vendors. As a result, Symantec does not feel that this exploit will have an immediate impact on Internet activity, disrupt Internet traffic or cause system outages."

The vulnerability allows for what's known as a reset attack. Many network appliances and software programs rely on a continuous stream of data from a single source -- called a session -- and prematurely ending the session can cause a wide variety of problems for devices.

For years, these attacks were considered unlikely because they were thought to require the attacker to guess the identifier of the next data packet in a session. The odds on that are about one in 4.3 billion.

Watson discovered a method that brings the odds closer to one success in 260,000 attempts. An attacker armed with a typical broadband connection could send all 260,000 possible attacks in less than 15 seconds. Watson said Web sites that have routers that share information on the most efficient paths through the Internet -- using the Border Gateway Protocol, or BGP -- are most vulnerable to the attacks.
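The gap between the two odds quoted above comes from how a receiver validates a reset: it accepts any sequence number inside its receive window, not just the exact next one. The following Python model is an added example, not code from the article or from Watson's research; it compares that classic check with the stricter exact-match handling later standardized in RFC 5961, which is shown for comparison and is not necessarily the vendor fix the article mentions. The 16,384-byte window and the sample connection state are assumptions chosen for illustration.

```python
# Added example: receiver-side model of TCP RST acceptance. No packets are sent.
SEQ_SPACE = 2 ** 32       # 32-bit sequence numbers: about 4.3 billion values
ASSUMED_WINDOW = 16384    # assumption: receive window in bytes, not from the article


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2**32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def classic_rst(seq, rcv_nxt, rcv_wnd):
    """Original behaviour: any in-window RST tears the connection down."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def strict_rst(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 behaviour: only an exact match resets the connection;
    an in-window mismatch is answered with a challenge ACK instead."""
    if seq == rcv_nxt:
        return "reset"
    return "challenge_ack" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def values_to_cover(rcv_wnd):
    """Evenly spaced sequence values needed so one must land in the window."""
    return -(-SEQ_SPACE // rcv_wnd)  # ceiling division


def resets_from_sweep(handler, rcv_nxt, rcv_wnd):
    """Count window-spaced sequence values the handler accepts as a reset."""
    return sum(handler(s, rcv_nxt, rcv_wnd) == "reset"
               for s in range(0, SEQ_SPACE, rcv_wnd))


if __name__ == "__main__":
    rcv_nxt = 3_000_000_123  # constructed sample connection state
    print("values to cover the space:", values_to_cover(ASSUMED_WINDOW))
    print("classic check, accepted resets:",
          resets_from_sweep(classic_rst, rcv_nxt, ASSUMED_WINDOW))
    print("strict check, accepted resets:",
          resets_from_sweep(strict_rst, rcv_nxt, ASSUMED_WINDOW))
```

With the assumed window, the count of values needed matches the article's figure of roughly 260,000, and larger receive windows shrink it further.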
