Serious flaw in TCP identified

Researchers have found a serious flaw in one of the key pieces of the Internet's software backbone: TCP (Transmission Control Protocol).


But despite Monday's advisory, the ISN flaw is hardly a new problem. The architects of the early Internet knew that the lack of randomness in the way that ISN (Initial Sequence Numbers) are chosen would be a problem as far back as the mid-1980s and warned of the potential consequences. AT&T Corp. researchers submitted a paper to the Internet Engineering Task Force in 1996 proposing a fix for the problem.

Security vendor Guardent Inc. on Monday announced it has identified a potentially huge problem in the inner workings of TCP (Transmission Control Protocol), one half of the TCP/IP standard that enables Internet traffic to flow across heterogeneous networks.

The problem, which is nearly identical to one found in some implementations of Cisco Systems Inc.'s IOS software two weeks ago and first reported by eWEEK, involves the manner in which machines running TCP select the ISN. The ISN, a random value known only to the two machines at either end of a TCP session, is used to help identify legitimate packets and prevent extraneous data from muddying a transmission.

ISN values are exchanged by the sending and receiving hosts and are supposed to be chosen randomly. Each successive packet then contains a sequence number that is based on the ISN plus the number of bytes transferred to the receiving host.

But if the ISN is not chosen at random, or if it is increased by a predictable increment from one TCP session to the next, an attacker could guess the ISN, thereby enabling him or her to hijack the session's traffic, inject false packets into the stream or even launch a denial of service attack against individual Web servers.
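The two mechanics the article describes, sequence numbers advancing from the ISN by the byte count and an ISN generator whose increments give the next value away, are shown below as an added example; it is not code from the article, from Guardent or from any TCP stack. The `isn_is_predictable` check is the kind of test an auditor runs against a host's own stack: it looks at the differences between the ISNs of successive connections and flags a generator whose differences repeat. The `hashed_isn` function follows the RFC 1948 idea (the AT&T proposal the article alludes to) of adding a keyed per-connection offset to a clock-driven counter; HMAC-SHA256 as the keyed function, the distinct-increment threshold, and the hosts, ports, secret and ISN samples are all assumptions constructed for the demo.

```python
"""Added example: TCP sequence-number bookkeeping and a check for predictable ISNs.

Not code from the article or from Guardent; the hosts, ports, secret and ISN samples
below are constructed for illustration.
"""
import hashlib
import hmac
import struct
from typing import List

MOD32 = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def next_seq(isn: int, bytes_sent: int) -> int:
    """Sequence number of the next byte after `bytes_sent` bytes have been sent.

    This is the "ISN plus the number of bytes transferred" rule, with the wrap at 2^32.
    """
    return (isn + bytes_sent) % MOD32


def isn_increments(samples: List[int]) -> List[int]:
    """Differences between the ISNs of successive connections, modulo 2^32."""
    return [(later - earlier) % MOD32 for earlier, later in zip(samples, samples[1:])]


def isn_is_predictable(samples: List[int], max_distinct: int = 2) -> bool:
    """Return True when the generator's increments repeat.

    A stack that bumps the ISN by a fixed amount per connection (or per clock tick)
    yields a tiny set of distinct increments, so each ISN follows from the previous one.
    A sound generator yields increments that look unrelated. The threshold is a
    constructed heuristic; real auditing tools use a statistical spread measure over
    many samples.
    """
    if len(samples) < 3:
        raise ValueError("need at least three ISN samples to judge increments")
    return len(set(isn_increments(samples))) <= max_distinct


def hashed_isn(clock_ticks: int, src: str, sport: int, dst: str, dport: int, secret: bytes) -> int:
    """ISN = clock + F(connection identity, secret), modulo 2^32.

    This follows the RFC 1948 idea of a per-connection offset derived from a keyed hash:
    the sequence space still advances with the clock (so a reused connection does not
    collide with old segments), but the ISN one peer receives says nothing about the ISN
    handed to another peer. HMAC-SHA256 is this example's choice of F (assumption).
    """
    connection_id = f"{src}:{sport}->{dst}:{dport}".encode()
    digest = hmac.new(secret, connection_id, hashlib.sha256).digest()
    offset = struct.unpack(">I", digest[:4])[0]
    return (clock_ticks + offset) % MOD32


# Constructed weak generator: the ISN grows by a fixed 64000 per connection.
WEAK_ISNS = [(1_000_000 + 64_000 * i) % MOD32 for i in range(6)]


def strong_isns(n: int = 6, secret: bytes = b"constructed-demo-secret") -> List[int]:
    """ISNs the hashed generator hands to n different clients of one server port.

    Constructed scenario: the server clock advances 250000 ticks between connections.
    """
    return [
        hashed_isn(250_000 * i, "192.0.2.10", 40_000 + i, "198.51.100.5", 80, secret)
        for i in range(n)
    ]


if __name__ == "__main__":
    print("weak increments:  ", isn_increments(WEAK_ISNS),
          "predictable:", isn_is_predictable(WEAK_ISNS))
    print("hashed increments:", isn_increments(strong_isns()),
          "predictable:", isn_is_predictable(strong_isns()))
```

Running the module prints five identical increments of 64000 for the weak generator, which the check flags, and five unrelated increments for the hashed generator, which it does not. The hashed generator is still deterministic for a given secret and connection identity, which is what lets the same stack reproduce its own ISNs while an observer of one connection learns nothing about the next.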

However, any attacker looking to exploit this vulnerability would likely have a hard time, security experts say. Not only is it inordinately difficult to identify machines that are vulnerable, but the attacks themselves are quite hard to execute.

And because the flaw has been known for so long, it's unlikely that there are many TCP implementations that are still vulnerable to such attacks.

"This is extremely difficult to do. It's a theoretical attack," said security expert Steve Gibson, of Gibson Research Corp. in Laguna Hills, Calif. "It's weird that they're talking about something like this. It's as old as the hills."

While they acknowledge that it takes a very knowledgeable cracker to exploit the TCP flaw, Guardent officials defended the timing of their advisory and said it's only a matter of time before someone develops a set of tools to do the job and posts them on the Internet.

"The hard part was the reduction of this from theory to practice," said Jerry Brady, vice president of research and development at Guardent, of Waltham, Mass. "But if someone makes a tool for this available, it wouldn't take a very experienced person to [launch an attack]."

Guardent officials alerted CERT and the affected vendors to the problem before making it public.

"We're trying to break new ground here," Brady said. "We were intentionally vague about the details of the problem. We want to work with the vendors to fix this."