[Csci551-talk] Re: Csci551-talk Digest, Vol 4, Issue 14
bhavin shukla
bshukla at usc.edu
Wed Apr 21 14:57:38 PDT 2004
Oops, I forgot to add that:
1) This looks like a special case of the TCP hijacking problem to me, where you basically hijack a connection by guessing a port on which you expect TCP communications to be taking place and then just send a RESET to it.
2) And since BGP uses TCP, if this attack were directed towards a BGP router, then BGP routers would also be affected as they rely on persistent connections.
3) Also, if you check the advisories, they say that you can get over this problem by using IPSEC (so TCP info will not be seen) OR by not publishing TCP source port info on the web.
----- Original Message -----
From: csci551-talk-request at mailman.isi.edu
Date: Wednesday, April 21, 2004 12:00 pm
Subject: Csci551-talk Digest, Vol 4, Issue 14
>
> Today's Topics:
>
> 1. strange article.. (Rahul Pilani)
> 2. Re: strange article.. (mike wakerly)
> 3. Re: strange article.. (mike wakerly)
> 4. Re: strange article.. (rajesh shroff)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 21 Apr 2004 01:21:41 -0700
> From: Rahul Pilani <pilani at usc.edu>
> Subject: [Csci551-talk] strange article..
> To: csci551-talk at mailman.isi.edu
> Message-ID: <40862F15.40201 at usc.edu>
> Content-Type: text/plain; charset=us-ascii; format=flowed
>
> This is an article from WIRED Magazine regarding a security flaw on the
> internet. I have edited it a little to remove the unnecessary parts. The
> whole article can be read at :
> http://www.wired.com/news/technology/0,1282,63143,00.html?tw=wn_tophead_2
>
> I had some questions regarding the article..
> here it is:
> >>Researchers found a serious security flaw that left core Internet
> technology vulnerable to hackers.
> >>Experts said the flaw, disclosed Tuesday by the British government,
> affects the underlying technology for nearly all Internet traffic.
> >>Left unaddressed, they said, it could allow hackers to knock
> computers offline and broadly disrupt vital traffic-directing devices,
> called routers,
> >>that coordinate the flow of data among distant groups of computers.
> >>
> >>The flaw affecting TCP, was discovered late last year by a computer
> researcher in Milwaukee, Paul "Tony" Watson, 36,
> >>who said he identified a method to reliably trick personal computers
> and routers into shutting down electronic conversations by resetting the
> machines remotely.
> >>
>
> Is it similar to age-old hacking techniques like buffer-overflow etc?..
>
> >>Routers continually exchange important updates about the most
> efficient traffic routes between large networks.
>
> How is exchanging routes concerned with TCP ?
> I think what the so-called "Technical Writer" is referring to is some
> routing protocol like BGP..
>
> >>Continued successful attacks against routers can cause them to go
> into a stand-by mode, known as "dampening," that can persist for hours.
>
> What is the dampening mode that is being talked about?.. Is it OS
> specific or is part of any protocol?
> >>
> >>Experts previously maintained such attacks could take between four to
> 142 years to succeed because they require guessing a rotating number from
> >>roughly 4 billion possible combinations. Watson said he can guess the
> proper number with as few as four attempts, which can be accomplished
> within seconds.
>
> Combinations of what?..
> Does anybody have anymore details of what this article is all about?? or
> is it just paranoia?..
>
> Regards,
> Rahul Pilani
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 21 Apr 2004 01:44:49 -0700
> From: mike wakerly <wakerly at usc.edu>
> Subject: Re: [Csci551-talk] strange article..
> To: csci551-talk at ISI.EDU
> Message-ID: <268B8748-9370-11D8-8E13-000A95A6AAA6 at usc.edu>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> On Apr 21, 2004, at 1:21 AM, Rahul Pilani wrote:
> > Is it similar to age-old hacking techniques like buffer-overflow etc?..
>
> No, the flaw is not nearly as general. It seems that many TCP stacks
> incorrectly handle RST commands in a TCP connection, and as a
> consequence, could be tricked into closing a connection. It is
> important to realize that this seems to be an implementation flaw --
> TCP doesn't need to be changed, but some stacks may.
>
> > >>Routers continually exchange important updates about the most
> > efficient traffic routes between large networks.
> >
> > How is exchanging routes concerned with TCP ?
> > I think what the so-called "Technical Writer" is referring to is some
> > routing protocol like BGP..
>
> Right, I think something I read earlier today about this mentioned BGP
> explicitly. Whatever that article was, it suggested BGP connections
> could be targeted because (1) they are generally left open (eg,
> long-lived), and (2) resetting and hence killing such a connection
> could cause wider-spread disconnection -- at least until, say,
> withdrawn routes are re-advertised.
>
> > >>Continued successful attacks against routers can cause them to go
> > into a stand-by mode, known as "dampening," that can persist for
> > hours.
> >
> > What is the dampening mode that is being talked about?.. Is it OS
> > specific or is part of any protocol?
>
> No idea :)
>
> > >>Experts previously maintained such attacks could take between four
> > to 142 years to succeed because they require guessing a rotating
> > number from
> > >>roughly 4 billion possible combinations. Watson said he can guess
> > the proper number with as few as four attempts, which can be
> > accomplished within seconds.
> >
> > Combinations of what?..
> > Does anybody have anymore details of what this article is all about??
> > or is it just paranoia?..
>
> To simplify, injecting a packet into a TCP flow is hard because
> predicting the sequence number is hard. The flaw here is that someone
> observed a TCP implementation that accepts RST packets with not only
> the next sequence number, but any sequence number within a certain
> window. By reducing the space of acceptable sequence numbers, the
> difficulty in injecting a packet is reduced.
>
> I'd say this is mostly paranoia. It's an easy problem to fix, and in
> the meantime, not likely to be terribly widespread.
>
> Cheers,
> Mike
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 21 Apr 2004 01:52:14 -0700
> From: mike wakerly <wakerly at usc.edu>
> Subject: Re: [Csci551-talk] strange article..
> To: Rahul Pilani <pilani at usc.edu>
> Cc: csci551-talk at mailman.isi.edu
> Message-ID: <2F4D95AE-9371-11D8-8E13-000A95A6AAA6 at usc.edu>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> On Apr 21, 2004, at 1:21 AM, Rahul Pilani wrote:
> > Watson said he can guess the proper number with as few as four
> > attempts, which can be accomplished within seconds.
>
> PS: From this admission, you can guess that he found a TCP
> implementation that accepts any sequence number within an 8-bit window.
> (First guess is in [0,2**8), next in [2**8,2**16), and so on..)
>
> Cheers,
> Mike
>
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 21 Apr 2004 02:13:58 -0700
> From: rajesh shroff <rshroff at usc.edu>
> Subject: Re: [Csci551-talk] strange article..
> To: mike wakerly <wakerly at usc.edu>
> Cc: csci551-talk at ISI.EDU
> Message-ID: <9ed98f012400.4085d8e6 at usc.edu>
> Content-Type: text/plain; charset=us-ascii
>
> Dampening is a feature introduced for the routing protocols to consider a
> router down and not available for routing of packets till that router is
> stable (no flapping).
> Browsing further through the CISCO IOS SOFTWARE RELEASES
> Link:
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bc8.html#wp1024977
> This para is imp:
> The IP Event Dampening feature introduces a configurable exponential decay
> mechanism to suppress the effects of excessive interface flapping events
> on routing protocols and routing tables in the network. This feature
> allows the network operator to configure a router to automatically
> identify and selectively dampen a local interface that is flapping.
> Dampening an interface removes the interface from the network until the
> interface stops flapping and becomes stable. Configuring the IP Event
> Dampening feature improves convergence times and stability throughout the
> network by isolating failures so that disturbances are not propagated,
> which reduces the utilization of system processing resources by other
> devices in the network and improves overall network stability.
>
> After reading through this it also now makes sense with the statement in
> the article as :
>
> """> > >>Continued successful attacks against routers can cause them to go
> > > into a stand-by mode, known as "dampening," that can persist for
> > > hours."""
>
> So now as Mike said killing such an active BGP connection would cause
> wider-spread disconnection -- at least until, say, withdrawn routes are re-
> advertised.
> And as per this feature of dampening, this particular router will not be
> available to the network for routing purposes and hence will disrupt the
> normal routing procedure.
>
> does this not make more sense now.....
>
>
>
>
>
> ------------------------------
>
>
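As an added illustration, not written by any poster in this thread, here is a small Python model of the receiver-side check Mike describes: the lenient stack aborts on any RST whose sequence number lands anywhere in the receive window, while an exact-match check (the approach later standardized in RFC 5961, which answers an in-window but inexact RST with a challenge ACK) does not. The coverage arithmetic shows how the window size, and the number of candidate ports that the point about not publishing source ports refers to, set the number of blind guesses; the connection state values are constructed.

```python
# Added example (not from the thread): model of a TCP receiver's RST check.
SEQ_SPACE = 2 ** 32  # 32-bit sequence numbers wrap modulo this


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq falls in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2**32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def lenient_rst_check(seq, rcv_nxt, rcv_wnd):
    """Behaviour described in the thread: any in-window RST tears the
    connection down, so a blind sender only has to land inside the window."""
    return "abort" if seq_in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def strict_rst_check(seq, rcv_nxt, rcv_wnd):
    """Hardened check (the approach later standardized in RFC 5961): only an
    RST carrying exactly RCV.NXT aborts. An in-window but inexact RST gets a
    challenge ACK; a genuine peer answers it with a correctly numbered RST,
    a blind sender cannot."""
    if seq == rcv_nxt:
        return "abort"
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def guesses_to_cover(rcv_wnd, candidate_ports=1, exact_match=False):
    """Segments needed to cover the whole sequence space for every candidate
    port: one per window under the lenient check, one per sequence number
    under the exact-match check."""
    per_port = SEQ_SPACE if exact_match else -(-SEQ_SPACE // rcv_wnd)  # ceil
    return per_port * candidate_ports


if __name__ == "__main__":
    rcv_nxt, rcv_wnd = 0x12345678, 65535  # constructed connection state
    blind_seq = rcv_nxt + 4000             # in window, but not RCV.NXT
    print("lenient:", lenient_rst_check(blind_seq, rcv_nxt, rcv_wnd))  # abort
    print("strict: ", strict_rst_check(blind_seq, rcv_nxt, rcv_wnd))   # challenge-ack
    for wnd in (1024, 65535, 2 ** 16):
        print(f"window {wnd:>6}: {guesses_to_cover(wnd):>10} guesses, "
              f"{guesses_to_cover(wnd, exact_match=True)} with exact match")
```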