Fun with tcp.


R. Clayton (rclayton@clayton.cs.monmouth.edu)
(no date)


[George Huber sent this in. You can find Robert Morris' 1985 paper on
 hijacking TCP sessions at
 ftp://ftp.research.att.com/dist/internet_security/117.ps.Z]

       March 12 - For the second time in as many months, researchers have found
a serious flaw in one of the key pieces of the Internet's software backbone.
Security vendor Guardent on Monday announced it has identified a potentially
huge problem in the inner workings of TCP (Transmission Control Protocol), one
half of the TCP/IP standard that enables Internet traffic to flow across
heterogeneous networks.
       In January, researchers identified several holes in the BIND (Berkeley
Internet Name Domain) software that runs most of the Internet's name servers.
       The latest problem, which is nearly identical to one found in Cisco
Systems' IOS software two weeks ago and first reported by eWEEK, involves the
manner in which machines running TCP select the ISN (Initial Sequence
Number). The ISN, a random value known only to the two machines at either end
of a TCP session, is used to help identify legitimate packets and prevent
extraneous data from muddying a transmission.
        ISN values are exchanged by the sending and receiving hosts and are
supposed to be chosen randomly. Each successive packet then contains a sequence
number that is based on the ISN plus the number of bytes transferred to the
receiving host.
       But if the ISN is not chosen at random or if it is increased by a
non-random increment in subsequent TCP sessions, an attacker could guess the
ISN, thereby enabling him or her to hijack the session's traffic, inject false
packets into the stream or even launch a denial-of-service attack against
individual Web servers.
       Despite Monday's advisory, the ISN flaw is hardly a new problem. The
architects of the early Internet knew that the lack of randomness in the ISN
would be a problem as far back as the mid-1980s and warned of the potential
consequences. Indeed, AT&T researchers submitted a paper to the Internet
Engineering Task Force in 1996 proposing a fix for the problem.
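The two paragraphs above describe the weak pattern (an ISN that just grows by a fixed step from one connection to the next) and allude to the proposed fix. The following model, added here as an example and not part of the forwarded article or the original post, puts the two side by side: a legacy generator with a constant per-connection increment, and a generator built the way RFC 1948 (S. Bellovin, 1996) describes, which I assume is the AT&T proposal the article refers to, where ISN = M + F(local host, local port, remote host, remote port, secret). The audit function is the check a defender would run against a stack under test: observe a few ISNs, try the simplest constant-delta model, and see whether the next one is guessable. The 4-tuples, the fixed clock, and the HMAC-SHA256 stand-in for the keyed hash are all constructed for the example; a real RFC 1948 implementation used MD5, and the exact function is not what matters, only that it is keyed and per-connection.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Sequence, Tuple

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around
# (local host, local port, remote host, remote port)
FourTuple = Tuple[str, int, str, int]


def legacy_isn_generator(increment: int = 64000) -> Callable[[FourTuple], int]:
    """Model of the weak behaviour the article describes: one global counter,
    bumped by a fixed amount for every new connection, regardless of the peer.
    The increment value is a constructed example, not a specific stack's."""
    state = {"counter": 0}

    def next_isn(four_tuple: FourTuple) -> int:
        state["counter"] = (state["counter"] + increment) % MOD
        return state["counter"]

    return next_isn


def rfc1948_isn_generator(clock_us: Callable[[], int],
                          secret: Optional[bytes] = None) -> Callable[[FourTuple], int]:
    """ISN = M + F(4-tuple, secret) in the style of RFC 1948. M is a timer that
    ticks every 4 microseconds; F is a keyed hash (HMAC-SHA256 here as a stand-in),
    so each connection lives in its own sequence space and watching other
    connections reveals nothing about this one's offset."""
    if secret is None:
        secret = secrets.token_bytes(16)  # per-boot secret, generated here

    def next_isn(four_tuple: FourTuple) -> int:
        local, lport, remote, rport = four_tuple
        msg = f"{local}:{lport}->{remote}:{rport}".encode()
        f = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
        m = clock_us() // 4
        return (m + f) % MOD

    return next_isn


def next_seq(isn: int, bytes_sent: int) -> int:
    """Sequence number of the next data byte: the SYN consumes one number, then
    every byte transferred consumes one more. Wraps at 2**32."""
    return (isn + 1 + bytes_sent) % MOD


def constant_delta_guess(observed: Sequence[int]) -> Optional[int]:
    """Simplest model of the flaw: if every observed ISN differs from the previous
    one by the same amount, the next one continues the pattern; otherwise give up."""
    deltas = {(b - a) % MOD for a, b in zip(observed, observed[1:])}
    if len(observed) >= 2 and len(deltas) == 1:
        return (observed[-1] + deltas.pop()) % MOD
    return None


def audit_isn_generator(gen: Callable[[FourTuple], int], tuples: Sequence[FourTuple],
                        probes: int = 3) -> Dict[str, object]:
    """Defender's check: open `probes` connections, then see whether the ISN of
    the following connection is guessable from the pattern alone."""
    observed = [gen(t) for t in tuples[:probes]]
    guess = constant_delta_guess(observed)
    actual = gen(tuples[probes])
    return {"observed": observed, "guess": guess, "actual": actual,
            "predictable": guess == actual}


# Constructed sample: four connections from one client to one web server,
# differing only in the client's ephemeral port (documentation addresses).
SAMPLE_TUPLES = [("192.0.2.10", 40000 + i, "198.51.100.80", 80) for i in range(4)]

if __name__ == "__main__":
    legacy = audit_isn_generator(legacy_isn_generator(), SAMPLE_TUPLES)
    print("legacy generator predictable:", legacy["predictable"], legacy)
    # A fixed clock keeps the run reproducible; a live stack's M keeps advancing.
    rfc = audit_isn_generator(rfc1948_isn_generator(lambda: 1_000_000), SAMPLE_TUPLES)
    print("RFC 1948 generator predictable:", rfc["predictable"], rfc)
```

With the legacy generator the audit reports the fourth ISN exactly from the first three; with the RFC 1948 construction the deltas between connections are hash-driven and the constant-delta model returns no guess at all, while the same 4-tuple still gets a monotonically increasing ISN as the timer advances, which is the property RFC 1948 preserves so that old duplicate segments are not accepted into a new incarnation of the same connection.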
       While they acknowledge that it takes a very knowledgeable cracker to
exploit the TCP flaw, Guardent officials say it's only a matter of time before
someone develops a set of tools to do the job and posts them on the Internet.
       "The hard part was the reduction of this from theory to practice," said
Jerry Brady, vice president of research and development at Guardent, in
Waltham, Mass. "But if someone makes a tool for this available, it wouldn't
take a very experienced person to [launch an attack]."
       Guardent officials alerted CERT and affected vendors to the problem
before making it public - still, they are likely to take some heat for
publicizing the flaw before a fix is ready.
       "We're trying to break new ground here," Brady said. "We were
intentionally vague about the details of the problem. We want to work with the
vendors to fix this."



This archive was generated by hypermail 2.0b3 on Sun May 06 2001 - 20:30:05 EDT