This article originally appeared in TidBITS on 2004-04-26 at 12:00 p.m.
The permanent URL for this article is:
Include images: Off

Serious TCP Weakness Identified

by Glenn Fleishman

We've become accustomed to being in a constant state of emergency on the Internet. Stories appear about the potential for massive disruption of the Internet and we file them away as more hype that never materializes, like the Y2K threat. Unfortunately, the latest very technical - but very real - short-term threat to the Internet shouldn't be dismissed so easily.

Paul Watson, an information security specialist in Milwaukee, Wisconsin, has discovered and demonstrated that a previously known weakness in the integrity of how data flows between two connected systems over TCP, the lingua franca of the Internet, can be exploited up to a billion times more easily than suspected as recently as three years ago.

< 111A.html>

While this flaw might not ever touch your personal computer - and Microsoft has already said they don't plan to patch Windows XP - it has a small potential to hurt less-sophisticated segments of the Internet, and a medium-to-high potential of disrupting corporate and academic networks and internal ISP networks.

A Lurking Weakness -- TCP and its cousin UDP are specifications for bundling data (protocols) that sit in the transport layer of the abstract model of networking: they deal with delivering data of varying kinds. When you transmit a length of data, like a file, it has to be broken into smaller pieces or packets, labeled with a destination address, and then handed off over a physical medium like Ethernet, Wi-Fi, or a DSL line for transportation.

Application protocols, such as HTTP (for Web pages) and FTP (for file transfer), work above TCP and UDP. HTTP requests, for instance, are broken down into TCP packets. IP (Internet Protocol) sits below TCP and allows TCP packets to be addressed to particular recipients.

To create a connection between two points on the Internet to carry out any task, the sender initiates a TCP connection over IP to the other point. If the receiver is listening at a particular location, a numbered local address known as a TCP port (kind of like an apartment in an apartment building), and it likes what it hears from the sending point, a connection is opened in both directions.

Because the Internet always has many paths by which packets may be sent from one point to another, TCP packets can be received and reassembled in any order with some constraints. A sending and a receiving machine negotiate how many packets they send in a given chunk or window. When two machines agree that four packets will be sent, packets 1 through 4 could arrive as 3, 1, 2, 4 or 4, 3, 2, 1, or even 1, 2, 3, 4 and be reassembled into the original order.

If the receiver misses a packet, it can ask for a retransmission depending on the packet's particular data type and protocol. (Some data types, like streaming media, tolerate omissions; others handle retransmission at a layer above TCP.)

The initial number in a sequence isn't 1, however; instead, it is derived from an extremely large potential set (2 raised to the 32nd power) and created in a more or less random fashion. Any attempt to tamper with a given stream of data from one point to another must be able to generate an appropriate sequence number that's not a duplicate, as duplicates are typically ignored, and that falls within the range of the chunk size or "window" that the sender and receiver negotiated.

Here's the weakness: the faster the connection between the two machines, the bigger the window, the longer the sequence, and the fewer tries it can take to generate a packet that has a sequence number that's unique and that the receiving device will accept. The trick is that any sequence number that's legitimate for the entire length of the window can be generated and accepted.

Before 2001, researchers thought this didn't pose a problem. They viewed it as a guess-what-number-I'm-thinking game, where the number guessed turned out to always be wrong.

In 2001, researchers discovered new information about the problem that made them change the game. It became, "I'm thinking of a number between one and four billion." It would take four days to four years to win that game randomly, they said.

Now, however, the latest weakness could be stated as, "I'm thinking of a billion numbers between one and four billion. Guess any one of those." Computationally, it's a much easier problem to solve, with probabilities as high as 1 in 4.

If an attacker gains the ability to insert arbitrary packets in the data stream, he can send a packet set with a connection reset or synchronize flag. In the former case, this disrupts the connection entirely; in the latter, it can cause backing-off behavior that makes it less and less likely that any packets would be accepted from the legitimate sender over longer periods of time, even hours with some routers.

This exploit requires that the source and destination IP addresses are spoofed, which is a technique that dates back to 23-Jan-95. Spoofing lets you create packets containing arbitrary addresses. Smart ISPs and companies and router firms have patched or modified their configurations long ago (or changed the default out of the box configuration) to avoid this. But spoofing is still a widespread problem because of the computational load it adds to routers.


With this capability in hand, crackers could use distributed denial of service attacks using machines all over the world that have been hijacked through worms and viruses and turned into zombies for running these sorts of attacks. The machines would need to be on networks on which IP spoofing hasn't been protected against. But given a large enough pool of machines, there are likely to be millions that meet those characteristics, and a tiny number is ultimately all that's needed to perform massive top-level disruption.

Paul Watson, in his research, showed that it could require as little as 15 seconds to exploit this weakness on a router or other system connected via a T1 line.

What Can Be Done about It? Fortunately, when this latest exploit was discovered, secret meetings took place among government and industry officials in several countries to try to patch the problem before it could be exploited at the highest levels of the Internet.

While the explanations quickly become ridiculously complicated for those of us who don't specialize in Internet protocols, several solutions are available.

So, Will the Internet Collapse? It's highly likely that network attackers armed with this information are building tools right now, and that attacks will be launched. It's also highly likely that these attacks will be successful on machines belonging to people who are napping. The most vulnerable parts of the Internet - unpatched, insecure, spoofable segments - will drop off until the operators of those segments figure out the difference between their heads and a packet in the ground.

Individual machines, while they could be affected, are unlikely targets, but they are likely to be turned into weapons by crackers from previous virus or worm infections. But the solutions that fix this problem at higher Internet levels will protect against most of the methods by which this attack can be carried out.

In university networks, which have lots of trust and many different kinds of users, there's a high likelihood that without proper internal controls, malevolent souls will be able to disrupt operations, even if the university has the right fixes on their Internet routers.

Likewise, within companies that allow any outside access and on Internet service provider networks in which local checks might be less sophisticated or severe than checks outside the local network, disruption is a possibility and might be hard to track down.

Long term, as always, the Internet will route around problems. Areas that can't be reached may go dark, but it's a short-term problem that requires upgrades and intelligence, not a reworking of the Internet.

PayBITS: Was Glenn's explanation of the TCP weakness helpful?
Consider thanking him with a few bucks via PayPal!
Read more about PayBITS: <>