TCP vulnerability: cancel red alert [LWN.net]

The mainstream press has been quick to proclaim a new vulnerability which threatens the entire Internet. CNN, for example, tells us: "Flaw could shut down Internet traffic". A bit of time spent actually understanding the problem will quickly make it clear, for most users, there is little to worry about.

There are several parameters which identify a particular TCP packet. The source and destination addresses are exactly that: who sent the packet, and who is to receive it. The destination port number allows the packet to be routed to the proper process on the receiving system; on the server side of a connection, the destination port will usually be a well-known number assigned to a specific service. For example, the process which receives electronic mail will be expecting it to arrive on port 25. The source port identifies the process which sent the packet. On the client (initiating) side of a connection, the source port is ostensibly a random number, though, in practice, they tend to be assigned in a sequential (and thus predictable) way. Yet another parameter is the sequence number, which describes where the packet fits within the overall stream. The initial sequence numbers for a connection are assigned randomly; they then increase as data is sent over the connection.

TCP packets also have a "flags" field for control purposes. One of those flags is called "reset" or "RST"; it indicates that the sending side is shutting down the connection immediately. Resets typically happen when one side receives a packet for a connection it knows nothing about. Suppose you log into a remote system with ssh, then go out for lunch; while you are eating, the remote system is rebooted. When you return and try to type over the connection, the remote system will have no record of it, so it will send back a reset packet. That's when you get that fun "connection reset by peer" message.

Suppose you were an Internet vandal looking to shut down other people's connections. This could be accomplished by sending the right sort of reset packet. Crafting this packet is not an entirely easy thing to do: you have to match all five of the parameters listed above. Presumably coming up with source and destination addresses would not be too hard, if you know which connection you are targeting. One of the two port numbers will probably be a well-known service number, and thus easily accessible. The other port number will require a guess, but the range of possible numbers is, in many cases, small. The hardest part is the sequence number; it is a randomly-chosen, 32-bit number. In the past, poor initial sequence number generation has allowed protocol attacks, but most of those problems are long since fixed. To mount a reset attack against a modern TCP implementation, the attacker must work through the entire space of 4 billion possible sequence numbers; by the time that has been accomplished, chances are the target connection will have shut down normally anyway.

Except, as it turns out, that is not entirely true. TCP uses a "receive window" to control the flow of data. The window gives a range of sequence numbers for which the destination is prepared to receive data; this window can vary widely between systems, but 32KB is a fairly common size. Since the two sides of a TCP connection may not share the exact same idea of what the current sequence number is (one side may have sent packets that the other has not received), a reset packet with a sequence number that falls anywhere inside the receive window will be honored. Thus an attacker need not try every possible sequence number; attempts may, instead, be spaced as widely as the probable receive window. That changes the situation significantly; if the other four parameters are correct, a usable sequence number can be found with less than 100,000 attempts. It does not take very long to send that many (very short) packets, even over a relatively slow connection.

So, a dedicated attacker stands a fairly good chance of shutting down a connection. What are the implications of this? Very few, for the most part. In general, the damage caused by a prematurely closed connection is small; the user swears and restarts their download operation. It would be hard to use this technique to shut down a web server; HTTP connections tend to be short-lived to begin with. That is why the largest threat is seen to be for applications which use long-lived TCP connections for some important task. The BGP protocol used for much of the core Internet routing is one such case; most of the affected systems have already been fixed, however.

For those who are in a situation where this sort of attack could pose a threat, there are a few things which can be done, including using IPSec, which is not vulnerable to this sort of problem, or configuring networking to use a smaller window size (but be aware that performance can be reduced). The IETF has also come up with a proposed protocol change which addresses the problem: when a reset packet is received which, while falling within the receive window, does not exactly match the sequence number, the receiving side will send an acknowledgment rather than immediately resetting the connection. That acknowledgment will contain the current sequence number as seen by the side receiving the reset, which will allow the sending of a second reset packet with the exact sequence number.

Some vendors (mostly router manufacturers) are issuing software updates to implement the IETF suggestion. Most of us, however, can sit back and look for something else to worry about.

(Log in to post comments)

TCP vulnerability: cancel red alert

Posted Apr 22, 2004 13:02 UTC (Thu) by pflugstad (subscriber, #224) [Link]

That's fine for most things but for BGP it's a problem. BGP is driven by announcemnts - routers announce to their peers the routes they are providing. If the TCP connection is reset a router has to remove the announcements that peer was making to it. This could easily cause loss of connectivity for large portions of the Internet.

TCP vulnerability: cancel red alert

Posted Apr 22, 2004 15:46 UTC (Thu) by MathFox (guest, #6104) [Link]

I'm feeling somewhat uncomfortable when reading more about BGP: It looks like the protocol is also sensitive to data insertion attacks. Would it be possible to reroute the TCP connection you attack through a man-in-the-middle router? I really need some tea now to get the bad taste out of my mouth!

TCP vulnerability: cancel red alert

Posted Apr 22, 2004 18:03 UTC (Thu) by pflugstad (subscriber, #224) [Link]

Most BGP operators use MD5 signatures on their BGP sessions, using a shared secret between the two BGP peers. This effectively adds fairly string authentication over the connection. It also mitigates this attack. The recent NANOG discussion covers this.

TCP vulnerability: cancel red alert

Posted Apr 22, 2004 11:05 UTC (Thu) by jbh (subscriber, #494) [Link]

A protocol change seems overkill for a problem that should be rather simple to fix. Any of these would do:

- Make ISPs implement ingress filtering to kill off spoofed source addresses. This is good against all DoS attacks, and I really don't understand why there's not more pressure to do so. Pressure == refusal to peer with ISPs without filtering.

- More randomness in transient port selection. Would make this kind of guessing a few orders of magnitude harder, ie. not practical. I mean, this is hardly a new attack it just haven't been considered practical before.

- Specifically protecting BGP or other vulnerable protocols by either (1) ingress source filtering, (2) ingress TTL filtering (3) md5 signing of packets

Finally, to quote (from memory) davem: Anyone who suggests replying to an RST doesn't understand tcp.

TCP vulnerability: cancel red alert

Posted Apr 22, 2004 13:16 UTC (Thu) by pflugstad (subscriber, #224) [Link]

This doesn't work except at the very edge of the network. And it creates problems with multi-homed networks where traffic could be going out one connection and back in another. It can't be used on the core of anyones network at all, which is where this type of attack would be most effective. NANOG has had extensive discussions on this subject in the last few months - see their mailing lists. NANOG has also been discussing this problem for the last few days.

Also, with the large number of Zombie systems out there, spoofing IP addresses is not needed for DDoS attacks.

TCP vulnerability: cancel red alert

Posted Apr 22, 2004 18:28 UTC (Thu) by jbh (subscriber, #494) [Link]

All true. Anti-spoof-filtering must be done at the edge. Very few ISPs currently do this, because there is no pressure for them to do so. There is no advantage in doing it. But if everybody did, everybody would be better off. Prisoner's dilemma. Needs "outside" pressure to get to best solution.

Regarding DoS though, while a DoS doesn't require spoofed source addresses, it does make it much much harder to stop.

ingress filtering to stop source address spoofing

Posted Apr 23, 2004 21:28 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

This doesn't work except at the very edge of the network.

Doing it at the edge would probably be sufficient.

In fact, I thought it already was already done there. Can an AOL or Earthlink or Road Runner home Internet user send packets with arbitrary source IP addresses into the Internet? Have we had Internet hacks recently using spoofed IP source addresses?

It doesn't have to be the very edge, does it? Just beyond the point where the Internet becomes a tree. I assume most of the Internet nodes are in that outer region.