Massive TCP Flaw Looming



Yesterday, following up after recording the podcast on clickjacking, I was talking with Robert Hansen about the TCP flaw some contacts of his found over in Sweden. He wrote it up in his column on Dark Reading, and Dennis Fisher over at TechTarget also has some information up.

Basically, it’s a massive unpatched denial of service attack that can take down nearly anything that uses TCP, in some cases forcing remote systems to reboot or potentially causing local damage. The attack is codified in a tool called “Sockstress”, and Robert E. Lee and Jack C. Louis seem to be having trouble getting the infrastructure vendors to pay attention. I can’t help but think it’s because they are with a smaller company in Sweden; had this fallen into the hands of one of the major US vendors/labs, methinks the alarm bells would be ringing a tad louder.

From what Robert told me, supported by the articles, this tool allows an attacker to basically take down anything they want from nearly anywhere (like a home connection).

Robert and Jack are trying to report and disclose responsibly, and I sure as heck hope the vendors are listening. Now might be the time for you big end users to start asking them questions about this. It’s hard to block an attack when it takes down your firewall, IPS, and the routers connecting everything.

One interesting tidbit: since this is in TCP, it also affects IPv6.

-Rich


7 comments

  1. Rory Mccune Oct 2

    It’ll be interesting to get additional information on this, some of the stories about it are making very dire predictions, but at the moment I’m not quite seeing it.

    I’ve read the slides presented at Sec-T and from that what it seemed to me to be is a neat way to allow a single machine to do a TCP-level DoS which would previously have required a larger number of machines, but not something which couldn’t be done by anyone with a rented botnet…

  2. rmogull Oct 2

    Yeah, that’s what it looks like, and I’m about to do another post on it…

  3. Albert Oct 3

    You guys see what Fyodor had to say about it?

  4. rmogull Oct 3

    Yep- and a few others. I just put up an updated post. Bad, but not terrible.
