Login  |  Register  |  Contact

Massive TCP Flaw Looming

Yesterday, following up after recording the podcast on clickjacking, I was talking with Robert Hansen about the TCP flaw some contacts of his found over in Sweden. He wrote it up in his column on Dark Reading, and Dennis Fisher over at TechTarget also has some information up.

Basically, it’s massive unpatched denial of service attack that can take down nearly anything that uses TCP, in some cases forcing remote systems to reboot or potentially causing local damage. Codified in a tool called “Sockstress”, Robert E. Lee and Jack C. Louis seem to be having trouble getting the infrastructure vendors to pay attention. I can’t but help think it’s because they are with a smaller company in Sweden; had this fallen into the hands of one of the major US vendors/labs methinks the alarm bells would be ringing a tad louder.

From what Robert told me, supported by the articles, this tool allows an attacker to basically take down anything they want from nearly anywhere (like a home connection).

Robert and Jack are trying to report and disclose responsibly, and I sure as heck hope the vendors are listening. Now might be the time for you big end users to start asking them questions about this. It’s hard to block an attack when it takes down your firewall, IPS, and the routers connecting everything.

One interesting tidbit- since this is in TCP, it also affects IPv6.

—Rich

No Related Posts
Previous entry: Clickjacking The Network Security Podcast | | Next entry: Get Rich Quick With Network Security

Comments:

If you like to leave comments, and aren't a spammer, register for the site and email us at info@securosis.com and we'll turn off moderation for your account.

By Rory Mccune  on  10/01  at  12:12 PM

It’‘ll be interesting to get additional information on this, some of the stories about it are making very dire predictions, but at the moment I’‘m not quite seeing it.

I’‘ve read the slides presented at Sec-T and from that what it seemed to me to be is a neat way to allow a single machine to do a TCP-level DoS which would previously have required a larger number of machines, but not something which couldn’‘t be done by anyone with a rented botnet…

By rmogull  on  10/02  at  12:16 AM

Yeah, that’s what it looks like, and I’‘m about to do another post on it…

By Albert  on  10/03  at  12:29 AM

you guys see what fyodor had to say about it?

By Why The TCP Attack Is Likely Bad  on  10/03  at  12:36 AM

[...] been a bunch of new information coming out the past few days about the potential big TCP denial of service flaw. The three most informative posts I’ve read [...]

By rmogull  on  10/03  at  12:37 AM

Yep- and a few others. I just put up an updated post. Bad, but not terrible.

By * Contact Email: rmogull@securosis.com Twitter: rm  on  10/03  at  07:53 AM

[...] 3, 2008 There’s been a bunch of new information released over the past few days about the potential big TCP denial of service flaw. The three most informative posts I’ve read [...]

Name:

Email:

Remember my personal information

Notify me of follow-up comments?