Vulnerabilities / Threats
11/10/2008
02:34 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Don't Blame TCP/IP

Recently disclosed threats to the Internet's IP infrastructure turn spotlight on the protocols -- but protection hinges more on politics and business than technology

A potentially lethal DNS cache-poisoning flaw. A man-in-the-middle Internet routing attack (PDF). And a mysterious denial-of-service attack using the Transmission Control Protocol (TCP): These recently exposed threats to the Internet are potentially lethal, but do they signal a security meltdown of the underlying Transmission Control Protocol/Internet Protocol (TCP/IP) protocols?

On the surface, it appears that the 30-something TCP/IP protocol stack may finally be showing its age, at least when it comes to security. Revelations of new possible attack risks to the Internet's infrastructure have basically refocused attention on the TCP/IP protocols and, oddly enough, at a time when attackers are mostly setting their sights on application-layer hacks.

But security experts say these attacks don't demonstrate TCP/IP flaws, but instead the vulnerabilities in applications and a lack of secure endpoint communications. Besides, TCP/IP wasn't built with security in mind, they argue.

Dan Kaminsky, who discovered the DNS cache poisoning flaw, says TCP/IP isn't broken, but what makes these TCP/IP-type attacks so significant is their potential scope. "The point is not that TCP/IP is vulnerable. In fact, of all the code out there, TCP/IP doesn't even register anymore as a source of real [security] issues [today]...between browser bugs on the client and endemic cross-site scripting and SQL injection flaws on the server," Kaminsky says. "The point is that when TCP/IP has an issue, so much else is affected."

Kaminsky blames weak endpoint and application security for putting TCP/IP at risk. "In both the BGP [man-in-the-middle] and DNS cases, the impact is so much greater than it has any right to be. It shouldn't matter that a bad guy can read or reroute your traffic; applications should be encrypting and authenticating everything to their intended endpoints," he says.

The DNS cache poisoning flaw Kaminsky found, for example, redirects victims to a malicious Website without their knowing, and the man-in-the middle attack exploits functions of the Border Gateway Protocol (BGP) to reroute Internet traffic remotely.

Meanwhile, ISPs apparently are worried about the risk of these infrastructure-based attacks: They rank DNS cache poisoning as the No. 2 most significant threat during the next 12 months -- just behind botnets and followed by BGP/route hijacking and DDoS attacks on infrastructure services such as VoIP and DNS, according to a report due for release Tuesday by Arbor Networks.

The three newly discovered TCP/IP threats are really not new, however. The DNS cache poisoning and BGP routing attack disclosures exploit flaws that have been known about for years: "The [new] DNS and BGP attacks are better-engineered versions of the sorts of threats we've known about for a long time," says Steven Bellovin, professor of computer science at Columbia University and one of the fathers of the network firewall. Bellovin says he and another researcher first discovered the underlying flaw in BGP 20 years ago, and he wrote about DNS "contamination" in 1990.

These attacks are basically faster. "The speed has changed, not the threats," says Craig Labovitz, chief scientist for Arbor Networks. "The law of physics hasn't changed -- there's just more awareness that you can do the attacks and do them better."

It took Kaminsky only tens of seconds to poison the DNS cache in his research, for example, while it used to take anywhere from tens of minutes to hours to do so, Labovitz notes.

Details of the TCP DoS vulnerability that executes a denial-of-service attack against broadband Internet connections have not yet been disclosed, but the researchers who found it say it's basically a function of vulnerabilities that have been around for some time. "This doesn't mean we're the first to see them," says Robert E. Lee, chief security office of Outpost24, and one of the researchers who discovered the attack.

The flaw lets an attacker take down computers by sending out just a few malicious TCP packets. "The difference between our research and what we've seen others do...they've rarely taken it to the next step, [showing] when you use this attack against an application, what are the consequences?" hints Jack Lewis, a senior researcher with Outpost24, who discovered the attack. "We try to make test cases."

NEXT: How to improve IP instrastructure security Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.