Vulnerabilities / Threats
11/10/2008
02:34 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Don't Blame TCP/IP

Recently disclosed threats to the Internet's IP infrastructure turn spotlight on the protocols -- but protection hinges more on politics and business than technology

A potentially lethal DNS cache-poisoning flaw. A man-in-the-middle Internet routing attack (PDF). And a mysterious denial-of-service attack using the Transmission Control Protocol (TCP): These recently exposed threats to the Internet are potentially lethal, but do they signal a security meltdown of the underlying Transmission Control Protocol/Internet Protocol (TCP/IP) protocols?

On the surface, it appears that the 30-something TCP/IP protocol stack may finally be showing its age, at least when it comes to security. Revelations of new possible attack risks to the Internet's infrastructure have basically refocused attention on the TCP/IP protocols and, oddly enough, at a time when attackers are mostly setting their sights on application-layer hacks.

But security experts say these attacks don't demonstrate TCP/IP flaws, but instead the vulnerabilities in applications and a lack of secure endpoint communications. Besides, TCP/IP wasn't built with security in mind, they argue.

Dan Kaminsky, who discovered the DNS cache poisoning flaw, says TCP/IP isn't broken, but what makes these TCP/IP-type attacks so significant is their potential scope. "The point is not that TCP/IP is vulnerable. In fact, of all the code out there, TCP/IP doesn't even register anymore as a source of real [security] issues [today]...between browser bugs on the client and endemic cross-site scripting and SQL injection flaws on the server," Kaminsky says. "The point is that when TCP/IP has an issue, so much else is affected."

Kaminsky blames weak endpoint and application security for putting TCP/IP at risk. "In both the BGP [man-in-the-middle] and DNS cases, the impact is so much greater than it has any right to be. It shouldn't matter that a bad guy can read or reroute your traffic; applications should be encrypting and authenticating everything to their intended endpoints," he says.

The DNS cache poisoning flaw Kaminsky found, for example, redirects victims to a malicious Website without their knowing, and the man-in-the middle attack exploits functions of the Border Gateway Protocol (BGP) to reroute Internet traffic remotely.

Meanwhile, ISPs apparently are worried about the risk of these infrastructure-based attacks: They rank DNS cache poisoning as the No. 2 most significant threat during the next 12 months -- just behind botnets and followed by BGP/route hijacking and DDoS attacks on infrastructure services such as VoIP and DNS, according to a report due for release Tuesday by Arbor Networks.

The three newly discovered TCP/IP threats are really not new, however. The DNS cache poisoning and BGP routing attack disclosures exploit flaws that have been known about for years: "The [new] DNS and BGP attacks are better-engineered versions of the sorts of threats we've known about for a long time," says Steven Bellovin, professor of computer science at Columbia University and one of the fathers of the network firewall. Bellovin says he and another researcher first discovered the underlying flaw in BGP 20 years ago, and he wrote about DNS "contamination" in 1990.

These attacks are basically faster. "The speed has changed, not the threats," says Craig Labovitz, chief scientist for Arbor Networks. "The law of physics hasn't changed -- there's just more awareness that you can do the attacks and do them better."

It took Kaminsky only tens of seconds to poison the DNS cache in his research, for example, while it used to take anywhere from tens of minutes to hours to do so, Labovitz notes.

Details of the TCP DoS vulnerability that executes a denial-of-service attack against broadband Internet connections have not yet been disclosed, but the researchers who found it say it's basically a function of vulnerabilities that have been around for some time. "This doesn't mean we're the first to see them," says Robert E. Lee, chief security office of Outpost24, and one of the researchers who discovered the attack.

The flaw lets an attacker take down computers by sending out just a few malicious TCP packets. "The difference between our research and what we've seen others do...they've rarely taken it to the next step, [showing] when you use this attack against an application, what are the consequences?" hints Jack Lewis, a senior researcher with Outpost24, who discovered the attack. "We try to make test cases."

NEXT: How to improve IP instrastructure security Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6477
Published: 2014-11-23
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4...

CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?