Vulnerabilities / Threats
11/10/2008
02:34 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Don't Blame TCP/IP

Recently disclosed threats to the Internet's IP infrastructure turn spotlight on the protocols -- but protection hinges more on politics and business than technology

A potentially lethal DNS cache-poisoning flaw. A man-in-the-middle Internet routing attack (PDF). And a mysterious denial-of-service attack using the Transmission Control Protocol (TCP): These recently exposed threats to the Internet are potentially lethal, but do they signal a security meltdown of the underlying Transmission Control Protocol/Internet Protocol (TCP/IP) protocols?

On the surface, it appears that the 30-something TCP/IP protocol stack may finally be showing its age, at least when it comes to security. Revelations of new possible attack risks to the Internet's infrastructure have basically refocused attention on the TCP/IP protocols and, oddly enough, at a time when attackers are mostly setting their sights on application-layer hacks.

But security experts say these attacks don't demonstrate TCP/IP flaws, but instead the vulnerabilities in applications and a lack of secure endpoint communications. Besides, TCP/IP wasn't built with security in mind, they argue.

Dan Kaminsky, who discovered the DNS cache poisoning flaw, says TCP/IP isn't broken, but what makes these TCP/IP-type attacks so significant is their potential scope. "The point is not that TCP/IP is vulnerable. In fact, of all the code out there, TCP/IP doesn't even register anymore as a source of real [security] issues [today]...between browser bugs on the client and endemic cross-site scripting and SQL injection flaws on the server," Kaminsky says. "The point is that when TCP/IP has an issue, so much else is affected."

Kaminsky blames weak endpoint and application security for putting TCP/IP at risk. "In both the BGP [man-in-the-middle] and DNS cases, the impact is so much greater than it has any right to be. It shouldn't matter that a bad guy can read or reroute your traffic; applications should be encrypting and authenticating everything to their intended endpoints," he says.

The DNS cache poisoning flaw Kaminsky found, for example, redirects victims to a malicious Website without their knowing, and the man-in-the middle attack exploits functions of the Border Gateway Protocol (BGP) to reroute Internet traffic remotely.

Meanwhile, ISPs apparently are worried about the risk of these infrastructure-based attacks: They rank DNS cache poisoning as the No. 2 most significant threat during the next 12 months -- just behind botnets and followed by BGP/route hijacking and DDoS attacks on infrastructure services such as VoIP and DNS, according to a report due for release Tuesday by Arbor Networks.

The three newly discovered TCP/IP threats are really not new, however. The DNS cache poisoning and BGP routing attack disclosures exploit flaws that have been known about for years: "The [new] DNS and BGP attacks are better-engineered versions of the sorts of threats we've known about for a long time," says Steven Bellovin, professor of computer science at Columbia University and one of the fathers of the network firewall. Bellovin says he and another researcher first discovered the underlying flaw in BGP 20 years ago, and he wrote about DNS "contamination" in 1990.

These attacks are basically faster. "The speed has changed, not the threats," says Craig Labovitz, chief scientist for Arbor Networks. "The law of physics hasn't changed -- there's just more awareness that you can do the attacks and do them better."

It took Kaminsky only tens of seconds to poison the DNS cache in his research, for example, while it used to take anywhere from tens of minutes to hours to do so, Labovitz notes.

Details of the TCP DoS vulnerability that executes a denial-of-service attack against broadband Internet connections have not yet been disclosed, but the researchers who found it say it's basically a function of vulnerabilities that have been around for some time. "This doesn't mean we're the first to see them," says Robert E. Lee, chief security office of Outpost24, and one of the researchers who discovered the attack.

The flaw lets an attacker take down computers by sending out just a few malicious TCP packets. "The difference between our research and what we've seen others do...they've rarely taken it to the next step, [showing] when you use this attack against an application, what are the consequences?" hints Jack Lewis, a senior researcher with Outpost24, who discovered the attack. "We try to make test cases."

NEXT: How to improve IP instrastructure security Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4262
Published: 2014-07-28
svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-...

CVE-2013-4840
Published: 2014-07-28
Unspecified vulnerability in HP and H3C VPN Firewall Module products SECPATH1000FE before 5.20.R3177 and SECBLADEFW before 5.20.R3177 allows remote attackers to cause a denial of service via unknown vectors.

CVE-2013-7393
Published: 2014-07-28
The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions...

CVE-2014-2974
Published: 2014-07-28
Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts.

CVE-2014-2975
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.