[Dshield] Vulnerability Issues in TCP

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Thu Apr 22 17:03:11 GMT 2004

list-bounces at lists.dshield.org wrote on Thursday, April 22,
2004 6:51 PM UTC+3 on behalf of Rick Klinge

| Our upstream provider has quit using BGP over 2 years ago and we have never
| used it.  Does this still mean that "ANY Persistent TCP" connection could be
| disrupted??
| TNX,
| ~Rick

Rick et al.

IMHO, yes.

Please see the following excerpts (further below, with respective links).

Several security-related sources stress the importance of patches from vendor(s) or mitigation.

- Pete

  "They believe that nothing will happen 
                  because they have closed their doors."
             Maurice Maeterlinck (1862-1949); Belgian author.

II. Impact

Sustained exploitation of the TCP injection vulnerability with regard to the BGP vulnerability
could lead to a denial-of-service condition that could affect a large segment of the Internet
community. Normal operations would most likely resume shortly after the attack stopped.

Since the TCP/IP Initial Sequence Number vulnerability (VU#498440) has been proven to be a more viable
attack, any services or sites that rely on persistent TCP sessions could also be affected by
this vulnerability. Impacts could range from data corruption or session hijacking to a
denial-of-service condition.

III. Solution
Apply a patch from your vendor

Please see your vendor's statement regarding the availability of patches, updates and mitigation.

* Deploy and Use Cryptographically Secure Protocols
* Ingress filtering
* Network Isolation
* Egress filtering

The impact of this vulnerability varies by vendor and application, but in some deployment scenarios
it is rated critical. Please see the vendor section below for further information. Alternatively
contact your vendor for product specific information.

If exploited, the vulnerability could allow an attacker to create a Denial of Service condition
against existing TCP connections, resulting in premature session termination. The resulting session
termination will affect the application layer, the nature and severity of the effects being
dependent on the application layer protocol. The primary dependency is on the duration of the TCP
connection, with a further dependency on knowledge of the network (IP) addresses of the end points
of the TCP connection.

The Border Gateway Protocol (BGP) is judged to be potentially most affected by this vulnerability.

BGP relies on a persistent TCP session between BGP peers. Resetting the connection can result in
medium-term unavailability due to the need to rebuild routing tables and route flapping. Route
flapping may result in route dampening (suppression) if the route flaps occur frequently within a
short time interval. The overall impact on BGP is likely to be moderate based on the likelihood of
successful attack. If the TCP MD5 Signature Option and anti-spoofing measures are used then the
impact will be low as these measures will successfully mitigate the vulnerability.

There is a potential impact on other application protocols such as DNS (Domain Name System) and SSL
(Secure Sockets Layer) in the case of zone transfers and ecommerce transactions respectively, but
the duration of the sessions is relatively short and the sessions can be restarted without medium
term unavailability problems. In the case of SSL it may be difficult to guess the source IP

Data injection may be possible. However, this has not been demonstrated and appears to be


But researchers later noticed that ISNs were not completely random. A very good pair of papers by
Michal Zalewski (Strange Attractors and TCP/IP Sequence Number Analysis, and Strange Attractors
and TCP/IP Sequence Number Analysis - One Year Later) describe why the less-than-random behavior of
standard TCP/IP implementations can be a security problem. Zalewski's analysis is that modern
operating systems could be successfully attacked with fewer than 200 trials. That's not a lot of
traffic, and depending on how closely your security staff scrutinizes IDS logs, it could be
somewhat difficult to detect.

The recent report from Paul Watson exacerbates an already difficult situation. The new results
indicate attackers do not have to successfully guess an initial sequence number, merely a value
within a particular window of acceptable ISNs.

Network users are advised to check with their OS vendors for patches or work-arounds.

