A pair of security experts are now discussing several fundamental issues with the TCP protocol that can be exploited to cause denials of service and resource consumption on virtually any remote machine that has a TCP service listening
The problems, which were identified as far back as 2005, are not simply vulnerabilities in products from one or two vendors, but are issues with the ways in which routers, PCs and other machines handle TCP connection requests from unknown, remote machines. The attacks can be carried out with very little bandwidth, such as that available on a cable modem, and there don't appear to be any workarounds or fixes for the problems at this point.
"So far there hasn't been a lot of activity on mitigation strategies," said Robert E. Lee, chief security officer of Outpost24, a Swedish vulnerability assessment firm. Jack Louis, a senior security researcher at Outpost24, developed the attacks. Louis discovered the TCP problems and he and Lee have developed an attack framework for the issues. The framework, called Sockstress, enables them to plug in the various attack types at will. "We've been talking to a major router vendor and a supplier of operating systems, but it hasn't gotten very far."
Lee and Louis, who will present their findings at the T2 Conference in Helsinki in mid-October, are not releasing the details of the flaws, but Lee said that they evolve from the way that Web servers and other machines handle the three-way TCP handshake at the beginning of a new connection. Their attacks enable them to consume all of the resources of a given TCP service. In some cases, the attacks can cause the remote machine to reboot.
Lee said that Louis discovered the issue when the pair were doing large-scale penetration tests that required them to scan tens of thousands of IP addresses. To make life easier, Louis wrote a tool called Unicornscan , which is a distributed TCP/IP stack that can be used for TCP scanning. It was while reviewing packet dumps from scans with the tool that Louis noticed some anomalies.
"We noticed that certain systems would start resending certain packet responses continuously until they were rebooted," Lee said. "That was the light bulb going off. We said, There's some sort of state mechanism that we're triggering here."
Many TCP servers use a technique known as a SYN cookie in order to prevent attackers using spoofed IP addresses from launching SYN flood denial-of-service attacks against them. The cookie is essentially a chosen TCP initial sequence number that is calculated using some specific hashed metadata that reflects the details of the specific TCP connection. Once the client returns a correct packet to the server, the server knows that the client isn't using a forged IP address.
Sockstress computes and stores so-called client-side SYN cookies and enables Lee and Louis to specify a destination port and IP address. The method allows them to complete the TCP handshake without having to store any values, which takes time and resources. "We can then say that we want to establish X number of TCP connections on that address and that we want to use this attack type, and it does it," Lee said.
Lee and Louis have been able to execute a number of different attacks, which consumer various resources on the server, including memory, kernel timers and counters, and applications. Lee said that when and if specific vendors develop workarounds for the issues, they will release details of those issues.
"The best advice I have right now is don't allow anonymous connections. Make whitelist so only certain IP addresses can come in," Lee said, acknowledging the impracticality of that for a Web server or mail server or virtually any other TCP-enabled device. "There's no real workaround right now."