Router vendors and their ISP customers last week scurried to patch two security holes that could enable denial-of-service attacks and knock out Internet service to enterprise users.
The first vulnerability, in TCP itself, would let attackers mount a DoS attack by resetting the TCP connections that carry Border Gateway Protocol (BGP) sessions, according to the U.K.'s National Infrastructure Security Co-Ordination Centre (NISCC). BGP is the main routing protocol the Internet uses.
The second was specific to Cisco routers, through which the majority of Internet traffic flows. The vendor discovered a flaw in the way certain versions of its IOS software process SNMP traffic that could corrupt router memory and force the device to restart unexpectedly, disrupting service to enterprise and service provider customers.
Some users considered the TCP/BGP problem the more serious of the two. Argonne National Laboratory, a U.S. Department of Energy research facility in Chicago, has decided to accelerate and broaden the rollout of packet authentication on some of its BGP sessions to help thwart DoS attacks.
"Picking up the pace on that is a good thing to do," says Scott Pinkerton, network solutions manager at the lab.
Rockwell Automation information security specialist Paul Watson, who discovered the TCP vulnerability, shared his findings last week at the CanSecWest conference in Vancouver in his presentation "Slipping in the Window: TCP Re-Set Attacks." The NISCC was the first to issue a public alert, followed hours later by the U.S. Department of Homeland Security with assistance from CERT.
Watson revealed a new twist on "classic attacks against TCP," and one that primarily affects BGP routers, says Shawn Hernan, senior member of the technical staff at CERT. If the attacker can guess a sequence number that falls anywhere within the receiver's window (the range of sequence numbers the receiver will accept, set by the advertised window size), rather than the exact next number, he can spoof the source address and port numbers and put a packet on the wire that the receiver will accept as valid.
If it is a reset packet, the spoofed segment causes the session to be torn down. To prevent this exploitation, ISPs and large corporations that run BGP routers are urged to use the TCP MD5 signature option (RFC 2385): each segment carries an MD5 hash computed over the segment and a secret key shared by the two peers, so the receiver can check that a packet really came from its peer, although some in the industry have expressed concern about MD5's processing overhead (www.nwfusion.com, DocFinder: 1750).
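The mechanism in the two paragraphs above, worked through as an added example in Python (this code is not from the article, from Watson's talk or from any vendor): a simulated receiver applies the in-window test for a RST, an attacker who knows both addresses and ports sweeps the 32-bit sequence space in window-sized steps instead of guessing the exact number, and the same receiver with the RFC 2385 TCP MD5 signature option configured rejects the spoofed segment because the attacker cannot compute the hash without the shared key. The addresses, ports, window size and key are constructed values, not from the article.

```python
import hashlib
import hmac
import ipaddress
import struct

SEQ_SPACE = 1 << 32   # TCP sequence numbers are 32-bit
TCP_PROTO = 6
FLAG_RST = 0x04
BGP_PORT = 179


def rst_in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test for a segment carrying no data: its sequence
    number must fall in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2**32. A RST
    anywhere in that range tears the connection down, which is why the attacker
    only has to hit the window, not the exact number."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_guesses_to_cover_space(rcv_wnd):
    """Worst-case number of RSTs, stepped rcv_wnd apart, needed to land one in
    every possible window position (on average about half that). With
    rcv_wnd == 1 this degenerates to the classic 2**32 exact-number guess."""
    return -(-SEQ_SPACE // rcv_wnd)


def spoofed_rsts_until_reset(rcv_nxt, rcv_wnd):
    """Simulate an attacker who knows both endpoints and ports but not the
    sequence number: walk the space in window-sized steps and count the spoofed
    RSTs sent before an unauthenticated receiver accepts one."""
    seq, sent = 0, 0
    while True:
        sent += 1
        if rst_in_window(seq, rcv_nxt, rcv_wnd):
            return sent
        seq = (seq + rcv_wnd) % SEQ_SPACE


def tcp_fixed_header(src_port, dst_port, seq, flags, window):
    """20-byte TCP header without options. The checksum field is 0 because
    RFC 2385 computes the signature 'assuming a checksum of zero'."""
    data_offset = 5 << 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                       data_offset, flags, window, 0, 0)


def tcp_md5_signature(src_ip, dst_ip, header, payload, key):
    """RFC 2385 TCP MD5 signature option value: MD5 over the IP pseudo-header,
    the TCP header (options excluded), the segment data, and the shared key."""
    seg_len = len(header) + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    return hashlib.md5(pseudo + header + payload + key).digest()


def build_rst(src_ip, dst_ip, src_port, dst_port, seq, key=None):
    """A RST segment as the sender puts it on the wire; it carries a signature
    only if the sender holds a key (the spoofing attacker does not)."""
    header = tcp_fixed_header(src_port, dst_port, seq, FLAG_RST, 0)
    sig = tcp_md5_signature(src_ip, dst_ip, header, b"", key) if key is not None else None
    return {"src_ip": src_ip, "dst_ip": dst_ip, "header": header, "payload": b"", "md5": sig}


def receiver_accepts_rst(seg, rcv_nxt, rcv_wnd, key=None):
    """Receiver-side decision. Without a configured key any in-window RST is
    honoured. With TCP MD5 configured the signature must be present and match,
    so an in-window spoof from someone without the key is dropped."""
    seq = struct.unpack("!HHI", seg["header"][:8])[2]
    if not rst_in_window(seq, rcv_nxt, rcv_wnd):
        return False
    if key is None:
        return True
    expected = tcp_md5_signature(seg["src_ip"], seg["dst_ip"],
                                 seg["header"], seg["payload"], key)
    return seg["md5"] is not None and hmac.compare_digest(seg["md5"], expected)


if __name__ == "__main__":
    # Constructed example values (assumptions for this demo, not from the article).
    peer_a, peer_b = "192.0.2.1", "192.0.2.2"
    rcv_nxt, rcv_wnd = 0x7A3F0001, 16384
    print("RSTs to sweep the space with window", rcv_wnd, "->", rst_guesses_to_cover_space(rcv_wnd))
    print("spoofed RSTs until reset (no MD5):", spoofed_rsts_until_reset(rcv_nxt, rcv_wnd))
    secret = b"constructed-bgp-session-key"
    spoof = build_rst(peer_a, peer_b, 20000, BGP_PORT, rcv_nxt + 100)           # attacker, no key
    print("spoof accepted without MD5:", receiver_accepts_rst(spoof, rcv_nxt, rcv_wnd))
    print("spoof accepted with MD5:", receiver_accepts_rst(spoof, rcv_nxt, rcv_wnd, secret))
    legit = build_rst(peer_a, peer_b, 20000, BGP_PORT, rcv_nxt + 100, secret)   # real peer
    print("signed RST accepted with MD5:", receiver_accepts_rst(legit, rcv_nxt, rcv_wnd, secret))
```

The sweep count makes the "window" point concrete: a 16 KB receive window cuts the search from 2**32 exact guesses to 262,144 window-sized steps, a volume an attacker can send in minutes. The MD5 check is what removes the guess entirely, and it is also where the overhead the article mentions comes from, since the receiver hashes every inbound segment of the session.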
Whether or not MD5 is the remedy, some ISPs are fortifying their networks proactively. Without providing details because of security concerns, MCI says it is working with its vendors and customers to ensure its network remains secure, a spokeswoman says.
MCI's network was operating normally last week, she says. AT&T and Sprint did not comment by press time.
Meanwhile, among the router vendors, Cisco last week issued security advisories, software fixes and planned fixes, and workarounds on the TCP vulnerability for its IOS-based and non-IOS-based systems. As of last week, no Cisco customers reported any exploitations to the vendor, a spokesman says.
Juniper also says it is not aware of any customers having been affected by this vulnerability. The vendor says it modified its TCP stack to reduce the likelihood of a successful attack.
Avici Systems says the TCP vulnerability is "not a realistic attack mechanism" for carrier core routers because most carriers do not make it possible to reach the BGP applications on the core router via the Internet. As a result, none of Avici's customers have been affected, says Esmeralda Swartz, Avici director of product and strategic marketing.
But Cisco customers had to grapple with an IOS SNMP message handling vulnerability in addition to the TCP hole. According to Cisco, the SNMP flaw affects routers and switches running IOS versions 12.0 through 12.3.
Cisco says that it patched the flaw and published information on updating IOS with new versions of the operating system.
Oliver Friedrichs, senior manager with Symantec security response, says code to launch a DoS attack is available on the Web. "We consider this a serious threat, but that being said, a number of our customers have had access to the patch for this vulnerability for some time now," he says.
The IDG News Service contributed to this report.