
Security flaws occupy router vendors, ISPs

By , and Phil Hochmuth, Network World
April 26, 2004 12:14 AM ET

Network World - Router vendors and their ISP customers last week scurried to patch two security holes that could enable denial-of-service attacks and knock out Internet service to enterprise users.

The first vulnerability, in TCP, would let hackers create a DoS attack by interrupting Border Gateway Protocol (BGP) sessions that use TCP, according to the U.K.'s National Infrastructure Security Co-Ordination Centre (NISCC). BGP is the main routing protocol the Internet uses.

The second was specific to Cisco routers, through which the majority of Internet traffic flows. The vendor discovered a flaw in the way certain versions of its IOS software process SNMP traffic that could corrupt router memory and force the device to restart unexpectedly, disrupting service to enterprise and service provider customers.

Some users considered the TCP/BGP problem the more serious of the two. Argonne National Laboratory, a U.S. Department of Energy research facility in Chicago, has decided to accelerate and broaden the rollout of packet authentication on some of its BGP routes to help thwart DoS attacks.

"Picking up the pace on that is a good thing to do," says Scott Pinkerton, network solutions manager at the lab.

Rockwell Automation information security specialist Paul Watson, who discovered the TCP vulnerability, shared his findings last week at the CanSecWest conference in Vancouver in his presentation "Slipping in the Window: TCP Re-Set Attacks." The NISCC was the first to issue a public alert, followed hours later by the U.S. Department of Homeland Security with assistance from CERT.

Watson revealed a new twist on "classic attacks against TCP," and one that primarily affects BGP routers, says Shawn Hernan, senior member of the technical staff at CERT. If the attacker can guess the packet sequence in the range known as the "window size," he can spoof the port number and source address and put a packet on the wire that the receiver will accept as a valid packet.

If it's a re-set packet, the spoofed packet can cause the session to be torn down. To prevent this exploitation, ISPs and large corporations that use BGP routers are urged to make use of what's called the MD5 hash - a cryptographic process for checking packet authenticity from the sender to the receiver, although some in the industry have expressed concern regarding MD5's processing overhead (www.nwfusion.com, DocFinder: 1750).

Whether MD5 is the remedy, some ISPs are fortifying their networks proactively. Without providing details because of security concerns, MCI says it is working with its vendors and customers to ensure its network remains secure, a spokeswoman says.

MCI's network was operating normally last week, she says. AT&T and Sprint did not comment by press time.

Meanwhile, among the router vendors, Cisco last week issued security advisories, software fixes and planned fixes, and workarounds on the TCP vulnerability for its IOS-based and non-IOS-based systems. As of last week, no Cisco customers reported any exploitations to the vendor, a spokesman says.
