A vulnerability found in the Transmission Control Protocol (TCP) implementation could allow an attacker to terminate existing TCP connections, causing a denial of service condition.
As per the TCP implementation according to RFC 793, a TCP session can be reset by sending RST or SYN packets with a spoofed source IP address and TCP port.
Although this is a well known weakness of TCP, until recently it was believed not to be exploitable, since the receiving TCP implementation also checks the sequence number of the RST or SYN packet. The sequence number is a 32-bit number, giving a guessing probability of 1/2^32.
A recent research paper published by Paul A. Watson has revealed that the probability of guessing an acceptable sequence number is much higher than 1/2^32, because the receiving TCP implementation will accept any sequence number within a certain range, or "window", of the expected sequence number. The window makes TCP reset attacks practical. If the ISN of an existing connection can be determined within some practical range, a malicious agent may be able to close or hijack the connection.
The Border Gateway Protocol (BGP) is found to be potentially the most affected by this vulnerability. BGP depends on a persistent TCP session between BGP peers. Resetting the connection can result in medium-term unavailability due to the need to rebuild routing tables, and in route flapping. Route flapping may result in route dampening (suppression) if the route flaps occur frequently within a short time interval.
The various workarounds suggested are as follows:
- Implement IP Security (IPsec), which will encrypt traffic at the network layer, so TCP header information will not be visible
- Reduce the TCP window size, although this could increase traffic loss and subsequent retransmission
- Do not publish TCP source port information
- Apply proper egress/ingress filtering.
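The following is an added illustration, not part of the advisory, of why the receive window matters and how the second and third workarounds change the attacker's effort. It models the RFC 793 acceptability test for a segment's sequence number and counts how many spoofed segments would be needed to cover the whole 32-bit sequence space for a given window size and number of candidate source ports (the port range used below is an assumed example value).

```python
# Added example (not from the advisory): models the RFC 793 receiver-side
# sequence number check and the search-space reduction it implies.
MODULUS = 1 << 32  # sequence numbers are 32-bit and wrap around


def in_receive_window(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a zero-length segment such as a RST.

    The segment is acceptable when RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND,
    evaluated modulo 2**32 so the comparison survives wrap-around.
    """
    return (seg_seq - rcv_nxt) % MODULUS < rcv_wnd


def rst_guesses_needed(rcv_wnd: int) -> int:
    """Segments needed to cover every 32-bit sequence number when each
    segment is accepted anywhere inside a window of rcv_wnd bytes.
    With rcv_wnd == 1 this degenerates to the classic 2**32 guesses."""
    return -(-MODULUS // rcv_wnd)  # ceiling division


def total_guesses(rcv_wnd: int, candidate_ports: int) -> int:
    """Worst-case segments when the source port is not known and must be
    tried across candidate_ports values (workaround 3 keeps it secret)."""
    return rst_guesses_needed(rcv_wnd) * candidate_ports


if __name__ == "__main__":
    # Constructed values: a 64 KiB window versus a reduced 16 KiB window,
    # with the source port known (1 candidate) or drawn from an assumed
    # ephemeral range of 1024 ports.
    for wnd in (65535, 16384):
        for ports in (1, 1024):
            print(f"window={wnd:6d} ports={ports:5d} "
                  f"guesses={total_guesses(wnd, ports):,}")
```

Shrinking the window (workaround 2) or hiding the source port (workaround 3) each multiplies the number of spoofed segments an attacker must send, which is why the advisory lists them together.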
The information provided herein is on "as is" basis, without warranty of any kind.