A pair of security experts are now discussing
several fundamental issues with the TCP protocol that can be exploited to
cause denials of service and resource consumption on virtually any remote
machine that has a TCP service listening for remote connections. The problems,
which were identified as far back as 2005, are not simply vulnerabilities in
products from one or two vendors, but are issues with the ways in which routers,
PCs and other machines handle TCP connection requests from unknown, remote
machines. The attacks can be carried out with very little bandwidth, such as
that available on a cable modem, and there don't appear to be any workarounds or
fixes for the problems at this point.
Lee and Louis, who will present their findings at the T2 Conference in Helsinki
in mid-October, are not releasing the details of the flaws, but Lee said that
they evolve from the way that Web servers and other machines handle the
three-way TCP handshake at the beginning of a new connection. Their attacks
enable them to consume all of the resources of a given TCP service. In some
cases, the attacks can cause the remote machine to reboot. Lee said that Louis
discovered the issue when the pair were doing large-scale penetration tests that
required them to scan tens of thousands of IP addresses. To make life easier,
Louis wrote a tool called Unicornscan, which is a distributed TCP/IP stack that
can be used for TCP scanning. It was while reviewing packet dumps from scans
with the tool that Louis noticed some anomalies.
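The article withholds the details of the flaws, so the example below does not reproduce them. It is an added illustration, not code from the article or from Lee and Louis, of the bookkeeping a listening service does during the SYN / SYN-ACK / ACK handshake that the paragraph refers to: each SYN costs the listener a half-open entry before the remote side has proven anything, and a completed handshake costs an accept-queue entry. The packet layout is the standard 20-byte TCP header; the queue sizes, the ISN progression and the sample peers (192.0.2.x, 198.51.100.7) are assumed values chosen so the scenario fits in a few lines. The scenario it runs (peers that send SYNs and withhold the final ACK) is the classic half-open exhaustion case, shown only to make the resource accounting visible.

```python
"""Model of a TCP listener's three-way handshake bookkeeping (added example, not
the article's or the researchers' code; queue limits and ISN stepping are assumptions)."""
import struct
from dataclasses import dataclass, field

# TCP flag bits (low 9 bits of the data-offset/flags word)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_HDR = "!HHIIHHHH"  # sport, dport, seq, ack, offset|flags, window, checksum, urgent
MASK32 = 0xFFFFFFFF


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Build a 20-byte TCP header with no options. Checksum is left 0 (not computed here)."""
    offset_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack(TCP_HDR, sport, dport, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_header(data):
    """Decode the fixed 20-byte part of a TCP header into a dict."""
    sport, dport, seq, ack, offset_flags, window, _csum, _urg = struct.unpack(TCP_HDR, data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": offset_flags & 0x1FF, "data_offset": (offset_flags >> 12) * 4, "window": window}


@dataclass
class Listener:
    """A listening socket's handshake state: half-open entries plus an accept queue.

    The queue sizes are deliberately tiny (assumption) so the scenario fills them
    quickly; real stacks use far larger limits and extra defences such as SYN
    cookies and retransmission timers, none of which is modelled here.
    """
    port: int
    syn_backlog: int = 3
    accept_backlog: int = 3
    isn: int = 1_000_000
    half_open: dict = field(default_factory=dict)    # (src_ip, sport) -> (our ISN, expected client seq)
    established: dict = field(default_factory=dict)  # (src_ip, sport) -> (snd_nxt, rcv_nxt)
    dropped: int = 0

    def receive(self, src_ip, segment):
        """Process one inbound segment; return the reply header bytes, or None."""
        hdr = parse_tcp_header(segment)
        if hdr["dport"] != self.port:
            return None
        key = (src_ip, hdr["sport"])
        flags = hdr["flags"]

        # Step 1: a bare SYN allocates a half-open entry and is answered with SYN-ACK.
        if flags & SYN and not flags & ACK:
            if key in self.half_open or len(self.half_open) >= self.syn_backlog:
                self.dropped += 1          # no slot left: the SYN is silently dropped
                return None
            self.isn = (self.isn + 64_000) & MASK32          # assumed simple ISN stepping
            rcv_nxt = (hdr["seq"] + 1) & MASK32
            self.half_open[key] = (self.isn, rcv_nxt)
            return build_tcp_header(self.port, hdr["sport"], self.isn, rcv_nxt, SYN | ACK)

        # Step 3: the final ACK must acknowledge our ISN+1 before the entry is promoted.
        if flags & ACK and key in self.half_open:
            our_isn, rcv_nxt = self.half_open[key]
            if hdr["ack"] != (our_isn + 1) & MASK32 or hdr["seq"] != rcv_nxt:
                return None                # wrong numbers: entry stays half-open until it times out
            del self.half_open[key]
            if len(self.established) >= self.accept_backlog:
                self.dropped += 1
                return None
            self.established[key] = ((our_isn + 1) & MASK32, rcv_nxt)
            return None
        return None


def client_handshake(listener, src_ip, sport, client_isn, send_final_ack=True):
    """Drive one client through the handshake; True if it ended up established."""
    syn_ack = listener.receive(src_ip, build_tcp_header(sport, listener.port, client_isn, 0, SYN))
    if syn_ack is None or not send_final_ack:
        return False
    reply = parse_tcp_header(syn_ack)
    if reply["flags"] != SYN | ACK or reply["ack"] != (client_isn + 1) & MASK32:
        return False
    listener.receive(src_ip, build_tcp_header(sport, listener.port, (client_isn + 1) & MASK32,
                                              (reply["seq"] + 1) & MASK32, ACK))
    return (src_ip, sport) in listener.established


def run_demo():
    """Constructed scenario: one honest client, then peers that never finish the handshake."""
    lst = Listener(port=80)
    honest = client_handshake(lst, "192.0.2.10", 40000, client_isn=5000)   # completes normally
    # Three peers send SYNs and withhold the final ACK: every half-open slot is now in use.
    stalled = [client_handshake(lst, "198.51.100.7", 50000 + i, client_isn=i, send_final_ack=False)
               for i in range(lst.syn_backlog)]
    late = client_handshake(lst, "192.0.2.11", 40001, client_isn=7000)     # dropped: no slot left
    return {"honest_established": honest, "stalled_established": any(stalled),
            "late_established": late, "half_open": len(lst.half_open),
            "established": len(lst.established), "dropped": lst.dropped}


if __name__ == "__main__":
    print(run_demo())
```

Running the script shows the point the article makes in prose: the cost of a SYN is paid by the listener, so a handful of unanswered handshakes from a low-bandwidth peer is enough to make a later legitimate SYN fall on the floor. The model stops where the article stops; whatever Lee and Louis found beyond this generic behaviour is not represented here.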