Multi-vendor TCP timestamp implementation denial of service vulnerability
Written by Editor   
Friday, 01 July 2005 16:33
A vulnerability has been reported in the TCP stacks of multiple vendors, in the handling of TCP segments that carry the timestamp option, which could be used to mount a denial of service attack against an established connection. TCP timestamps are used to measure round-trip time and by the Protection Against Wrapped Sequence numbers (PAWS) algorithm; the option itself is negotiated in the segments with the SYN flag set that are exchanged when a new TCP connection is set up. Because of a flaw in how some implementations process the timestamp, an attacker who can inject a specially crafted segment into an existing connection can stall it.

When timestamps are enabled, each side of the connection keeps the most recent timestamp value received from its peer (TS.Recent in RFC 1323), alongside the timestamps it uses to estimate round-trip time and detect segment loss. The PAWS algorithm uses this stored value to stop old or duplicate segments from corrupting an active connection: the timestamp on every incoming segment is compared with the last recorded valid value. If the timestamp checks out (it is at least as new as the stored one) and the segment's sequence number is no greater than the last acknowledgement sent, the stored value is updated with the new timestamp and the segment is passed on for further processing. If the checks fail, the segment is rejected as too old or a duplicate.

The attack is simple. If an attacker can determine the source and destination IP addresses and ports of two hosts that are actively communicating, they may be able to inject a specially crafted segment into the connection. When the segment is received, the host's stored timestamp is reset to the value in the crafted segment. The denial of service arises because some TCP implementations update the stored timestamp before validating the segment's sequence number, so the attacker does not need to guess a sequence number that falls inside the receive window. If the injected value is large enough that every legitimate segment received afterwards carries a smaller timestamp, PAWS rejects all of them as too old and the connection is effectively dead. (The timestamp comparison is modulo 2^32, so "larger" means up to 2^31 ahead of the current value; a value further ahead than that would itself be rejected as old.)
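The receiver-side logic described in the two paragraphs above, as an added example that is not code from the article, the CERT note, or any vendor's stack: a small simulation of one end of an established connection that keeps TS.Recent and Last.ACK.sent, with the flawed ordering (TS.Recent overwritten before the sequence number is validated) next to the RFC 1323 ordering. The Segment and Receiver classes, the run_attack helper and all numeric values are assumptions constructed for the illustration; the modulo-2^32 comparisons follow RFC 793 and RFC 1323.

```python
from dataclasses import dataclass, field

MOD32 = 1 << 32
HALF = 1 << 31


def ts_before(a: int, b: int) -> bool:
    """RFC 1323 'a < b' on 32-bit timestamps: compared modulo 2^32, so a value
    up to 2^31 - 1 ahead of b counts as newer and everything else as older."""
    return (a - b) % MOD32 >= HALF


def seq_le(a: int, b: int) -> bool:
    """RFC 793 'a <= b' on 32-bit sequence numbers, also modulo 2^32."""
    return (b - a) % MOD32 < HALF


@dataclass
class Segment:            # hypothetical minimal segment: no flags, no ACK field
    seq: int              # SEG.SEQ
    tsval: int            # TSval from the timestamp option
    length: int = 1       # SEG.LEN in bytes (data-carrying segments only)


@dataclass
class Receiver:
    """One side of an established connection, holding the PAWS state."""
    rcv_nxt: int          # RCV.NXT, next byte expected from the peer
    rcv_wnd: int          # RCV.WND, advertised receive window
    ts_recent: int        # TS.Recent, last validated timestamp from the peer
    strict: bool          # True: RFC 1323 order; False: the flawed order
    last_ack_sent: int = field(init=False)       # Last.ACK.sent
    delivered: int = field(init=False, default=0)

    def __post_init__(self):
        self.last_ack_sent = self.rcv_nxt

    def in_window(self, seg: Segment) -> bool:
        """RFC 793 acceptability test for a data-carrying segment."""
        wnd_end = (self.rcv_nxt + self.rcv_wnd) % MOD32
        first, last = seg.seq, (seg.seq + seg.length - 1) % MOD32

        def inside(x):
            return seq_le(self.rcv_nxt, x) and not seq_le(wnd_end, x)

        return inside(first) or inside(last)

    def receive(self, seg: Segment) -> str:
        # R1 (RFC 1323 4.2.1): PAWS drops a segment whose timestamp is
        # older than the last validated one.
        if ts_before(seg.tsval, self.ts_recent):
            return "dropped by PAWS"
        if not self.strict:
            # The flaw: TS.Recent is overwritten as soon as the timestamp
            # looks fresh, before the sequence number has been checked.
            self.ts_recent = seg.tsval
        # R2: RFC 793 sequence-number acceptability.
        if not self.in_window(seg):
            return "dropped: out of window"
        # R3: update TS.Recent only from an acceptable segment that does not
        # start beyond the last ACK we sent.
        if self.strict and seq_le(seg.seq, self.last_ack_sent):
            self.ts_recent = seg.tsval
        if seg.seq == self.rcv_nxt:           # in-order data: deliver it
            self.rcv_nxt = (self.rcv_nxt + seg.length) % MOD32
            self.last_ack_sent = self.rcv_nxt
            self.delivered += seg.length
        return "accepted"


def run_attack(strict: bool) -> dict:
    """Blind injection: the attacker knows the 4-tuple but not the sequence
    numbers, so the spoofed segment lands far outside the window. All values
    are constructed for this example."""
    rx = Receiver(rcv_nxt=1000, rcv_wnd=65535, ts_recent=5000, strict=strict)
    before = rx.receive(Segment(seq=1000, tsval=5001, length=100))
    # Crafted segment: bogus sequence number, TSval 2^31 - 1 ahead of the
    # peer's clock, the largest value PAWS still treats as newer.
    spoofed = Segment(seq=(1100 + 10_000_000) % MOD32,
                      tsval=(5001 + HALF - 1) % MOD32)
    injected = rx.receive(spoofed)
    # The real peer keeps sending in-order data with a normally ticking clock.
    after = [rx.receive(Segment(seq=1100 + 100 * i, tsval=5002 + i, length=100))
             for i in range(3)]
    return {"before": before, "injected": injected, "after": after,
            "ts_recent": rx.ts_recent, "delivered": rx.delivered}


if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "flawed", run_attack(mode))
```

In the flawed mode the spoofed segment is still discarded as out of window, but by then TS.Recent already holds the attacker's value, so every later segment from the real peer is dropped by PAWS and nothing more is delivered; in strict mode TS.Recent is untouched and the connection carries on. The simulation leaves out the RFC 1323 rule that skips the PAWS check when TS.Recent is more than 24 days old, which does not help on the timescale of a live connection, and it does not send the ACK that a real stack emits for a rejected segment.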

This vulnerability affects a large number of vendors, including Microsoft, Avaya, FreeBSD and OpenBSD. Vendors are producing patches, and these should be installed as soon as they are available. The practical risk is probably fairly low, since the attacker has to know the addresses and ports of both ends of a live connection, but once patched it is not a problem you need to worry about.

For more information on the vulnerability see the CERT advisory; for background on TCP, timestamps and PAWS see RFC 793 and RFC 1323.

Last Updated ( Thursday, 14 September 2006 21:51 )