Speculation surrounds DoS vulnerability in the TCP protocol
A potential TCP protocol design flaw can apparently be exploited to render any server on the internet inaccessible. Robert E. Lee and Jack C. Louis of Outpost24 claim to have discovered this vulnerability some time ago while testing the Unicorn Scan tool. A narrowband internet connection is said to be enough to throw a server connected via broadband off the net.
No details about the vulnerability, also called "TCP sockstress vulnerability" and "TCP state table manipulation vulnerability", have emerged so far, but more information is expected to become available at the upcoming T2'08 Information Security Conference.
There is plenty of speculation about the potential cause of the vulnerability. According to Robert Graham of Errata Security, Lee and Louis found a way of opening a TCP connection in such a way that it is never closed. If the maximum number of connections is established this way, the server is no longer able to respond to other clients' connection requests because earlier connections have not been terminated.
To achieve this, attackers need to trick the TCP stack into assuming that the connection speed is getting slower and slower until the stack believes it "would take years to complete the transmission", said Graham. This forces the stack to try and send individual packets over a long period of time. Once established, the connections remain intact, he said, adding that only a system reboot can resolve the situation.
Robert Lee officially only revealed that the DoS attack, which can be carried out in less than five minutes, takes advantage of the way resources are allocated immediately after a successful three-way handshake. This makes it possible to claim so many resources that the compromised system crashes as a result, making conventional measures to counteract DoS attacks ineffective, he said.
According to reports, Lee and Louis have not found a TCP/IP implementation that isn't vulnerable. All the affected vendors have reportedly been informed about the problem and received the "Sockstress" test tool for their own analysis and investigation.
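As an added defender-side illustration (not code from the article, Outpost24 or Errata Security): the script below parses a constructed, simplified socket listing and flags peers that hold an unusual number of ESTABLISHED connections with unsent data queued, which is the state-table pressure the speculation above describes. The listing format, the sample addresses and the threshold are assumptions.

```python
"""Flag peers holding an unusual number of established TCP connections.

Constructed example: parses a simplified listing in the shape
STATE RECV-Q SEND-Q LOCAL PEER (one socket per line, loosely modelled on
`ss -tan` output) and reports peers whose open connections exceed a limit.
"""
from collections import defaultdict

# Constructed sample: one well-behaved peer and one peer holding many
# ESTABLISHED sockets with unsent data queued (Send-Q > 0), i.e. stalled.
SAMPLE_SOCKETS = """\
ESTAB 0 0 10.0.0.5:80 198.51.100.7:51012
ESTAB 0 0 10.0.0.5:80 198.51.100.7:51013
ESTAB 0 4096 10.0.0.5:80 203.0.113.9:40001
ESTAB 0 4096 10.0.0.5:80 203.0.113.9:40002
ESTAB 0 4096 10.0.0.5:80 203.0.113.9:40003
ESTAB 0 4096 10.0.0.5:80 203.0.113.9:40004
TIME-WAIT 0 0 10.0.0.5:80 203.0.113.9:40005
"""

def parse_sockets(text):
    """Yield (state, recv_q, send_q, local, peer_ip) for each listing line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers or malformed lines
        state, recv_q, send_q, local, peer = parts
        peer_ip = peer.rsplit(":", 1)[0]  # drop the ephemeral port
        yield state, int(recv_q), int(send_q), local, peer_ip

def established_per_peer(text):
    """Count ESTABLISHED sockets and stalled sends (Send-Q > 0) per peer IP."""
    stats = defaultdict(lambda: {"established": 0, "stalled": 0})
    for state, _recv_q, send_q, _local, peer_ip in parse_sockets(text):
        if state != "ESTAB":
            continue
        stats[peer_ip]["established"] += 1
        if send_q > 0:
            stats[peer_ip]["stalled"] += 1
    return dict(stats)

def suspicious_peers(text, max_established=3):
    """Return peers holding more than max_established open connections."""
    # max_established is an assumed tuning knob; derive it from the server's
    # normal per-client connection profile before alerting on it.
    return sorted(ip for ip, s in established_per_peer(text).items()
                  if s["established"] > max_established)

if __name__ == "__main__":
    for ip in suspicious_peers(SAMPLE_SOCKETS):
        print("peer holding many established connections:", ip)
```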
- TCP DoS (probably) real, blog entry by Robert Graham
- New DOS Attack Is a Killer, report by RSnake at Dark Reading