This
story appeared on Network World Fusion at
http://www.nwfusion.com/columnists/2001/0326bradner.html
'Net
Insider:
Old bugs don't die
easily
By Scott
Bradner
Network World, 03/26/01
One
might think that a vulnerability first described in 1985 would not be a factor
in today's Internet, especially if a good way to eliminate the vulnerability
was published in 1996. But, sad to say, that is not the case.
Reports
surfaced recently that Internet consulting company Guardent claims that an old
bug had arisen from a supposed grave.
TCP, described in RFC 793, is
the basic reliable data delivery protocol used in the Internet. TCP uses a data
sequence number as the basis of its reliable delivery process.
When
your computer sends data to another computer on an IP network, it breaks the
data stream into chunks, known as packets, for transmission. When it sends each
packet, it includes a sequence number that represents all the bytes of data
that it has sent up to this time during the specific communication.
The
destination host responds with an acknowledgement packet containing the
sequence number of the next byte of data that it expects to see. The sender
uses this acknowledgement to find out what data has made it to the destination
node.
In many environments, trust relationships are defined between
hosts - for example, between a file server and its clients. An attacker with
the knowledge of what sequence numbers a file server will use and the ability
to forge IP addresses can fool the server into thinking it is talking to a
trusted client when it is talking to the attacker. Computers can be configured
to try to make it difficult to guess what initial sequence number will be used
in a conversation.
But there have been problems in coming up with a
good way to make it hard to guess the initial sequence number. Robert Morris's
February 1985 paper (Click for PostScript version) details the above attack and
makes some suggestions on how to prevent it. A decade later, Steve Bellovin
published a more detailed description and set of recommendations in RFC 1948.
But
just like the users I mentioned in last week's column on Web site security,
system vendors are sometimes not all that good at fixing their software to
avoid vulnerabilities, even when the vulnerabilities have been known for a long
time (centuries in Internet time).
In the case with TCP, vendors
generally tried to plug the security hole after a well-publicized attack in
1994. But they did not then add the additional protections that Bellovin
described two years later in RFC 1948 because they were seen as too hard to
implement.
But Guardent's report indicates that avoiding the hard work
just meant that the problem did not go away. It is a truism in the security
area that good security is not easy. This example should be taken as just
another reminder of that truth for anyone concerned with the security of his
own network and systems.
Disclaimer: Harvard's motto makes a claim for
truth, but the observation in this column is mine.
All contents
copyright 1995-2002 Network World, Inc. http://www.nwfusion.com