
April 13, 2005

TCP ICMP DoS flaw

Well, it's happened again. Fernando Gont has discovered a potential connection reset vulnerability in a number of TCP/IP stacks. (Advisory here.) Unlike the last TCP DoS attack, this one uses ICMP messages rather than TCP RSTs.

The Internet Control Message Protocol (RFC 792) is used to send various kinds of control messages to IP-connected hosts. For instance, the ICMP Host Unreachable message tells the receiver that the sending router can't forward the packet to the destination. Another example is the ICMP Datagram Too Big message, which tells the sender that the packet is too big to forward and can't be fragmented (because the Don't Fragment bit is set). This message is used in Path MTU Discovery (RFC 1191).

When a TCP implementation receives an ICMP Host Unreachable, that tells it that it can't talk to the receiver and that it needs to terminate the connection. In order to help the sender identify the correct connection, and to prevent attackers from forging Host Unreachable messages, ICMP messages contain the first 64 bits of the offending datagram. Thus, in order to generate a valid message the attacker needs to be able to see the packets of the connection it wants to attack.

In theory this should stop attackers from resetting connections that they can't see. In practice, it turns out that a lot of TCP implementations (in particular Cisco, Juniper, and IBM) check the host and port in the ICMP messages but don't check the TCP sequence number. Often the host and port portions are predictable, so if you know about a connection you may be able to reset it. There are also a variety of other attacks involving other ICMP messages. The correct fix is described in draft-gont-tcpm-icmp-attacks-03.txt.
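As an added example (not code from the original post, nor from Gont's draft or any vendor's stack), the following Python builds an ICMP Host Unreachable message that quotes a TCP segment, parses the quoted IP header and the first 64 bits of the datagram's data (the port and sequence number fields), and contrasts the two validation policies discussed above: matching only the quoted addresses and ports, versus additionally requiring the quoted sequence number to fall inside the connection's send window. All addresses, ports and sequence numbers are constructed sample values, and the names `Connection`, `should_abort` and the other helpers are mine.

```python
"""
Added example, not from the original post: construct and validate an ICMP
Destination Unreachable (Host Unreachable) message against TCP connection
state. RFC 792 has the error quote the offending datagram's IP header plus
the first 64 bits of its data, which for TCP is exactly src port, dst port
and sequence number. Sample values below are constructed.
"""
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
ICMP_HOST_UNREACH_CODE = 1
IPPROTO_TCP = 6


@dataclass
class Connection:
    """Minimal send-side TCP connection state (hypothetical structure)."""
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    snd_una: int   # oldest unacknowledged sequence number
    snd_nxt: int   # next sequence number to be sent


def ipv4_header(src: str, dst: str, payload_len: int, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero since this is a sample."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0, 0x4000, 64, proto, 0, src_b, dst_b)


def tcp_header_prefix(sport: int, dport: int, seq: int) -> bytes:
    """The first 64 bits of a TCP header: ports and sequence number."""
    return struct.pack("!HHI", sport, dport, seq)


def icmp_host_unreachable(offending_ip_header: bytes, first_64_bits: bytes) -> bytes:
    """ICMP type 3 / code 1 quoting the offending IP header + 64 bits of data."""
    return (struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_HOST_UNREACH_CODE, 0, 0)
            + offending_ip_header + first_64_bits)


def parse_quoted_datagram(icmp: bytes):
    """Return (src_ip, dst_ip, proto, sport, dport, seq) from the quoted datagram."""
    inner = icmp[8:]                      # skip the 8-byte ICMP header
    ihl = (inner[0] & 0x0F) * 4           # quoted IP header length in bytes
    proto = inner[9]
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return src, dst, proto, sport, dport, seq


def matches_connection(conn: Connection, icmp: bytes) -> bool:
    """Weak check: quoted addresses and ports alone identify the connection."""
    src, dst, proto, sport, dport, _ = parse_quoted_datagram(icmp)
    return (proto == IPPROTO_TCP and src == conn.local_ip and dst == conn.remote_ip
            and sport == conn.local_port and dport == conn.remote_port)


def seq_in_send_window(conn: Connection, seq: int) -> bool:
    """SND.UNA <= SEG.SEQ < SND.NXT, computed modulo 2^32 to handle wraparound."""
    window = (conn.snd_nxt - conn.snd_una) % (1 << 32)
    return (seq - conn.snd_una) % (1 << 32) < window


def should_abort(conn: Connection, icmp: bytes, check_seq: bool) -> bool:
    """Would a stack using the given policy tear down conn on receipt of icmp?"""
    if not matches_connection(conn, icmp):
        return False
    if not check_seq:
        return True                       # the behaviour the post describes as vulnerable
    return seq_in_send_window(conn, parse_quoted_datagram(icmp)[5])


def demo() -> dict:
    """Compare both policies on a message with an out-of-window sequence number
    and on one quoting a segment the connection actually sent (constructed data)."""
    conn = Connection("192.0.2.10", 40000, "198.51.100.20", 179,
                      snd_una=1_000_000, snd_nxt=1_000_500)
    hdr = ipv4_header(conn.local_ip, conn.remote_ip, 20, IPPROTO_TCP)
    unseen = icmp_host_unreachable(   # right addresses/ports, sequence number never sent
        hdr, tcp_header_prefix(conn.local_port, conn.remote_port, 0xDEADBEEF))
    genuine = icmp_host_unreachable(  # quotes a segment inside the send window
        hdr, tcp_header_prefix(conn.local_port, conn.remote_port, 1_000_100))
    return {
        "unseen_weak_check": should_abort(conn, unseen, check_seq=False),
        "unseen_strict_check": should_abort(conn, unseen, check_seq=True),
        "genuine_strict_check": should_abort(conn, genuine, check_seq=True),
    }


if __name__ == "__main__":
    print(demo())
```

The `demo` result shows the point of the paragraph: under the weak policy the message with an out-of-window sequence number aborts the connection, under the strict policy it is dropped while a genuine error still aborts. The window test is the same modular comparison a stack uses for incoming segments, so a real implementation has it available already.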

This isn't something to panic about. As with last year's TCP attacks, the scope of this attack is fairly limited. There aren't many TCP-based protocols that are simultaneously high value and reliant on long-lived TCP connections. Web transactions, for instance, are basically unaffected. The main example is BGP. Unfortunately, the TCP MD5 fix from last year's attack doesn't seem to prevent this attack; however, one of the workarounds, port randomization, does. So, in principle, it's possible to DoS substantial fractions of the Internet routing system. In practice, Cisco has already rolled out fixes and I imagine Juniper and IBM will if they haven't already.

Posted by ekr at April 13, 2005 8:15 PM

Comments

"don't check the host and port in the ICMP messages but don't check the TCP sequence number"

What were you saying about leaving typos in? :-)

Posted by: Wes Felter at April 15, 2005 1:11 PM