Security pros question flaw find

Two Internet software developers who said they have uncovered a way to cause entire networks of computers to freeze or shut down may have simply rediscovered an old network issue.

The network performance issues are described in a series of Web site forum postings recently publicized within the security community. The poster, who uses the alias NT Canuck, said he created a tool, with the help of another developer, that can shut down entire networks.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

However, security researchers at the Computer Emergency Response Team (CERT) Coordination Center downplayed the issue, saying that the program simply inundates a network with so much data that computers have problems functioning correctly.

"We don't see any specific vulnerability being discovered here," said Jason Rafail, an Internet security analyst at the center. He described the issue as "resource starvation," in which a computer cannot keep allocating memory or processor time to handle a vast quantity of network data. He confirmed that the issue is similar to an advisory the group published in 1996.

The CERT Coordination Center's opinion on the matter unravels more than two months of speculation on whether a flaw existed and what its effects could be. Initial posts to the Web forum painted a potential catastrophe for the Internet, affecting firewalls, network devices, servers and PCs.

"During tests we saw hardware firewall appliances fail/freeze/crash as well as software firewalls," one tester stated in early December. "What's more, it affects other hardware too, so it's not (the) kind of info one would release 'in the wild.' Otherwise, the whole Net may reach a grinding halt--not kidding."

According to the Web posts, while developing software, the programmers found that certain circumstances could be created that would cause a network of computers to freeze, and in some cases fail. The developers contacted Microsoft and the CERT Coordination Center to report the flaw. Both organizations confirmed that they were contacted in November.

However, Microsoft's Security Response Center (MSRC) has not been able to replicate the discoverers' exact findings, said Stephen Toulouse, senior program manager for the MSRC.

"We have been talking with (one of them) since late November," he said. "We have had some difficultly reproducing the scenario, aside from some flooding." The issues took more than two months to check because of those difficulties and the discoverers' unwillingness to provide source code, he added.

Toulouse said that the person who contacted Microsoft seemed knowledgeable but that the tool the company was given merely caused a network slowdown because of excess traffic. He said the program sent large quantities of fragmented data using a standard known as the User Datagram Protocol (UDP).

Some researchers said the alerts were an elaborate hoax, while others believed that the programmers who found the flaw might not have known that it was a previously recognized issue. Security community members have criticized the researchers for presenting too little detail to support their warnings of a flaw that poses a danger to the Internet.

"It's too easy to make claims like this with no evidence whatsoever," one skeptic stated.

However, the two researchers distanced themselves from any interpretation about their findings, instead stressing that they were only reporting certain circumstances that result in network instabilities.

"We were not deliberately seeking this discovery," one developer, who asked to remain anonymous, told CNET News.com in an e-mail exchange. He disputed the notion that the problems witnessed by the small circle of testers could be an old UDP issue. "I conclude that if this is a simple UDP flood, it is time we take a closer look at what newer technology can do."

That developer and NT Canuck pointed to two papers that reported similar findings: one published in the Association of Computing Machinery's Transaction on Computer Systems and another presented at the Gigabit Networking Workshop in 1999 by researchers from Bell Labs.

Perhaps the most controversial claims are that the attack crashed, and sometimes crippled, network hardware. While many attacks can freeze a system or a network device, in almost every case, simply turning the power off and then on can solve the problem.

CERT's Rafail believes the systems that crashed did so because they had older hardware that simply failed under a stress test.

While NT Canuck acknowledged in a Web posting that many of the computers that suffered failure were older machines, he still believes the hardware failures are something to be concerned about.

"Three labs in three entirely different locations have noted lost machinery immediately during or after" running the attack tool, he said. "It was mentioned because it's so unusual for something like this to happen at all."

Other researchers continue to examine the issue.