TCP/IP "hole" leads to alert

Jim Hu, Staff Writer, CNET News.com

A "hole" in the underlying language of the Internet could allow hackers to cause an array of disruptions to targeted Web sites and Internet systems, according to a computer security watchdog.

Vulnerable systems could encounter vandals launching so-called "denial-of-service" attacks, according to the CERT (Computer Emergency Response Team) Coordination Center, which Monday issued an advisory about the security threat.

Systems that are vulnerable also can be subject to malicious packets sent to their machines, causing them to "crash, hang, or behave in unpredictable ways," according to the advisory. The attack does not involve any actual system break-ins, however.

As with similar attacks, these most likely would be launched by someone forging an originating address. In order to be protected, systems can and should be closed off so that outsiders cannot use them for forgery, said Shawn Hernan, leader of vulnerability handling for CERT's operations team.

"It can be a big deal for sites that are running vulnerable systems," Hernan said.

If a machine is vulnerable to this denial-of-service attack, anyone on the Internet who can send packets to that machine is able to crash it, he added. The attacker also could forge the source address of the packets so they would appear to have come from anywhere on the Internet, making it very difficult for the attacked party to determine the true origin of the packets.

While third parties can't totally spare a vulnerable system from being attacked, they can prevent their systems from being used as launching pads for attacks, by reconfiguring their routers to exclude anyone but approved parties. Security experts constantly urge network administrators to close off their routers so they can't be "hijacked" by third parties.

But such measures can't prevent an intruder from forging packets to make them appear as if they came from another network.

"Denial-of-service attacks...are just aimed at preventing someone from using their own computers," said AT&T Labs Research fellow Steven Bellovin. "In this case, an enemy can send some packets that will crash certain operating systems."

Ironically, he added, "There is rarely any direct benefit to the attacker. It's usually the electronic equivalent of kids who walk down the street snapping off car antennas."

The exploitation of TCP/IP vulnerabilities is not as rare as many think, according to security experts. But only lately have computer systems administrators turned their attention to developing defenses against them.

"There are a lot of IP spoofing methods, and until very recently all systems were vulnerable to this," said Fred Cohen, a security expert at Livermore, California's Sandia National Laboratories. "It's widespread and it has caused a lot of problems."

CERT, for its part, has posted solutions to the exploit on its site. The group recommends that vulnerable Web sites reconfigure their routers or firewalls and install filtering on the routers to prevent IP spoofing attacks.
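
The router filtering described above, sketched as an added example that is not taken from the article or the CERT advisory: a border filter that judges packets by their claimed source address, run over constructed sample packets. The site prefix (an RFC 5737 documentation range) and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: the site owns this prefix (an RFC 5737 documentation range).
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

def is_internal(src):
    """True if src parses as an address inside one of the site's prefixes."""
    ip = ipaddress.ip_address(src)  # raises ValueError on malformed input
    return any(ip in net for net in SITE_PREFIXES)

def border_filter(direction, src):
    """Return "forward" or "drop" for a packet crossing the site border.

    direction is "out" (leaving the site) or "in" (arriving from outside);
    src is the source address the packet claims, which may be forged.
    """
    try:
        internal = is_internal(src)
    except ValueError:
        return "drop"  # unparseable source address: never forward
    if direction == "out":
        # Egress rule: only the site's own addresses may leave as a source,
        # so the site cannot be a launching pad for forged packets.
        return "forward" if internal else "drop"
    if direction == "in":
        # Ingress rule: nothing arriving from outside may claim to be us.
        return "drop" if internal else "forward"
    raise ValueError("direction must be 'in' or 'out'")

# Constructed sample packets: (direction, claimed source, description).
SAMPLES = [
    ("out", "192.0.2.10", "internal host, real address"),
    ("out", "198.51.100.7", "internal host forging an outside source"),
    ("in", "192.0.2.10", "outside packet claiming an internal source"),
    ("in", "203.0.113.5", "outside packet, source possibly forged elsewhere"),
    ("in", "not-an-address", "malformed source field"),
]

def evaluate(samples=SAMPLES):
    """Apply the border filter to every sample and return the decisions."""
    return [(desc, border_filter(d, src)) for d, src, desc in samples]

if __name__ == "__main__":
    for desc, decision in evaluate():
        print(f"{decision:8} {desc}")
```

The fourth sample is forwarded: a filter at your own border cannot tell whether an inbound packet's source was forged to look like a third network, which is the limit the article notes.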