TCP flaws may lead to DoS attacks, say researchers

Two researchers in Sweden have found multiple flaws in the TCP stack that could lead to massive denial-of-service attacks if exploited. At present there is no workaround and there are no patches available.

The TCP stack defines a set of rules by which a computer can communicate over any network. Robert E Lee, chief security officer for Outpost24, told ZDNet.co.uk sister site CNET News that "the vendors we are in talks with seem to be taking the threat seriously".

The discovery follows a test using a port scanner called 'Unicornscan', which Lee and senior security researcher Jack Louis created. The tool is used for vulnerability assessment and penetration testing at Outpost24. Lee said in a Swedish podcast that, when they couldn't get a port scan done soon enough, they decided to move the TCP stack into the program to make it more distributed. That's when Louis started noticing strange behaviour.

"Jack found some anomalies in which machines would stop working in some very specific circumstances while being scanned," Lee told CNET News.com. One of the behaviours experienced was packet loss, where the packets repeatedly kept trying, creating, more or less, a denial of service (DoS) on that machine.

There doesn't appear to be just one vulnerability, but several, according to Robert Hansen, chief executive of SecTheory. Hansen said these vulnerabilities, as he understands them, if exploited, have the potential to result in great damage. He added that fixing the vulnerabilities will require co-ordination with vendors of operating systems, firewalls and web-enabled devices.

To exploit the flaws, to see if the TCP vulnerabilities were real, Lee and Louis created a program called 'Sockstress' that intentionally did some wrong things with the TCP/IP handshake process. The Sockstress program was very effective in producing DoS attacks. The pair have no plans to release Sockstress.

Watch this

Behind the Dutch e-passport hack

Lee said he doesn't plan to hold a big, public-disclosure press conference, as Dan Kaminsky did with the DNS flaw this summer. "We plan to work with vendors to ensure they understand the issues fully and have adequate solutions in place before publicly sharing details on the issues. Since there are multiple issues, we may be able to share information on individual issues as they are individually addressed."

Asked whether someone else could figure this out before the patches are out, Lee said "even though I think Jack Louis is exceptionally brilliant, Outpost24 doesn't have a monopoly on bug-finding abilities. It is a matter of time before someone else independently figures it out".