KB Article #160908

Denial Of Service to persistent TCP connections by repeatedly injecting a TCP RST packet (CVE-2004-0230)

Problem


TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.

 

Resolution


The herein referred issue is a known function of TCP. In order to perform a connection reset an attacker would need to know the source and destination IP address and ports as well as being able to guess the sequence number within the window. These requirements seriously reduce the ability to trigger a connection reset on normal TCP connections. A connection reset indicates that the sending side is shutting down the connection immediately. Although, a dedicated attacker stands a fairly good chance of shutting down a connection, it is also important to discuss what the implications of this are. And the answer would be very few, for the most part. In general, the damage caused by a prematurely closed connection is small and it only requires the operation to be restarted. The largest threat is seen to be for applications which use long-lived TCP connections for some important task. An example for such case is the BGP protocol used for much of the core Internet routin because being able to trigger a reset is easier than expected as the end points can be easily determined and large window sizes are used. BGP routing is also significantly affected by having its connections terminated. The major BGP peers have recently switched to requiring md5 signatures which mitigates against this attack.

As far as SecureTransport is concerned it must be noted that ST does not use, does not depend on and does not implement BGP routing. On the other hand if the normal TCP connections to and from ST are prematurely closed, ST will handle these cases gracefully.