Secret Repairs Preceded TCP Flaw Release
April 2004

Only the math had changed. But the emergence of
a workable exploit for an old TCP security hole
prompted a secret initiative to fix the Internet,
giving network operators a week to secure
vulnerable routers. The clandestine repair effort
enlivened an intense period for security pros
already juggling a bevy of Windows security
patches.

The TCP issue publicized yesterday was publicly
known as early as 1998. It allows an attacker to
reset an existing TCP session using specially
crafted TCP packets. Most TCP sessions are
short-lived, so the vulnerability has little
impact on them, but certain critical protocols,
such as Border Gateway Protocol (BGP), depend on
long-lived sessions. The weakness, which affects
widely used Cisco and Juniper routers, can be
addressed by using MD5 authentication to secure
BGP sessions, a step most ISPs had never taken
because an exploit seemed mathematically
implausible.
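
An operator checking whether that step has been taken can audit router configurations for BGP peers that lack a password. The sketch below is an added example, not part of the original article or any vendor's tooling; it assumes Cisco IOS-style syntax, where `neighbor ... password` turns on TCP MD5 authentication for the session, and the sample configuration is constructed.

```python
import re

# Constructed sample in Cisco IOS-style syntax. Addresses come from the
# documentation ranges; AS numbers and password strings are placeholders.
SAMPLE_CONFIG = """\
router bgp 64500
 neighbor TRANSIT peer-group
 neighbor TRANSIT password 7 0000000000
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 password 7 0000000000
 neighbor 192.0.2.9 remote-as 64502
 neighbor 198.51.100.5 remote-as 64503
 neighbor 198.51.100.5 peer-group TRANSIT
 neighbor EDGE peer-group
 neighbor 203.0.113.7 peer-group EDGE
 neighbor 203.0.113.7 remote-as 64504
!
interface Loopback0
 description neighbor 10.0.0.1 remote-as 1
"""

def unauthenticated_bgp_peers(config_text):
    """Return sorted BGP peers with no password, set directly or via peer-group."""
    peers, groups, has_password, member_of = set(), set(), set(), {}
    in_bgp = False
    for raw in config_text.splitlines():
        if not raw.startswith(" "):        # a top-level line opens a new stanza
            in_bgp = raw.startswith("router bgp ")
            continue
        m = re.match(r"\s+neighbor\s+(\S+)\s+(\S+)(?:\s+(\S+))?", raw)
        if not (in_bgp and m):
            continue
        name, keyword, arg = m.groups()
        if keyword == "remote-as":
            peers.add(name)
        elif keyword == "password":
            has_password.add(name)
        elif keyword == "peer-group" and arg is None:
            groups.add(name)               # peer-group definition
        elif keyword == "peer-group":
            peers.add(name)                # membership: inherits group settings
            member_of[name] = arg
    return sorted(p for p in peers - groups
                  if p not in has_password
                  and member_of.get(p) not in has_password)

if __name__ == "__main__":
    for peer in unauthenticated_bgp_peers(SAMPLE_CONFIG):
        print("BGP peer without MD5 authentication:", peer)
```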

Paul Watson came up with a more efficient way of
exploiting the vulnerability, making the attack
much faster, particularly for attackers
controlling "bot networks" of compromised
machines. The clock began ticking March 14, when
Watson announced plans to present a paper on
"specific security problems in the TCP protocol"
at the CanSecWest conference on April 21.

Watson shared his plans with government computer
security officials in the US and UK, who
coordinated a response with vendors and major
network operators. "We have known about the fixes
for about a week and implemented them last
weekend," said Bill Hancock, Chief Security
Officer for Savvis Communications, which operates
the former Cable & Wireless US network backbone.
Communication was handled through back-channels
established in February 2001 to deploy patches for
the SNMP protocol, Hancock said.