Synopsis: Vulnerabilities in TCP due to Sequence Number Guessing
References:
NISCC 236929
CERT TA04-111A
Products affected: All ST-series routers running software built prior to May 14, 2004.
Description: A TCP session between two
peers can be exploited by an attacker. The attacker can generate
many forged packets in an attempt to guess an acceptable TCP sequence
number on an existing session. The sequence number and associated
packet will be accepted by some implementations as long as it
falls within the TCP window size. By sending packets at a high
rate while varying the TCP sequence number, the attacker increases
the likelihood of correctly guessing a valid sequence number,
especially on TCP sessions that remain open for extended periods
of time. The forged packets can be used to inject disruptive data
or to reset the TCP session.
The BGP4 routing protocol uses TCP to establish
sessions for exchanging control traffic including routing information.
Therefore, an attacker can potentially use this technique to exploit
a BGP session on a router and disrupt the routing of traffic through
an internetwork such as the Internet.
Solution: There is no way to completely
eliminate this vulnerability due to the way in which TCP was designed.
Below are three recommendations that can be followed to minimize
the chances of such an attack.
If customers require additional protection beyond
what is provided by the below three recommendations, it is recommended
that they contact the DND Technical Assistance Center (TAC) for
a software patch. The software patch implements changes to the
TCP protocol that result in more stringent acceptance of protocol
packets.
1. ECI recommends that MD5 authentication
be configured for all BGP peering sessions. All versions of ECI's
Shadetree software for the ST200 router support MD5 authentication
for BGP in accordance with RFC2385. This technique protects a
BGP peer against spoofed segments by requiring that a signature
accompany control messages. The signature is based on a shared
secret or password configured on each peer. This greatly reduces
the chances of exploitation since the attacker would not only
have to guess the correct sequence number, but also determine the
password. The password is never sent over the connection stream.
MD5 authentication is also supported for the Label Distribution
Protocol (LDP), another TCP-based protocol.
2. Ingress filtering can be configured
on ST200 routers to restrict the traffic that is admitted into
the network based on various fields in the IP and TCP headers.
Egress filtering can also be configured on ST200 routers to restrict
traffic as it leaves a network under certain administrative control.
3. Isolation of network management
functions to an out-of-band network can ensure that protocols
such as Telnet and FTP will not be used as a vehicle to exploit
a router's TCP stack. The ST200 router has completely separate
in-band and out-of-band TCP/IP stacks.
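Added illustration (not ECI code): the permissive in-window acceptance check from the Description above, beside the RFC 2385 MD5 signature from recommendation 1, applied to a constructed BGP session. Option layout (18-byte MD5 option plus 2 bytes of padding), addresses, ports and the shared secret are assumed sample values.

```python
import hashlib
import hmac
import struct
from collections import namedtuple
from ipaddress import IPv4Address

TCP_PROTO = 6
# Assumption: 20-byte fixed header plus 20 bytes of options (18-byte MD5 option + 2 bytes padding).
DATA_OFFSET_WORDS = 10
Segment = namedtuple("Segment", "src_ip dst_ip src_port dst_port seq ack flags window payload", defaults=(b"",))

def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """The permissive check the advisory describes: any SEQ inside the receive window is accepted."""
    return (seq - rcv_nxt) % (1 << 32) < rcv_wnd

def md5_signature(seg: Segment, key: bytes) -> bytes:
    """RFC 2385: MD5 over pseudo-header, fixed TCP header (options excluded, checksum 0), data, key."""
    tcp_len = DATA_OFFSET_WORDS * 4 + len(seg.payload)
    pseudo = (IPv4Address(seg.src_ip).packed + IPv4Address(seg.dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    header = struct.pack("!HHIIBBHHH", seg.src_port, seg.dst_port, seg.seq, seg.ack,
                         DATA_OFFSET_WORDS << 4, seg.flags, seg.window, 0, 0)
    return hashlib.md5(pseudo + header + seg.payload + key).digest()

def accept_segment(seg: Segment, sig: bytes, key: bytes, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Receiver with MD5 enabled: the signature is checked before the sequence number is considered."""
    if not hmac.compare_digest(sig, md5_signature(seg, key)):
        return False
    return in_window(seg.seq, rcv_nxt, rcv_wnd)

# Constructed sample session: BGP speaker 192.0.2.2 receiving from peer 192.0.2.1.
KEY = b"constructed-shared-secret"
RCV_NXT, RCV_WND = 0x10000000, 16384

def demo() -> tuple:
    keepalive = Segment("192.0.2.1", "192.0.2.2", 179, 49152, RCV_NXT, 1, 0x10, 16384,
                        b"\xff" * 16 + b"\x00\x13\x04")   # 19-byte BGP KEEPALIVE, signed by the peer
    signed_ok = accept_segment(keepalive, md5_signature(keepalive, KEY), KEY, RCV_NXT, RCV_WND)
    # Same 4-tuple, RST|ACK flags, sequence number 4096 bytes into the window, no key material.
    unsigned_rst = Segment("192.0.2.1", "192.0.2.2", 179, 49152, RCV_NXT + 4096, 1, 0x14, 0)
    window_only = in_window(unsigned_rst.seq, RCV_NXT, RCV_WND)       # accepted without MD5
    with_md5 = accept_segment(unsigned_rst, bytes(16), KEY, RCV_NXT, RCV_WND)  # rejected with MD5
    return signed_ok, window_only, with_md5   # → (True, True, False)
```

The window check alone accepts any of the 16384 sequence numbers inside the window; with the signature option the same segment is dropped before its sequence number is examined.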