TCP catastrophe?

analysis
Apr 23, 2004

New router vulnerability could be a crisis — but you can take steps to avert it

Last week’s announcement hit the security community like a love tap from a sumo wrestler. Nearly every router on the Internet, including the ones that only peer with a handful of neighbors, was open to a potential exploit that could shut down whole sections of a network and maybe even the Internet itself. Worse, the vulnerability was something so basic, the design of TCP itself, that the problem touches everyone. (You can find a detailed, very technical description at Cisco.)

In brief, the vulnerability allows an outsider to reset a TCP connection without being part of it. For a short web session that is no big deal; the browser simply reconnects. The sessions that matter are the long-lived ones, above all the BGP peering sessions that routers use to exchange routes. Reset one of those and the peer withdraws every route it learned over that session; reset it again each time it comes back up and the router is, for practical purposes, gone from the Internet’s routing tables. If that device is the only path to a network segment, the segment is effectively removed from the Internet.

Until now, the assumption was that it would be impossible for someone to guess the information required to forge such a reset. An attacker needs the two addresses and two ports of the session, which for a BGP peering are easy to come by (port 179 on one side, the peers’ addresses are public), plus a 32-bit sequence number, which was supposed to be the hard part. It turns out it’s not so hard after all: a TCP stack accepts a reset whose sequence number falls anywhere inside its receive window, not only the one exact value it expects next. With windows of tens of kilobytes, an attacker who steps through the sequence space one window at a time needs tens of thousands of packets rather than billions, which takes seconds, not years.
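To make the arithmetic concrete, here is an added simulation (my code, not part of the original column or of any vendor’s advisory). It models only the receiver’s decision for an incoming RST, assumes the attacker already knows the session’s addresses and ports, and compares the classic RFC 793 in-window check against the tightened check that vendor patches of this kind introduce and that was later standardized as RFC 5961: a RST whose sequence number is in the window but not exactly the expected one no longer tears the session down, it only provokes a challenge ACK. The window size, sequence numbers and step size below are constructed values for illustration.

```python
"""Simulate blind TCP reset attacks against a receiver with a classic
(RFC 793) acceptance test and a hardened (RFC 5961-style) one.

Added example; not code from the article or from any vendor.  The
receiver state and attacker parameters below are constructed values.
"""
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class TcpReceiver:
    rcv_nxt: int          # next sequence number the receiver expects
    rcv_wnd: int          # receive window it currently advertises, in bytes
    strict: bool = False  # False: RFC 793 in-window test; True: exact match required

    def in_window(self, seq: int) -> bool:
        """RFC 793 acceptability test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND,
        evaluated modulo 2^32 so it also works when the window wraps."""
        return (seq - self.rcv_nxt) % SEQ_SPACE < self.rcv_wnd

    def handle_rst(self, seq: int) -> str:
        """Outcome for a RST segment carrying sequence number `seq`:
        'reset'         - connection is torn down,
        'challenge-ack' - in window but not exact; hardened stack sends a
                          challenge ACK and keeps the connection,
        'drop'          - outside the window, silently discarded."""
        if not self.in_window(seq):
            return "drop"
        if self.strict and seq != self.rcv_nxt:
            return "challenge-ack"
        return "reset"


def rst_guesses_needed(rcv_wnd: int, strict: bool = False) -> int:
    """Upper bound on spoofed RSTs (for one known 4-tuple) the attacker must
    send to be sure of hitting an acceptable sequence number."""
    if strict or rcv_wnd == 0:
        # Only the exact RCV.NXT is accepted: the full 32-bit space.
        return SEQ_SPACE
    # Stepping by one window length guarantees a hit in every window position,
    # including the wrapped one; the +1 covers the wrap-around gap.
    return SEQ_SPACE // rcv_wnd + 1


def brute_force_rst(receiver: TcpReceiver, step: int) -> tuple[int, str]:
    """Attacker walks the sequence space in `step` increments, sending one
    spoofed RST per guess. Returns (guesses sent, final outcome)."""
    guesses = 0
    seq = 0
    while seq < SEQ_SPACE:
        guesses += 1
        if receiver.handle_rst(seq) == "reset":
            return guesses, "reset"
        seq += step
    return guesses, "survived"


if __name__ == "__main__":
    window = 65535  # constructed: a typical window of the period
    classic = TcpReceiver(rcv_nxt=1_000_000, rcv_wnd=window)
    hardened = TcpReceiver(rcv_nxt=1_000_000, rcv_wnd=window, strict=True)

    print("exact-match assumption:", rst_guesses_needed(window, strict=True), "guesses")
    print("in-window reality:     ", rst_guesses_needed(window), "guesses at most")
    print("classic receiver:      ", brute_force_rst(classic, step=window))
    print("hardened receiver:     ", brute_force_rst(hardened, step=window))
```

The point the numbers make is the one the column is about: against a classic stack the attacker stepping through the space one window at a time lands inside the window after a few tens of thousands of packets, while the hardened stack answers every one of those near-misses with a challenge ACK and keeps the session. The simulation ignores rate limiting, ingress filtering and TCP authentication options, all of which raise the cost further in practice.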

Fortunately, this vulnerability is only a potential problem at this point. That doesn’t mean it’s not important — obviously, now that the word is out, somebody somewhere will create some malware to carry out the exploit.

You can imagine how this will work. A worm, like those we see many times a day, is propagated by an attacker. After it has had time to spread, the worm will be told to attack routers all over the world. Even if most of the attacks are ultimately unsuccessful (traffic can be rerouted, after all), the results could still be significant slowdowns on the Internet, and it’s likely that some areas will be without service entirely.

Fortunately, device manufacturers are working on the problem. Cisco was already posting fixed software the day after the problem was announced; other manufacturers are doing the same thing. But now it’s your turn: You must install that new software on your devices. Which devices? Cisco says that anything with a TCP stack is affected, so that means pretty much everything on your network.

And yes, that means you’ll have to download (or have your maintenance provider download) the new code from Cisco or your network device vendor and install it. By itself, this isn’t all that big a deal, but you will have to keep track of which devices have been patched and make sure you get everything. If you have a vulnerability scanner on your network, your job will be a lot easier. If you don’t, you’ll wish you did.

You must ensure that you patch everything, even the stuff inside your firewall. A forged reset carries the same addresses and ports as a session your firewall has already allowed, so a firewall that doesn’t track sequence numbers passes it through like any other packet of that session, and a network address translator simply rewrites it and forwards it; neither one looks at the reset flag. Any device that terminates a TCP session could therefore be a target. Until the patches are in, the workarounds in that Cisco advisory, such as TCP MD5 authentication on your BGP sessions and filtering spoofed source addresses at your border, raise the bar considerably. If you start the update process now, at least your gear won’t contribute to the problems caused by all those procrastinators out there.