Skip to main content

New TCP/IP stack flaws pose serious DDOS attack risk

Whilst scanning the wires for security news, I came across a report on the Scandinavian wires that a couple of researchers there have discovered a swathe of flaws in the TCP/IP stack.

The TCP/IP stack, in case you were wondering, is essentially a set of software rules by which a computer communicates over a network, which is usually IP-based like the Internet.

According to Robert Lee and Jack Louis with Outpost24, when they developed a port scanner called UnicornScan, they moved the TCP stack code into the port scanning environment to speed things up a bit.

Curiously, the pair found some PCs would simply stop working when certain TCP/IP stack conditions occurred.

On investigation, it seems the TCP/IP stack goes into a recurring cycle of failed packets under certain conditions.

In theory at least, this situation should not happen, so Lee and Louis did a bit more digging and realised that the TCP/IP stack had a number of flaws that no-one had previously noticed.

Well, not quite. I remember attending a Novell seminar in the mid-to-late 1990s at a Networks show event in Birmingham, at which Novell techies outlined their gameplan for Intranetware, which was the Internet-enabled version of the firm's popular (at the time) Netware networking software.

I remember an American engineering guy talking about the TCP/IP stack concept being flawed in that malformed packets could be lost under certain conditions.

Unfortunately for Novell and that networking expert, Novell went on to release Netware 5 in late 1998, at which stage the networking company switched its primary NCP interface from the IPX/SPX network protocol to TCP/IP.

IPX/SPX was still supported, of course, but the emphasis shifted to TCP/IP and the Internet slowly took over.

Back at Outpost24 and in the modern world, meanwhile, it seems that the researchers developed a mini-app called Sockstress that created malformed packets during the TCP/IP handshake process.

And guess what? A TCP/IP packet looping condition resulted, creating a highly effective DDOS attack condition.

Wow. This is a really big issue. Lee and Louis appear to know this, and have committed to working with the networking industry to allow them to counter the flaw(s) before they make them public (if at all)

However, I have my doubts that the industry can solve the flaws, as the Novell guy back in 1996/7 said the flaws he had discovered were fundamental to the TCP/IP infrastructure.

Of course, back then, hacking was in its infancy, so no-one really picked up on the Novell findings.

All the same, I think Outpost24 will have its work cut out...