There’s been a bunch of new information released over the past few days about the potentially serious TCP denial-of-service flaw. The three most informative posts I’ve read are:
- Fyodor’s discussion of either the same, or a similar issue.
- Richard Bejtlich’s overview.
- Rob Graham’s take on the potential attack.
Here’s what I think you need to know:
- It is almost certainly real.
- Using this technique, an attacker with very few resources can lock up the TCP stack of the target system, potentially draining other resources and maybe even forcing a reboot. (Could this trash a host OS? We don’t know yet.)
- Anything that accepts TCP connections is vulnerable. I believe that means passive sniffing/routing is safe.
- The attack is obvious and traceable. Since we are using TCP and creating open connections (not UDP), spoofed or anonymous attacks don’t seem possible.
- Thus, I’d be more worried about a botnet that floods your upstream provider than this targeted attack.
- This is the kind of thing we should be able to filter, once our defenses are updated.
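One concrete form that filtering can take follows from the points above: the attack needs real, non-spoofed TCP connections, so a single source holding an unusual number of open connections to a host stands out in the connection table. The script below is an added example, not code from the original post or from any of the linked authors. It parses a constructed, `ss -tn`-style dump (the sample lines are made up), counts connections in resource-holding states per peer address, and flags peers above a threshold as candidates for a per-source connection limit. The format, the threshold, and the set of states counted are all assumptions.

```python
"""Flag remote hosts holding an unusual number of open TCP connections.

Added example (not from the original post). It parses a constructed,
ss(8)-style dump of the connection table and counts established and
half-open connections per remote address, the kind of check a defender
can run because the attack discussed above needs real, non-spoofed
connections and is therefore traceable to its source.
"""
from collections import Counter

# Constructed sample in the style of `ss -tn` output
# (state, recv-q, send-q, local addr:port, peer addr:port). Not real data.
SAMPLE_TABLE = """\
ESTAB 0 0 10.0.0.5:80 198.51.100.7:41234
ESTAB 0 0 10.0.0.5:80 198.51.100.7:41235
ESTAB 0 0 10.0.0.5:80 198.51.100.7:41236
ESTAB 0 0 10.0.0.5:80 198.51.100.7:41237
ESTAB 0 0 10.0.0.5:80 198.51.100.7:41238
ESTAB 0 0 10.0.0.5:443 203.0.113.9:50001
ESTAB 0 0 10.0.0.5:80 192.0.2.44:60010
SYN-RECV 0 0 10.0.0.5:80 192.0.2.45:60011
TIME-WAIT 0 0 10.0.0.5:80 192.0.2.46:60012
"""

# States in which the local stack is still holding per-connection state.
# TIME-WAIT is excluded on purpose: it is cheap and short-lived. Assumed set.
HOLDING_STATES = ("ESTAB", "SYN-RECV")


def parse_table(text):
    """Yield (state, local_port, peer_ip) for each well-formed line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip headers, blank lines, and anything malformed
        state, local, peer = fields[0], fields[3], fields[4]
        # rsplit on the last ':' so bracketed IPv6 literals stay intact
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        yield state, local_port, peer_ip


def open_connections_per_peer(text, states=HOLDING_STATES):
    """Count connections in resource-holding states, keyed by peer IP."""
    counts = Counter()
    for state, _port, peer_ip in parse_table(text):
        if state in states:
            counts[peer_ip] += 1
    return counts


def flag_peers(text, threshold):
    """Return (peer_ip, count) pairs above `threshold`, highest count first."""
    counts = open_connections_per_peer(text)
    return sorted(
        ((ip, n) for ip, n in counts.items() if n > threshold),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    for ip, n in flag_peers(SAMPLE_TABLE, threshold=3):
        print(f"{ip} holds {n} open connections; candidate for a per-source connection limit")
```

On a live host the same check runs over the real output of `ss -tn` (or `netstat -tn`), and the flagged addresses are what an operator would feed into a per-source connection cap such as the iptables `connlimit` match. The threshold has to be tuned per service; a busy proxy or NAT gateway legitimately holds many connections from one address, so the count is a signal to investigate, not an automatic block.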