Even though the Outpost24 researchers that claim to have found a vulnerability in the TCP/IP protocol intend to keep the details secret until there are some solutions available, they are giving so many interviews that some details are bound to get out into the open. Yesterday I speculated that it might be related to the TCP handshake; there are some more details available today.

The extra information I’ve found comes from Robert E. Lee’s own blog, the Finnish CERT, and Ars. If you combine the information in all articles published so far, you get this:

  • The problem is described as a “trust problem”, and occurs in TCP connections after the three-way handshake is completed. So UDP-only services appear to be safe.
  • The vulnerability is based on “a denial of service on the TCP connection queue” of a target host.
  • It can be exploited by sending about 10 packets per second for about four minutes; note that these numbers come from two different sources, so this number might be off by a bit.
  • At least one of the symptoms is that the attacked host keeps sending packets back to the attacking hosts, and this won’t stop until the host is rebooted. Again, this is not said directly, but it is described as the way the researchers found the problem.
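The numbers in the list above (roughly 10 packets per second sustained for about four minutes) describe a low-and-slow pattern that a per-second burst threshold never trips. As an added illustration, not code from the post or from the researchers, here is a small detector over constructed flow records that flags a source/destination pair only when its packet rate stays at or above a floor for a long stretch, beside a classic burst check for contrast; the addresses and thresholds are constructed sample values.

```python
from collections import defaultdict

def sustained_low_rate_pairs(records, min_pps=10, min_duration=240, window=10):
    """Return {(src, dst): seconds} for pairs whose packet rate stays at or above
    min_pps in every consecutive `window`-second bucket for at least min_duration
    seconds. records are (timestamp_seconds, src, dst) tuples."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src, dst in records:
        buckets[(src, dst)][int(ts // window)] += 1
    flagged = {}
    for pair, counts in buckets.items():
        run = longest = 0
        for b in range(min(counts), max(counts) + 1):  # include empty buckets
            if counts.get(b, 0) / window >= min_pps:
                run += window
                longest = max(longest, run)
            else:
                run = 0                                # streak broken
        if longest >= min_duration:
            flagged[pair] = longest
    return flagged

def burst_pairs(records, max_per_second=200):
    """Classic burst check: any single second above max_per_second packets."""
    per_second = defaultdict(int)
    for ts, src, dst in records:
        per_second[(src, dst, int(ts))] += 1
    return {(s, d) for (s, d, _), n in per_second.items() if n >= max_per_second}

def build_sample_records():
    """Constructed sample traffic (not captured data) toward one target host."""
    recs = []
    for t in range(300):                 # low-and-slow: 10 pkt/s for 300 s
        for i in range(10):
            recs.append((t + i / 10, "198.51.100.7", "192.0.2.10"))
    for i in range(1000):                # burst: 1000 packets inside 2 s
        recs.append((50 + i / 500, "203.0.113.5", "192.0.2.10"))
    for t in range(300):                 # ordinary client: 1 pkt/s
        recs.append((t, "192.0.2.55", "192.0.2.10"))
    return recs

if __name__ == "__main__":
    recs = build_sample_records()
    print("sustained low-rate:", sustained_low_rate_pairs(recs))
    print("burst:", burst_pairs(recs))
```

The burst check catches only the 2-second spike, while the sustained-rate check catches only the slow stream; a monitor for this class of problem needs the second kind of rule.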

There is some contradicting information here; as I understand it, the TCP connection queue is only used for connection attempts that have not completed the handshake yet. So my best bet is that they are doing something with the sockstress tool to make the DoS’ed host think the handshake was completed, but have it resend the SYN+ACK packet. Maybe by re-sending the SYN packet, or otherwise indicating the ACK packet wasn’t received, such as indicating the MTU has been exceeded.

Anyway, there is a lot more information available now than some people might realize. I’m sure that I am not the only one looking forward to the more detailed explanation that is supposed to be presented on the 17th!