The IP spoof problem shouldn't have been such a suprise to anyone. It has
been known publicly known about since 1985 with several papers on the topic
available to anyone. The papers were like telling how it would be possible
to pick the lock on every door in the world and it is more suprising that
that it took so long before someone actually started exploiting the problem.
And with this problem, it is relatively pretty simple to correct so that the
tcp's sequence numbers are not so easy to guess. It is pretty sad that you
have to have enough hackers exploiting a problem before these security
vulnerabilities are addressed and it is unfortunate that many vulnerabilities
are kept quiet by vendors till enough customers have been abused and someone
finally speaks out.
But here is something I find disturbing that you may want to pursue and
correct. I emailed most of the major Unix vendors that have this vulnerability
asking in light of the recent problems, if they were going to be providing
a patch to correct the situation and if so, how long. There was several
types of responses.
In some cases, I have not received a response after
2 days so either their security-alert email alias is overloaded and taking
days or weeks to respond. Or they haven't decided anything yet
or it is going to /dev/null, which may be the attitude of some vendors.
The typical response that I did received was that they were looking into it
and whether it was worth patching anytime soon. One response that did almost
suprise me coming from a major vendor was that because of CERT's stance on
the problem and saying the problem could be corrected by firewalls, they
didn't feel a need to release a patch. They also told me that IP Spoofing
only made your network slightly vulnerable. (I am not sure what could
make your network more vulnerable, Posting every confidental file and password
from your systems to Usenet?)
>From CERT's advisory it does not look like they are encouraging vendors to
provide any sort of patches and the only solution is to block spoofed
packets via firewall/router. I do not know how the majority of you feel,
but I think a more complete solution is needed here, not to just rely
on firewalls and routers. There are too many people on the net that do
not have the comforts of a firewall and even within a large organization,
you do not want your machines vulnerable to attack from anyone else who is
behind your firewall. Not only that, I hope most people realize that a
firewall is not a total solution to security on the net. It can be
in some cases detrimental due to an organization feeling all comfortable
behind their firewall and deceive them into not applying any other security
precautions. There have been quite a few cases where firewall security has
been by-passed and that should be a lesson to not rely on just a firewall.
I hope that other people who rely on vendors for patches tell their own
vendor how they feel and maybe with enough response from customers,
we will see companies come forward and provide needed security patches.
If you feel safe behind your firewall with all your machines insecure, then
you probably won't need to e-mail your vendor. 8-) Or if you rely on
free Unixes like NetBSD, they already have a patch available.
Obviously, the total solution will not be just with firewalls, nor patches.
Cryptography will be a large part of a total and permanent solution so that
network traffic can be properly encrypted and authenicated, but for now,
firewalls and patches can lower your risks to successful attacks a
fairly great amount.
I have written a list of vendors and how to contact their security group and
hope that people use it to discuss with their vendors their security needs.
Hopefully we will see a vendor come forward and provide patches and the
others soon to follow, eh?
To get the list of vendors, it is in Vendor FAQ available on
Christopher William Klaus Voice: (404)441-2531. Fax: (404)441-2431
Internet Security Systems, Inc. Computer Security Consulting
2000 Miller Court West, Norcross, GA 30071