Massive TCP Flaw Looming

By Rich

Yesterday, following up after recording the podcast on clickjacking, I was talking with Robert Hansen about the TCP flaw some contacts of his found over in Sweden. He wrote it up in his column on Dark Reading, and Dennis Fisher over at TechTarget also has some information up.

Basically, it’s a massive unpatched denial of service attack that can take down nearly anything that uses TCP, in some cases forcing remote systems to reboot or potentially causing local damage. The attack is codified in a tool called “Sockstress”, and Robert E. Lee and Jack C. Louis seem to be having trouble getting the infrastructure vendors to pay attention. I can’t help but think it’s because they are with a smaller company in Sweden; had this fallen into the hands of one of the major US vendors/labs methinks the alarm bells would be ringing a tad louder.

From what Robert told me, supported by the articles, this tool allows an attacker to basically take down anything they want from nearly anywhere (like a home connection).

Robert and Jack are trying to report and disclose responsibly, and I sure as heck hope the vendors are listening. Now might be the time for you big end users to start asking them questions about this. It’s hard to block an attack when it takes down your firewall, IPS, and the routers connecting everything.

One interesting tidbit: since this is in TCP, it also affects IPv6.


Yep- and a few others. I just put up an updated post. Bad, but not terrible.

By rmogull

[...] been a bunch of new information coming out the past few days about the potential big TCP denial of service flaw. The three most informative posts I’ve read [...]

By Why The TCP Attack Is Likely Bad

You guys see what Fyodor had to say about it?

By Albert

Yeah, that’s what it looks like, and I’m about to do another post on it…

By rmogull

It’ll be interesting to get additional information on this, some of the stories about it are making very dire predictions, but at the moment I’m not quite seeing it.

I’ve read the slides presented at Sec-T and from that what it seemed to me to be is a neat way to allow a single machine to do a TCP-level DoS which would previously have required a larger number of machines, but not something which couldn’t be done by anyone with a rented botnet…

By Rory Mccune
