How to Prepare Your Enterprise for the Recently Disclosed TCP Denial of Service Vulnerability
The TCP Denial of Service vulnerability that was recently partially disclosed by Outpost24 has left many InfoSec managers wondering whether any action is required to protect their enterprise. While there are no patches available, and no workarounds have been discovered, now is the time to begin preparations for actions that may need to be taken at a later time.
In general, InfoSec organizations should be doing much of the planning that should have been done previously. Now is the time to review patch management policies, discuss staffing issues with operations teams, and make sure that disaster recovery and business continuity plans are ready to deal with any crisis that may (or may not) happen in the future.
The Denial of Service Issue Explained
Robert E. Lee and Jack Louis of Outpost24, a Swedish security firm, recently disclosed fundamental problems with the TCP protocol that could lead to a Denial of Service. They’re currently working with many different vendors to create patches and/or workaround solutions, but none are currently available. As a result, the issue has only been partially disclosed, and the seriousness of the issue hasn’t even begun to be evaluated yet.
Denial of Service issues with Internet protocols are nothing new, and quite a few have been discovered over the years. What sets the Outpost24 discovery apart is how few resources the attacking host needs to accomplish a Denial of Service. According to Robert E. Lee, “from under forty packets per second, we could probably take off most TCP services that we interact with.” He goes on to note that there are several different attack scenarios, several of which will result in the attacked host being taken offline until it is rebooted.
The important part of the discovery is that all hosts that have been tested by Outpost24 have been found vulnerable, including Windows, Linux, and BSD servers, as well as routers, firewalls, and other network components.
The best source for information about the issue is the two podcasts that Robert E. Lee has recently done. CurbRisk has created and posted transcripts of the original podcast with a Dutch blog, as well as a followup with SC Magazine.
What this Means to Enterprise IT
Patching is certainly nothing new to enterprises. Any enterprise that uses computers has had to deal with Microsoft’s “Patch Tuesdays”, as well as patches released for other operating systems. The DNS vulnerability announced by Dan Kaminsky earlier this year was somewhat unusual, as it affected all DNS servers on multiple operating systems. This issue is unique in that it affects all network-connected devices running any TCP service on any operating system. IT organizations have never faced the challenge of patching all servers and networking devices simultaneously. As a result, it’s unlikely that many enterprises have plans in place to accomplish such a significant, previously unheard-of scenario.
Steps IT Organizations Should be Taking Now
Although the impact of this issue has yet to be fully understood, and it’s unknown whether vendors will be providing patches, it’s important to be prepared for anything that might happen as a result of this vulnerability.
Asset Prioritization
Update your list of assets, and ensure that you have full awareness of any critical part of the infrastructure. Be sure to include critical servers, routers, firewalls, IDS and IPS sensors, and any other part of the infrastructure that is important to the organization.
Create a Patching Plan
Work with your operations team to create a plan to quickly patch all of the critical assets in your organization. Identifying each asset in the order of its importance will make it easier to get the patches out to the most important systems first. In most cases, your network devices will be the most critical items. Also consider whether it’s appropriate to start patching your Internet-facing assets first, if your organization relies heavily on email or websites to communicate with clients.
Check your Business Continuity Plans
Make sure they account for the possibility of a sustained outage of the entire corporate network, or even an outage of the Internet. While it’s unlikely this vulnerability will take down the entire Internet, it’s a possibility that should be considered, and planned for. Even if this issue isn’t the “internet killer” that some have hyped it to be, there’s always the possibility of another vulnerability down the road with that devastating effect.
Verify Redundancy
If your organization does not have multiple carriers for Internet access, now might be the time to add some redundancy to your connectivity. Multi-homed Internet access is a best practice for any organization that relies upon its Internet connectivity for business. If someone manages to use this vulnerability to take down the routers at your primary carrier, you’ll want to have another for backup purposes.
Consider Using a Content Delivery Network
Content Delivery Networks like Akamai have the ability to cache your website content in many locations throughout the world. If your business relies on its websites to be available, a CDN might prove to be a valuable option to keep your sites available during a potential attack. You will still need to protect your source (origin) server, as the CDN must be able to contact it to build and update its cache.
Plan to get Operations Staff to Colocation Facilities
If you rely on “remote hands” staff at a colocation facility, understand that they’re likely to be completely overwhelmed by the volume of requests if a massive, critical multi-vendor patch is released. At some facilities, they’re likely to be tied up managing the patches for the facility itself, and may not have time to work on client equipment. If your colocation facility isn’t in close proximity to your operations staff, start planning how you’ll get them onsite to handle patches.
Start Communicating Within IT
Begin the process of speaking to IT executives, to let them know that you’re on top of the situation. If and when this story starts making the rounds of the mainstream media, it’s always best to be sure that executives know that you’re already aware of the potential for an issue, and that planning is under way.
It’s also time to start alerting the operations teams that something big may be coming, so they can consider staffing needs, and begin their own planning.
Communicate to your Users
Your users don’t need to know the specifics of this issue, or even that there is a potential issue. However, as part of your regular security awareness communications to users, stress the need for them to be very aware of anything they download from the Internet. If this vulnerability starts making its way into botnet or malware code, you want to ensure that your users aren’t likely to take down your network with that great game they found while browsing the web.
Don’t Panic
There’s much to be learned about this vulnerability as time progresses. It’s very possible that this is an urgent, serious issue that may have a tremendous impact on enterprises. It’s also possible that there’s an easy workaround, or the issue isn’t as serious as it seems. Start planning now, so that you don’t need to panic later.