(CERT advisory in question: http://www.cert.org/advisories/CA-98-13-tcp-denial-of-service.html)

TCP/IP "hole" leads to alert
By Jim Hu
December 22, 1998, 6:20 p.m. PT
http://www.news.com/News/Item/0%2C4%2C30250%2C00.html?sas.mail

A "hole" in the underlying language of the Internet could allow hackers to break into systems and cause an array of damage to targeted Web sites, according to a government-funded computer security watchdog.

[Remember that he clearly states "break into systems and cause an array of damage..."]

Vulnerable systems could encounter intruders who may use their sites as a launch pad for other attacks, according to the Computer Emergency Response Team Coordination Center, best known as CERT, which yesterday issued an advisory about the security concern.

["use their sites as a launch pad" once again.]

Most of the hardware running the Internet is not vulnerable to the hole in the TCP/IP protocols, CERT says. But vulnerable systems are subject to "IP spoofing," in which a perpetrator uses the security hole to break into a site and take over its IP address. Once that happens, the intruder can then send packets under the guise of the compromised address.

[BUZZ. IP Spoofing does NOT entail breaking into a site, at all.]

Intruders can then target other sites, causing machines to "crash, hang, or behave in unpredictable ways," the report said. The method of attack is similar to a "denial of service" attack, in which intruders don't actually break into a site, but block access by flooding it with email or Web traffic.

[At first it is a hole that allows entrance into a system... then it is an IP Spoofing problem... now it is "similar" to a Denial of Service attack. Three completely different classes of attack.]

This kind of attack is worse because it involves an actual break-in, according to security experts. Additionally, intruders can conceal their true location.

[The advisory explicitly states that remote users may crash or hang the machine. NOT break in.]
"Denial of service attacks ... are just aimed at preventing someone from using their own computers," said AT&T Labs Research Fellow Steven Bellovin. "In this case, an enemy can send some packets that will crash certain operating systems."

Ironically, "There is rarely any direct benefit to the attacker," Bellovin added. "It's usually the electronic equivalent of kids who walk down the street snapping off car antennas."

The exploitation of TCP/IP vulnerabilities is not as rare as many think, according to security experts. But only lately have computer systems focused on developing defenses against them.

"There are a lot of IP spoofing methods, and until very recently all systems were vulnerable to this," said Fred Cohen, a security expert at Sandia National Laboratory at Livermore, California. "It's widespread and it has caused a lot of problems."

CERT has also posted solutions to the exploit. The group recommends that sites reconfigure their routers or firewalls and install filtering on the routers to prevent IP spoofing attacks.

Other experts suggest still more measures. "The solution is to be really anal about the way you deal with trust relationships [with other sites]," said David Kennedy, security analyst at the International Computer Security Association. "Sites should require passwords, or some type of encryption."

Systems from Berkeley Software Design and FreeBSD reported that they are vulnerable to the TCP/IP exploit. Hardware manufacturers immune to attacks include: Cisco, Fujitsu, Hewlett-Packard, IBM, Livingston Enterprises, Computer Associates, Microsoft, NEC, Sun Microsystems, and Wind River Systems.