Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

Some Security Tools Fail With Multipath TCP

Researchers at Black Hat USA will reveal how multipath TCP breaks assumptions about how TCP works -- and the implications for network security.

The need for hardy networking connections has led to the development of Multipath TCP (MPTCP), which allows a Transmission Control Protocol (TCP) connection to use multiple paths to maximize resource usage and increase redundancy. But the explosion in mobile and Internet of Things devices also requires network security tools keep pace with change.

Neohapsis researchers Catherine Pearce and Patrick Thomas say very few security and network management tools are up to that challenge when it comes to MPTCP streams. At a presentation at the upcoming Black Hat USA conference in Las Vegas, the two plan to discuss how MPTCP eviscerates assumptions about TCP that are made by both tools and network engineers alike.

TCP is a foundational protocol for communication on the Internet that has largely stood the test of time, says Thomas. "It's used everywhere; it's used by everything," he says. "It's been around since the dawn of the Internet."

Yet TCP is not set up for the future of the Internet people are seeing now -- a highly-connected world featuring different types of connectivity, says Thomas.

This had led to the development of MPTCP, which allows TCP to talk over multiple paths simultaneously, decoupling it from a specific IP address. Doing this, however, creates a new reality for security. For starters, it affects the ability of intrusion detection systems to inspect, correlate, and reassemble traffic. This can add a new wrinkle to fragmentation attacks, Thomas says.

"An intrusion detection system that is not multipath TCP-aware, sees five different connections coming from different IP addresses, has no conception that they are related, and on each of them it sees complete garbage data," he says.

"If any of your security decisions, tools, thought-processes, manual processes, if they rely on any of... these four things, then something in those is going to break," he says. "Those four things that we've got are: If you expect to see all app layer data within a TCP stream; if you expect to differentiate clients from servers based on the connection direction; if you expect to tamper with or close bad connections midstream; or if attempt to associate logical connections to IP addresses. If you make any security decisions based on any of those, then those security mechanisms are going to break in the face of MPTCP."

During their presentation, which is scheduled for Wednesday at 3:30 p.m., the researchers will show tools and strategies for understanding and mitigating the risk of MPTCP-capable devices on a network.

Multipath TCP changes the way the Internet works at its core, explains Pearce.

"If we're not ready for this the impact of this could be probably at least as great as IPv6," she says, adding that the goal of the talk at Black Hat is to raise awareness.

"We want security to keep up with technology," she says.

 

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
anon5663234767
50%
50%
anon5663234767,
User Rank: Apprentice
4/14/2015 | 2:50:07 AM
MPTCP Security

ttp://www.it.uc3m.es/fvalera/t2/D2.4.pdf

Fairly recent paper from EU Trilogy2 project branch with tips and tools for dealing with security around MPTCP

 
 
EricD388
50%
50%
EricD388,
User Rank: Apprentice
8/1/2014 | 4:06:56 PM
Wireless Aggregation of Internet Bandwidth
This technology has been in the works for quite some time.  Delangis has three U.S. patents on this technology dating back to 2002.  Check out 7606156 and 8228801 for starters.
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15540
PUBLISHED: 2019-08-25
filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2.2 in CDemu does not validate the part size, triggering a heap-based buffer overflow that can lead to root access by a local Linux user.
CVE-2019-15538
PUBLISHED: 2019-08-25
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a ...
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.