The net's basic plumbing has a leak
One of the net's central technologies has a serious security vulnerability, warn UK and US infrastructure protection agencies.
Anyone exploiting the loophole could cause widespread disruption by subverting the way the internet ensures data reaches its intended destination.
The discovery has led to a large-scale and private effort to plug the hole before it becomes widely known.
So far there have been no reports of the vulnerability being exploited.
Serious problem
"Exploitation of this vulnerability could have affected the glue that holds the internet together," said Roger Cumming, head of the UK's National Infrastructure Security Coordination Centre.
The NISCC issued an alert about the vulnerability on Tuesday and was swiftly followed by the US Department of Homeland Security.
In its alert the DHS said the vulnerability "could lead to a denial-of-service condition that could affect a large segment of the internet community."
But it added: "Normal operations would most likely resume shortly after the attack stopped."
The vulnerability was found in the Transmission Control Protocol (TCP) that underpins the working of the internet.
It arises from the way that the net passes data around.
Security researcher Paul Watson has found a way to quickly discover the code numbers used to preserve streams of data travelling, for example, from a particular website to your net browser.
By crafting TCP data packets with the correct numbers and injecting them into the right traffic flow it becomes possible to end that datastream prematurely.
Widespread abuse of the bug could mean some parts of the web are cut off.
Before Mr Watson discovered the vulnerability it was thought that the time it would take to guess these large code numbers would make it impossible to mount such an attack.
Even after the discovery the UK's NISCC had doubts that any attack using it would be easy to mount.
It said there were numerous workarounds for the bug, the broad principles of which have been known for some time.
Mr Watson will present a paper about his discovery at the CanSecWest conference due to take place from 21-23 April in Vancouver, Canada.
"It's a significant risk," said Paul Vixie of the Internet Systems Consortium.
"Internet providers are jumping on this big time," he said. "It's really important this just gets fixed before the bad guys start exploiting it for fun and recognition."
Many makers of net hardware have already issued patches to customers that close the loophole.
Large net service providers have had advance notice of the bug and are thought to have taken steps to prevent their networks falling victim to it.