TCP Flaw Could Cripple the Web
CYBERSPACE — Another core internet protocol is vulnerable to attack, researchers said, and this flaw is a doozy. A bug in the transmission control protocol (TCP) puts broadband servers and routers at risk of suffering crippling denial-of-service attacks, researchers discovered. Not only that, but the flaw could allow the equipment to remain paralyzed even after an attack has stopped. The vulnerability can be exploited using very little bandwidth, but a DoS attack would consume an enormous amount of resources on the receiving end, the researchers said.
“If you use the internet and you serve a TCP-based service that you value the availability for, then this affects you,” Robert E. Lee, chief security officer for Sweden-based Outpost24, told The Register. “That may not be every internet user, but that’s certainly any IT manager, that’s certainly any website operator, mail server operator or router operator.
“We haven’t found anybody who has a TCP stack that runs TCP based services that isn’t vulnerable,” he added. “If they make a TCP stack, then it’s probably still going to be vulnerable to one or all of these attacks because this is something fundamental in how TCP works.”
Lee and an Outpost24 colleague, Jack Louis, discovered the bug in 2005, but they decided to keep the problem secret until they could find a solution. Three years later, they continue to struggle with a fix, so they went public in hopes others can help.
Now that they are aware of the vulnerability, other security experts have said it appears to be very real and every bit as serious as Lee indicated. He and his Outpost24 colleagues have remained vague about details in order to avoid alerting “black hats” to the potential for mischief-making.
The new flaw joins several others on a short list of core internet threats. In July, security researcher Dan Kaminsky revealed a core vulnerability that enabled hackers to attack the Web’s addressing system. The flaw was patched relatively quickly, although a few unpatched computers remain connected to the Web. In August, another group of researchers outlined a vulnerability that could allow Web traffic to be hijacked and tampered with.
Lee and Louis began notifying hardware and software manufacturers about their discovery, but manufacturers are still in the early stages of understanding the problem.
“They’re still trying to do triage and understand the individual attack types that we’ve identified for them,” Lee told The Register on October 1st. “We’re still trying to get them to back up a step. It’s a class of attack, not necessarily individual things that the vendors need to be focusing on.”
Currently, the only workaround is to forbid anonymous connections, which defeats the purpose of the World Wide Web. Once under attack, the only cure is to reboot the affected equipment.