Firewall Wizards mailing list archives

Re: BGP TCP RST Attacks (was:CIsco PIX vulnerable to TCP RST DOS attacks)


From: Henning Brauer <hb () bsws de>
Date: Thu, 6 May 2004 13:35:06 +0200

* Josh Welch <jwelch () buffalowildwings com> [2004-05-05 18:45]:
> Mikael Olsson said:
> <snip>
> > I still believe that the #1 impact of this vulnerability, as seen in an
> > Internet-wide perspective, is killing BGP sessions in core routers.
> > Do it a few times to trigger route flap detection, and you'll isolate
> > large chunks of the net from each other, or, worst case, from the rest
> > of the Internet.
>
> The advisories I have seen have made this same statement. However, according
> to another list I read there are a number of network operators who feel this
> is not a real threat. A number of them hold that it would be excessively
> challenging to be able to match up the source-ip:source-port and
> dest-ip:dest-port and effectively reset a BGP session without generating a
> large volume of traffic, which should be noticed in and of itself.

hilarious.
please think about it for a minute:
-one port (179) is known
-the other is to be guessed, which is trivial with cisco equipment
-due to their large window size and extremely poor ISNs, guessing
 a sequence number within the window is also rather easy

large volume of traffic? not at all.

-- 
Henning Brauer, BS Web Services, http://bsws.de
hb () bsws de - henning () openbsd org
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
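
An added example, not part of the original message: the receiver-side RST check the thread is arguing about, next to the stricter rule later standardized in RFC 5961 (which the thread does not mention), with a bound on how many blind guesses are needed to cover the sequence space. The window size, RCV.NXT value and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
enum rst_verdict { RST_DROP, RST_RESET, RST_CHALLENGE_ACK };
typedef enum rst_verdict (*rst_policy)(uint32_t, uint32_t, uint32_t);

/* True if seq is in [nxt, nxt + wnd); unsigned subtraction wraps mod 2^32. */
static int in_window(uint32_t seq, uint32_t nxt, uint32_t wnd)
{
    return (uint32_t)(seq - nxt) < wnd;
}

/* RFC 793: any RST with an in-window sequence number resets. */
enum rst_verdict rst_rfc793(uint32_t seq, uint32_t nxt, uint32_t wnd)
{
    return in_window(seq, nxt, wnd) ? RST_RESET : RST_DROP;
}

/* RFC 5961 sec. 3.2: reset only if seq == RCV.NXT; else challenge ACK. */
enum rst_verdict rst_rfc5961(uint32_t seq, uint32_t nxt, uint32_t wnd)
{
    if (!in_window(seq, nxt, wnd)) return RST_DROP;
    return seq == nxt ? RST_RESET : RST_CHALLENGE_ACK;
}

/* Upper bound on blind guesses: ceil(2^32 / wnd) per candidate port. */
uint64_t guesses_upper_bound(uint32_t wnd, uint32_t candidate_ports)
{
    if (wnd == 0) return 0; /* zero window: nothing is in-window */
    return (((1ULL << 32) + wnd - 1) / wnd) * candidate_ports;
}

/* Run one guess per window-sized stride through a policy; count resets. */
unsigned resets_from_sweep(rst_policy policy, uint32_t nxt, uint32_t wnd)
{
    unsigned resets = 0;
    for (uint64_t i = 0, n = guesses_upper_bound(wnd, 1); i < n; i++)
        if (policy((uint32_t)(i * wnd), nxt, wnd) == RST_RESET)
            resets++;
    return resets;
}

int main(void)
{
    uint32_t nxt = 0xFFFFF000u, wnd = 16384; /* constructed sample state */
    printf("rfc793 resets=%u rfc5961 resets=%u\n",
           resets_from_sweep(rst_rfc793, nxt, wnd),
           resets_from_sweep(rst_rfc5961, nxt, wnd));
    return 0;
}
```

The bound shrinks in proportion to the window size, which is why a large receive window matters here; under the exact-match rule the same sweep only produces a challenge ACK unless a guess happens to equal RCV.NXT.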

