nanog mailing list archives

Re: TCP RST attack (the cause of all that MD5-o-rama)


From: Patrick W. Gilmore <patrick () ianai net>
Date: Tue, 20 Apr 2004 15:40:38 -0400


On Apr 20, 2004, at 1:36 PM, Mike Tancsa wrote:

> http://www.uniras.gov.uk/vuls/2004/236929/index.htm

What is a typical receive window on a router? I have been told (have not confirmed) it was about 14 bits.

Assuming a well randomized starting sequence number (just give me this one for the moment), and a source port range of ~4K (one of the router vendor's defaults), at 10K pps it would still take ~29 hours on average to guess the proper values for everything necessary to RST a BGP session. (You can see my math at the end. Feel free to correct me if I missed something.)

Hitting a router for a full day at 10K pps is likely to be noticed by most networks. If you would not notice this, perhaps you should change your monitoring? :)

And, if you twiddle the defaults on the router vendor mentioned above, or you use a different router vendor, substituting "2^16" for "4000" in the paragraph above leads you to ... 19 days? (Someone check my math. :)

Of course, some of the reports say that ephemeral ports are not well randomized for some router vendors. :(


So, while this is an interesting application of technology (if you are a h4x0r k1dd13 :), I think if the router vendors used well randomized ephemeral ports and sequence numbers, and used the full range of ports available to them, most routers will fall over long before someone could guess the proper values and reset a single BGP session. Or at least the owners would notice before the reset succeeded. It would be even better if the receive window was tuned downward for BGP - not like you need a huge window for data transfer when the hosts are directly connected.

Then we could all stop frantically trying to synchronize thousands of keys between thousands of networks, an exercise which is destined to lose some data, and therefore some connectivity.

--
TTFN,
patrick


Sequence numbers are 32 bits. Since the miscreant only needs to guess once every 14 bits, you get:

  2^32 / 2^14 == 262144

There is a router vendor out there which defaults to source ports between 1024 and 5000, or so I have been told. (This router vendor does many things very well and should not be considered a Bad Vendor for this one minor error, which I hope they will fix ASAP.)

We now have:

  (5000 - 1024) * 262144 == 1042284544

Let's assume a typical router can take 10K pps to the main CPU without falling over. I know some can take slightly more, and many cannot take anywhere near that, but it is a nice round number. Taking 10K pps, we get:

  1042284544 / 10000 == 104228.4544

This means it will take about 29 hours to guess each possibility.

Of course, you will not have to guess each possibility to find the answer, so you should divide by two to get the average time to guess correctly. But then you don't know which side is on port 179, so you have to multiply by two, which kinda cancels that out.
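As an added illustration (not part of Patrick's post or any vendor's code), the work-factor arithmetic above as a short Python script: it reproduces the post's figures and lets the three assumptions the post discusses (receive window, ephemeral port range, packet rate the router CPU absorbs) be varied. Parameter values other than the post's own are constructed for illustration.

```python
# Added example, not from the NANOG post: blind TCP RST work-factor estimate.
# A RST is accepted if its sequence number lands anywhere inside the receive
# window, so the attacker needs one guess per window-sized slice of the
# 32-bit sequence space, and each guess must also hit the right source port.

SEQ_SPACE = 2 ** 32          # 32-bit TCP sequence number space
SECONDS_PER_HOUR = 3600


def rst_search_space(window_bytes: int, port_range: int) -> int:
    """Number of (sequence, source port) guesses to cover every possibility."""
    seq_guesses = SEQ_SPACE // window_bytes
    return seq_guesses * port_range


def hours_to_cover(window_bytes: int, port_range: int, pps: int) -> float:
    """Wall-clock hours to send every guess at a sustained packet rate."""
    return rst_search_space(window_bytes, port_range) / pps / SECONDS_PER_HOUR


def expected_hours(window_bytes: int, port_range: int, pps: int,
                   endpoint_known: bool = False) -> float:
    """Average-case time: halve because the right guess is found on average
    halfway through; double again if the attacker does not know which
    endpoint holds port 179 (the post's two cancelling factors)."""
    avg = hours_to_cover(window_bytes, port_range, pps) / 2
    return avg if endpoint_known else avg * 2


if __name__ == "__main__":
    pps = 10_000          # post's assumption: 10K pps to the main CPU
    window = 2 ** 14      # post's assumption: roughly 14-bit receive window
    scenarios = {
        "vendor default ports 1024-5000": 5000 - 1024,
        "full 16-bit ephemeral range": 2 ** 16,
    }
    for label, ports in scenarios.items():
        h = expected_hours(window, ports, pps)
        print(f"{label:32s} {rst_search_space(window, ports):>14,d} guesses "
              f"{h:8.1f} h ({h / 24:.1f} days)")
    # Tuning the BGP receive window downward, as the post suggests, multiplies
    # the attacker's work: a 1 KiB window (constructed value) is 16x more
    # guesses than a 16 KiB one.
    h_small = expected_hours(2 ** 10, 5000 - 1024, pps)
    print(f"{'1 KiB window, default ports':32s} {h_small:8.1f} h "
          f"({h_small / 24:.1f} days)")
```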

