Firewall Wizards mailing list archives
Re: BGP TCP RST Attacks (was:CIsco PIX vulnerable to TCP RST DOS attacks)
From: Chuck Swiger <chuck () codefab com>
Date: Wed, 5 May 2004 12:30:12 -0400
On May 5, 2004, at 11:23 AM, Josh Welch wrote:
A number of them hold that it would be excessively challenging to be able to match up the source-ip:source-port and dest-ip:dest-port and effectively reset a BGP session without generating a large volume of traffic, which should be noticed in and of itself.
You (or they) are right that the ability to exploit this vulnerability depends on knowing or guessing the data you mention above, as well as picking a sequence # within the connection window.
Traditionally, you could do this feasibly only by sniffing the traffic, but it turns out for the case of BGP sessions, three of the four pieces of data are published, and it's not too hard to try beating on low source port #'s given the way source ports are typically allocated. Randomizing the source port allocated by the system helps a great deal, as does the proposed RFC which requires that the sequence # of a RST match exactly rather than just falling within the window.
TCP RST attacks are low on the list of vulnerabilities in terms of exploitability under most circumstances, but persistent connections are vulnerable given enough time. All of that being said, if you have a machine which is directly connected to the Internet, expect that it will see hostile traffic going by. For the case of BGP peering, it's not hard to find an effective workaround, like enabling the MD5 checksum option or using the TTL trick. [Set your routers to use a default TTL of 255, and drop BGP connections which are too many hops away to be valid given your topology...]
--
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
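The two receiver-side checks Chuck mentions, modelled as an added example for this archive page (not code from the thread, nor from any router vendor): the classic in-window RST test beside the exact-match rule of the draft he refers to (the behaviour later standardized in RFC 5961, with a challenge ACK for in-window but inexact RSTs), and the TTL hop-count check (GTSM). Sequence numbers, window size and hop counts are constructed values; `Connection`, `rst_action_legacy`, `rst_action_strict`, `accepted_seq_values` and `gtsm_accept` are hypothetical names for this illustration, not a real TCP stack.

```python
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class Connection:
    rcv_nxt: int   # next sequence number the receiver expects
    rcv_wnd: int   # advertised receive window, in bytes


def in_window(conn: Connection, seq: int) -> bool:
    """RFC 793 test: is seq inside [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32?"""
    return (seq - conn.rcv_nxt) % SEQ_SPACE < conn.rcv_wnd


def rst_action_legacy(conn: Connection, seq: int) -> str:
    """Old behaviour: any RST whose seq falls in the window tears the session down."""
    return "reset" if in_window(conn, seq) else "drop"


def rst_action_strict(conn: Connection, seq: int) -> str:
    """Exact-match rule: only seq == rcv_nxt resets the connection.
    An in-window but inexact RST gets a challenge ACK, which lets a genuine
    peer resend with the right number while a blind guess achieves nothing."""
    if seq == conn.rcv_nxt:
        return "reset"
    if in_window(conn, seq):
        return "challenge_ack"
    return "drop"


def accepted_seq_values(rcv_wnd: int, strict: bool) -> int:
    """How many of the 2^32 sequence values a RST would be honoured with.
    This is what the exact-match rule shrinks: from rcv_wnd values to one."""
    return 1 if strict else rcv_wnd


def gtsm_accept(ttl: int, max_hops: int) -> bool:
    """TTL trick / GTSM: the peer sends with TTL 255, so a segment that has
    travelled more than max_hops router hops arrives with too low a TTL and
    is dropped before the TCP layer ever sees its RST."""
    return ttl >= 255 - max_hops


if __name__ == "__main__":
    conn = Connection(rcv_nxt=1000, rcv_wnd=65535)  # constructed session state
    for seq in (1000, 50000, 70000):
        print(seq, rst_action_legacy(conn, seq), rst_action_strict(conn, seq))
    print("directly connected peer, TTL 254 seen:", gtsm_accept(254, 0))
```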