Firewall Wizards mailing list archives

Re: BGP TCP RST Attacks (was: Cisco PIX vulnerable to TCP RST DOS attacks)


From: Chuck Swiger <chuck () codefab com>
Date: Wed, 5 May 2004 12:30:12 -0400

On May 5, 2004, at 11:23 AM, Josh Welch wrote:
> A number of them hold that it would be excessively
> challenging to be able to match up the source-ip:source-port and
> dest-ip:dest-port and effectively reset a BGP session without generating a
> large volume of traffic, which should be noticed in and of itself.

You (or they) are right that the ability to exploit this vulnerability depends on knowing or guessing the data you mention above, as well as picking a sequence # within the connection window.

Traditionally, you could do this feasibly only by sniffing the traffic, but it turns out for the case of BGP sessions, three of the four pieces of data are published, and it's not too hard to try beating on low source port #'s given the way source ports are typically allocated. Randomizing the source port allocated by the system helps a great deal, as does the proposed RFC which requires that the sequence # of a RST match exactly rather than just falling within the window.

TCP RST attacks are low on the list of vulnerabilities in terms of exploitability under most circumstances, but persistent connections are vulnerable given enough time. All of that being said, if you have a machine which is directly connected to the Internet, expect that it will see hostile traffic going by. For the case of BGP peering, it's not hard to find effective workarounds, like enabling the MD5 checksum option or using the TTL trick. [Set your routers to use a default TTL of 255, and drop BGP connections which are too many hops away to be valid given your topology...]

--
-Chuck

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
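The two defensive mechanisms Chuck describes, the exact-match rule for RST sequence numbers (the "proposed RFC" of 2004, later published as RFC 5961) and the TTL trick (GTSM, RFC 5082), can be modelled in a few lines. The following is an added example written for this archive page, not code from the post or from any router vendor; the function names, the `RcvState` type and the sample window sizes are assumptions chosen for illustration. It contrasts the RFC 793 in-window RST check with the strict check, shows how many sequence values an off-path sender would have to cover under each rule, and implements the hop-count check a router applies to an incoming BGP packet's TTL.

```python
"""Model of RST acceptance rules and the GTSM TTL check (added example, not from the post)."""
from dataclasses import dataclass
import math

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class RcvState:
    """Receiver-side state of one TCP connection (hypothetical helper type)."""
    rcv_nxt: int   # next sequence number the receiver expects
    rcv_wnd: int   # advertised receive window in bytes


def in_window(seq: int, st: RcvState) -> bool:
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2^32."""
    return (seq - st.rcv_nxt) % SEQ_SPACE < st.rcv_wnd


def rst_legacy(seq: int, st: RcvState) -> str:
    """RFC 793 rule: any RST whose sequence number falls inside the window
    tears the connection down."""
    return "reset" if in_window(seq, st) else "drop"


def rst_strict(seq: int, st: RcvState) -> str:
    """Exact-match rule (RFC 5961): only seq == RCV.NXT resets. An in-window
    but inexact RST gets a challenge ACK, so a genuine peer that really lost
    state can resend with the exact number while a blind guess achieves nothing."""
    if seq == st.rcv_nxt:
        return "reset"
    if in_window(seq, st):
        return "challenge_ack"
    return "drop"


def blind_guesses_needed(rcv_wnd: int, strict: bool) -> int:
    """Number of distinct sequence values an off-path sender must try, for one
    already-known 4-tuple, to be sure of hitting the accepted value: one per
    window under the legacy rule, one per sequence value under the strict rule.
    This is the arithmetic behind 'match exactly rather than just falling
    within the window' making the attack much harder."""
    return SEQ_SPACE if strict else math.ceil(SEQ_SPACE / rcv_wnd)


def gtsm_accept(ttl: int, max_hops: int) -> bool:
    """TTL trick: the peer sends with TTL 255 and every router hop decrements
    it by one. Accept only if the TTL proves the sender is within max_hops;
    max_hops=0 for a directly connected eBGP neighbour. A packet that crossed
    more hops than the topology allows cannot have a TTL this high."""
    return ttl >= 255 - max_hops


if __name__ == "__main__":
    # Constructed sample state: a BGP session with a 64 KiB window.
    st = RcvState(rcv_nxt=1000, rcv_wnd=65536)
    for seq in (1000, 40000, 70000):
        print(f"seq={seq:6d} legacy={rst_legacy(seq, st):6s} strict={rst_strict(seq, st)}")
    print("guesses, legacy:", blind_guesses_needed(st.rcv_wnd, strict=False))
    print("guesses, strict:", blind_guesses_needed(st.rcv_wnd, strict=True))
    print("TTL 255 from directly connected peer accepted:", gtsm_accept(255, 0))
    print("TTL 253 from directly connected peer accepted:", gtsm_accept(253, 0))
```

The `challenge_ack` outcome is what makes the strict rule safe for legitimate peers: a router that genuinely lost its connection state answers the challenge ACK with a RST carrying the exact expected sequence number, whereas an off-path sender never sees the challenge and so never learns it. The GTSM check is applied per packet on the receiving router, which is why it costs nothing in session state and pairs well with the MD5 option rather than replacing it.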

