Firewall Wizards mailing list archives

RE: BGP TCP RST Attacks (was: Cisco PIX vulnerable to TCP RST DOS attacks)


From: "Ahmed, Balal" <balal.ahmed () capgemini com>
Date: Thu, 6 May 2004 09:47:18 +0100


Microsoft-targeted exploits usually arrive on the scene 3 - 8 weeks after a
vulnerability has been announced; this TCP RST advisory cannot be looked at
in the same light, though, as it is cross-platform/vendor.

As stated elsewhere in this thread, the largest threat vector will be feeds
from the Internet. Given that Sasser exploited a known vulnerability for
which a patch was available, no patch release from any vendor should be
dismissed without due process and risk analysis with buy-in from security
officers and management. It's very easy to dismiss a vulnerability without
assessing the full impact until it is exploited, by which time it's too late.

The decision on patching kit in this case should be based around how
important availability is for your information assets. Being security
professionals, can we afford not to patch up to the latest release or patches
where possible?


-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Josh Welch
Sent: 05 May 2004 16:24
To: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] BGP TCP RST Attacks (was: Cisco PIX vulnerable to TCP RST DOS attacks)

Mikael Olsson said:
<snip>
I still believe that the #1 impact of this vulnerability, as seen in an
Internet-wide perspective, is killing BGP sessions in core routers.
Do it a few times to trigger route flap detection, and you'll isolate
large chunks of the net from each other, or, worst case, from the rest
of the Internet.


The advisories I have seen have made this same statement. However, according
to another list I read, there are a number of network operators who feel this
is not a real threat. A number of them hold that it would be excessively
challenging to match up the source-ip:source-port and dest-ip:dest-port and
effectively reset a BGP session without generating a large volume of traffic,
which should be noticed in and of itself. So, I am wondering what people have
been seeing; has anyone yet seen evidence of an attempt to exploit this?
Thanks,
Josh

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards





