Firewall Wizards mailing list archives
RE: BGP TCP RST Attacks (was:CIsco PIX vulnerable to TCP RST DOS attacks)
From: "Ahmed, Balal" <balal.ahmed () capgemini com>
Date: Thu, 6 May 2004 09:47:18 +0100
Microsoft-targeted exploits usually arrive on the scene 3 - 8 weeks after a vulnerability has been announced. This TCP RST advisory cannot be looked at in the same light, though, as it is cross-platform/vendor. As stated elsewhere in this thread, the largest threat vector will be feeds from the Internet.

Given that Sasser exploited a known vulnerability for which a patch was available, no patch release from any vendor should be dismissed without due process and risk analysis, with buy-in from security officers and management. It's very easy to dismiss a vulnerability without assessing the full impact until it is exploited, by which time it's too late. The decision on patching kit in this case should be based around how important availability is for your information assets.

Being security professionals, can we afford not to apply the latest releases or patches where possible?

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Josh Welch
Sent: 05 May 2004 16:24
To: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] BGP TCP RST Attacks (was:CIsco PIX vulnerable to TCP RST DOS attacks)

Mikael Olsson said:
<snip>
I still believe that the #1 impact of this vulnerability, as seen in an Internet-wide perspective, is killing BGP sessions in core routers. Do it a few times to trigger route flap detection, and you'll isolate large chunks of the net from each other, or, worst case, from the rest of the Internet.
The advisories I have seen have made this same statement. However, according to another list I read, there are a number of network operators who feel this is not a real threat. A number of them hold that it would be excessively challenging to match up the source-ip:source-port and dest-ip:dest-port and effectively reset a BGP session without generating a large volume of traffic, which should be noticed in and of itself.

So, I am wondering what people have been seeing. Has anyone yet seen evidence of an attempt to exploit this?

Thanks,
Josh

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
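Josh's point about the volume of spoofed traffic can be put in numbers. The simulation below is an added example, not code from this thread or from any of its participants. It models the receiver-side TCP state of a BGP peering and a blind attacker who knows both peer addresses and the well-known port 179, but must guess the peer's ephemeral source port and land a RST whose sequence number falls inside the receive window (the RFC 793 acceptance test that the 2004 advisory concerns). The addresses, the 65536-byte window, the 1024-1028 candidate port range and the sequence numbers are constructed values. A second run switches on the tightened check from Watson's proposal (later standardized as RFC 5961): a RST is only honoured if it matches RCV.NXT exactly, and an in-window but inexact RST draws a challenge ACK instead, which removes the window-sized shortcut the attacker relies on.

```python
"""Blind TCP RST attack simulation against a long-lived session such as a
BGP peering (TCP/179).

Added example, not code from the original thread. The attacker knows both
peer addresses and the well-known port 179, must guess the ephemeral source
port, and must place a RST whose sequence number the victim accepts. All
addresses, ports, window sizes and sequence numbers are constructed values.
"""
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32


@dataclass
class TcpEndpoint:
    """Minimal receiver-side state for one established connection."""
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    rcv_nxt: int               # next sequence number expected from the peer
    rcv_wnd: int               # advertised receive window
    strict_rst: bool = False   # False: RFC 793 in-window test; True: exact RCV.NXT match
    established: bool = True
    challenge_acks: int = 0

    def in_window(self, seq: int) -> bool:
        """RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, with 32-bit wraparound."""
        return (seq - self.rcv_nxt) % SEQ_SPACE < self.rcv_wnd

    def receive_rst(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                    seq: int) -> bool:
        """Process one spoofed RST. Returns True if it tore the connection down."""
        if not self.established:
            return False
        # A segment only reaches this connection if the full 4-tuple matches.
        if (src_ip, src_port, dst_ip, dst_port) != (
                self.remote_ip, self.remote_port, self.local_ip, self.local_port):
            return False
        if not self.in_window(seq):
            return False
        if self.strict_rst and seq != self.rcv_nxt:
            # Tightened check: in-window but inexact RST gets a challenge ACK instead.
            self.challenge_acks += 1
            return False
        self.established = False
        return True


def blind_rst_attack(victim: TcpEndpoint, peer_ip: str, victim_ip: str, victim_port: int,
                     port_lo: int, port_hi: int, guess_wnd: int) -> int:
    """Spoof RSTs from peer_ip for every candidate source port and every
    guess_wnd-sized slice of sequence space. Returns the number of segments
    sent until the session dropped, or until the search space was exhausted."""
    sent = 0
    for port in range(port_lo, port_hi + 1):
        for seq in range(0, SEQ_SPACE, guess_wnd):
            sent += 1
            if victim.receive_rst(peer_ip, port, victim_ip, victim_port, seq):
                return sent
    return sent


def worst_case_segments(candidate_ports: int, guess_wnd: int) -> int:
    """Upper bound on spoofed segments: one per port per window-sized slice."""
    return candidate_ports * -(-SEQ_SPACE // guess_wnd)   # ceiling division


def run_demo() -> dict:
    """Attack the same constructed BGP session twice: permissive, then strict."""
    results = {}
    for strict in (False, True):
        # Constructed: router 192.0.2.1 listens on 179; peer 198.51.100.1 uses
        # ephemeral port 1027. The attacker only knows the port lies in 1024-1028.
        victim = TcpEndpoint("192.0.2.1", 179, "198.51.100.1", 1027,
                             rcv_nxt=0x12345678, rcv_wnd=65536, strict_rst=strict)
        sent = blind_rst_attack(victim, "198.51.100.1", "192.0.2.1", 179,
                                port_lo=1024, port_hi=1028, guess_wnd=victim.rcv_wnd)
        results["strict" if strict else "permissive"] = {
            "segments_sent": sent,
            "session_dropped": not victim.established,
            "challenge_acks": victim.challenge_acks,
        }
    results["worst_case"] = worst_case_segments(5, 65536)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Even with the source port narrowed to five candidates, the permissive receiver drops the session only after roughly two hundred thousand spoofed segments, which is the traffic volume the operators Josh mentions expect to notice; a real ephemeral range multiplies that by orders of magnitude. Against the strict receiver the same search produces a single challenge ACK and no teardown, because the attacker would now need the exact 32-bit sequence number per port rather than one hit per 65536-wide slice.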