nanog mailing list archives

Re: TCP/BGP vulnerability - easier than you think


From: Daniel Roesen <dr () cluenet de>
Date: Wed, 21 Apr 2004 13:19:51 +0200


On Wed, Apr 21, 2004 at 01:00:07PM +0200, Iljitsch van Beijnum wrote:
> All things considered, I think MD5 authentication will lower the bar
> for attackers, not raise it.  I'm sure code optimizations could fix
> things to some degree, but that's just not the case today.
>
> Which begs the question, what is one to do,

How about:

access-list 123 deny   tcp any any eq bgp rst log-input
access-list 123 deny   tcp any eq bgp any rst log-input

Unfortunately, not all vendors are able to look at the RST bit when filtering...

The general ignorance to the fact that SYN works as well is
astonishing. :-)
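To show concretely what the two access-list lines above do and do not catch, here is an added example (not code from the post or from any vendor): it parses constructed IPv4/TCP headers, applies the RST-only filter, and compares it with an assumed inbound ACL that permits TCP/179 only from configured peers, which also drops the spoofed SYNs mentioned above. Addresses, the peer set and all packets are constructed.

```python
import struct
from dataclasses import dataclass

BGP_PORT = 179
TCP_SYN, TCP_RST = 0x02, 0x04


@dataclass
class TcpSegment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Constructed test packet: minimal 20-byte IPv4 header + 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


def parse_ipv4_tcp(raw):
    """Extract only the fields the ACL looks at: addresses, ports and TCP flags."""
    if raw[9] != 6:
        raise ValueError("not TCP")
    ihl = (raw[0] & 0x0F) * 4
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return TcpSegment(src, dst, sport, dport, raw[ihl + 13] & 0x3F)


def touches_bgp(seg):
    return seg.sport == BGP_PORT or seg.dport == BGP_PORT


def acl_rst_only(seg):
    """The two lines from the post: deny TCP to/from port 179 when RST is set."""
    return "deny" if touches_bgp(seg) and seg.flags & TCP_RST else "permit"


def acl_known_peers(seg, peers):
    """Assumed tighter inbound ACL: TCP/179 only from configured peers, everything
    else to/from the BGP port is denied, so a spoofed SYN from elsewhere is dropped too."""
    if not touches_bgp(seg):
        return "permit"
    return "permit" if seg.src in peers else "deny"


def evaluate(raw, peers):
    seg = parse_ipv4_tcp(raw)
    return {"rst_only": acl_rst_only(seg), "peer_acl": acl_known_peers(seg, peers)}
```

The `log-input` side is not modelled; a real filter would also log the denied packets with their ingress interface.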
