nanog mailing list archives
Re: TCP/BGP vulnerability - easier than you think
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Wed, 21 Apr 2004 15:09:15 +0200
On 21-apr-04, at 14:38, Daniel Roesen wrote:
So the attacker sends a spoofed SYN to router A, and router A sends an RST to router B and router B terminates the BGP session.
Correct.
The good part here is that filtering RSTs should still work.
It doesn't. The RST are then being sent by the authorized sender andyour edge anti-spoof filtering for RST doesn't help a single millimeter.
Now it's your time to overlook something: the filters I listed in my earlier message simply filter RSTs to/from the BGP port without looking at the address fields. Filtering ALL RSTs is probably a bad idea as broken sessions will then have to time out, possibly inconveniencing users (and thereby generating support calls). But for BGP this isn't much of an issue as the BGP hold timer takes care of business here anyway. So I believe filtering out all BGP RSTs on all edges is probably a good idea.
Current thread:
- RE: TCP/BGP vulnerability - easier than you think, (continued)
- RE: TCP/BGP vulnerability - easier than you think David Luyer (Apr 20)
- Re: TCP/BGP vulnerability - easier than you think Adam Rothschild (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think E.B. Dreger (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think E.B. Dreger (Apr 22)
- Re: TCP/BGP vulnerability - easier than you think Iljitsch van Beijnum (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Daniel Roesen (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Iljitsch van Beijnum (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Daniel Roesen (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Iljitsch van Beijnum (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Daniel Roesen (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Iljitsch van Beijnum (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Daniel Roesen (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Iljitsch van Beijnum (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Paul Jakma (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Iljitsch van Beijnum (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Paul Jakma (Apr 21)
- RE: TCP/BGP vulnerability - easier than you think David Luyer (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Crist Clark (Apr 22)
- Re: TCP/BGP vulnerability - easier than you think John Kristoff (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think E.B. Dreger (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Iljitsch van Beijnum (Apr 22)