Re: TCP/BGP vulnerability - easier than you think

[Iljitsch van Beijnum <iljitsch () muada com>]

On 21-apr-04, at 15:21, Daniel Roesen wrote:

> As you didn't specify where to apply these filters, I guessed on the
> edges. I would have never thought that someone would really suggest
> to deliberately break RST for valid BGP sessions.

Try me.  :-)  But don't forget the borders, those are more important.

> > So I believe filtering out all BGP RSTs on all edges is
> > probably a good idea.

> RST and SYN.

I can live with legitimate RSTs as collateral damage, but legitimate 
SYNs are probably best left alone... Unfortunately, at the receiving 
end there is no way to determine whether a packet is spoofed, so we 
must allow all pertinent SYNs through.

> But that's still patchwork. Do anti-spoofing filtering
> in general, not only mitigating _this_ thread. Don't allow packets
> from source IPs of your originated IP spaces enter your network,

Of course. The problem is that this offers no protection against remote 
spoofers.

> ADDITIONALLY to securing the transport via TCP MD5 authentication or
> even better with IPSEC.

I'm not recommending this for "small" peers as the crypto DoS risk is 
worse than what happens when the attack is executed successfully.

> Having always two lines of defense is good
> security practise, especially if the doors to properly close are
> many (edge interfaces).

No disagreement there.