nanog mailing list archives
Re: TCP/BGP vulnerability - easier than you think
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Wed, 21 Apr 2004 16:06:25 +0200
On 21-apr-04, at 15:21, Daniel Roesen wrote:
> As you didn't specify where to apply these filters, I guessed on the edges. I would have never thought that someone would really suggest deliberately breaking RST for valid BGP sessions.
Try me. :-) But don't forget the borders, those are more important.
> So I believe filtering out all BGP RSTs on all edges is probably a good idea.
RST and SYN.
I can live with legitimate RSTs as collateral damage, but legitimate SYNs are probably best left alone... Unfortunately, at the receiving end there is no way to determine whether a packet is spoofed, so we must allow all pertinent SYNs through.
> But that's still patchwork. Do anti-spoofing filtering in general, not only mitigating _this_ threat. Don't allow packets from source IPs of your originated IP spaces enter your network,
Of course. The problem is that this offers no protection against remote spoofers.
> ADDITIONALLY to securing the transport via TCP MD5 authentication or even better with IPSEC.
I'm not recommending this for "small" peers as the crypto DoS risk is worse than what happens when the attack is executed successfully.
> Having always two lines of defense is good security practice, especially if the doors to properly close are many (edge interfaces).
No disagreement there.
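The second line of defense mentioned above, TCP MD5 authentication (RFC 2385), is what makes a spoofed RST harmless even when it arrives with the right 4-tuple and an in-window sequence number: the receiver discards any segment on a protected session that does not carry a signature computed with the shared key. The Python below is an added example, not code from the thread or from any router vendor; it models only the receiver-side check. The addresses, ports, key and segments are constructed for the demonstration, and the two-NOP padding of the 20-byte option is an assumption about layout (RFC 2385 leaves padding to the implementation).

```python
"""Receiver-side model of the TCP MD5 Signature Option (RFC 2385).

Added example: addresses, ports, key and segments are constructed.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace
from ipaddress import IPv4Address
from typing import Dict, Optional

BGP_PORT = 179
TCP_PROTO = 6
FLAG_SYN, FLAG_RST, FLAG_ACK = 0x02, 0x04, 0x10
FIXED_HEADER_LEN = 20
# Option kind 19, length 18, 16-byte digest, plus two NOPs to reach a
# 4-byte boundary (assumed layout; RFC 2385 does not mandate the padding).
MD5_OPTION_LEN = 20


@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    payload: bytes = b""
    md5_option: Optional[bytes] = None  # digest carried in option kind 19, if any


def fixed_tcp_header(seg: Segment, header_len: int) -> bytes:
    """The 20-byte TCP header as RFC 2385 hashes it: checksum zeroed and
    options omitted, but the data-offset field still covers the full header."""
    offset_flags = ((header_len // 4) << 12) | seg.flags
    return struct.pack("!HHIIHHHH", seg.src_port, seg.dst_port, seg.seq,
                       seg.ack, offset_flags, 65535, 0, 0)


def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """MD5 over pseudo-header, fixed TCP header, payload and key, in that order."""
    header_len = FIXED_HEADER_LEN + MD5_OPTION_LEN
    seg_len = header_len + len(seg.payload)
    pseudo = (IPv4Address(seg.src_ip).packed + IPv4Address(seg.dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    h = hashlib.md5()
    h.update(pseudo)
    h.update(fixed_tcp_header(seg, header_len))
    h.update(seg.payload)
    h.update(key)
    return h.digest()


def sign(seg: Segment, key: bytes) -> Segment:
    """Return a copy of the segment carrying the signature for this key."""
    return replace(seg, md5_option=tcp_md5_digest(seg, key))


def accept(seg: Segment, key: bytes) -> bool:
    """Receiver rule for a protected session: unsigned segments and segments
    whose signature does not match are discarded before TCP processes them,
    so a RST that the sender could not sign never tears the session down."""
    if seg.md5_option is None:
        return False
    return hmac.compare_digest(seg.md5_option, tcp_md5_digest(seg, key))


def demo() -> Dict[str, bool]:
    """Constructed session between two peers; shows which RSTs survive the check."""
    key = b"constructed-demo-key"          # constructed shared secret
    a, b = "192.0.2.1", "198.51.100.1"     # documentation-range addresses
    legit_rst = sign(Segment(a, b, BGP_PORT, 40001, 1000, 5000, FLAG_RST | FLAG_ACK), key)
    # Same 4-tuple and in-window sequence number, but no knowledge of the key.
    spoofed_unsigned = Segment(a, b, BGP_PORT, 40001, 1000, 5000, FLAG_RST | FLAG_ACK)
    spoofed_wrong_key = sign(spoofed_unsigned, b"wrong-key")
    # A genuine signed segment with one field altered in flight fails too.
    tampered = replace(legit_rst, seq=legit_rst.seq + 1)
    return {
        "legit_signed_rst": accept(legit_rst, key),
        "spoofed_unsigned_rst": accept(spoofed_unsigned, key),
        "spoofed_wrong_key_rst": accept(spoofed_wrong_key, key),
        "tampered_signed_rst": accept(tampered, key),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'accepted' if verdict else 'discarded'}")
```

The check covers SYNs as well as RSTs, which is why the thread's caveat about having to let spoofed SYNs through at the edge does not apply once a session is MD5-protected; the remaining cost is the one raised above, namely that each unsigned or bad segment still consumes an MD5 computation on the router before it is discarded.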