nanog mailing list archives
Re: TCP/BGP vulnerability - easier than you think
From: Pete Kruckenberg <pete () kruckenberg com>
Date: Wed, 21 Apr 2004 11:42:39 -0600 (MDT)
Interesting that Cisco uses random port selection with SNMP (http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml, see the Detail selection) but not with TCP. Too bad that TCP ports aren't randomized even with the "fixed" IOS versions. Would seem that as long as you're implementing security features like TCP RST confirmation, might as well implement randomized source ports.
From Theo de Raadt at OpenBSD:
http://archives.neohapsis.com/archives/openbsd/2004-04/1351.html This entire thing is being "sold" as `cross-vendor problem'. Sure. Some vendors have a few small issues to solve in this area. Minor issues. For us, those issues are 1/50000 smaller than they are for other vendors. Post-3.5, we have fixes which make the problem even smaller. But one vendor -- Cisco -- has an *UTTERLY GIGANTIC HUGE* issue in this regard, and as you can see, they have not yet made an announcement see.. You are being told "lots of people have a problem". By not seperating out the various problems combined in their notice, or the impact of those problems, you are not being told the whole truth. --- Pete. On Wed, 21 Apr 2004, Todd Vierling wrote:
Date: Wed, 21 Apr 2004 11:37:04 -0400 (EDT) From: Todd Vierling <tv () duh org> To: David Luyer <david () luyer net> Cc: 'Patrick W.Gilmore' <patrick () ianai net>, nanog () merit edu Subject: Re: TCP/BGP vulnerability - easier than you think On Wed, 21 Apr 2004, David Luyer wrote: : > You missed the "(assuming the attacker can accurately guess both : > ports)" part. : A significant number of BGP sessions will be with a source : port of 11000, 11001 or 11002; BGP sessions are generally : quite stable and Cisco routers start the source port at : 11000. If true, *that* would be a security risk in Cisco's port selection algorithm. Many modern OS's do not do simple sequential allocation of ports, making this point invalid.
Current thread:
- Re: TCP/BGP vulnerability - easier than you think, (continued)
- Message not available
- Re: TCP/BGP vulnerability - easier than you think Iljitsch van Beijnum (Apr 23)
- Message not available
- Re: TCP/BGP vulnerability - easier than you think Iljitsch van Beijnum (Apr 23)
- Re: TCP/BGP vulnerability - easier than you think Leo Bicknell (Apr 23)
- Re: TCP/BGP vulnerability - easier than you think Petri Helenius (Apr 23)
- Re: TCP/BGP vulnerability - easier than you think Todd Vierling (Apr 23)
- Re: TCP/BGP vulnerability - easier than you think Priscilla Oppenheimer (Apr 26)
- Re: TCP/BGP vulnerability - easier than you think Iljitsch van Beijnum (Apr 27)
- Re: TCP/BGP vulnerability - easier than you think Priscilla Oppenheimer (Apr 27)
- Re: TCP/BGP vulnerability - easier than you think Simon Leinen (Apr 28)
- Re: TCP/BGP vulnerability - easier than you think Todd Vierling (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Pete Kruckenberg (Apr 21)
- Vendor TCP oops-es (was Re: TCP/BGP vulnerability) Todd Vierling (Apr 21)
- Re: Vendor TCP oops-es (was Re: TCP/BGP vulnerability) Iljitsch van Beijnum (Apr 21)
- Re: Massive stupidity (Was: Re: TCP vulnerability) Alexei Roudnev (Apr 22)