nanog mailing list archives

Re: TCP/BGP vulnerability - easier than you think


From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Fri, 23 Apr 2004 11:48:43 +0200


On 23-apr-04, at 8:35, Florian Weimer wrote:

> So I believe filtering out all BGP RSTs on all
> edges is probably a good idea.
> 
> (Edges and borders.)
> 
> The problem is that even if you filter the RST, the state transition
> occurs at the side which receives the SYN and generates the RST.  This
> means that the connection has been desynchronized and will eventually
> come down; no further data transfer is possible.

Although it doesn't follow from earlier text, on page 71 RFC 793 states that an in-window SYN should reset an ESTABLISHED session. So you are right. This is very bad.

BTW, anyone seen anything supporting Paul Watson's claim that all it takes to break a session is four packets? I assume he's talking about this vulnerability that was fixed in FreeBSD in 1998: http://ciac.llnl.gov/ciac/bulletins/j-008.shtml

I certainly hope our collective favorite vendors didn't overlook this one.
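Added example, not part of the thread or of any vendor's code: a small model of the receiving side's TCP state machine that shows why an edge RST filter does not save the session. Under RFC 793 (p. 71) an in-window SYN on an ESTABLISHED connection closes the connection on the receiving host before the RST it generates ever reaches the border, so dropping that RST at the edge changes nothing. For contrast the model also implements the later RFC 5961 section 4 behaviour (a "challenge ACK" instead of a reset), which is not discussed in the thread. Sequence numbers, the window size and the `Conn`, `handle_syn`, `edge_filter` and `session_survives` names are all constructed for this example.

```python
"""Model of how a TCP receiver in ESTABLISHED handles an unexpected SYN.

Added example, not from the original NANOG thread. Two behaviours:

  * "rfc793": RFC 793 (p. 71) treats an in-window SYN as an error; the
    receiver sends a RST and drops the connection (the case the thread
    discusses).
  * "rfc5961": RFC 5961 section 4 (2010, later than this thread) sends a
    "challenge ACK" and keeps the connection; only a RST carrying the
    exact expected sequence number can tear it down.

All sequence numbers and window sizes below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class Conn:
    state: str     # "ESTABLISHED" or "CLOSED"
    rcv_nxt: int   # next sequence number we expect from the peer
    rcv_wnd: int   # our advertised receive window


def in_window(conn: Conn, seq: int) -> bool:
    """RFC 793 acceptability test for the first byte of a segment."""
    return conn.rcv_nxt <= seq < conn.rcv_nxt + conn.rcv_wnd


def handle_syn(conn: Conn, seq: int, mode: str = "rfc793"):
    """Process an incoming SYN on a connection and return the segment
    the receiver emits: "RST", "ACK" or None (nothing sent)."""
    if conn.state != "ESTABLISHED":
        return None
    if not in_window(conn, seq):
        # Unacceptable segment: RFC 793 answers with an ACK, no state change.
        return "ACK"
    if mode == "rfc793":
        # The state transition happens here, on the host, before any
        # RST has left the box. A border filter sees only the aftermath.
        conn.state = "CLOSED"
        return "RST"
    # rfc5961: acknowledge what we already expect. The genuine peer
    # ignores the duplicate ACK; the connection stays up.
    return "ACK"


def edge_filter(segment, drop_rst: bool):
    """The border filter proposed in the thread: drop RSTs, pass the rest."""
    if segment == "RST" and drop_rst:
        return None
    return segment


def session_survives(mode: str, drop_rst: bool = True, seq_offset: int = 1000):
    """Inject one SYN at rcv_nxt + seq_offset into an ESTABLISHED connection.

    Returns (connection still ESTABLISHED?, segment that left the edge).
    """
    conn = Conn(state="ESTABLISHED", rcv_nxt=1_000_000, rcv_wnd=65535)
    emitted = handle_syn(conn, conn.rcv_nxt + seq_offset, mode)
    forwarded = edge_filter(emitted, drop_rst)
    return conn.state == "ESTABLISHED", forwarded


if __name__ == "__main__":
    # RFC 793 host, RST filtered at the edge: session is gone anyway.
    print("rfc793, RST filtered :", session_survives("rfc793"))
    # RFC 5961 host: challenge ACK, session intact.
    print("rfc5961              :", session_survives("rfc5961"))
    # Out-of-window SYN: harmless under either behaviour.
    print("rfc793, out of window:", session_survives("rfc793", seq_offset=70000))
```

Running it prints `(False, None)` for the first case: the border filter swallowed the RST, yet the receiving host is already in CLOSED, which is exactly the point Florian makes. The filter still has value against RSTs that are injected directly, and the modern remedy for the SYN case is the RFC 5961 challenge ACK shown in the second mode (together with the BGP TCP MD5 option, RFC 2385, which rejects unauthenticated segments before they reach the state machine).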
