Re: [fw-wiz] BGP TCP RST Attacks (was:CIsco PIX vulnerable to TCP RST DOS attacks)

From: Chuck Swiger (chuck_at_codefab.com)
Date: 05/05/04

    To: "Josh Welch" <jwelch@buffalowildwings.com>
    Date: Wed, 5 May 2004 12:30:12 -0400
    
    

    On May 5, 2004, at 11:23 AM, Josh Welch wrote:
    > A number of them hold that it would be excessively
    > challenging to be able to match up the source-ip:source-port and
    > dest-ip:dest-port and effectively reset a BGP session without
    > generating a
    > large volume of traffic, which should be noticed in and of itself.

    You (or they) are right that the ability to exploit this vulnerability
    depends on knowing or guessing the data you mention above, as well as
    picking a sequence # within the connection window.

    Traditionally, you could do this feasibly only by sniffing the traffic,
    but it turns out for the case of BGP sessions, three of the four pieces
    of data are published, and it's not too hard to try beating on low
    source port #'s given the way source ports are typically allocated.
    Randomizing the source port allocated by the system helps a great deal,
    as does the proposed RFC which requires that the sequence # of a RST
    match exactly rather than just falling within the window.

    TCP RST attacks are low on the list of vulnerabilities in terms of
    exploitability under most circumstances, but persistent connections are
    vulnerable given enough time. All of that being said, if you have a
    machine which is directly connected to the Internet, expect that it
    will see hostile traffic going by. For the case of BGP peering, it's
    not hard to find effective workarounds, like enabling the MD5 checksum
    option or using the TTL trick. [Set your routers to use a default TTL
    of 255, and drop BGP connections which are too many hops away to be
    valid given your topology...]

    -- 
    -Chuck
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
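The three defenses Chuck lists (the exact-sequence RST rule from the proposed RFC, which later became RFC 5961, the TTL trick, which is GTSM per RFC 3682, and source-port randomization) can be modelled as a receiver-side decision on an incoming RST. The Python below is an added example, not code from the thread or from any router; the Segment and Connection records and the 192.0.2.x addresses are constructed for illustration.

```python
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence space wraps at 2^32

@dataclass(frozen=True)
class Segment:           # constructed view of one incoming TCP segment
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    ttl: int
    rst: bool = True

@dataclass(frozen=True)
class Connection:        # the receiver's state for one established session
    local_ip: str
    local_port: int
    peer_ip: str
    peer_port: int
    rcv_nxt: int         # next sequence number expected from the peer
    rcv_wnd: int         # receive window advertised to the peer
    max_hops: int = 0    # GTSM: router hops the peer may be away (0 = directly connected)

def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd

def matches_tuple(seg: Segment, conn: Connection) -> bool:
    return (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port) == \
           (conn.peer_ip, conn.peer_port, conn.local_ip, conn.local_port)

def ttl_ok(seg: Segment, conn: Connection) -> bool:
    """TTL trick (GTSM): the peer sends TTL 255, so anything that has travelled
    more than max_hops arrives with a TTL below 255 - max_hops and is dropped."""
    return seg.ttl >= 255 - conn.max_hops

def rst_action(seg: Segment, conn: Connection, exact_match: bool, gtsm: bool) -> str:
    """Return 'drop', 'reset' or 'challenge' for an incoming RST.
    exact_match=False is the classic in-window rule; True is the RFC 5961 rule."""
    if not seg.rst or not matches_tuple(seg, conn):
        return "drop"
    if gtsm and not ttl_ok(seg, conn):
        return "drop"
    if not in_window(seg.seq, conn.rcv_nxt, conn.rcv_wnd):
        return "drop"
    if exact_match and seg.seq != conn.rcv_nxt:
        return "challenge"   # in-window but not exact: send a challenge ACK, keep the session
    return "reset"

def blind_rst_search_space(rcv_wnd: int, exact_match: bool, port_choices: int) -> int:
    """Size of the space a blind sender must cover when only the source port and
    sequence number are unknown: sequence guesses times source-port guesses."""
    seq_tries = MOD if exact_match else MOD // rcv_wnd
    return seq_tries * port_choices
```

With a 64 KB window the classic rule needs only about 65,537 sequence guesses per port, so a predictable low source port makes the search small; exact matching multiplies that by the window size and randomized ports multiply it again.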
    
