Re: [fw-wiz] BGP TCP RST Attacks (was:CIsco PIX vulnerable to TCP RST DOS attacks)
From: Chuck Swiger (chuck_at_codefab.com)
To: "Josh Welch" <firstname.lastname@example.org>
Date: Wed, 5 May 2004 12:30:12 -0400
On May 5, 2004, at 11:23 AM, Josh Welch wrote:
> A number of them hold that it would be excessively challenging to be
> able to match up the source-ip:source-port and dest-ip:dest-port and
> effectively reset a BGP session without generating a large volume of
> traffic, which should be noticed in and of itself.
You (or they) are right that the ability to exploit this vulnerability
depends on knowing or guessing the data you mention above, as well as
picking a sequence # within the connection window.
Traditionally, you could do this feasibly only by sniffing the traffic,
but it turns out for the case of BGP sessions, three of the four pieces
of data are published, and it's not too hard to try beating on low
source port #'s given the way source ports are typically allocated.
Randomizing the source port allocated by the system helps a great deal,
as does the proposed RFC which requires that the sequence # of a RST
match exactly rather than just falling within the window.
TCP RST attacks are low on the list of vulnerabilities in terms of
exploitability under most circumstances, but persistent connections are
vulnerable given enough time. All of that being said, if you have a
machine which is directly connected to the Internet, expect that it
will see hostile traffic going by. For the case of BGP peering, it's
not hard to find an effective workaround, like enabling the MD5 checksum
option or using the TTL trick. [Set your routers to use a default TTL
of 255, and drop BGP connections which are too many hops away to be
valid given your topology...]
--
-Chuck

_______________________________________________
firewall-wizards mailing list
email@example.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
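The two receiver-side defences Chuck describes (the proposed exact-match rule for RST sequence numbers and the TTL trick, later standardised as GTSM) can be modelled in a few lines. The block below is an added example and is not code from the original post or from any router vendor; the function names, window sizes and hop counts are assumptions chosen for illustration. It compares how much of the 32-bit sequence space a legacy in-window receiver accepts for a RST against the exact-match receiver, and shows the TTL hop-count check a BGP speaker can apply before it even looks at the TCP segment.

```python
# Added example (not from the original mailing-list post). Models the
# receiver-side checks discussed in the thread: RST sequence-number
# validation (legacy in-window vs. exact match) and the GTSM-style TTL check.

SEQ_SPACE = 2 ** 32          # TCP sequence numbers are 32-bit and wrap around


def rst_in_window(seq, rcv_nxt, rcv_wnd):
    """Legacy rule: accept a RST whose sequence number lies anywhere in the
    receive window [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_exact(seq, rcv_nxt):
    """Proposed (RFC-style) rule: the RST must carry exactly the next
    expected sequence number; anything else is not honoured as a reset."""
    return seq == rcv_nxt


def classify_rst(seq, rcv_nxt, rcv_wnd):
    """Receiver decision for an incoming RST under the stricter rule:
    'reset' only on an exact match, 'challenge-ack' if it is merely in
    window (the peer answers with an ACK so a real RST can be re-sent),
    'drop' if it is outside the window altogether."""
    if rst_exact(seq, rcv_nxt):
        return "reset"
    if rst_in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def accepted_fraction(rcv_wnd, exact_match):
    """Fraction of the sequence space for which a blind RST is honoured.
    With the in-window rule it is rcv_wnd / 2^32; with exact match 1 / 2^32."""
    return (1 if exact_match else rcv_wnd) / SEQ_SPACE


def expected_guesses(rcv_wnd, exact_match):
    """Average number of sequence numbers an attacker who already knows the
    four-tuple must try before one is accepted (the 'large volume of
    traffic' the thread mentions); exact match raises this by a factor
    of rcv_wnd."""
    return SEQ_SPACE // (1 if exact_match else rcv_wnd)


def gtsm_accept(ttl, max_hops):
    """TTL trick / GTSM: the peer sends with TTL 255, so a segment that has
    crossed more than max_hops routers arrives with TTL below 255 - max_hops
    and is discarded before TCP processing. max_hops=0 is a directly
    connected eBGP neighbour."""
    return ttl >= 255 - max_hops


if __name__ == "__main__":
    # Constructed values: a 64 KiB window, next expected byte 1000.
    wnd, nxt = 65535, 1000
    for rule, exact in (("in-window", False), ("exact-match", True)):
        print(f"{rule:12s} accepted fraction={accepted_fraction(wnd, exact):.3e} "
              f"expected guesses={expected_guesses(wnd, exact)}")
    print(classify_rst(nxt + 10, nxt, wnd))   # challenge-ack, not a reset
    print(gtsm_accept(200, 1))                # False: too many hops away
```

The point to take from running it is the scale: with a 64 KiB window roughly one in 65,000 sequence numbers is honoured as a reset, while exact matching leaves one in four billion, which is why the exact-match rule plus source-port randomisation moves a blind RST against a long-lived BGP session from feasible to impractical. The GTSM check is cheap and independent of TCP state, so it is applied first.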