Re: TCP RST attack

From: Dragos Ruiu (dr_at_kyx.net)
Date: 04/20/04

    To: des@des.no (Dag-Erling Smørgrav), Mike Tancsa <mike@sentex.net>
    Date: Tue, 20 Apr 2004 11:13:27 -0700

    On April 20, 2004 10:44 am, Dag-Erling Smørgrav wrote:
    > Mike Tancsa <mike@sentex.net> writes:
    > > http://www.uniras.gov.uk/vuls/2004/236929/index.htm
    >
    > The advisory grossly exaggerates the impact and severity of this
    > fea^H^H^Hbug. The attack is only practical if you already know the
    > details of the TCP connection you are trying to attack, or are in a
    > position to sniff it. The fact that you can attack a TCP connection
    > which passes through a network you have access to sniff should not be
    > a surprise to anyone; the remaining cases require spoofing of a type
    > which egress filtering would prevent, if only people would bother
    > implementing it.
    >

    This is not true. The attack does not require sniffing.

    > I don't believe BGP sessions are as exposed as the advisory claims
    > they are, either. The possibility of insertion attacks (which are
    > quite hard) was predicted six years ago, when RFC 2385 (Protection of
    > BGP Sessions via the TCP MD5 Signature Option) was written. RST
    > attacks may cause route flapping, but that can be avoided with a short
    > hysteresis (though this may be impractical for backbone routers)
    >

    While I might agree that the real-world practicability of the attack needs
    to be carefully estimated, as there are a couple of complicating factors
    (window size, and frequency of updates, which fight against each other),
    this does require much further analysis. I've been working with several
    people to try to get better analysis and correlation/verification of Paul's
    data... and the results are inconclusive.

    This MIGHT not be as big a problem as it seems, but the lab data that
    Paul has indicates it's something to seriously look at anyway.

    Cisco PSIRT will be doing a Q&A on the topic after Paul's presentation
    and we'll have some very sharp technical guys in the audience, including
    some folks from very large ISPs that are most likely to be affected, so I
    will wait until I hear from people smarter than I analyzing this.
    The discussion should prove interesting and informative I hope.
     
    cheers,
    --dr

    -- 
    Top security experts.  Cutting edge tools, techniques and information.
    Vancouver, Canada  April 21-23 2004  http://cansecwest.com
    pgpkey http://dragos.com/ kyxpgp
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
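The "window size" factor raised in the reply above, as an added example that is not part of the thread or of the advisory it discusses: a back-of-the-envelope estimate of how many blind RST segments are needed to cover the 32-bit sequence space for one connection, which is why large receive windows, guessable source ports and the absence of the RFC 2385 MD5 option matter when judging exposure. The port range and packet rate in the scenario are constructed assumptions.

```python
"""Exposure estimate for blind TCP RST resets as a function of receive window.

Added illustration for the thread above; not code from the list or the advisory.
Pre-RFC-5961 rule: a RST is honoured if its sequence number lands anywhere in
[RCV.NXT, RCV.NXT + RCV.WND), so an attacker needs ceil(2^32 / RCV.WND)
segments per candidate source port to be certain of a hit.
"""
import math

SEQ_SPACE = 2 ** 32                 # 32-bit TCP sequence numbers
MAX_WINDOW = 65535 << 14            # largest window with RFC 1323 scaling


def rst_guesses_per_port(rcv_wnd: int, exact_match: bool = False) -> int:
    """Segments to cover the sequence space for one fully known 4-tuple.

    exact_match=True models a stack that only accepts a RST whose sequence
    number equals RCV.NXT (RFC 5961); in-window misses get a challenge ACK.
    """
    if not 1 <= rcv_wnd <= MAX_WINDOW:
        raise ValueError("receive window out of range")
    return SEQ_SPACE if exact_match else math.ceil(SEQ_SPACE / rcv_wnd)


def rst_guesses(rcv_wnd: int, candidate_ports: int, exact_match: bool = False) -> int:
    """Worst case when the client source port is unknown and must be tried
    over `candidate_ports` values (1 if the port is fixed or known)."""
    if candidate_ports < 1:
        raise ValueError("need at least one candidate port")
    return candidate_ports * rst_guesses_per_port(rcv_wnd, exact_match)


def seconds_at_rate(segments: int, pps: int) -> float:
    """Wall-clock time to send `segments` spoofed packets at `pps` per second."""
    return segments / pps


if __name__ == "__main__":
    # Constructed scenario: a long-lived BGP session (TCP/179) whose peer
    # addresses are public; only the window and the source port are unknown.
    for wnd in (16384, 65535, 262140):
        n = rst_guesses(wnd, candidate_ports=1)
        print(f"window {wnd:6d}, port known : {n:11d} segs, "
              f"{seconds_at_rate(n, 10_000):9.1f}s at 10k pps")
    n = rst_guesses(65535, candidate_ports=4096)          # assumed ephemeral range
    print(f"window  65535, 4096 ports  : {n:11d} segs")
    n = rst_guesses(65535, 1, exact_match=True)           # RFC 5961 stack
    print(f"RFC 5961 exact-match stack : {n:11d} segs")
```

The same arithmetic shows why RFC 2385 changes the picture: with the MD5 option every spoofed segment must also carry a valid signature, so coverage of the sequence space alone no longer suffices.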
