[69800] in North American Network Operators' Group


Re: TCP Vulnerability makes case for authenticated BGP

daemon@ATHENA.MIT.EDU (Pekka Savola)
Tue Apr 20 14:10:00 2004

Date: Tue, 20 Apr 2004 21:09:15 +0300 (EEST)
From: Pekka Savola <pekkas@netcore.fi>
To: nanog@merit.edu
In-Reply-To: <20040420174951.15842.qmail@web60204.mail.yahoo.com>
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, 20 Apr 2004, tad pedley wrote:
> Although denial of service using crafted TCP packets is a well known
> weakness of TCP, until recently it was believed that a successful
> denial of service attack was not achievable in practice. The reason
> for this is that the receiving TCP implementation checks the
> sequence number of the RST or SYN packet, which is a 32 bit number,
> giving a probability of 1/2^32 of guessing the sequence number
> correctly (assuming a random distribution).
>
> The discoverer of the practicability of the RST attack was Paul A.
> Watson, who describes his research in his paper “Slipping In The
> Window: TCP Reset Attacks”, presented at the CanSecWest 2004
> conference. He noticed that the probability of guessing an
> acceptable sequence number is much higher than 1/2^32 because the
> receiving TCP implementation will accept any sequence number in a
> certain range (or “window”) of the expected sequence number. The
> window makes TCP reset attacks practicable.

Believed by whom, is the question.

It has been clearly documented for a long time now that such larger 
windows exist.  They have even been documented specifically about BGP 
(draft-ietf-idr-bgp-vuln-00.txt).

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
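The window effect the quoted advisory describes can be made concrete with a small model of the receiver's acceptance check. The following is an added example written for this archive page; it is not code from the post, from the NISCC advisory it quotes, or from Watson's paper. It models the RFC 793 rule (any sequence number inside the receive window is acceptable), counts how many evenly spaced probes a receiver would accept, and, for contrast, models the stricter rule later standardised in RFC 5961 (only an exact match resets; an in-window but inexact RST gets a challenge ACK), which the page itself does not mention. Connection values and window sizes are constructed.

```python
"""Model of TCP RST acceptance under RFC 793 versus RFC 5961.

Added example for this mailing-list archive page; not code from the post
or the advisory it quotes. All connection values below are constructed.
"""
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32  # size of the 32-bit sequence-number space


@dataclass
class TcpConn:
    rcv_nxt: int  # next sequence number the receiver expects
    rcv_wnd: int  # advertised receive window, in bytes


def in_window(conn: TcpConn, seq: int) -> bool:
    """RFC 793 acceptability for a zero-length segment such as a bare RST:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2^32 so the
    check also works when the window wraps past the top of the space."""
    return (seq - conn.rcv_nxt) % SEQ_SPACE < conn.rcv_wnd


def rst_accepted_rfc793(conn: TcpConn, seq: int) -> bool:
    """Classic rule: any in-window RST tears down the connection."""
    return in_window(conn, seq)


def rst_accepted_rfc5961(conn: TcpConn, seq: int) -> bool:
    """Later rule (RFC 5961, not discussed on the page): only an RST whose
    sequence number equals RCV.NXT resets; an in-window but inexact RST is
    answered with a challenge ACK instead of being acted on."""
    return seq == conn.rcv_nxt


def guesses_to_cover(window: int) -> int:
    """Number of RST segments, spaced one window apart, needed so that at
    least one lands inside any receive window of the given size.  With a
    one-byte window this degenerates to the naive 2^32 figure from the
    advisory; with a 64 KiB window it is only a few tens of thousands."""
    return -(-SEQ_SPACE // window)  # ceiling division


def count_accepted(conn: TcpConn, accept_fn, step: int) -> int:
    """How many probes from the sequence 0, step, 2*step, ... the receiver
    would accept under the given acceptance rule.  This is the defender's
    view of exposure: the count under the RFC 793 rule is what the window
    buys an attacker, the count under the RFC 5961 rule is what remains."""
    return sum(1 for seq in range(0, SEQ_SPACE, step) if accept_fn(conn, seq))


if __name__ == "__main__":
    # Constructed connection: 64 KiB window, arbitrary expected sequence number.
    conn = TcpConn(rcv_nxt=123456789, rcv_wnd=65535)
    print("probes to cover the space with a 64 KiB window:", guesses_to_cover(conn.rcv_wnd))
    print("probes to cover the space with a 1-byte window:", guesses_to_cover(1))
    print("accepted under RFC 793 :", count_accepted(conn, rst_accepted_rfc793, conn.rcv_wnd))
    print("accepted under RFC 5961:", count_accepted(conn, rst_accepted_rfc5961, conn.rcv_wnd))
```

Running the module shows the point of the advisory in numbers: with probes spaced one window apart, exactly one of roughly 65 thousand probes is accepted under the RFC 793 rule, whereas the naive estimate assumed 2^32 probes; under the exact-match rule the same probe set is accepted zero times. The model deliberately ignores the source-port dimension, which multiplies the attacker's work and is the other quantity a defender can make large.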