[69830] in North American Network Operators' Group


Re: TCP RST attack (the cause of all that MD5-o-rama)

daemon@ATHENA.MIT.EDU (vijay gill)
Tue Apr 20 17:53:28 2004

Date: Tue, 20 Apr 2004 21:45:01 +0000
From: vijay gill <vgill@vijaygill.com>
To: Rodney Joffe <rjoffe@centergate.com>
Cc: nanog@merit.edu
In-Reply-To: <4085992F.F1FF17D3@centergate.com>
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, Apr 20, 2004 at 02:42:07PM -0700, Rodney Joffe wrote:
> 
> 
> vijay gill wrote:
> > 
> > 
> > Yes it does. About 5 mbit of md5 should peg a juniper at 100% according
> > to my friend alex.  I have not verified this in the lab.  I suggest
> > you try it out.
> > 
> > Also, this is why the GTSM (ttl hack) was written up ;)
> 
> So then you're suggesting that the GTSM is the correct work-around?
> 

No, the correct workaround is the
http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt
draft. MD5 is also the correct workaround. However, neither of the
two protect against what is the most vulnerable thing in the internet
infrastructure today - a large amount of PPS at the _router_ (with or
without md5 or tcpsecure) will blow it out of the water. 10 Mbit/s
of packets at the juniper without md5 will also destroy it.

GTSM protects against that; the fact that it also works against this
is just an unexpected side benefit.

/vijay
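Added example, not part of the post or of any vendor's code: a toy receive path for a BGP session that applies the three mechanisms the thread is about, in the order a router would want them, so the cost argument above is visible. The GTSM check is the TTL rule from the draft Vijay mentions (sender uses TTL 255; receiver drops anything below 255 minus a configured trust radius), the RST handling is the tcpsecure draft's approach (an RST is only honoured when its sequence number is exactly RCV.NXT; an in-window guess gets a challenge ACK rather than tearing the session down), and the signature is the RFC 2385 TCP MD5 option (MD5 over pseudo-header, fixed TCP header with checksum zeroed and options excluded, data, key). The addresses, ports, sequence numbers, key and the "attacker ten hops away" scenario are all constructed for the example; the counter of MD5 computations stands in for router CPU.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

TCP_PROTO = 6
FLAG_RST = 0x04


@dataclass
class Segment:
    """Minimal TCP/IP segment; only the fields the three checks need."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    ttl: int                      # IP TTL as seen on arrival
    window: int = 65535
    payload: bytes = b""
    md5sig: Optional[bytes] = None  # RFC 2385 option value, if carried


def rfc2385_digest(seg: Segment, key: bytes) -> bytes:
    """MD5 over (pseudo-header, 20-byte TCP header with checksum=0 and
    options excluded, data, key), per RFC 2385 section 2.0.  Signed
    segments carry the 18-byte MD5 option padded to 20, so the data
    offset in the signed header is 10 words and the segment length
    counts 40 header bytes."""
    seg_len = 40 + len(seg.payload)
    pseudo = struct.pack("!4s4sBBH", IPv4Address(seg.src).packed,
                         IPv4Address(seg.dst).packed, 0, TCP_PROTO, seg_len)
    doff_flags = (10 << 12) | (seg.flags & 0x1FF)
    hdr = struct.pack("!HHIIHHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                      doff_flags, seg.window, 0, 0)   # checksum, urgent = 0
    return hashlib.md5(pseudo + hdr + seg.payload + key).digest()


@dataclass
class Session:
    local: str
    peer: str
    lport: int
    pport: int
    rcv_nxt: int
    rcv_wnd: int
    key: Optional[bytes] = None   # None: session is not MD5-protected
    gtsm: bool = True
    trust_radius: int = 0         # 0: directly connected peer, TTL must be 255
    established: bool = True
    md5_computations: int = 0     # the expensive step; proxy for router CPU

    def _in_window(self, seq: int) -> bool:
        # modulo 2^32 so a window straddling the wrap point is handled
        return (seq - self.rcv_nxt) % (1 << 32) < self.rcv_wnd

    def process(self, seg: Segment) -> str:
        if (seg.src, seg.dst, seg.sport, seg.dport) != \
                (self.peer, self.local, self.pport, self.lport):
            return "drop:not-ours"
        # 1. GTSM: cheapest check first, so a spoofed flood never reaches MD5.
        if self.gtsm and seg.ttl < 255 - self.trust_radius:
            return "drop:gtsm"
        # 2. RFC 2385: a signed session rejects unsigned or mis-signed segments.
        if self.key is not None:
            self.md5_computations += 1
            if seg.md5sig is None or not hmac.compare_digest(
                    seg.md5sig, rfc2385_digest(seg, self.key)):
                return "drop:md5"
        # 3. tcpsecure-style RST validation.
        if seg.flags & FLAG_RST:
            if seg.seq == self.rcv_nxt:
                self.established = False
                return "reset"
            if self._in_window(seg.seq):
                return "challenge-ack"   # ask the real peer to confirm
            return "drop:out-of-window"
        return "accept"


def demo() -> dict:
    """Constructed scenarios; returns the outcome of each."""
    key = b"example-md5-secret"                # constructed key
    peer, local = "192.0.2.1", "192.0.2.2"     # TEST-NET addresses

    def session(**kw):
        return Session(local=local, peer=peer, lport=179, pport=40000,
                       rcv_nxt=1000, rcv_wnd=16384, **kw)

    def rst(seq, ttl, sign_with=None):
        s = Segment(src=peer, dst=local, sport=40000, dport=179,
                    seq=seq, ack=0, flags=FLAG_RST, ttl=ttl)
        if sign_with is not None:
            s.md5sig = rfc2385_digest(s, sign_with)   # option value does not feed the digest
        return s

    r = {}
    # Off-path attacker 10 routers away spoofs the peer; TTL 255 at origin arrives as 245.
    s = session(key=key)
    r["spoofed_far_rst"] = s.process(rst(1000, 245))
    r["md5_after_spoofed_far"] = s.md5_computations
    # Same flood with GTSM off: every spoofed packet costs an MD5 computation.
    s = session(key=key, gtsm=False)
    for _ in range(1000):
        s.process(rst(1000, 245))
    r["md5_without_gtsm"] = s.md5_computations
    # Unsigned session: an in-window guess gets a challenge ACK, the session stays up.
    s = session()
    r["guess_in_window"] = s.process(rst(1500, 255))
    r["still_up"] = s.established
    r["guess_off_window"] = s.process(rst(1000 + 16384, 255))
    # Real peer: exact RCV.NXT, TTL 255, valid signature tears the session down.
    s = session(key=key)
    r["legit_rst"] = s.process(rst(1000, 255, key))
    r["down"] = not s.established
    # Right TTL and sequence number but wrong key.
    s = session(key=key)
    r["wrong_key"] = s.process(rst(1000, 255, b"wrong-key"))
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24} {outcome}")
```

The ordering is the point: the TTL comparison is a per-packet integer test that a line card or ACL can do, whereas each MD5 computation hashes the whole segment on the control plane, which is why the spoofed flood costs nothing with GTSM on and a thousand digests with it off.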
