[69888] in North American Network Operators' Group
Re: TCP/BGP vulnerability - easier than you think
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Wed Apr 21 07:04:09 2004
In-Reply-To: <20040421104414.GA83652@latency.net>
Cc: nanog@merit.edu
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Wed, 21 Apr 2004 13:00:07 +0200
To: Adam Rothschild <asr+nanog@latency.net>
Errors-To: owner-nanog-outgoing@merit.edu
On 21-apr-04, at 12:44, Adam Rothschild wrote:
> All things considered, I think MD5 authentication will lower the bar
> for attackers, not raise it. I'm sure code optimizations could fix
> things to some degree, but that's just not the case today.
> Which begs the question, what is one to do,
How about:
access-list 123 deny tcp any any eq bgp rst log-input
access-list 123 deny tcp any eq bgp any rst log-input
Unfortunately, not all vendors are able to look at the RST bit when
filtering...
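As an added example (not part of this thread), a small Python script that reads the log-input hits those two ACL entries would produce and counts RST segments per source, so a flood aimed at a BGP session stands out; the log lines are constructed in the shape of IOS %SEC-6-IPACCESSLOGP messages (addresses, interface and MAC are made up), not captured from a real device.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of Cisco IOS %SEC-6-IPACCESSLOGP
# messages; the addresses, interface and MAC are invented for this example.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 123 denied tcp 203.0.113.7(40001) (Gi0/0 0011.2233.4455) -> 192.0.2.1(179), 1 packet
%SEC-6-IPACCESSLOGP: list 123 denied tcp 203.0.113.7(40002) (Gi0/0 0011.2233.4455) -> 192.0.2.1(179), 5 packets
%SEC-6-IPACCESSLOGP: list 123 denied tcp 198.51.100.9(179) (Gi0/1 0011.2233.4466) -> 192.0.2.1(52211), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.7(53) (Gi0/0 0011.2233.4455) -> 192.0.2.1(53), 1 packet
%SEC-6-IPACCESSLOGP: list 123 denied tcp 203.0.113.7(40003) (Gi0/0 0011.2233.4455) -> 192.0.2.1(179), 12 packets
"""

LOG_RE = re.compile(
    r"list (?P<acl>\d+) denied tcp (?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"\((?P<iface>\S+) (?P<mac>\S+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

BGP_PORT = 179

def parse_rst_denials(log, acl="123"):
    """Yield (src, dst, direction, count) for each hit on the RST ACL.

    direction is 'to_bgp' for the first ACL entry (destination port 179)
    and 'from_bgp' for the second (source port 179). Lines from other
    ACLs, or lines that do not parse, are skipped.
    """
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m or m["acl"] != acl:
            continue
        if int(m["dport"]) == BGP_PORT:
            direction = "to_bgp"
        elif int(m["sport"]) == BGP_PORT:
            direction = "from_bgp"
        else:
            continue
        yield m["src"], m["dst"], direction, int(m["count"])

def rst_hits_by_source(log):
    """Total denied RST segments per source address (packet counts summed)."""
    hits = Counter()
    for src, _dst, _direction, count in parse_rst_denials(log):
        hits[src] += count
    return hits

def suspicious_sources(log, threshold):
    """Sources whose RST count reaches the threshold, highest first."""
    return [(s, c) for s, c in rst_hits_by_source(log).most_common() if c >= threshold]

if __name__ == "__main__":
    for src, count in suspicious_sources(SAMPLE_LOG, 10):
        print(f"{src}: {count} RST segments to/from port {BGP_PORT}")
```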