[69889] in North American Network Operators' Group
Re: TCP/BGP vulnerability - easier than you think
daemon@ATHENA.MIT.EDU (Daniel Roesen)
Wed Apr 21 07:20:36 2004
Date: Wed, 21 Apr 2004 13:19:51 +0200
From: Daniel Roesen <dr@cluenet.de>
To: nanog@merit.edu
Mail-Followup-To: nanog@merit.edu
In-Reply-To: <0D4157D6-9383-11D8-A922-000A95CD987A@muada.com>; from iljitsch@muada.com on Wed, Apr 21, 2004 at 01:00:07PM +0200
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, Apr 21, 2004 at 01:00:07PM +0200, Iljitsch van Beijnum wrote:
> > All things considered, I think MD5 authentication will lower the bar
> > for attackers, not raise it. I'm sure code optimizations could fix
> > things to some degree, but that's just not the case today.
>
> > Which begs the question, what is one to do,
>
> How about:
>
> access-list 123 deny tcp any any eq bgp rst log-input
> access-list 123 deny tcp any eq bgp any rst log-input
>
> Unfortunately, not all vendors are able to look at the RST bit when
> filtering...
The general ignorance of the fact that SYN works as well is
astonishing. :-)
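To make the two sides of this exchange concrete, here is a small constructed model of the IOS-style ACL quoted above; it is added for illustration and is not Cisco code or anything from the thread. It assumes TCP only, `any` addresses only, that a flag keyword such as `rst` matches whenever that bit is set, and that the list ends with a `permit tcp any any` the mail does not show; it then runs the two `deny` entries over a few constructed segments to show that RSTs to and from port 179 are caught while a bare SYN to port 179 is not.

```python
# Constructed model of the IOS-style ACL quoted above (not Cisco code).
# Assumptions: tcp only, 'any' addresses only, flag keywords match when the bit is set.
from collections import namedtuple
Packet = namedtuple("Packet", "src_port dst_port flags")   # flags: frozenset of lowercase names
PORT_NAMES = {"bgp": 179, "ssh": 22}
TCP_FLAGS = {"syn", "ack", "rst", "fin", "psh", "urg"}

def parse_ace(line):
    """Parse 'access-list N {permit|deny} tcp any [eq P] any [eq P] [flag ...] [log-input]'."""
    t = line.split()
    i, ports = 4, []
    for _ in range(2):                        # source spec, then destination spec
        if t[i] != "any":
            raise ValueError("only 'any' addresses are modelled: " + line)
        i += 1
        if i < len(t) and t[i] == "eq":       # 'eq bgp' -> port 179
            ports.append(PORT_NAMES.get(t[i + 1]) or int(t[i + 1]))
            i += 2
        else:
            ports.append(None)
    return {"action": t[2], "src": ports[0], "dst": ports[1],
            "flags": frozenset(x for x in t[i:] if x in TCP_FLAGS)}

def ace_matches(ace, pkt):
    if ace["src"] is not None and pkt.src_port != ace["src"]:
        return False
    if ace["dst"] is not None and pkt.dst_port != ace["dst"]:
        return False
    return ace["flags"] <= pkt.flags          # every listed flag must be set

def evaluate(acl_lines, pkt):
    """First matching entry wins; IOS ends every list with an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

# The two entries from the mail plus a trailing permit (assumed; the mail shows no more).
ACL_123 = ["access-list 123 deny tcp any any eq bgp rst log-input",
           "access-list 123 deny tcp any eq bgp any rst log-input",
           "access-list 123 permit tcp any any"]

def filter_outcomes():
    """What the list does with each kind of segment a BGP speaker might receive."""
    cases = {"rst_to_bgp": Packet(40000, 179, frozenset({"rst"})),
             "rst_from_bgp": Packet(179, 40000, frozenset({"rst", "ack"})),
             "syn_to_bgp": Packet(40000, 179, frozenset({"syn"})),     # not caught: Daniel's point
             "data_to_bgp": Packet(40000, 179, frozenset({"ack", "psh"})),
             "rst_to_ssh": Packet(40000, 22, frozenset({"rst"}))}
    return {name: evaluate(ACL_123, pkt) for name, pkt in cases.items()}
```

The `log-input` keyword only affects logging, so the model ignores it; the point it makes visible is that a filter keyed on the RST bit alone leaves the SYN case the reply mentions unaddressed.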