[69892] in North American Network Operators' Group
Re: TCP/BGP vulnerability - easier than you think
daemon@ATHENA.MIT.EDU (Daniel Roesen)
Wed Apr 21 07:32:10 2004
Date: Wed, 21 Apr 2004 13:27:42 +0200
From: Daniel Roesen <dr@cluenet.de>
To: nanog@merit.edu
Mail-Followup-To: nanog@merit.edu
In-Reply-To: <20040421132253.R45123-100000@sequoia.muada.com>; from iljitsch@muada.com on Wed, Apr 21, 2004 at 01:23:54PM +0200
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, Apr 21, 2004 at 01:23:54PM +0200, Iljitsch van Beijnum wrote:
>
> On Wed, 21 Apr 2004, Daniel Roesen wrote:
>
> > > access-list 123 deny tcp any any eq bgp rst log-input
> > > access-list 123 deny tcp any eq bgp any rst log-input
>
> > > Unfortunately, not all vendors are able to look at the RST bit when
> > > filtering...
>
> > The general ignorance to the fact that SYN works as well is
> > astonishing. :-)
>
> What are you talking about?
http://www.uniras.gov.uk/vuls/2004/236929/index.htm
First paragraph of the summary:
"The issue described in this advisory is the practicability of resetting
an established TCP connection by sending suitable TCP packets with the
RST (Reset) or SYN (Synchronise) flags set."
You can break TCP sessions not only by injecting harmfully crafted
RST packets, but also with SYN packets.
All talk I see going on is always about harmful RST packets only. Seems
like no one realized that the threat is equally intense with SYN packets.
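
Added example, not part of the original message or the advisory: a Python model of RFC 793 segment processing for an ESTABLISHED connection, set against the two quoted ACL lines, to show which segments that filter permits while the receiver still resets the session. The receiver state, ports, sequence numbers and function names are constructed for illustration.

```python
from dataclasses import dataclass

BGP_PORT = 179
MOD = 2 ** 32  # TCP sequence numbers wrap at 2^32

@dataclass(frozen=True)
class Segment:
    label: str
    sport: int
    dport: int
    seq: int
    flags: frozenset

def in_window(seq, rcv_nxt, rcv_wnd):
    # RFC 793 acceptability test for a zero-length segment, assuming rcv_wnd > 0
    return (seq - rcv_nxt) % MOD < rcv_wnd

def rfc793_established(seg, rcv_nxt, rcv_wnd):
    """Outcome of RFC 793 segment processing in the ESTABLISHED state."""
    if not in_window(seg.seq, rcv_nxt, rcv_wnd):
        return "discarded"          # sequence check fails first; segment is not acted on
    if "RST" in seg.flags or "SYN" in seg.flags:
        return "connection-reset"   # in-window RST, or in-window SYN (treated as an error)
    return "processed"

def acl_123_denies(seg):
    """The two quoted ACL lines: deny TCP to or from port bgp when RST is set."""
    return "RST" in seg.flags and BGP_PORT in (seg.sport, seg.dport)

def resets_past_acl(segments, rcv_nxt, rcv_wnd):
    """Labels of segments the ACL permits that still tear the session down."""
    return [s.label for s in segments
            if not acl_123_denies(s)
            and rfc793_established(s, rcv_nxt, rcv_wnd) == "connection-reset"]

# Constructed receiver state and segments (not captured traffic)
RCV_NXT, RCV_WND = 4_294_960_000, 16_384   # receive window wraps past 2^32
SEGMENTS = [
    Segment("rst-in-window", 40000, BGP_PORT, 4_294_961_000, frozenset({"RST"})),
    Segment("syn-in-window", 40000, BGP_PORT, 1_000, frozenset({"SYN"})),
    Segment("syn-out-of-window", 40000, BGP_PORT, 2_000_000, frozenset({"SYN"})),
    Segment("ack-in-window", 40000, BGP_PORT, 4_294_960_000, frozenset({"ACK"})),
]

if __name__ == "__main__":
    print(resets_past_acl(SEGMENTS, RCV_NXT, RCV_WND))
```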