[69895] in North American Network Operators' Group
Re: TCP/BGP vulnerability - easier than you think
daemon@ATHENA.MIT.EDU (Daniel Roesen)
Wed Apr 21 08:39:12 2004
Date: Wed, 21 Apr 2004 14:38:37 +0200
From: Daniel Roesen <dr@cluenet.de>
To: nanog@merit.edu
Mail-Followup-To: nanog@merit.edu
In-Reply-To: <20040421134707.Y45123-100000@sequoia.muada.com>; from iljitsch@muada.com on Wed, Apr 21, 2004 at 02:10:05PM +0200
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, Apr 21, 2004 at 02:10:05PM +0200, Iljitsch van Beijnum wrote:
> > "The issue described in this advisory is the practicability of
> > resetting an established TCP connection by sending suitable TCP
> > packets with the RST (Reset) or SYN (Synchronise) flags set."
>
> And:
>
> "It is also possible to perform the same attack with SYN (synchronise)
> packets. An established connection will abort by sending a RST if it
> receives a duplicate SYN packet with initial sequence number within the
> TCP window."
>
> So the attacker sends a spoofed SYN to router A, and router A sends an
> RST to router B and router B terminates the BGP session.
Correct.
> The good part here is that filtering RSTs should still work.
It doesn't. The RSTs are then being sent by the authorized sender and
your edge anti-spoof filtering for RST doesn't help a single millimeter.
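The exchange above, as an added illustration that is not part of the post and not code from any router vendor: a small Python model of two BGP speakers A and B holding an established TCP session, an edge filter that drops RSTs injected from outside the peer link, and the two segment types named in the advisory. Endpoint behaviour follows RFC 793; the `rfc5961` switch adds the challenge-ACK rules of RFC 5961 (an in-window SYN, or a RST not exactly at RCV.NXT, is answered with an ACK instead of an abort), which is background knowledge and not something the post cites. Sequence numbers, window sizes and the injected guess are constructed values.

```python
"""Constructed model of the SYN-triggered session abort discussed above.

Not code from the post or from any router vendor. RFC 793 behaviour, plus
the RFC 5961 challenge-ACK rules when rfc5961=True (general knowledge, not
cited by the post). All numbers below are made up.
"""
from dataclasses import dataclass, field

MOD = 2 ** 32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptance test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND (mod 2^32)."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


@dataclass
class Segment:
    src: str
    dst: str
    flags: frozenset
    seq: int
    ack: int = 0
    spoofed: bool = False  # constructed marker: injected from outside the peer link


@dataclass
class Endpoint:
    name: str
    peer: str
    rcv_nxt: int
    rcv_wnd: int
    snd_nxt: int
    rfc5961: bool = False
    established: bool = True
    sent: list = field(default_factory=list)

    def _send(self, flags, seq, ack=0):
        seg = Segment(self.name, self.peer, frozenset(flags), seq, ack)
        self.sent.append(seg)
        return seg

    def receive(self, seg: Segment):
        """Process one segment; return the reply segment, if any."""
        if not self.established:
            # Socket already aborted: RFC 793 answers anything but a RST with a
            # RST whose SEQ is the incoming ACK value, which the live peer accepts.
            return None if "RST" in seg.flags else self._send({"RST"}, seg.ack)
        if not in_window(seg.seq, self.rcv_nxt, self.rcv_wnd):
            return None  # out of window: not acted upon (RFC 793 ACK reply omitted)
        if "RST" in seg.flags:
            if self.rfc5961 and seg.seq != self.rcv_nxt:
                return self._send({"ACK"}, self.snd_nxt, self.rcv_nxt)  # challenge ACK
            self.established = False
            return None
        if "SYN" in seg.flags:
            if self.rfc5961:
                return self._send({"ACK"}, self.snd_nxt, self.rcv_nxt)  # challenge ACK
            # RFC 793: an in-window SYN on an established connection aborts it;
            # the reply RST carries SEQ=0, ACK=SEG.SEQ+1.
            self.established = False
            return self._send({"RST", "ACK"}, 0, seg.seq + 1)
        return None  # ordinary ACK / keepalive: nothing to do here


def rst_edge_filter(seg: Segment) -> bool:
    """Anti-spoof edge filter: drop RSTs injected from outside the peer link.
    Returns True when the segment is allowed through."""
    return not ("RST" in seg.flags and seg.spoofed)


def run_scenario(attack: str, rfc5961: bool, filter_on: bool = True) -> tuple:
    """Inject one spoofed segment ("RST" or "SYN") into A's window, then let B's
    keepalive flow. Returns (A established, B established, segments filtered)."""
    a = Endpoint("A", "B", rcv_nxt=1000, rcv_wnd=16384, snd_nxt=5000, rfc5961=rfc5961)
    b = Endpoint("B", "A", rcv_nxt=5000, rcv_wnd=16384, snd_nxt=1000, rfc5961=rfc5961)
    hosts = {"A": a, "B": b}
    queue = [
        # the injected guess lands inside A's receive window
        Segment("B", "A", frozenset({attack}), seq=1000 + 4096, spoofed=True),
        # B's next keepalive (ACK, no data)
        Segment("B", "A", frozenset({"ACK"}), seq=1000, ack=5000),
    ]
    filtered = 0
    while queue:
        seg = queue.pop(0)
        if filter_on and not rst_edge_filter(seg):
            filtered += 1
            continue
        reply = hosts[seg.dst].receive(seg)
        if reply is not None:
            queue.append(reply)
    return a.established, b.established, filtered


if __name__ == "__main__":
    for attack in ("RST", "SYN"):
        for fix in (False, True):
            print(attack, "rfc5961" if fix else "rfc793 ", run_scenario(attack, fix))
```

The spoofed RST is stopped by the edge filter, but the spoofed SYN passes it, A aborts and answers B's next keepalive with a RST from its own address, which B accepts; only the RFC 5961 behaviour, which changes what A does with the in-window SYN, keeps both sides up.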