[69896] in North American Network Operators' Group


Re: TCP/BGP vulnerability - easier than you think

daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Wed Apr 21 09:09:56 2004

In-Reply-To: <20040421143837.A23064@homebase.cluenet.de>
Cc: nanog@merit.edu
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Wed, 21 Apr 2004 15:09:15 +0200
To: Daniel Roesen <dr@cluenet.de>
Errors-To: owner-nanog-outgoing@merit.edu


On 21-apr-04, at 14:38, Daniel Roesen wrote:

>> So the attacker sends a spoofed SYN to router A, and router A sends an
>> RST to router B and router B terminates the BGP session.

> Correct.

>> The good part here is that filtering RSTs should still work.

> It doesn't. The RSTs are then being sent by the authorized sender and
> your edge anti-spoof filtering for RST doesn't help a single millimeter.

Now it's your time to overlook something: the filters I listed in my 
earlier message simply filter RSTs to/from the BGP port without looking 
at the address fields. Filtering ALL RSTs is probably a bad idea as 
broken sessions will then have to time out, possibly inconveniencing 
users (and thereby generating support calls). But for BGP this isn't 
much of an issue as the BGP hold timer takes care of business here 
anyway. So I believe filtering out all BGP RSTs on all edges is 
probably a good idea.
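As an added illustration (not part of this thread or any NANOG poster's code), here is a small Python model of the filter Iljitsch describes: it drops any TCP segment with the RST flag set whose source or destination port is 179, and deliberately never looks at the IP addresses, so an RST emitted by the legitimate peer is dropped just like a spoofed one. The packet builder, the address values and the sample packets are constructed for this example.

```python
import struct

BGP_PORT = 179
TCP_RST = 0x04  # RST bit in the TCP flags byte
IPPROTO_TCP = 6


def _tcp_segment(ipv4_packet: bytes):
    """Return (src_port, dst_port, flags) if the packet carries TCP, else None."""
    if len(ipv4_packet) < 20:
        return None
    version_ihl = ipv4_packet[0]
    if version_ihl >> 4 != 4:
        return None
    ihl = (version_ihl & 0x0F) * 4  # header length in bytes (options included)
    if ipv4_packet[9] != IPPROTO_TCP or len(ipv4_packet) < ihl + 20:
        return None
    src_port, dst_port = struct.unpack("!HH", ipv4_packet[ihl:ihl + 4])
    flags = ipv4_packet[ihl + 13]  # flags byte sits after the data-offset byte
    return src_port, dst_port, flags


def should_drop_bgp_rst(ipv4_packet: bytes) -> bool:
    """The edge rule from the message: drop RSTs to/from port 179, addresses ignored."""
    seg = _tcp_segment(ipv4_packet)
    if seg is None:
        return False  # non-IPv4, non-TCP or truncated: not this filter's business
    src_port, dst_port, flags = seg
    return bool(flags & TCP_RST) and BGP_PORT in (src_port, dst_port)


def build_packet(src_ip: str, dst_ip: str, src_port: int, dst_port: int, flags: int) -> bytes:
    """Construct a minimal IPv4+TCP packet (no options, zero checksums) for testing."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
        bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp_header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_header + tcp_header


def classify_samples() -> dict:
    """Run the rule over constructed packets; addresses are documentation-range examples."""
    peer_a, peer_b, outsider = "192.0.2.1", "198.51.100.1", "203.0.113.9"
    samples = {
        # RST from the real peer A toward B's BGP port: dropped (the point of the rule)
        "rst_from_peer_to_179": build_packet(peer_a, peer_b, 179, 40000, TCP_RST | 0x10),
        # RST from an outsider toward port 179: dropped as well, addresses never consulted
        "rst_from_outsider_to_179": build_packet(outsider, peer_b, 40000, 179, TCP_RST),
        # SYN toward port 179 passes; this rule is not an anti-spoof filter
        "syn_to_179": build_packet(outsider, peer_b, 40000, 179, 0x02),
        # RST toward an unrelated port passes; only BGP RSTs are dropped
        "rst_to_80": build_packet(outsider, peer_b, 40000, 80, TCP_RST),
    }
    return {name: should_drop_bgp_rst(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, dropped in classify_samples().items():
        print(f"{name:28s} -> {'DROP' if dropped else 'PASS'}")
```

The design matches the argument in the message: the rule is blind to addresses, so it catches the RST that a real peer generates in response to a spoofed SYN, which address-based anti-spoof filtering cannot. The cost is that a legitimately torn-down session is no longer signalled by RST and has to expire through the BGP hold timer, which is why the author is comfortable applying it only to port 179 and not to all TCP traffic.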

