[69930] in North American Network Operators' Group


Re: Vendor TCP oops-es (was Re: TCP/BGP vulnerability)

daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Wed Apr 21 19:00:25 2004

In-Reply-To: <Pine.NEB.4.58.0404211503540.11522@server.duh.org>
Cc: nanog@merit.edu
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Wed, 21 Apr 2004 22:09:07 +0200
To: Todd Vierling <tv@duh.org>
Errors-To: owner-nanog-outgoing@merit.edu


On 21-apr-04, at 21:18, Todd Vierling wrote:

> [*] I must admit one thing, for instance:  This "Advisory" was a problem
> for NetBSD, but not because its port allocation scheme was crappy.  It so
> happened that NetBSD wasn't properly validating the sequence number to be
> within the window.  "Oops."

You can say that again. I think I found this bug in the FreeBSD source 
code (where it was fixed). Any info on which of our favorite vendors 
have the same bug in their code?

If they do, the bad news is that resetting a session may take only a 
few thousand packets (just 2 assuming all other info such as port 
numbers is known). The good news is that MD5 should hold up well 
against the exploit. But filtering BGP RSTs is also a good idea, IMO.
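The following is an added illustration, not code from this thread or from any BSD stack. It models the receiver-side checks the two messages above are discussing: whether a stack validates the sequence number on an incoming RST at all, whether it accepts any in-window value (RFC 793), or whether it insists on an exact match (RFC 5961), and how a configured TCP MD5 key (RFC 2385) causes an unsigned RST to be dropped before the sequence check runs. The policy labels, window sizes, key and sequence numbers are constructed for the example, and the MD5 helper is a simplified stand-in that does not cover the IP pseudo-header the real option includes.

```python
import hashlib
import hmac

# Added example, not code from the NANOG thread. It models the receiver-side
# checks a TCP stack applies to an incoming RST and the size of the sequence
# space each policy leaves exposed. All window sizes, keys and sequence
# numbers below are constructed values.

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND,
    evaluated modulo 2^32 so a window straddling the wrap point works."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_seq_ok(seq, rcv_nxt, rcv_wnd, policy):
    """Whether a RST with sequence number `seq` passes the sequence check.

    The policy labels are our own (an assumption made for this example):
      "none"   -> no check at all; the defect described in the quoted mail
      "window" -> RFC 793 behaviour, any in-window RST is honoured
      "exact"  -> RFC 5961 behaviour, only SEG.SEQ == RCV.NXT is honoured
                  (an in-window but inexact RST draws a challenge ACK instead)
    """
    if policy == "none":
        return True
    if policy == "window":
        return in_window(seq, rcv_nxt, rcv_wnd)
    if policy == "exact":
        return seq == rcv_nxt
    raise ValueError(f"unknown policy {policy!r}")


def accepted_seq_values(rcv_wnd, policy):
    """How many of the 2^32 sequence values a RST may carry and still be
    honoured. The larger this is, the less a missing check costs an
    off-path sender, which is the risk the thread is sizing."""
    if policy == "none":
        return SEQ_SPACE
    if policy == "window":
        return rcv_wnd
    if policy == "exact":
        return 1
    raise ValueError(f"unknown policy {policy!r}")


def md5_digest(segment, key):
    """Simplified stand-in for the RFC 2385 TCP MD5 option: MD5 over the
    segment bytes followed by the shared key. The real option also covers
    the IP pseudo-header and zeroes the TCP checksum field first."""
    return hashlib.md5(segment + key).digest()


def md5_option_valid(segment, key, received_digest):
    """Constant-time comparison of the received digest with the expected one."""
    return hmac.compare_digest(md5_digest(segment, key), received_digest)


def accept_rst(seq, rcv_nxt, rcv_wnd, policy, segment=b"", key=None, digest=None):
    """Full receiver decision. When a key is configured on the session, a RST
    without a matching digest is dropped before the sequence check even runs,
    which is why MD5 holds up regardless of which sequence policy is in use."""
    if key is not None:
        if digest is None or not md5_option_valid(segment, key, digest):
            return False
    return rst_seq_ok(seq, rcv_nxt, rcv_wnd, policy)


if __name__ == "__main__":
    for wnd in (16384, 65535, 1 << 20):
        n = accepted_seq_values(wnd, "window")
        print(f"window {wnd}: {n} of {SEQ_SPACE} sequence values honoured "
              f"(1 in {SEQ_SPACE // n}) under the RFC 793 rule")
```

Running the block prints how much of the sequence space an in-window RST policy honours for a few window sizes; a stack with no check at all honours all of it, which is the case the quoted message calls "Oops", while the exact-match rule and the MD5 option each shrink the exposed space to a single value or remove the issue outright.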
