[69984] in North American Network Operators' Group
Re: TCP/BGP vulnerability - easier than you think
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Fri Apr 23 05:50:09 2004
In-Reply-To: <87brljfbgh.fsf@deneb.enyo.de>
Cc: nanog@merit.edu
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Fri, 23 Apr 2004 11:48:43 +0200
To: Florian Weimer <fw@deneb.enyo.de>
Errors-To: owner-nanog-outgoing@merit.edu

On 23-apr-04, at 8:35, Florian Weimer wrote:
>> So I believe filtering out all BGP RSTs on all
>> edges is probably a good idea.
(Edges and borders.)
> The problem is that even if you filter the RST, the state transition
> occurs at the side which receives the SYN and generates the RST. This
> means that the connection has been desynchronized and will eventually
> come down, no further data transfer is possible.
Although it doesn't follow from earlier text, on page 71 RFC 793 states
that an in-window SYN should reset an ESTABLISHED session. So you are
right. This is very bad.
BTW, anyone seen anything supporting Paul Watson's claim that all it
takes to break a session is four packets? I assume he's talking about
this vulnerability that was fixed in FreeBSD in 1998:
http://ciac.llnl.gov/ciac/bulletins/j-008.shtml
I certainly hope our collective favorite vendors didn't overlook this
one.
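The point Weimer and van Beijnum agree on above (filtering inbound RSTs at the edge does not save the session, because the peer that receives an in-window SYN resets itself under RFC 793 page 71) can be made concrete with a toy TCP endpoint model. The code below is an added example written for this archive page; it is not code from either poster. It models only the receive-side checks relevant to the thread: an in-window RST tears down an ESTABLISHED connection, an in-window SYN makes the receiver send a RST and tear down, and an edge ACL can drop RSTs but not the SYN. The session numbers are constructed, and the optional `challenge_ack` mode is an assumption from a later standard (RFC 5961's challenge-ACK behaviour), included only to show what a hardened endpoint does differently; it is not part of the original mail.

```python
"""Toy model of the RFC 793 receive-side behaviour discussed in the thread.

Added example, not the posters' code. Only the checks that matter for the
reset discussion are modelled: window test, RST handling, SYN-in-ESTABLISHED.
"""
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    state: str                      # "ESTABLISHED" or "CLOSED"
    rcv_nxt: int                    # next sequence number this side expects
    rcv_wnd: int                    # advertised receive window
    rst_filtered: bool = False      # edge ACL drops inbound RSTs (the thread's proposal)
    challenge_ack: bool = False     # assumption: RFC 5961 challenge-ACK mode, not in the mail
    sent: list = field(default_factory=list)   # control flags this side emitted

    def in_window(self, seq: int) -> bool:
        """RFC 793 acceptability test, simplified to a segment of length zero."""
        return self.rcv_nxt <= seq < self.rcv_nxt + self.rcv_wnd

    def receive(self, seg: dict) -> None:
        """seg is a constructed segment: {'flags': set of str, 'seq': int}."""
        if self.state != "ESTABLISHED":
            return
        if "RST" in seg["flags"]:
            if self.rst_filtered:
                return                          # never reaches the stack
            if self.in_window(seg["seq"]):
                if self.challenge_ack and seg["seq"] != self.rcv_nxt:
                    self.sent.append("ACK")     # hardened: demand an exact-match RST
                    return
                self.state = "CLOSED"           # RFC 793: in-window RST aborts the connection
            return
        if "SYN" in seg["flags"] and self.in_window(seg["seq"]):
            if self.challenge_ack:
                self.sent.append("ACK")         # hardened: challenge ACK, stay ESTABLISHED
                return
            # RFC 793 p.71: a SYN in the window while ESTABLISHED is an error;
            # send a reset and drop the connection. No RST filter helps here,
            # because the damage is done on the side that received the SYN.
            self.sent.append("RST")
            self.state = "CLOSED"


def run_scenario(rst_filtered: bool = False, challenge_ack: bool = False):
    """In-window SYN arrives at peer A; A's response travels to peer B.

    Returns (state of A, state of B) so the three cases from the thread can be
    compared: no filtering, RST filtering at the edge, and a hardened endpoint.
    """
    # Constructed session: both peers ESTABLISHED with 64 KiB windows.
    a = Endpoint("ESTABLISHED", rcv_nxt=1000, rcv_wnd=65535,
                 rst_filtered=rst_filtered, challenge_ack=challenge_ack)
    b = Endpoint("ESTABLISHED", rcv_nxt=5000, rcv_wnd=65535,
                 rst_filtered=rst_filtered, challenge_ack=challenge_ack)
    # A SYN with a sequence number somewhere inside A's window (constructed).
    a.receive({"flags": {"SYN"}, "seq": a.rcv_nxt + 4000})
    # Assumption for the model: whatever A emitted is delivered to B carrying
    # the sequence number B expects, i.e. B would accept it if not filtered.
    for flag in a.sent:
        b.receive({"flags": {flag}, "seq": b.rcv_nxt})
    return a.state, b.state


def rst_outcome(rst_filtered: bool = False, challenge_ack: bool = False,
                seq_offset: int = 0) -> str:
    """State of an ESTABLISHED endpoint after one RST at rcv_nxt + seq_offset."""
    ep = Endpoint("ESTABLISHED", rcv_nxt=1000, rcv_wnd=65535,
                  rst_filtered=rst_filtered, challenge_ack=challenge_ack)
    ep.receive({"flags": {"RST"}, "seq": ep.rcv_nxt + seq_offset})
    return ep.state


if __name__ == "__main__":
    print("no filter       :", run_scenario())
    print("RST filtered    :", run_scenario(rst_filtered=True))
    print("challenge ACK   :", run_scenario(challenge_ack=True))
    print("in-window RST   :", rst_outcome(seq_offset=4000))
    print("out-of-window RST:", rst_outcome(seq_offset=70000))
```

Running it shows the thread's argument directly: with RST filtering, A ends up CLOSED while B stays ESTABLISHED, which is exactly the desynchronised half-open state Weimer describes, so the ACL only changes which side notices first. The hardened mode keeps both sides ESTABLISHED because the in-window SYN is answered with a challenge ACK instead of a reset.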