TCP Vulnerability makes case for authenticated BGP
Pekka Savola
pekkas at netcore.fi
Tue Apr 20 18:09:15 UTC 2004
On Tue, 20 Apr 2004, tad pedley wrote:
> Although denial of service using crafted TCP packets is a well known
> weakness of TCP, until recently it was believed that a successful
> denial of service attack was not achievable in practice. The reason
> for this is that the receiving TCP implementation checks the
> sequence number of the RST or SYN packet, which is a 32 bit number,
> giving a probability of 1/2^32 of guessing the sequence number
> correctly (assuming a random distribution).
>
> The discoverer of the practicability of the RST attack was Paul A.
> Watson, who describes his research in his paper Slipping In The
> Window: TCP Reset Attacks, presented at the CanSecWest 2004
> conference. He noticed that the probability of guessing an
> acceptable sequence number is much higher than 1/2^32 because the
> receiving TCP implementation will accept any sequence number in a
> certain range (or window) of the expected sequence number. The
> window makes TCP reset attacks practicable.
Believed by whom, is the question.
It has been clearly documented for a long time now that such larger
windows exist. They have even been documented specifically about BGP
(draft-ietf-idr-bgp-vuln-00.txt).
--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
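
The window check described in the quoted advisory, as an added example that is not part of the original post or of any TCP stack's source: it compares RFC 793 in-window RST acceptance with the stricter exact-match rule later specified in RFC 5961 (not mentioned in this thread). Function names, the sample sequence numbers and the window size are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

enum rst_verdict { RST_DROP, RST_CHALLENGE_ACK, RST_RESET };

/* In-window test modulo 2^32: unsigned subtraction keeps the comparison
 * correct even when the window straddles the 0xFFFFFFFF -> 0 wrap.
 * With a zero window, RFC 793 accepts only seq == rcv_nxt. */
static int seq_in_window(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    if (rcv_wnd == 0)
        return seq == rcv_nxt;
    return (uint32_t)(seq - rcv_nxt) < rcv_wnd;
}

/* RFC 793 behaviour: any RST whose sequence number is in the window resets. */
enum rst_verdict rst_check_rfc793(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    return seq_in_window(seq, rcv_nxt, rcv_wnd) ? RST_RESET : RST_DROP;
}

/* RFC 5961 behaviour: only an exact match on rcv_nxt resets; any other
 * in-window value is answered with a challenge ACK instead. */
enum rst_verdict rst_check_rfc5961(uint32_t seq, uint32_t rcv_nxt, uint32_t rcv_wnd)
{
    if (!seq_in_window(seq, rcv_nxt, rcv_wnd))
        return RST_DROP;
    return seq == rcv_nxt ? RST_RESET : RST_CHALLENGE_ACK;
}

/* Chance that one uniformly random sequence number passes the RFC 793 check. */
double rfc793_accept_probability(uint32_t rcv_wnd)
{
    uint32_t accepted = rcv_wnd ? rcv_wnd : 1; /* zero window: exact match only */
    return (double)accepted / 4294967296.0;    /* 2^32 possible values */
}

int main(void)
{
    uint32_t rcv_nxt = 0xFFFFF000u, rcv_wnd = 16384; /* constructed sample state */
    uint32_t seq = 0x00000100u;                      /* in window, past the wrap */
    printf("rfc793=%d rfc5961=%d p=%.3g\n",
           rst_check_rfc793(seq, rcv_nxt, rcv_wnd),
           rst_check_rfc5961(seq, rcv_nxt, rcv_wnd),
           rfc793_accept_probability(rcv_wnd));
    return 0;
}
```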