TCP RST attack (the cause of all that MD5-o-rama)
Patrick W. Gilmore
patrick at ianai.net
Tue Apr 20 19:40:38 UTC 2004
On Apr 20, 2004, at 1:36 PM, Mike Tancsa wrote:
> http://www.uniras.gov.uk/vuls/2004/236929/index.htm
What is a typical receive window on a router? I have been told (have
not confirmed) it was about 14 bits.
Assuming a well randomized starting sequence number (just give me this
one for the moment), and a source port range of ~4K (one of the router
vendor's defaults), at 10K pps it would still take ~29 hours on average
to guess the proper values for everything necessary to RST a BGP
session. (You can see my math at the end. Feel free to correct me if
I missed something.)
Hitting a router for a full day at 10K pps is likely to be noticed by
most networks. If you would not notice this, perhaps you should change
your monitoring? :)
And, if you twiddle the defaults on the router vendor mentioned above,
or you use a different router vendor, substituting "2^16" for "4000" in
the paragraph above leads you to ... 19 days? (Someone check my math. :)
Of course, some of the reports say that ephemeral ports are not well
randomized for some router vendors. :(
So, while this is an interesting application of technology (if you are
a h4x0r k1dd13 :), I think if the router vendors used well randomized
ephemeral ports and sequence numbers, and used the full range of ports
available to them, most routers will fall over long before someone
could guess the proper values and reset a single BGP session. Or at
least the owners would notice before the reset succeeded. It would be
even better if the receive window was tuned downward for BGP - not like
you need a huge window for data transfer when the hosts are directly
connected.
Then we could all stop frantically trying to synchronize thousands of
keys between thousands of networks, an exercise which is destined to
lose some data, and therefore some connectivity.
--
TTFN,
patrick
Sequence numbers are 32 bits. Since the miscreant only needs to guess
once every 14 bits, you get:
2^32 / 2^14 == 262144
There is a router vendor out there which defaults to source ports
between 1024 and 5000, or so I have been told. (This router vendor
does many things very well and should not be considered a Bad Vendor
for this one minor error, which I hope they will fix ASAP.)
We now have:
(5000 - 1024) * 262144 == 1042284544
Let's assume a typical router can take 10K pps to the main CPU without
falling over. I know some can take slightly more, and many cannot take
anywhere near that, but it is a nice round number. Taking 10K pps, we
get:
1042284544 / 10000 == 104228.4544
This means it will take about 29 hours to guess each possibility.
Of course, you will not have to guess each possibility to find the
answer, so you should divide by two to get the average time to guess
correctly. But then you don't know which side is on port 179, so you
have to multiply by two, which kinda cancels that out.
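As an added illustration, not part of Patrick's post, here is the appendix math as a small calculator, so a defender can re-run it with their own receive window, ephemeral port range and control-plane pps figures instead of the post's assumed 14-bit window, 1024-5000 ports and 10K pps. It also goes one step beyond the post by quantifying the suggested mitigation of tuning the BGP receive window downward.

```python
# Added example (not from the post): blind-RST exposure calculator.
# Assumed figures, all taken from the post: 32-bit sequence numbers,
# ~14-bit receive window, ephemeral ports 1024-5000, 10K pps to the CPU.

SEQ_BITS = 32  # TCP sequence numbers are 32 bits


def seq_guesses(window_bits: int) -> int:
    """RSTs needed to cover the sequence space when any RST whose sequence
    number lands inside the receive window is accepted (2^32 / 2^window)."""
    return 2 ** SEQ_BITS // 2 ** window_bits


def total_guesses(window_bits: int, port_lo: int, port_hi: int) -> int:
    """Sequence guesses times the ephemeral source-port range the peer may
    use (port_hi - port_lo, matching the post's subtraction)."""
    return (port_hi - port_lo) * seq_guesses(window_bits)


def exhaust_seconds(window_bits: int, port_lo: int, port_hi: int, pps: int) -> float:
    """Seconds to try every combination at a sustained packet rate. The post's
    halving (average case) and doubling (unknown side on port 179) cancel,
    so this is also the expected time to a successful reset."""
    return total_guesses(window_bits, port_lo, port_hi) / pps


def exhaust_hours(window_bits: int, port_lo: int, port_hi: int, pps: int) -> float:
    return exhaust_seconds(window_bits, port_lo, port_hi, pps) / 3600


def exhaust_days(window_bits: int, port_lo: int, port_hi: int, pps: int) -> float:
    return exhaust_hours(window_bits, port_lo, port_hi, pps) / 24


def window_shrink_factor(from_bits: int, to_bits: int) -> int:
    """How much more work a guess costs if the BGP receive window is tuned
    from 2^from_bits down to 2^to_bits (the post's suggested mitigation)."""
    return 2 ** (from_bits - to_bits)


if __name__ == "__main__":
    cases = (("vendor default ports 1024-5000", 1024, 5000),
             ("full 16-bit port range", 0, 65536))
    for label, lo, hi in cases:
        hours = exhaust_hours(14, lo, hi, 10_000)
        print(f"{label}: {total_guesses(14, lo, hi):,} guesses, "
              f"{hours:.1f} h ({hours / 24:.1f} days) at 10K pps")
    print("window 2^14 -> 2^10 multiplies the work by", window_shrink_factor(14, 10))
```

Note that the 2^16 case reproduces the post's "19 days" figure and the 1024-5000 case its "29 hours".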