TCP RST attack (the cause of all that MD5-o-rama)

Crist Clark crist.clark at globalstar.com
Tue Apr 20 22:09:59 UTC 2004


Dan Hollis wrote:

> On Tue, 20 Apr 2004, Crist Clark wrote:
> 
>>But it has limited effectiveness for multi-hop sessions. There is the
>>appeal of a solution that does not depend on the physical layout of the
>>BGP peers.
> 
> 
> Does MD5 open the door to cpu DOS attacks on routers though? Eg can 
> someone craft a DOS attack to take out the CPU on a router by forcing it 
> to MD5 authenticate torrents of junk packets, using less bandwidth than 
> it would take to DOS the links themselves?

A reasonable implementation of RFC2385 would only do the cryptographic
MD5 check after matching the TCP 4-tuple and the sequence number. So,
with respect to the attack under discussion, only the packets that would
have succeeded in resetting the session make it to MD5 processing where
they then would be dropped.

Still, hitting the TCP stack even without doing the MD5 checks can
kill a router. That's what the TTL hack was suggested for in the first
place.

> As has been pointed out, blind attacker needs to guess the source port as 
> well, which would seem to multiply the search space blind attackers need 
> to hit (the tcpsecure paper states as much - "assuming the attacker can
> accurately guess both ports")
> 
> Are such attacks still practical in that light?

Yes. Most OSs do not randomize port numbers, but start at a fixed value
at reboot. On top of that, many do not use much of the 16-bit space
before wrapping. Now add that most BGP speakers don't initiate much TCP
and fire up their long lived BGP sessions at boot time. The search space
is not that big.

Then there's always going to a looking glass and just looking one up.
-- 
Crist J. Clark                               crist.clark at globalstar.com
Globalstar Communications                                (408) 933-4387
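As an added illustration of the two points made in the reply above (MD5 only being computed for segments that pass the cheap 4-tuple and sequence checks, and the small search space a blind attacker faces when the peer's source port is predictable), here is a toy RFC 2385 receive path in Python. It is example code written for this page, not code from the thread, from any router vendor, or from the tcpsecure draft. The addresses, the key, the 65536-byte window and the 40-byte data offset (20-byte header plus an 18-byte MD5 option and 2 bytes of padding) are all constructed assumptions.

```python
"""Toy RFC 2385 receiver with cheapest-first checks, plus a blind RST flood.

Added example; constructed addresses, key and window sizes.
"""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace
from typing import Optional

RST = 0x04
ACK = 0x10
DATA_OFFSET = 40  # assumed: 20-byte header + 18-byte MD5 option + 2 pad bytes


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: int
    window: int
    payload: bytes = b""
    md5_sig: Optional[bytes] = None


def tcp_md5(seg: Segment, key: bytes) -> bytes:
    """RFC 2385 digest: pseudo-header, TCP header without options and with
    a zero checksum, the data, and finally the shared key."""
    seglen = DATA_OFFSET + len(seg.payload)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(seg.src),
                         socket.inet_aton(seg.dst), 0, socket.IPPROTO_TCP, seglen)
    header = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                         (DATA_OFFSET // 4) << 4, seg.flags, seg.window, 0, 0)
    return hashlib.md5(pseudo + header + seg.payload + key).digest()


class Receiver:
    """One established session; counts how many segments reach the MD5 step."""

    def __init__(self, local, lport, remote, rport, rcv_nxt, rcv_wnd, key):
        self.tuple = (local, lport, remote, rport)
        self.rcv_nxt = rcv_nxt
        self.rcv_wnd = rcv_wnd
        self.key = key
        self.md5_evals = 0
        self.resets = 0

    def receive(self, seg: Segment) -> str:
        # 1. connection lookup: a wrong 4-tuple never touches this session
        if (seg.dst, seg.dport, seg.src, seg.sport) != self.tuple:
            return "drop:no-connection"
        # 2. RFC 793 in-window check, modulo 2^32 so sequence wrap is handled
        if (seg.seq - self.rcv_nxt) % (1 << 32) >= self.rcv_wnd:
            return "drop:out-of-window"
        # 3. only segments that would otherwise have been acted on get hashed
        self.md5_evals += 1
        expected = tcp_md5(seg, self.key)
        if seg.md5_sig is None or not hmac.compare_digest(seg.md5_sig, expected):
            return "drop:bad-md5"
        if seg.flags & RST:
            self.resets += 1
            return "reset"
        return "accept"


def blind_rst_flood(rx, src, dst, dport, port_guesses, wnd_guess):
    """Attacker without the key: one spoofed RST per (port guess, window-sized
    sequence step). Returns the number of segments sent."""
    sent = 0
    for sport in port_guesses:
        for seq in range(0, 1 << 32, wnd_guess):
            rx.receive(Segment(src, sport, dst, dport, seq, 0, RST, 0))
            sent += 1
    return sent


def demo():
    key = b"s3cret-bgp-key"  # constructed, not a real key
    # Router side of the session: local 192.0.2.1:179, peer 198.51.100.7:1025
    # (documentation addresses; the peer's low source port is the assumption
    # the reply makes about a BGP speaker that rarely initiates TCP).
    rx = Receiver("192.0.2.1", 179, "198.51.100.7", 1025,
                  rcv_nxt=0x12345678, rcv_wnd=65536, key=key)
    sent = blind_rst_flood(rx, "198.51.100.7", "192.0.2.1", 179,
                           port_guesses=[1024, 1025, 1026], wnd_guess=65536)
    result = {"sent": sent, "md5_after_flood": rx.md5_evals,
              "resets_after_flood": rx.resets}
    # The real peer, holding the key, can still tear the session down.
    legit = Segment("198.51.100.7", 1025, "192.0.2.1", 179,
                    0x12345678, 0, RST | ACK, 0)
    result["legit"] = rx.receive(replace(legit, md5_sig=tcp_md5(legit, key)))
    return result


if __name__ == "__main__":
    print(demo())
```

Of the 196608 spoofed segments (three port guesses times 65536 window-sized steps), exactly one has the right port and an in-window sequence number; that one is the only segment hashed, and it is dropped for lacking a valid signature. The other 196607 are rejected by the tuple and window checks before any MD5 work, which is the point of the ordering; the cost those checks themselves impose on the stack is the separate concern the reply raises.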


