Massive stupidity (Was: Re: TCP vulnerability)

Patrick W.Gilmore patrick at ianai.net
Wed Apr 21 01:37:18 UTC 2004


On Apr 20, 2004, at 9:23 PM, Mike Tancsa wrote:

> At 05:09 PM 20/04/2004, Richard A Steenbergen wrote:
>
>> party to know which side won the collision handling. Therefore you need
>> 262144 packets * 3976 ephemeral ports (assuming both sides are jnpr, again
>> worst case) * 2 (to figure out who was the connecter and who was the
>> accepter) = 2084569088 packets to exhaustively search all space on this
>> one single Juniper to Juniper session. Now, let's just for the sake of
>> argument say that the router is capable of actively processing 10,000
>> packets/sec of rst (a fairly exaggerated number) and still have this be
>> considered a tcp attack instead of a straight DoS against the routing
>> engine. This will still take 208456 seconds, or 57.9 hours.
> <snip>
> I don't understand why the large differences in claims.
>
> http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt
>
> says
>    Modern operating
>    systems normally default the RCV.WND to about 32,768 bytes. This
>    means that a blind attacker need only guess 65,535 RST segments
>    (2^^32/(RCV.WND*2)) in order to reset a connection. At DSL speeds
>    this means that most connections (assuming the attacker can
>    accurately guess both ports) can be reset in under 200 seconds
>    (usually far less). With the rise of broadband availability and
>    increasing available bandwidth, many Operating Systems have raised
>    their default RCV.WND to as much as 64k, thus making these attacks
>    even easier.

You missed the "(assuming the attacker can accurately guess both 
ports)" part.

This is BY NO MEANS a given.  In fact, it is pretty much guaranteed to 
not be a given on any router which has not recently been rebooted.  (Or 
at least that the attacker doesn't know has been recently rebooted. :)


> Also, with the various 'bots' at people's disposal, why the assumption 
> that the attack would not be distributed?

Who made that assumption?  I do not see it above.

Also, if you have a 'bot army at your disposal, it is trivial to packet 
a router off the 'Net - orders of magnitude easier than guessing 
sequence / port number - and faster too.  In fact, you can probably do 
it in far less than 200 seconds, let alone 59 hours.  And then you 
take down *all* BGP sessions, not just the one in question.

Since miscreants are at least as lazy as you and I, would someone 
explain to me why they would bother trying to guess the sequence & port 
numbers, even with this new "vulnerability", rather than just packet 
the router off the 'Net?  Especially now that we have made it easier by 
forcing the router to calculate MD5 signatures on each packet....


Honestly, once the hysteria dies down, I think we will be going to all 
our peers and asking to take the MD5 stuff off.  I honestly believe we 
will suffer more downtime - and longer downtime - from MD5 keys going 
out of sync than any RST style attack.

If people are really worried about this, then they should ingress 
filter at the leaf nodes.  If they did, no one could spoof the source 
IP of your neighbor router and life would be good.  Add on things like 
the TTL hack and you have at least as good a protection as the MD5 
gives you without any issues of higher CPU, 1000s upon 1000s of keys to 
manage, and all the other associated risks.

But we all know people will not bother source filtering leaf nodes.  
Everyone will clamor about MD5 keys and how you should be protecting 
BGP sessions.  Kinda like guarding the windows while the doors are open 
and unattended.

-- 
TTFN,
patrick
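A worked model of the two calculations argued over in this message, added here as an example and not code from the original post or the quoted draft. It reproduces the per-connection guess count as a function of the receive window (the draft's scenario, ports known) and the full search the quoted post describes when the ephemeral port and the connecter/accepter roles are unknown, then simulates a blind attacker against a modelled receiver. The in-window test is the plain RFC 793 acceptability check, one guess per RCV.WND of sequence space, so it yields 2^32/RCV.WND rather than the draft's 2^32/(RCV.WND*2); the RCV.NXT value, candidate port range and pps figure used in the `__main__` block are constructed inputs, not measurements of any router.

```python
"""Model of a blind TCP RST attack against a long-lived session such as BGP.

Added example, not code from the NANOG thread. The numbers fed to these
functions below are constructed or copied from the quoted arithmetic.
"""

SEQ_SPACE = 2 ** 32


def rst_in_window(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND,
    evaluated modulo 2^32 so sequence-number wrap-around is handled."""
    return (seg_seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def guesses_per_port(rcv_wnd: int) -> int:
    """RSTs needed to sweep the whole sequence space in steps of one window
    (assumption: attacker knows both ports, one guess per window)."""
    return -(-SEQ_SPACE // rcv_wnd)  # ceiling division


def total_segments(per_port: int, n_ports: int, directions: int = 2) -> int:
    """Worst case when the ephemeral port and the connecter/accepter roles are
    unknown: full sweep for every candidate port in both directions."""
    return per_port * n_ports * directions


def attack_hours(segments: int, pps: int) -> float:
    """Wall-clock time for the sweep at a given RST processing rate."""
    return segments / pps / 3600.0


def simulate_blind_rst(rcv_nxt: int, rcv_wnd: int, port_candidates, true_port: int):
    """Blind attacker that knows neither SEG.SEQ nor the source port: tries each
    candidate port, stepping the guessed sequence number by RCV.WND, and
    returns how many RSTs were sent before the victim accepted one."""
    sent = 0
    for port in port_candidates:
        for seq in range(0, SEQ_SPACE, rcv_wnd):
            sent += 1
            if port == true_port and rst_in_window(seq, rcv_nxt, rcv_wnd):
                return sent
    return None  # true port not among the candidates


if __name__ == "__main__":
    # Draft scenario: both ports known, 32 KiB receive window.
    print("guesses, ports known, 32K window:", guesses_per_port(32768))
    # Quoted worst case: 262144 per port * 3976 ports * 2 directions at 10k pps.
    total = total_segments(262144, 3976)
    print("segments:", total, "hours at 10k pps:", round(attack_hours(total, 10_000), 1))
    # Constructed session: arbitrary RCV.NXT, four candidate ports, true port 1026.
    print("RSTs until accepted:", simulate_blind_rst(0x12345678, 32768, range(1024, 1028), 1026))
```

The simulation is the piece the arithmetic hides: every wrong port costs a full 2^32/RCV.WND sweep before the attacker can move on, and nothing on the wire tells the attacker the port was wrong, which is why the "assuming the attacker can accurately guess both ports" clause carries so much weight.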
