TCP/BGP vulnerability - easier than you think
Daniel Roesen
dr at cluenet.de
Wed Apr 21 11:19:51 UTC 2004
On Wed, Apr 21, 2004 at 01:00:07PM +0200, Iljitsch van Beijnum wrote:
> > All things considered, I think MD5 authentication will lower the bar
> > for attackers, not raise it. I'm sure code optimizations could fix
> > things to some degree, but that's just not the case today.
>
> > Which begs the question, what is one to do,
>
> How about:
>
> access-list 123 deny tcp any any eq bgp rst log-input
> access-list 123 deny tcp any eq bgp any rst log-input
>
> Unfortunately, not all vendors are able to look at the RST bit when
> filtering...
The general ignorance to the fact that SYN works as well is
astonishing. :-)
More information about the NANOG
mailing list