TCP/BGP vulnerability - easier than you think

• Previous message (by thread): TCP/BGP vulnerability - easier than you think
• Next message (by thread): TCP/BGP vulnerability - easier than you think
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 21 Apr 2004, Daniel Roesen wrote:

> > > > The general ignorance to the fact that SYN works as well is
> > > astonishing. :-)

> > What are you talking about?

> http://www.uniras.gov.uk/vuls/2004/236929/index.htm

> First paragraph of the summary:

> "The issue described in this advisory is the practicability of resetting
> an established TCP connection by sending suitable TCP packets with the
> RST (Reset) or SYN (Synchronise) flags set."

And:

"It is also possible to perform the same attack with SYN (synchronise)
packets. An established connection will abort by sending a RST if it
receives a duplicate SYN packet with initial sequence number within the
TCP window."

So the attacker sends a spoofed SYN to router A, and router A sends an
RST to router B and router B terminates the BGP session.

I don't see anything in RFC 793 that suggests that "connections in a
synchronized state" should be terminated because of a SYN. Hopefully our
favorite vendors didn't either...

The good part here is that filtering RSTs should still work. The
advantage of that approach is that it moves the problem from the control
plane to the data plane.

• Previous message (by thread): TCP/BGP vulnerability - easier than you think
• Next message (by thread): TCP/BGP vulnerability - easier than you think
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]