TCP/BGP vulnerability - easier than you think

Daniel Roesen dr at cluenet.de
Wed Apr 21 12:38:37 UTC 2004


On Wed, Apr 21, 2004 at 02:10:05PM +0200, Iljitsch van Beijnum wrote:
> > "The issue described in this advisory is the practicability of
> > resetting an established TCP connection by sending suitable TCP
> > packets with the RST (Reset) or SYN (Synchronise) flags set."
> 
> And:
> 
> "It is also possible to perform the same attack with SYN (synchronise)
> packets. An established connection will abort by sending a RST if it
> receives a duplicate SYN packet with initial sequence number within the
> TCP window."
> 
> So the attacker sends a spoofed SYN to router A, and router A sends an
> RST to router B and router B terminates the BGP session.

Correct.

> The good part here is that filtering RSTs should still work.

It doesn't. The RSTs are then being sent by the authorized sender and
your edge anti-spoof filtering for RST doesn't help a single millimeter.
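
A small in-memory model of the exchange discussed above, added here as an illustration and not part of the original thread: it shows why an edge anti-spoof filter that matches only RST leaves the session exposed, while the same filter applied to every flag (a generalization beyond the post) drops the forged SYN. Router names, sequence numbers, window size and all function names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    src: str      # source address the packet claims
    dst: str
    flags: str    # "SYN" or "RST"
    seq: int
    ingress: str  # interface it really arrived on: "edge" or "peer-link"

@dataclass
class Conn:       # one end of an established BGP TCP session
    local: str
    peer: str
    rcv_nxt: int
    rcv_wnd: int
    snd_nxt: int
    state: str = "ESTABLISHED"

def in_window(c, seq):
    # Modulo-2^32 comparison, so the check survives sequence wraparound
    return (seq - c.rcv_nxt) % 2**32 < c.rcv_wnd

def receive(c, seg):
    """Receiver behaviour as quoted in the thread; returns a segment to emit."""
    if c.state != "ESTABLISHED" or seg.src != c.peer or seg.flags not in ("SYN", "RST"):
        return None
    if not in_window(c, seg.seq):
        return None
    c.state = "CLOSED"  # in-window RST or duplicate SYN aborts the session
    if seg.flags == "SYN":
        return Segment(c.local, c.peer, "RST", c.snd_nxt, "peer-link")
    return None

def edge_permits(seg, protected, flags_matched):
    """Anti-spoof ACL: drop outside packets claiming a protected source.
    flags_matched limits the ACL to those flags; None matches every flag."""
    spoofed = seg.ingress == "edge" and seg.src in protected
    return not (spoofed and (flags_matched is None or seg.flags in flags_matched))

def run(flags_matched):
    a = Conn("A", "B", rcv_nxt=1000, rcv_wnd=16384, snd_nxt=5000)
    b = Conn("B", "A", rcv_nxt=5000, rcv_wnd=16384, snd_nxt=1000)
    forged = Segment("B", "A", "SYN", 1000 + 4096, "edge")  # constructed input
    if not edge_permits(forged, {"A", "B"}, flags_matched):
        return a.state, b.state, "forged SYN dropped at edge"
    rst = receive(a, forged)
    # The RST is genuine traffic from A on the peer link: nothing to filter
    if rst and edge_permits(rst, {"A", "B"}, flags_matched):
        receive(b, rst)
    return a.state, b.state, "RST from A reached B"
```

`run({"RST"})` models the RST-only filter from the thread and `run(None)` the flag-agnostic one.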


