TCP/BGP vulnerability - easier than you think
Pete Kruckenberg
pete at kruckenberg.com
Wed Apr 21 17:42:39 UTC 2004
Interesting that Cisco uses random port selection with
SNMP (http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml,
see the Detail selection) but not with TCP.
Too bad that TCP ports aren't randomized even with the
"fixed" IOS versions. Would seem that as long as you're
implementing security features like TCP RST confirmation,
might as well implement randomized source ports.
From Theo de Raadt at OpenBSD:
http://archives.neohapsis.com/archives/openbsd/2004-04/1351.html
This entire thing is being "sold" as `cross-vendor
problem'. Sure. Some vendors have a few small issues to
solve in this area. Minor issues. For us, those issues
are 1/50000 smaller than they are for other vendors.
Post-3.5, we have fixes which make the problem
even smaller.
But one vendor -- Cisco -- has an *UTTERLY GIGANTIC HUGE*
issue in this regard, and as you can see, they have not yet
made an announcement see..
You are being told "lots of people have a problem". By not
separating out the various problems combined in their
notice, or the impact of those problems, you are not being
told the whole truth.
---
Pete.
On Wed, 21 Apr 2004, Todd Vierling wrote:
> Date: Wed, 21 Apr 2004 11:37:04 -0400 (EDT)
> From: Todd Vierling <tv at duh.org>
> To: David Luyer <david at luyer.net>
> Cc: 'Patrick W.Gilmore' <patrick at ianai.net>, nanog at merit.edu
> Subject: Re: TCP/BGP vulnerability - easier than you think
>
>
> On Wed, 21 Apr 2004, David Luyer wrote:
>
> : > You missed the "(assuming the attacker can accurately guess both
> : > ports)" part.
>
> : A significant number of BGP sessions will be with a source
> : port of 11000, 11001 or 11002; BGP sessions are generally
> : quite stable and Cisco routers start the source port at
> : 11000.
>
> If true, *that* would be a security risk in Cisco's port selection
> algorithm. Many modern OS's do not do simple sequential allocation of
> ports, making this point invalid.
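As an added illustration (not part of this thread or any vendor's code), the following Python model quantifies the point being argued: how much a sequential source-port allocator starting at 11000 and the absence of RST confirmation each shrink the search space for a blind TCP reset, compared with randomized ports and RST confirmation. The 16 KiB receive window, the three-session count and the ephemeral port range are assumed parameters, not measured values.

```python
import math

TCP_SEQ_SPACE = 2 ** 32  # 32-bit TCP sequence-number space


def segments_to_cover_sequence_space(window, rst_confirmation=False):
    """Guesses needed for one blind RST to land where the receiver honours it.

    A host without RST confirmation accepts a RST anywhere inside its receive
    window; a host that confirms (challenge-ACK style) only honours an exact
    RCV.NXT match, so the effective window collapses to 1.
    """
    if window <= 0:
        raise ValueError("window must be positive")
    effective_window = 1 if rst_confirmation else window
    return math.ceil(TCP_SEQ_SPACE / effective_window)


def sequential_port_candidates(start=11000, sessions=3):
    """Source ports to expect when a router hands out ephemeral ports
    sequentially from `start` and keeps `sessions` long-lived BGP sessions
    (the allocation behaviour described in the thread)."""
    return list(range(start, start + sessions))


def randomized_port_candidates(low=1024, high=65535):
    """Size of the candidate set when the source port is drawn uniformly
    from an ephemeral range (assumed range, not a specific vendor's)."""
    return high - low + 1


def blind_reset_work_factor(window, candidate_ports, rst_confirmation=False):
    """Segments an attacker must send to cover every combination of
    candidate source port and sequence-number window."""
    return candidate_ports * segments_to_cover_sequence_space(window, rst_confirmation)


def compare(window=16384, sessions=3):
    """Work factor under sequential vs. randomized source ports for a
    constructed 16 KiB receive window, plus the gain from randomizing."""
    sequential = blind_reset_work_factor(
        window, len(sequential_port_candidates(sessions=sessions)))
    randomized = blind_reset_work_factor(window, randomized_port_candidates())
    return {"sequential": sequential,
            "randomized": randomized,
            "randomization_gain": randomized // sequential}


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>20}: {value:,}")
```

With the assumed window, randomizing ports multiplies the attacker's work by roughly the size of the ephemeral range divided by the number of predictable ports, and RST confirmation multiplies it again by the window size.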