TCP/BGP vulnerability - easier than you think

Pete Kruckenberg pete at kruckenberg.com
Wed Apr 21 17:42:39 UTC 2004


Interesting that Cisco uses random port selection with 
SNMP (http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml, 
see the Detail selection) but not with TCP.

Too bad that TCP ports aren't randomized even with the
"fixed" IOS versions. Would seem that as long as you're
implementing security features like TCP RST confirmation,
might as well implement randomized source ports.

From Theo de Raadt at OpenBSD:
 http://archives.neohapsis.com/archives/openbsd/2004-04/1351.html

 This entire thing is being "sold" as `cross-vendor 
 problem'.  Sure.  Some vendors have a few small issues to 
 solve in this area.  Minor issues. For us, those issues 
 are 1/50000 smaller than they are for other vendors. 
 Post-3.5, we have fixes which make the problem 
 even smaller.

 But one vendor -- Cisco -- has an *UTTERLY GIGANTIC HUGE*
 issue in this regard, and as you can see, they have not yet
 made an announcement see..

 You are being told "lots of people have a problem". By not
 separating out the various problems combined in their
 notice, or the impact of those problems, you are not being
 told the whole truth.
---

Pete.

On Wed, 21 Apr 2004, Todd Vierling wrote:

> Date: Wed, 21 Apr 2004 11:37:04 -0400 (EDT)
> From: Todd Vierling <tv at duh.org>
> To: David Luyer <david at luyer.net>
> Cc: 'Patrick W.Gilmore' <patrick at ianai.net>, nanog at merit.edu
> Subject: Re: TCP/BGP vulnerability - easier than you think
> 
> 
> On Wed, 21 Apr 2004, David Luyer wrote:
> 
> : > You missed the "(assuming the attacker can accurately guess both
> : > ports)" part.
> 
> : A significant number of BGP sessions will be with a source
> : port of 11000, 11001 or 11002; BGP sessions are generally
> : quite stable and Cisco routers start the source port at
> : 11000.
> 
> If true, *that* would be a security risk in Cisco's port selection
> algorithm.  Many modern OS's do not do simple sequential allocation of
> ports, making this point invalid.
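The thread's point is that a sequentially allocated source port (11000, 11001, ...) shrinks the space an off-path sender has to cover, and that randomizing the ephemeral port widens it again. The script below is an added illustration, not code from this thread, from Cisco or from OpenBSD: it parses a constructed, netstat-like session table (the column layout is hypothetical), picks out the locally chosen ports of BGP sessions this host initiated, flags them as predictable when they form a consecutive run near the 11000 base the thread mentions, and then compares the (port, sequence-number) budget for a sequential versus a randomized allocator. The 16384 receive window is a constructed value used only for the comparison.

```python
import re

BGP_PORT = 179
SEQ_SPACE = 2 ** 32

# Constructed sample in a netstat-like "local:port remote:port state" layout.
# Hypothetical format and addresses; not output from any real device.
SAMPLE_SESSIONS = """\
10.0.0.1:11000  10.0.0.2:179     ESTABLISHED
10.0.0.1:11001  10.0.1.2:179     ESTABLISHED
10.0.0.1:11002  10.0.2.2:179     ESTABLISHED
10.0.0.1:179    10.0.3.2:38522   ESTABLISHED
10.0.0.1:22     192.0.2.9:54012  ESTABLISHED
"""

LINE_RE = re.compile(r"^(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")


def parse_sessions(text):
    """Parse lines into (local_ip, local_port, remote_ip, remote_port, state)."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines and anything unparseable
        lip, lport, rip, rport, state = m.groups()
        sessions.append((lip, int(lport), rip, int(rport), state))
    return sessions


def bgp_ephemeral_ports(sessions):
    """Ephemeral ports this host chose for BGP sessions it initiated (remote
    side on 179). Sessions the peer opened have our side on 179 and the peer's
    ephemeral port, which is the peer's allocator's business, not ours."""
    return [lport for (_, lport, _, rport, _) in sessions
            if rport == BGP_PORT and lport != BGP_PORT]


def predictability_report(ports, base=11000, slack=16):
    """Two heuristics for a predictable allocator: the ports form one
    consecutive run, and/or they all sit just above a fixed base (11000 per
    the thread). A randomized allocator rarely trips either."""
    ordered = sorted(ports)
    consecutive = len(ordered) >= 2 and all(
        b - a == 1 for a, b in zip(ordered, ordered[1:]))
    near_base = bool(ordered) and all(base <= p < base + slack for p in ordered)
    return {"consecutive": consecutive, "near_fixed_base": near_base}


def spoofed_segment_budget(port_candidates, window, seq_space=SEQ_SPACE):
    """Number of (port, sequence-number) combinations an off-path sender must
    cover to land one in-window segment: one attempt per window-sized slice of
    the sequence space, for each candidate port. This is the quantity the
    thread's "assuming the attacker can accurately guess both ports" hinges on,
    and the reason source-port randomization is a meaningful mitigation."""
    return port_candidates * (seq_space // window)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSIONS)
    ports = bgp_ephemeral_ports(sessions)
    print("ephemeral BGP ports:", ports, predictability_report(ports))
    window = 16384  # constructed receive-window size, for illustration only
    print("sequential allocator, 3 candidate ports:",
          spoofed_segment_budget(3, window))
    print("randomized allocator over 1024-65535:",
          spoofed_segment_budget(65535 - 1024 + 1, window))
```

Run against the constructed table, the three BGP sessions come back as 11000, 11001 and 11002 and both heuristics fire; the budget comparison shows the randomized allocator multiplying the search space by roughly the size of the ephemeral range. On a real device the same check can be fed whatever session listing the platform provides, as long as the parser is adapted to its column layout.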
