TCP/BGP vulnerability - easier than you think
Iljitsch van Beijnum
iljitsch at muada.com
Tue Apr 27 07:14:30 UTC 2004
On 27-apr-04, at 5:03, Priscilla Oppenheimer wrote:
> C) If the RST bit is set and the sequence number does not exactly
> match the next expected sequence value, yet is within the
> acceptable window (RCV.NXT < SEG.SEQ <= RCV.NXT+RCV.WND) send an
> acknowledgment.
> So, per item C, does the recipient of a RST with a sequence number
> that does not exactly match the next expected sequence value not reset
> the connection? It sends an ACK but keeps the connection open?
Looks that way to me.
> The ACK will go to the correct TCP partner, not the attacker
> presumably. So then that partner resets. But where does this leave the
> other partner (the recipient of the RST)? Is the assumption that this
> side may continue sending, which would cause the other side to RST
> (since it closed the session) and this RST would have the correct
> sequence number so the connection would get reset from both partners'
> points of view?
Yes. I think the idea is that if A has the session open and B has it
closed, then the only real RSTs will be those that B sends for packets
it receives from A. If those packets have and acknowledgement number in
them (which should always be the case for established sessions) then
this will be the RST's sequence number so there will be a perfect match
between what A expects from an RST and what B sends.
The situation where B legitimately sends a sequence number that isn't
an exact match is hard to imagine, as the ACKs A sends depend on the
sequence numbers B sent and if the session is dead at B's end
presumably B isn't burning up too many sequence numbers. But if this
happens for some reason and A sends a dataless ACK packet obviously B
will respond with an RST so we're back to the situation where B is
sending an RST with the sequence number that A expects.
More information about the NANOG
mailing list