North American Network Operators Group
Re: TCP/BGP vulnerability - easier than you think
On 23-apr-04, at 8:35, Florian Weimer wrote:
So I believe filtering out all BGP RSTs on all edges is probably a good idea.
(Edges and borders.)
Although it doesn't follow from earlier text, on page 71 RFC 793 states that an in-window SYN should reset an ESTABLISHED session. So you are right. This is very bad. The problem is that even if you filter the RST, the state transition occurs at the side which receives the SYN and generates the RST. This means that the connection has been desynchronized and will eventually come down; no further data transfer is possible.
BTW, anyone seen anything supporting Paul Watson's claim that all it takes to break a session is four packets? I assume he's talking about this vulnerability that was fixed in FreeBSD in 1998: http://ciac.llnl.gov/ciac/bulletins/j-008.shtml
I certainly hope our collective favorite vendors didn't overlook this one.
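Added example, not part of the original message: a small model of the RFC 793 (page 71) SYN check in ESTABLISHED, showing that the receiver has already left ESTABLISHED by the time an edge filter drops its RST. The `Endpoint` class, `edge_filter`, `simulate` and the sequence/window values are hypothetical; the `challenge_ack` policy models the later RFC 5961 section 4.2 behaviour, which the thread does not mention.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap modulo 2^32


@dataclass
class Endpoint:
    rcv_nxt: int                 # next sequence number expected (RCV.NXT)
    rcv_wnd: int                 # receive window size (RCV.WND)
    state: str = "ESTABLISHED"
    syn_policy: str = "rfc793"   # "rfc793" or "challenge_ack" (RFC 5961 4.2)

    def in_window(self, seq: int) -> bool:
        # RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, with wraparound
        return (seq - self.rcv_nxt) % MOD < self.rcv_wnd

    def on_syn(self, seq: int):
        """Process a SYN on a synchronized connection; return the reply sent."""
        if self.state != "ESTABLISHED":
            return None
        if self.syn_policy == "challenge_ack":
            return "ACK"         # never reset on a SYN, whatever its sequence
        if not self.in_window(seq):
            return "ACK"         # RFC 793: out-of-window segment is just ACKed
        self.state = "CLOSED"    # RFC 793 p.71: in-window SYN deletes the TCB
        return "RST"


def edge_filter(segment, drop_rst: bool):
    """Model of a border filter that drops RSTs on the BGP session."""
    return None if (drop_rst and segment == "RST") else segment


def simulate(policy: str, seq: int, drop_rst: bool):
    """Return (receiver state afterwards, segment that reaches the peer)."""
    ep = Endpoint(rcv_nxt=1000, rcv_wnd=16384, syn_policy=policy)  # constructed
    reply = ep.on_syn(seq)
    return ep.state, edge_filter(reply, drop_rst)


if __name__ == "__main__":
    for policy, seq in [("rfc793", 5000), ("rfc793", 20000), ("challenge_ack", 5000)]:
        print(policy, seq, simulate(policy, seq, drop_rst=True))
```

With the RST filtered, the first case leaves the receiver CLOSED while its peer sees nothing and still believes the session is up, which is the desynchronization described above.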