North American Network Operators Group
Re: TCP/BGP vulnerability - easier than you think
Questions arose while trying to explain proposed TCP fixes to my students. Can y'all help me with these?
We were going over the "Transmission Control Protocol security considerations draft-ietf-tcpm-tcpsecure-00.txt" document here when the questions arose:
The questions have to do with this from the document:
the following changes should be made to provide some
protection against such an attack.
A) If the RST bit is set and the sequence number is outside the
expected window, silently drop the segment.
B) If the RST bit is exactly the next expected sequence number, reset
C) If the RST bit is set and the sequence number does not exactly
match the next expected sequence value, yet is within the
acceptable window (RCV.NXT < SEG.SEQ <= RCV.NXT+RCV.WND) send an
This solution forms a challenge/response with any RST where the value
does not exactly match the expected value and yet the RST is within
the window. In cases of a legitimate reset without the exact
sequence number, the consequences of this new challenge/response will
be that the peer requires an extra round trip time before the
connection can be reset.
So, per item C, does the recipient of a RST with a sequence number that does not exactly match the next expected sequence value not reset the connection? It sends an ACK but keeps the connection open?
The ACK will go to the correct TCP partner, not the attacker presumably. So then that partner resets. But where does this leave the other partner (the recipient of the RST)? Is the assumption that this side may continue sending, which would cause the other side to RST (since it closed the session) and this RST would have the correct sequence number so the connection would get reset from both partners' points of view?
Regardless of hackers, we're trying to figure out how to legitimately RST despite possibly not having the exact right sequence value.
At 09:48 PM 4/23/04, Todd Vierling wrote:
On Fri, 23 Apr 2004, Leo Bicknell wrote:
When your Daemon is in charge, do not try to think consciously. Drift, wait, and obey. -- Kipling.
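Added example, not part of the post, the tcpsecure draft, or any TCP stack: a small Python model of rules A, B and C as quoted above, combined with the RFC 793 rule that an endpoint in CLOSED answers a stray ACK with a RST whose SEQ is taken from the incoming ACK number. The endpoint names, sequence numbers and window sizes are constructed, the `Endpoint` and `run` helpers are illustrative, and 32-bit sequence wraparound is ignored for readability. It walks through both cases the draft distinguishes: a peer that really has closed and sends a RST that is in the window but not exactly RCV.NXT, and a RST the peer never sent.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Toy model of draft-ietf-tcpm-tcpsecure RST handling (rules A/B/C) plus the
# RFC 793 behaviour of a CLOSED endpoint. All numbers are constructed.


@dataclass
class Segment:
    seq: int                        # SEG.SEQ
    ack_num: Optional[int] = None   # SEG.ACK, present when the ACK bit is set
    rst: bool = False               # RST bit


@dataclass
class Endpoint:
    name: str
    rcv_nxt: int                    # RCV.NXT: next sequence number expected from the peer
    rcv_wnd: int                    # RCV.WND: advertised receive window
    snd_nxt: int                    # SND.NXT: next sequence number this side will send
    state: str = "ESTABLISHED"
    log: List[str] = field(default_factory=list)

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Process one incoming segment; return the segment to send back, if any."""
        if self.state == "CLOSED":
            # RFC 793: no connection exists. An incoming RST is discarded; any
            # other segment carrying ACK is answered with a RST whose SEQ is
            # taken from SEG.ACK, i.e. exactly what the other side expects next.
            if seg.rst or seg.ack_num is None:
                return None
            self.log.append(f"{self.name}: CLOSED, stray ACK -> RST seq={seg.ack_num}")
            return Segment(seq=seg.ack_num, rst=True)
        if seg.rst:
            return self._rst_rules(seg)
        # A bare ACK carrying nothing new on an ESTABLISHED connection is absorbed.
        self.log.append(f"{self.name}: ACK ack={seg.ack_num} absorbed, still ESTABLISHED")
        return None

    def _rst_rules(self, seg: Segment) -> Optional[Segment]:
        window_end = self.rcv_nxt + self.rcv_wnd
        if seg.seq == self.rcv_nxt:
            # Rule B: exact match with RCV.NXT -> reset the connection.
            self.state = "CLOSED"
            self.log.append(f"{self.name}: RST seq={seg.seq} == RCV.NXT -> reset (rule B)")
            return None
        if self.rcv_nxt < seg.seq <= window_end:
            # Rule C: inside the window but not exact -> challenge ACK, stay up.
            self.log.append(f"{self.name}: RST seq={seg.seq} in window -> challenge ACK (rule C)")
            return Segment(seq=self.snd_nxt, ack_num=self.rcv_nxt)
        # Rule A: outside the window -> silently drop.
        self.log.append(f"{self.name}: RST seq={seg.seq} outside window -> dropped (rule A)")
        return None


def run(receiver: Endpoint, peer: Endpoint, seg: Optional[Segment]) -> int:
    """Deliver seg to receiver, then bounce each reply to the other side
    until one side has nothing to send. Returns the number of segments."""
    count = 0
    while seg is not None:
        count += 1
        seg = receiver.receive(seg)
        receiver, peer = peer, receiver
    return count


def make_pair() -> Tuple[Endpoint, Endpoint]:
    # A sends bytes numbered from 1000, B sends bytes numbered from 5000.
    a = Endpoint("A", rcv_nxt=5000, rcv_wnd=65535, snd_nxt=1000)
    b = Endpoint("B", rcv_nxt=1000, rcv_wnd=65535, snd_nxt=5000)
    return a, b


def legitimate_reset() -> Tuple[int, str, str, List[str]]:
    """A aborts while 400 bytes it sent are still in flight, so its RST
    carries seq 1400 even though B still expects 1000 (constructed case)."""
    a, b = make_pair()
    a.state = "CLOSED"
    segments = run(b, a, Segment(seq=1400, rst=True))
    return segments, a.state, b.state, b.log + a.log


def unsolicited_rst(seq: int) -> Tuple[int, str, str, List[str]]:
    """A RST delivered to B that A never sent; A is still ESTABLISHED."""
    a, b = make_pair()
    segments = run(b, a, Segment(seq=seq, rst=True))
    return segments, a.state, b.state, b.log + a.log


if __name__ == "__main__":
    for label, result in [("legitimate", legitimate_reset()),
                          ("in-window, not from A", unsolicited_rst(30000)),
                          ("out of window", unsolicited_rst(999999))]:
        segs, a_state, b_state, log = result
        print(f"{label}: {segs} segment(s), A={a_state}, B={b_state}")
        for line in log:
            print("   ", line)
```

In the legitimate case B answers the inexact RST with a challenge ACK, A (already in CLOSED) replies with a RST whose SEQ is the ACK number, which is exactly B's RCV.NXT, and rule B tears the connection down: three segments instead of one, which is the extra round trip the draft mentions. When the RST did not come from A, A is still ESTABLISHED and simply absorbs the challenge ACK, so B keeps the connection. Note that rule B still honours a RST carrying exactly RCV.NXT, so the change narrows the value a RST needs from anywhere in the window to one number rather than removing the issue entirely.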