[nsp] bgp vulnerability?
Don Bowman
don at sandvine.com
Tue Apr 20 16:43:14 EDT 2004
From: Dmitry Volkov [mailto:dmitry.volkov at rogers.com]
> I'm just wondering - because it's valid RFC 793 behavior,
> how it can be avoided ?
> by not complaining with RFC ?
> If sequence number has to match exactly (but not in the
> window) - then there
> may be
> quite often situations when valid Reesets will not work
>
> Am I wrong here ?
>
> Reset Processing
>
> In all states except SYN-SENT, all reset (RST) segments are
> validated
> by checking their SEQ-fields. A reset is valid if its
> sequence number
> is in the window.
>
http://www.us-cert.gov/cas/techalerts/TA04-111A.html
is the attack mentioned. This isn't exactly new news, this
has been a known issue with TCP (and BGP) for a long time.
TCP must reset if the RST is in window. The md5 option
[RFC2385] means that the attacker must do more than just
guess the sequence number, so if that's enabled, you won't
be vulnerable to this attack.
The yahoo article made it sound a lot more interesting :)
--don
More information about the cisco-nsp
mailing list