[nsp] bgp vulnerability?

Don Bowman don at sandvine.com
Tue Apr 20 16:43:14 EDT 2004


From: Dmitry Volkov [mailto:dmitry.volkov at rogers.com]
> I'm just wondering - because it's valid RFC 793 behavior,
> how can it be avoided?
> By not complying with the RFC?
> If the sequence number has to match exactly (but not be in the
> window) - then there may quite often be situations when
> valid Resets will not work.
> 
> Am I wrong here?
> 
> Reset Processing
> 
>   In all states except SYN-SENT, all reset (RST) segments are
>   validated by checking their SEQ-fields.  A reset is valid if
>   its sequence number is in the window.
> 

http://www.us-cert.gov/cas/techalerts/TA04-111A.html

is the attack mentioned. This isn't exactly new news, this
has been a known issue with TCP (and BGP) for a long time.

TCP must reset if the RST is in window. The md5 option
[RFC2385] means that the attacker must do more than just
guess the sequence number, so if that's enabled, you won't
be vulnerable to this attack.

The yahoo article made it sound a lot more interesting :)

--don
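The two checks the thread is about, as an added worked example (this is not code from the thread, from cisco-nsp, or from any vendor's TCP stack): an RFC 793 in-window test for an incoming RST, the number of blind guesses that test leaves an attacker with for a given receive window (versus the exact-match rule Dmitry asks about, which is the window-zero case), and the RFC 2385 MD5 signature computed over the pseudo-header, fixed TCP header, data and shared key, which a forged RST cannot carry without the key. The addresses, ports, sequence numbers and key are constructed for the simulation; the receiver here checks the digest before the window, and a real stack also has to match the full 4-tuple and handle segments with data, which this model leaves out.

```python
"""Simulate RFC 793 RST validation and the RFC 2385 TCP MD5 option (constructed example)."""
import hashlib
import hmac
import socket
import struct

SEQ_SPACE = 2 ** 32
TCP_PROTO = 6
FLAG_RST = 0x04
MD5_OPTION_LEN = 20  # kind(1) + len(1) + digest(16), padded to a 4-byte boundary


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 test: SEQ is acceptable if RCV.NXT <= SEQ < RCV.NXT + RCV.WND (mod 2^32)."""
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def guesses_to_cover_space(rcv_wnd):
    """Blind RSTs needed to hit every 32-bit sequence number when any in-window value is accepted."""
    if rcv_wnd == 0:
        return SEQ_SPACE  # exact match required: one guess per sequence number
    return -(-SEQ_SPACE // rcv_wnd)  # ceil(2^32 / window)


def tcp_fixed_header(sport, dport, seq, ack, flags, window, options_len=0):
    """20-byte TCP header with checksum zero, the form RFC 2385 hashes (options are excluded)."""
    data_offset = (20 + options_len) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


def rfc2385_digest(src_ip, dst_ip, fixed_hdr, options_len, payload, key):
    """MD5 over pseudo-header, fixed TCP header (checksum 0), segment data and key, in that order."""
    seg_len = len(fixed_hdr) + options_len + len(payload)  # segment length includes options
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, TCP_PROTO, seg_len)
    m = hashlib.md5()
    for part in (pseudo, fixed_hdr, payload, key):
        m.update(part)
    return m.digest()


class Listener:
    """One endpoint of an established session (e.g. a BGP speaker) receiving an RST from its peer."""

    def __init__(self, local_ip, peer_ip, local_port, peer_port, rcv_nxt, rcv_wnd, md5_key=None):
        self.local_ip, self.peer_ip = local_ip, peer_ip
        self.local_port, self.peer_port = local_port, peer_port
        self.rcv_nxt, self.rcv_wnd = rcv_nxt, rcv_wnd
        self.md5_key = md5_key  # None means the MD5 option is not configured

    def accepts_rst(self, seq, digest=None):
        """RFC 2385 check first when a key is configured, then the RFC 793 in-window check."""
        if self.md5_key is not None:
            hdr = tcp_fixed_header(self.peer_port, self.local_port, seq, 0, FLAG_RST, 0, MD5_OPTION_LEN)
            expected = rfc2385_digest(self.peer_ip, self.local_ip, hdr, MD5_OPTION_LEN, b"", self.md5_key)
            if digest is None or not hmac.compare_digest(digest, expected):
                return False  # missing or wrong signature: dropped before the sequence check
        return seq_in_window(seq, self.rcv_nxt, self.rcv_wnd)


def forge_rst(target, seq, key=None):
    """Build (seq, digest) for an RST claiming to come from target's peer; key=None sends no MD5 option."""
    if key is None:
        return seq, None
    hdr = tcp_fixed_header(target.peer_port, target.local_port, seq, 0, FLAG_RST, 0, MD5_OPTION_LEN)
    return seq, rfc2385_digest(target.peer_ip, target.local_ip, hdr, MD5_OPTION_LEN, b"", key)


def demo():
    """Constructed scenario: a BGP session with a 64K window, with and without the MD5 option."""
    plain = Listener("192.0.2.1", "192.0.2.2", 179, 40000, rcv_nxt=1_000_000, rcv_wnd=65535)
    signed = Listener("192.0.2.1", "192.0.2.2", 179, 40000, rcv_nxt=1_000_000, rcv_wnd=65535,
                      md5_key=b"constructed-shared-key")
    results = {
        # any of the 65535 in-window values resets the unsigned session
        "in_window_no_md5": plain.accepts_rst(*forge_rst(plain, 1_000_000 + 30_000)),
        "out_of_window_no_md5": plain.accepts_rst(*forge_rst(plain, 1_000_000 + 70_000)),
        # same in-window guess against the signed session, without and with the key
        "in_window_no_option": signed.accepts_rst(*forge_rst(signed, 1_000_000 + 30_000)),
        "in_window_wrong_key": signed.accepts_rst(*forge_rst(signed, 1_000_000 + 30_000, b"guess")),
        "in_window_right_key": signed.accepts_rst(
            *forge_rst(signed, 1_000_000 + 30_000, b"constructed-shared-key")),
        "guesses_64k_window": guesses_to_cover_space(65535),
        "guesses_exact_match": guesses_to_cover_space(0),
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The window arithmetic is the whole point of the alert: with a 65535-byte window the attacker covers the sequence space in about 65,538 RSTs instead of 2^32, which is why the MD5 option (a secret the attacker must also know) rather than a tighter sequence check is the fix Don points to.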

