[c-nsp] BGP MD5 DDOS ?

Nick Hilliard nick at foobar.org
Sat Sep 15 08:58:16 EDT 2012


On 14 Sep 2012, at 20:59, John Brown <john at citylinkfiber.com> wrote:
> I remember reading / hearing that using a BGP password could cause a DDOS vulnerability with Cisco and other vendor devices.

The problem related to how IOS handled MD5 checksums. Turned out that the MD5 check was calculated before the TCP seq numbers were checked rather than afterwards, which would make much more sense from a helicopter point of view. Obviously calculating an MD5 hash is much more computationally expensive than a simple integer comparison, and people at the time were concerned that this would open up a DoS vector for hammering the RP. In retrospect it turned out that it made very little difference in practice.

The general advice is still to use CoPP or ACLs to deprioritise unknown BGP traffic. GTSM can help in some situations, particularly at IXPs. Otherwise MD5 is a matter of choice. Some people like it; others don't.

Nick
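The check-ordering point Nick makes above, shown as an added receiver-side simulation (this is example code written for this page, not Nick's code and not IOS behaviour; the key, addresses, sequence numbers and traffic mix are constructed): a receiver that runs the RFC 2385 MD5 check before the TCP sequence-window check computes one hash per forged segment, while one that does the cheap integer comparison first only hashes segments that already land inside the window. A GTSM-style TTL check (RFC 5082) is included as a further cheap pre-filter for directly connected peers.

```python
"""Order of TCP-MD5 (RFC 2385) verification vs. the TCP sequence-window check,
as a receiver-side simulation. Constructed example; not from the cisco-nsp thread."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List

KEY = b"example-bgp-secret"          # constructed shared key (assumption)
PEER_SRC = bytes([192, 0, 2, 1])     # constructed addresses from TEST-NET-1
LOCAL_DST = bytes([192, 0, 2, 2])


@dataclass
class Segment:
    src: bytes
    dst: bytes
    sport: int
    dport: int
    seq: int
    ack: int
    ttl: int
    payload: bytes
    digest: bytes = b""


def rfc2385_digest(seg: Segment, key: bytes) -> bytes:
    """MD5 over pseudo-header, TCP header (options excluded, checksum 0),
    payload and key, following RFC 2385 section 2 (fixed 20-byte header here)."""
    tcp_len = 20 + len(seg.payload)
    pseudo = seg.src + seg.dst + struct.pack("!BBH", 0, 6, tcp_len)
    # data offset 5 words, ACK flag set, window 65535, checksum 0, urgent 0
    hdr = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                      5 << 4, 0x10, 65535, 0, 0)
    return hashlib.md5(pseudo + hdr + seg.payload + key).digest()


class Receiver:
    """Receive side of an established BGP session (TCP/179).

    hash_first=True mirrors the ordering the thread describes (MD5 before the
    sequence check); hash_first=False does the cheap comparisons first."""

    def __init__(self, rcv_nxt: int, rcv_wnd: int, hash_first: bool, gtsm: bool = False):
        self.rcv_nxt = rcv_nxt
        self.rcv_wnd = rcv_wnd
        self.hash_first = hash_first
        self.gtsm = gtsm
        self.md5_computations = 0
        self.accepted = 0
        self.dropped = 0

    def _in_window(self, seg: Segment) -> bool:
        # modular comparison so sequence-number wrap is handled
        return (seg.seq - self.rcv_nxt) % (1 << 32) < self.rcv_wnd

    def _md5_ok(self, seg: Segment) -> bool:
        self.md5_computations += 1          # the expensive step being counted
        return hmac.compare_digest(rfc2385_digest(seg, KEY), seg.digest)

    def receive(self, seg: Segment) -> bool:
        if self.gtsm and seg.ttl != 255:    # GTSM: directly connected peer sends TTL 255
            self.dropped += 1
            return False
        checks = [self._md5_ok, self._in_window]
        if not self.hash_first:
            checks.reverse()
        for check in checks:
            if not check(seg):
                self.dropped += 1
                return False
        self.accepted += 1
        return True


def build_traffic(rcv_nxt: int, n_forged: int) -> List[Segment]:
    """One genuine KEEPALIVE plus n_forged segments with out-of-window sequence
    numbers, a wrong digest and a transit-decremented TTL (constructed sample)."""
    good = Segment(PEER_SRC, LOCAL_DST, 40000, 179, rcv_nxt, 1000, 255, b"KEEPALIVE")
    good.digest = rfc2385_digest(good, KEY)
    forged = []
    for i in range(n_forged):
        s = Segment(PEER_SRC, LOCAL_DST, 40000, 179,
                    (rcv_nxt + 1_000_000 + i) & 0xFFFFFFFF, 1000, 250, b"x" * 512)
        s.digest = hashlib.md5(b"wrong-key-guess" + bytes([i])).digest()
        forged.append(s)
    return [good] + forged


def run(hash_first: bool, gtsm: bool = False, n_forged: int = 50) -> Dict[str, int]:
    """Feed the sample traffic through one receiver and report the counters."""
    rcv_nxt = 123456789
    rx = Receiver(rcv_nxt, rcv_wnd=65535, hash_first=hash_first, gtsm=gtsm)
    for seg in build_traffic(rcv_nxt, n_forged):
        rx.receive(seg)
    return {"md5": rx.md5_computations, "accepted": rx.accepted, "dropped": rx.dropped}


if __name__ == "__main__":
    print("MD5 first   :", run(hash_first=True))
    print("window first:", run(hash_first=False))
    print("MD5 first + GTSM:", run(hash_first=True, gtsm=True))
```

With 50 forged segments the MD5-first receiver performs 51 hash computations and the window-first receiver performs one; both accept the same single genuine segment. The digest routine uses a fixed 20-byte header for brevity; a real implementation hashes the actual header fields of the segment.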

