Date:      Tue, 20 Apr 2004 16:46:17 -0700
From:      Bill Fumerola <billf@FreeBSD.org>
To:        Matthew Dillon <dillon@apollo.backplane.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: TCP RST attack
Message-ID:  <20040420234617.GO17862@elvis.mu.org>
In-Reply-To: <200404202045.i3KKjKSb090656@apollo.backplane.com>
References:  <6.0.3.0.0.20040420125557.06b10d48@209.112.4.2> <593EE0FE-9309-11D8-A8CA-003065ABFD92@mac.com> <200404202045.i3KKjKSb090656@apollo.backplane.com>

On Tue, Apr 20, 2004 at 01:45:20PM -0700, Matthew Dillon wrote:
>     On the other hand, BGP can be trivially protected.  You don't need
>     ingress or egress filtering at all (by which I mean IP block filtering),
>     you simply disable the routing of any packet to or from port 179.
>     99.9% of all BGP links are direct connections (meaning that they
>     terminate at a router rather than pass through one).  No packet to
>     or from port 179 has any business being routed from one network to
>     another in virtually all BGP link setups so the fix is utterly trivial.

most multi-router, multi-link setups use peering with a multihop address
of some other router (or route server) to provide equal cost balancing.
RFC3682 describes something along the same vein of what you suggest, but
handles non-directly connected cases (multihop, tunnels, etc.) better.

vendor J lets you dynamically build your firewall rules such that you
can actually just create a term "allow from all bgp neighbors in the
config AND port 179 AND protocol tcp". vendor C would do well to provide
something similar. those running freebsd bgp daemons should consider
building something similar that feeds ${freebsd_packet_filter} from a
${freebsd_routing_daemon} configuration file.

-- 
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org
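The generator suggested above, as an added example that is not part of the original message or any FreeBSD daemon: it pulls the neighbor addresses out of a constructed OpenBGPD-style bgpd.conf (the `neighbor <addr> {` syntax is an assumption about the daemon's format) and emits pf rules that allow tcp/179 only with those peers and block every other port-179 packet.

```python
import ipaddress
import re

# Constructed sample of an OpenBGPD-style bgpd.conf; not a real configuration.
SAMPLE_BGPD_CONF = """
AS 64500
router-id 192.0.2.10
group "upstreams" {
    remote-as 64496
    neighbor 192.0.2.1 {
        descr "upstream-a"
    }
    neighbor 2001:db8::1 {
        descr "upstream-b"
    }
}
# a route server reached over several hops (RFC3682-style multihop peer)
neighbor 198.51.100.7 {
    multihop 5
}
"""

NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)", re.IGNORECASE)


def bgp_neighbors(conf_text):
    """Return the unique neighbor addresses/prefixes in config order."""
    seen = []
    for line in conf_text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        token = m.group(1).strip('"{')
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue  # group names or unparsable tokens are not peers
        if net not in seen:
            seen.append(net)
    return seen


def pf_rules(neighbors, table="bgp_peers"):
    """pf rules: BGP (tcp/179) only with configured peers, all other tcp/179 dropped."""
    # A pf table keeps the ruleset short; peers can later be swapped with pfctl -t.
    rules = ["table <%s> { %s }" % (table, ", ".join(str(n) for n in neighbors))]
    rules += [
        "pass in  quick proto tcp from <%s> to any port 179" % table,
        "pass out quick proto tcp from any to <%s> port 179" % table,
        "block in  quick proto tcp from any to any port 179",
        "block in  quick proto tcp from any port 179 to any",
        "block out quick proto tcp from any to any port 179",
    ]
    return rules
```

The two `pass` rules are stateful, so replies to legitimate sessions are matched by state before the `block` rules are consulted.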