Date:      Tue, 20 Apr 2004 11:13:27 -0700
From:      Dragos Ruiu <dr@kyx.net>
To:        des@des.no (Dag-Erling Smørgrav), Mike Tancsa <mike@sentex.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: TCP RST attack
Message-ID:  <200404201113.27737.dr@kyx.net>
In-Reply-To: <xzphdve35oa.fsf@dwp.des.no>
References:  <6.0.3.0.0.20040420125557.06b10d48@209.112.4.2> <xzphdve35oa.fsf@dwp.des.no>

On April 20, 2004 10:44 am, Dag-Erling Smørgrav wrote:
> Mike Tancsa <mike@sentex.net> writes:
> > http://www.uniras.gov.uk/vuls/2004/236929/index.htm
>
> The advisory grossly exaggerates the impact and severity of this
> fea^H^H^Hbug.  The attack is only practical if you already know the
> details of the TCP connection you are trying to attack, or are in a
> position to sniff it.  The fact that you can attack a TCP connection
> which passes through a network you have access to sniff should not be
> a surprise to anyone; the remaining cases require spoofing of a type
> which egress filtering would prevent, if only people would bother
> implementing it.
>

This is not true. The attack does not require sniffing.

> I don't believe BGP sessions are as exposed as the advisory claims
> they are, either.  The possibility of insertion attacks (which are
> quite hard) was predicted six years ago, when RFC 2385 (Protection of
> BGP Sessions via the TCP MD5 Signature Option) was written.  RST
> attacks may cause route flapping, but that can be avoided with a short
> hysteresis (though this may be impractical for backbone routers)
>

While I might agree that the real world practicability of the attack needs
to be carefully estimated, as there are a couple of complicating factors
(window size, and frequency of updates which fight against each other),
this does require much further analysis. I've been working with several
people to try to get better analysis and correlation/verification of Paul's
data... and the results are inconclusive.

This MIGHT not be as big a problem as it seems, but the lab data that
Paul has indicates it's something to seriously look at anyway.

Cisco PSIRT will be doing a Q&A on the topic after Paul's presentation
and we'll have some very sharp technical guys in the audience, including
some folks from very large ISPs that are most likely to be affected, so I
will wait until I hear from people smarter than I analyzing this.
The discussion should prove interesting and informative I hope.
cheers,
--dr

-- 
Top security experts.  Cutting edge tools, techniques and information.
Vancouver, Canada	April 21-23 2004  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
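For the window-size factor Dragos mentions, here is an added illustration (not code from this thread or from FreeBSD) of the RFC 793 RST acceptance rule beside the stricter rule later standardised in RFC 5961, which is the mitigation that shrinks the exposure; the window and sequence values are constructed.

```python
# Added illustration, not code from the mailing-list thread: models the
# RST acceptance test from RFC 793 next to the stricter test from RFC 5961
# to show why the receive window size governs blind-RST exposure.

SEQ_SPACE = 2 ** 32


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_rfc793(seq, rcv_nxt, rcv_wnd):
    """RFC 793: any RST whose sequence number falls inside the receive
    window tears the connection down."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_rfc5961(seq, rcv_nxt, rcv_wnd):
    """RFC 5961: only an exact match on RCV.NXT resets; an in-window but
    inexact RST gets a challenge ACK, anything else is dropped."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge_ack"
    return "drop"


def guesses_per_port(rcv_wnd, strict):
    """Sequence-number guesses needed to cover the 32-bit space for one
    known 4-tuple: one per window under RFC 793, one per sequence number
    under RFC 5961. Used here to size the defender's exposure."""
    if strict:
        return SEQ_SPACE
    return -(-SEQ_SPACE // rcv_wnd)  # ceiling division


if __name__ == "__main__":
    # Constructed example: a BGP-like session with a 16 KiB receive window.
    rcv_nxt, rcv_wnd = 1_000_000, 16384
    print(rst_rfc793(rcv_nxt + 5000, rcv_nxt, rcv_wnd))    # reset
    print(rst_rfc5961(rcv_nxt + 5000, rcv_nxt, rcv_wnd))   # challenge_ack
    print(guesses_per_port(rcv_wnd, strict=False))         # 262144
    print(guesses_per_port(rcv_wnd, strict=True))          # 4294967296
```

A larger window cuts the RFC 793 figure proportionally, which is the "window size" factor in the estimate above; the RFC 5961 figure does not depend on the window at all.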