Date:      Tue, 20 Apr 2004 13:45:20 -0700 (PDT)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Charles Swiger <cswiger@mac.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: TCP RST attack
Message-ID:  <200404202045.i3KKjKSb090656@apollo.backplane.com>
References:  <6.0.3.0.0.20040420125557.06b10d48@209.112.4.2> <593EE0FE-9309-11D8-A8CA-003065ABFD92@mac.com>

    Well, the advisory certainly exaggerates some, but I think there is 
    a real issue with BGP and I have to respectfully disagree with DES.
    Route flapping cannot be solved by reducing hysteresis, at least not
    unless you want your backbone provider to cut you off!  Flapping is
    a major problem... less of one now than when I was doing BEST a decade
    ago, but still very serious.  When a BGP session flaps it has to 
    resynchronize, and resynchronization can take a significant period
    of time, bandwidth, and router resources to accomplish.  You can't
    just reconnect and pick up where you left off (if you could it would
    be a non-problem).

    On the other hand, BGP can be trivially protected.  You don't need
    ingress or egress filtering at all (by which I mean IP block filtering),
    you simply disable the routing of any packet to or from port 179.
    99.9% of all BGP links are direct connections (meaning that they
    terminate at a router rather than pass through one).  No packet to
    or from port 179 has any business being routed from one network to
    another in virtually all BGP link setups so the fix is utterly trivial.

						-Matt
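The port-179 rule Dillon describes, as an added illustration that is not part of the original post: a forwarding-plane policy that passes BGP traffic only when the router is itself one of the endpoints and drops it when it is merely in transit. It goes one step beyond the post by carving out an explicit allowlist for multihop eBGP sessions (the remaining 0.1% case); the addresses, the `BgpTransitFilter` class and the `demo()` function are constructed for this example.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

BGP_PORT = 179
Packet = NamedTuple("Packet", [("src", str), ("sport", int), ("dst", str), ("dport", int)])

class BgpTransitFilter:
    """Forwarding-plane policy from the post: traffic to or from TCP/179 is
    only legitimate when this router itself is one of the two endpoints."""

    def __init__(self, router_addrs, multihop_pairs=()):
        self.router_addrs = {ip_address(a) for a in router_addrs}
        # Exception for multihop eBGP sessions that genuinely transit this
        # router (the post's 0.1% case): (network behind us, remote peer).
        self.multihop = [(ip_network(n), ip_address(p)) for n, p in multihop_pairs]
        self.dropped = []  # what an operator would want counted and logged

    def forward(self, pkt: Packet) -> bool:
        s, d = ip_address(pkt.src), ip_address(pkt.dst)
        if BGP_PORT not in (pkt.sport, pkt.dport):
            return True  # not BGP: the ordinary transit policy applies
        if s in self.router_addrs or d in self.router_addrs:
            return True  # a session terminating on this router
        if any((s in net and d == peer) or (d in net and s == peer)
               for net, peer in self.multihop):
            return True  # an explicitly permitted multihop session
        self.dropped.append(pkt)  # port-179 traffic in transit: drop it
        return False

def demo():
    # Constructed sample: the router owns 192.0.2.1 and 198.51.100.1, and one
    # multihop session runs between 203.0.113.0/24 (behind us) and 198.51.100.77.
    flt = BgpTransitFilter(["192.0.2.1", "198.51.100.1"],
                           [("203.0.113.0/24", "198.51.100.77")])
    packets = {
        "peer_to_us": Packet("192.0.2.2", 50000, "192.0.2.1", 179),
        "us_to_peer": Packet("192.0.2.1", 179, "192.0.2.2", 50000),
        "multihop": Packet("203.0.113.5", 179, "198.51.100.77", 41000),
        "transit_syn": Packet("198.51.100.9", 33000, "203.0.113.9", 179),
        "transit_rst": Packet("203.0.113.9", 179, "198.51.100.9", 33000),
        "transit_http": Packet("198.51.100.9", 5555, "203.0.113.9", 80),
    }
    verdicts = {name: flt.forward(p) for name, p in packets.items()}
    return verdicts, len(flt.dropped)

if __name__ == "__main__":
    print(demo())
```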



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200404202045.i3KKjKSb090656>