From: Charles Swiger
Date: Tue, 20 Apr 2004 17:16:25 -0400
To: Dragos Ruiu
cc: freebsd-security@freebsd.org
Subject: Re: TCP RST attack
In-Reply-To: <200404201343.44342.dr@kyx.net>
References: <6.0.3.0.0.20040420125557.06b10d48@209.112.4.2> <593EE0FE-9309-11D8-A8CA-003065ABFD92@mac.com> <200404201343.44342.dr@kyx.net>
List-Id: Security issues [members-only posting]

On Apr 20, 2004, at 4:43 PM, Dragos Ruiu wrote:

> On April 20, 2004 01:28 pm, Charles Swiger wrote:
>> My take on this is pretty close to yours: this isn't a new
>> vulnerability and it's difficult to perform this type of attack under
>> most circumstances without being able to sniff the traffic going by.
>> (Basically, sending a RST is a simple form of data injection via the
>> classic man-in-the-middle attack. ACKs and RSTs count as data, too.)
>
> Definitely not a new vulnerability. Just a newer analysis with more
> factors accounted for.

Agreed. For those who don't get them, CERT just released an advisory
(TA04-111A) about this issue which contains some more specific
information:

"According to Paul Watson's report, with a typical xDSL data
connection (80 Kbps, upstream) capable of sending of 250 packets per
second (pps) to a session with a TCP Window size of 65,535 bytes, it
would be possible to inject a TCP packet approximately every 5
minutes. It would take approximately 15 seconds with a T-1 (1.544
Mbps) connection."

[ ...thought about reducing TCP window size... ]

> But I'm told most providers crank UP their window sizes to improve BGP
> restarts... So reducing the windows may negatively affect other things.
> (Need to be careful that the cure isn't worse than the disease.)

Oh, sure. My suggestion was not specifically oriented towards BGP,
since that already has mechanisms available to protect it (TCP MD5
checksums) and for the reasons that Matt Dillon mentioned-- it's easy
to firewall off port 179, or have your BGP peers talking out-of-band
via an appropriate network topology.

-- 
-Chuck
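The advisory figures quoted in this thread (250 pps against a 65,535-byte window giving one in-window segment roughly every 5 minutes, a T-1 giving roughly 15 seconds) follow from a simple model: a receiver that accepts any RST whose sequence number lands inside its advertised window means each blind guess covers `window` sequence numbers, so sweeping the 2^32 space takes ceil(2^32 / window) segments. The Python below is an added illustration, not code from this thread, from CERT or from Paul Watson's report; it carries that model through so a defender can weigh the window-reduction idea discussed above against the window sizes operators actually run. The 40-byte minimal segment size and the absence of link-layer framing are assumptions of the example, not numbers from the advisory.

```python
"""Exposure estimate for blind in-window RST guessing (model behind TA04-111A).

Added illustration, not code from the thread or the advisory. Assumes the
classic RFC 793 acceptance rule (any RST whose sequence number falls in the
receive window is honoured), so the 2^32 sequence space needs
ceil(2^32 / window) guesses. Packet size is an assumption.
"""
import math

SEQ_SPACE = 2 ** 32  # size of the TCP sequence-number space


def guesses_needed(window: int) -> int:
    """Segments required to cover the whole sequence space once."""
    if window <= 0:
        raise ValueError("window must be positive")
    return math.ceil(SEQ_SPACE / window)


def pps_for_link(bits_per_second: float, packet_bytes: int = 40) -> float:
    """Segments per second a link can source at line rate.

    40 bytes is a minimal IPv4 + TCP header with no options and no
    link-layer framing (assumption; real links carry more overhead, so
    the true rate is lower and the sweep takes longer).
    """
    return bits_per_second / (packet_bytes * 8)


def seconds_to_cover(window: int, pps: float) -> float:
    """Worst-case time to sweep the sequence space at `pps` segments/s."""
    return guesses_needed(window) / pps


def exposure_table(windows, links):
    """Worst-case sweep time (seconds) for every (window, link) pair.

    `links` maps a label to packets per second. The ratio between rows
    shows what shrinking the advertised window buys, which is the
    trade-off raised in the thread against larger windows used for BGP.
    """
    return {
        (w, label): seconds_to_cover(w, pps)
        for w in windows
        for label, pps in links.items()
    }


if __name__ == "__main__":
    # Constructed link set: the advisory's xDSL rate and a T-1 at line rate.
    links = {
        "xDSL 80 Kbps (advisory: ~250 pps)": 250.0,
        "T-1 1.544 Mbps (40-byte segments)": pps_for_link(1.544e6),
    }
    table = exposure_table([65535, 16384, 4096], links)
    for (w, label), secs in table.items():
        print(f"window {w:>6}  {label:<36} {secs:8.1f} s  ({secs / 60:5.1f} min)")
```

Running the file prints the table; the 65,535-byte rows reproduce the advisory's "about 5 minutes" and "about 15 seconds" figures, and the 16,384-byte rows are four times longer, which quantifies the window-reduction suggestion the thread is weighing against BGP's need for large windows. For BGP itself the thread's point stands: TCP MD5 signatures and filtering port 179 remove the exposure rather than merely stretching it.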