nanog mailing list archives
Re: TCP/BGP vulnerability - easier than you think
From: Daniel Roesen <dr () cluenet de>
Date: Wed, 21 Apr 2004 15:21:13 +0200
On Wed, Apr 21, 2004 at 03:09:15PM +0200, Iljitsch van Beijnum wrote:
> > > The good part here is that filtering RSTs should still work.
> >
> > It doesn't. The RSTs are then being sent by the authorized sender and
> > your edge anti-spoof filtering for RST doesn't help a single millimeter.
>
> Now it's your time to overlook something: the filters I listed in my
> earlier message simply filter RSTs to/from the BGP port without looking
> at the address fields. Filtering ALL RSTs is probably a bad idea as
> broken sessions will then have to time out, possibly inconveniencing
> users (and thereby generating support calls).
As you didn't specify where to apply these filters, I guessed on the edges. I would never have thought that someone would really suggest deliberately breaking RST for valid BGP sessions.
> So I believe filtering out all BGP RSTs on all edges is probably a good idea.
RST and SYN. But that's still patchwork. Do anti-spoofing filtering in general, not only mitigating _this_ threat. Don't allow packets from source IPs of your originated IP spaces to enter your network, in ADDITION to securing the transport via TCP MD5 authentication or, even better, with IPsec. Always having two lines of defense is good security practice, especially if the doors to properly close are many (edge interfaces).
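The three defences argued over in this exchange, modelled as packet-filter decisions over constructed TCP segments. This is an added illustration, not code from the thread or from either poster: it assumes a network originating 192.0.2.0/24 whose router 192.0.2.1 runs eBGP with an external neighbour 198.51.100.1 over a session signed with the RFC 2385 TCP MD5 option and a constructed key, and it evaluates traffic as seen on the external ingress interface. It shows which policy catches a spoofed RST that claims the peer's address, which catches one that claims an address from our own space, and what the blunt port-179 RST/SYN filter does to the peer's own signed RST.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

BGP_PORT = 179
TCP_PROTO = 6
FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK = 0x02, 0x04, 0x08, 0x10

# Constructed for the example: prefixes we originate, our BGP speaker,
# the external peer, and the shared TCP MD5 secret for that session.
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_BGP, PEER_BGP = "192.0.2.1", "198.51.100.1"
PEER_KEY = b"example-md5-key"


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    seq: int = 0
    ack: int = 0
    payload: bytes = b""
    md5: Optional[bytes] = None  # RFC 2385 option digest carried in the segment


def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """RFC 2385 section 2: MD5 over the pseudo-header, the TCP header without
    options and with checksum zero, the data, and the key. The pseudo-header
    length counts the 20-byte base header plus 20 bytes of options (the
    18-byte MD5 option padded to a word boundary), so the data offset is 10."""
    tcp_len = 40 + len(seg.payload)
    pseudo = (ipaddress.ip_address(seg.src).packed
              + ipaddress.ip_address(seg.dst).packed
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    header = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                         10 << 4, seg.flags, 65535, 0, 0)
    return hashlib.md5(pseudo + header + seg.payload + key).digest()


def ingress_antispoof(seg: Segment) -> str:
    """Edge anti-spoofing: packets entering from outside must not claim a
    source inside the address space we originate."""
    src = ipaddress.ip_address(seg.src)
    return "drop" if any(src in p for p in OWN_PREFIXES) else "pass"


def bgp_rst_syn_filter(seg: Segment) -> str:
    """Edge filter on RST and SYN to or from port 179, ignoring addresses."""
    if BGP_PORT in (seg.sport, seg.dport) and seg.flags & (FLAG_RST | FLAG_SYN):
        return "drop"
    return "pass"


def tcp_md5_check(seg: Segment, key: bytes = PEER_KEY) -> str:
    """Receiving TCP on a signed session: a BGP segment whose MD5 option is
    missing or does not verify is discarded, whatever address it claims."""
    if BGP_PORT not in (seg.sport, seg.dport):
        return "pass"
    if seg.md5 is None or not hmac.compare_digest(seg.md5, tcp_md5_digest(seg, key)):
        return "drop"
    return "pass"


def evaluate(seg: Segment) -> dict:
    return {"antispoof": ingress_antispoof(seg),
            "rst_syn_filter": bgp_rst_syn_filter(seg),
            "tcp_md5": tcp_md5_check(seg)}


def signed(seg: Segment, key: bytes = PEER_KEY) -> Segment:
    seg.md5 = tcp_md5_digest(seg, key)
    return seg


# Constructed segments arriving on the external interface.
SPOOFED_RST_AS_PEER = Segment(PEER_BGP, LOCAL_BGP, BGP_PORT, 40000, FLAG_RST, seq=0x1234)
SPOOFED_RST_AS_OURS = Segment("192.0.2.7", LOCAL_BGP, 50000, BGP_PORT, FLAG_RST)
# 16-byte marker, length 19, type 4: a BGP KEEPALIVE.
PEER_KEEPALIVE = signed(Segment(PEER_BGP, LOCAL_BGP, BGP_PORT, 40000, FLAG_PSH | FLAG_ACK,
                                seq=0x1234, ack=0x5678,
                                payload=b"\xff" * 16 + b"\x00\x13\x04"))
PEER_RST = signed(Segment(PEER_BGP, LOCAL_BGP, BGP_PORT, 40000, FLAG_RST, seq=0x1234))

if __name__ == "__main__":
    for name, seg in [("spoofed RST claiming peer", SPOOFED_RST_AS_PEER),
                      ("spoofed RST from our space", SPOOFED_RST_AS_OURS),
                      ("peer KEEPALIVE, signed", PEER_KEEPALIVE),
                      ("peer RST, signed", PEER_RST)]:
        print(f"{name:28s} {evaluate(seg)}")
```

The spoofed RST claiming the peer's address passes the own-space anti-spoof filter and is stopped only by the port-179 filter or by the MD5 check; the one sourced from our own space is stopped by anti-spoofing alone. The peer's genuine, correctly signed RST is also dropped by the port-179 filter, which is the cost the thread is arguing about: that session then has to wait for the hold timer instead of being torn down cleanly.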
Current thread:
- Re: TCP/BGP vulnerability - easier than you think, (continued)
- Re: TCP/BGP vulnerability - easier than you think Adam Rothschild (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think E.B. Dreger (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think E.B. Dreger (Apr 22)
- Re: TCP/BGP vulnerability - easier than you think Iljitsch van Beijnum (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Daniel Roesen (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Iljitsch van Beijnum (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Daniel Roesen (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Iljitsch van Beijnum (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Daniel Roesen (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Iljitsch van Beijnum (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Daniel Roesen (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Iljitsch van Beijnum (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Paul Jakma (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Iljitsch van Beijnum (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Paul Jakma (Apr 21)
- RE: TCP/BGP vulnerability - easier than you think David Luyer (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Crist Clark (Apr 22)
- Re: TCP/BGP vulnerability - easier than you think John Kristoff (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think E.B. Dreger (Apr 21)
- Re: TCP/BGP vulnerability - easier than you think Iljitsch van Beijnum (Apr 22)
- Re: TCP/BGP vulnerability - easier than you think Paul Jakma (Apr 23)