From owner-freebsd-security@FreeBSD.ORG Tue Apr 20 11:17:21 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 64CE816A4CE for ; Tue, 20 Apr 2004 11:17:21 -0700 (PDT)
Received: from post.kyx.net (mail.kyx.net [216.232.31.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1543143D3F for ; Tue, 20 Apr 2004 11:17:21 -0700 (PDT) (envelope-from dr@kyx.net)
Received: from zylinator.zorg (unknown [216.232.31.80]) by post.kyx.net (Postfix) with ESMTP id C1A11D0A2C; Tue, 20 Apr 2004 11:28:15 -0700 (PDT)
From: Dragos Ruiu
Organization: All Terrain Ninjas
To: des@des.no (Dag-Erling Smørgrav), Mike Tancsa
Date: Tue, 20 Apr 2004 11:13:27 -0700
User-Agent: KYX-CP/M-FNORD5602
References: <6.0.3.0.0.20040420125557.06b10d48@209.112.4.2>
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Message-Id: <200404201113.27737.dr@kyx.net>
cc: freebsd-security@freebsd.org
Subject: Re: TCP RST attack
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 20 Apr 2004 18:17:21 -0000

On April 20, 2004 10:44 am, Dag-Erling Smørgrav wrote:
> Mike Tancsa writes:
> > http://www.uniras.gov.uk/vuls/2004/236929/index.htm
>
> The advisory grossly exaggerates the impact and severity of this
> fea^H^H^Hbug. The attack is only practical if you already know the
> details of the TCP connection you are trying to attack, or are in a
> position to sniff it. The fact that you can attack a TCP connection
> which passes through a network you have access to sniff should not be
> a surprise to anyone; the remaining cases require spoofing of a type
> which egress filtering would prevent, if only people would bother
> implementing it.

This is not true. The attack does not require sniffing.

> I don't believe BGP sessions are as exposed as the advisory claims
> they are, either. The possibility of insertion attacks (which are
> quite hard) was predicted six years ago, when RFC 2385 (Protection of
> BGP Sessions via the TCP MD5 Signature Option) was written. RST
> attacks may cause route flapping, but that can be avoided with a short
> hysteresis (though this may be impractical for backbone routers)

While I might agree that the real world practicability of the attack
needs to be carefully estimated, as there are a couple of complicating
factors (window size, and frequency of updates which fight against each
other). This does require much further analysis.

I've been working with several people to try to get better analysis and
correlation/verification of Paul's data... and the results are
inconclusive. This MIGHT not be as big a problem as it seems, but the lab
data that Paul has indicates it's something to seriously look at anyway.

Cisco PSIRT will be doing a Q&A on the topic after Paul's presentation
and we'll have some very sharp technical guys in the audience, including
some folks from very large ISPs that are most likely to be affected, so I
will wait until I hear from people smarter than I analyzing this. The
discussion should prove interesting and informative I hope.

cheers,
--dr

--
Top security experts. Cutting edge tools, techniques and information.
Vancouver, Canada April 21-23 2004 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
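The two technical points the exchange turns on are the receiver's window size (which bounds how many spoofed segments a blind sender who already knows the connection 4-tuple would have to emit before one lands in-window) and the RFC 2385 TCP MD5 signature option (which lets a BGP speaker discard any segment not produced by a peer holding the shared key). The following Python is an added illustration from the editor, not code from this thread or from any of its participants: it computes the exposure bound for a given window and implements the RFC 2385 digest so that an unsigned or wrongly keyed RST fails verification. The addresses, ports and key are constructed; treating the pseudo-header "segment length" as the full TCP length (header plus options plus data), as in the ordinary TCP checksum pseudo-header, is my reading of RFC 2385.

```python
import hashlib
import hmac
import math
import struct

TCP_PROTO = 6
FLAG_RST = 0x04
FLAG_ACK = 0x10


def rst_guesses_needed(window_size: int) -> int:
    """Upper bound on distinct sequence numbers a blind sender who already
    knows the 4-tuple must try before one RST is accepted as in-window
    (classic rule: any sequence number inside the receive window is accepted).
    A larger advertised window lowers this bound, which is why window size
    is one of the complicating factors mentioned in the thread."""
    if window_size <= 0:
        raise ValueError("window size must be positive")
    return math.ceil(2**32 / window_size)


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int, window: int) -> bytes:
    """20-byte TCP header with no options; checksum and urgent pointer left zero."""
    offset_flags = (5 << 12) | flags  # data offset 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def tcp_md5_digest(src_ip: bytes, dst_ip: bytes, tcp_header: bytes, payload: bytes, key: bytes) -> bytes:
    """RFC 2385 digest, computed over (1) the TCP pseudo-header, (2) the fixed
    20-byte TCP header with checksum zeroed and options excluded, (3) the
    segment data, and (4) the shared key, in that order."""
    tcp_len = len(tcp_header) + len(payload)  # assumption: includes options, like the checksum pseudo-header
    pseudo = src_ip + dst_ip + b"\x00" + bytes([TCP_PROTO]) + struct.pack("!H", tcp_len)
    fixed = tcp_header[:20]
    fixed_zero_cksum = fixed[:16] + b"\x00\x00" + fixed[18:20]
    return hashlib.md5(pseudo + fixed_zero_cksum + payload + key).digest()


def verify_segment(src_ip: bytes, dst_ip: bytes, tcp_header: bytes, payload: bytes,
                   key: bytes, presented_digest: bytes) -> bool:
    """Receiver-side check: recompute the digest with the session key and
    compare in constant time. A segment without a matching digest is dropped
    before it can reset or alter the session."""
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key)
    return hmac.compare_digest(expected, presented_digest)


def demo() -> dict:
    """Constructed BGP-like session (port 179) between two example addresses."""
    key = b"constructed-session-key"  # shared between the two peers only
    src_ip = bytes([192, 0, 2, 1])
    dst_ip = bytes([198, 51, 100, 2])

    # Legitimate ACK from a peer that holds the key: verifies.
    legit = build_tcp_header(179, 40000, 1000, 2000, FLAG_ACK, 16384)
    legit_digest = tcp_md5_digest(src_ip, dst_ip, legit, b"", key)

    # In-window RST built by a sender without the key: its digest is wrong,
    # so the receiver discards it regardless of whether the sequence number fits.
    forged_rst = build_tcp_header(179, 40000, 1000, 0, FLAG_RST, 0)
    forged_digest = tcp_md5_digest(src_ip, dst_ip, forged_rst, b"", b"wrong-key")

    return {
        "legit_ok": verify_segment(src_ip, dst_ip, legit, b"", key, legit_digest),
        "forged_ok": verify_segment(src_ip, dst_ip, forged_rst, b"", key, forged_digest),
        "guesses_window_16k": rst_guesses_needed(16384),
        "guesses_window_64k": rst_guesses_needed(65535),
    }


if __name__ == "__main__":
    print(demo())
```

The exposure bound is a per-direction worst case for a stack that accepts any in-window RST; it says nothing about the rate at which a router could absorb those segments, which is the other factor the thread leaves to further analysis. The digest check is what RFC 2385 adds on top: the sequence-space bound becomes irrelevant because a segment without the key's digest never reaches the RST-processing logic.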