RE: Transmission Control Protocol (TCP) vulnerability ???

From: Scott Morris (swm@emanon.com)
Date: Wed Apr 21 2004 - 17:12:12 GMT-3


The RST is part of the header fields (TCP RST). The MD5 authentication
takes the header information into account and makes sure nothing has
changed.

While not entirely foolproof, it now involves the hacker being able to spoof
the IP src/dst, picking the sequence correctly, AND knowing the shared
password in order to generate a workable hash. Otherwise, your side would
just trash the incoming item without the authentication.

The hash is part of the L4 transaction AFAIK.

HTH,
 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIS, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
 
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Paul
Borghese
Sent: Wednesday, April 21, 2004 1:43 PM
To: 'Armand D'; ccielab@groupstudy.com
Subject: RE: Transmission Control Protocol (TCP) vulnerability ???

I have been studying the vulnerability with relation to how it affects BGP
sessions. In a nutshell, the hacker sends a TCP RST message thus
terminating the BGP neighbor relationship. This causes the routes to be
removed from the BGP table. Do this a few times and (assuming you have
route dampening enabled) the routes are placed in a dampened state. The
hacker must guess the TCP Sequence number (or be close based upon the
windowing size).

Cisco's workaround is to simply use BGP authentication. While I do not
doubt Cisco has tested this and it works, I do not understand why it will
work. BGP is transported as data that rides over TCP/IP (port 179). Why
would authenticating application layer data prevent the TCP session from
being reset? The authentication is taking place at a higher layer than
layer 4.

Any opinions? Howard?

Take care,

Paul Borghese

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Armand D
Sent: Wednesday, April 21, 2004 1:51 PM
To: ccielab@groupstudy.com
Subject: Transmission Control Protocol (TCP) vulnerability ???

Hi,

I'm wondering what anyone thinks about the latest vulnerability (TCP)
specification? What precautions are people taking, if any, at this point?

Thanks,

Armand

http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml
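
The check discussed in this thread, as an added example that is not part of any of the original messages: BGP authentication is carried as the TCP MD5 Signature Option (RFC 2385, option kind 19), so the receiver validates the digest at the TCP layer before the RST bit is acted on. The addresses, ports, sequence number and key below are constructed, and the TCP checksum is left at zero because the digest zeroes it anyway.

```python
import hashlib, hmac, socket, struct

RST = 0x04
OPT_MD5SIG, OPT_LEN = 19, 18      # RFC 2385 TCP option kind and length

def digest(src, dst, fixed_hdr, payload, key, seg_len):
    # RFC 2385 hash input, in order: pseudo-header, fixed TCP header with the
    # checksum zeroed (options excluded), segment data, shared key.
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, seg_len)
    zeroed = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:20]
    return hashlib.md5(pseudo + zeroed + payload + key).digest()

def build_segment(src, dst, sport, dport, seq, flags, key=None, payload=b""):
    """Return TCP segment bytes (checksum left 0 in this model); signed if key is given."""
    doff = 10 if key is not None else 5   # 20-byte header, plus 18-byte option and 2 NOPs
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, doff << 4, flags, 16384, 0, 0)
    if key is None:
        return fixed + payload
    sig = digest(src, dst, fixed, payload, key, doff * 4 + len(payload))
    return fixed + b"\x01\x01" + bytes([OPT_MD5SIG, OPT_LEN]) + sig + payload

def find_md5sig(options):
    """Walk the TCP option list and return the 16-byte digest, or None."""
    i = 0
    while i < len(options) and options[i] != 0:       # kind 0 ends the list
        if options[i] == 1:                           # kind 1 is a one-byte NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):   # malformed option
            return None
        if options[i] == OPT_MD5SIG and length == OPT_LEN:
            return options[i + 2:i + OPT_LEN]
        i += length
    return None

def accept(src, dst, segment, key):
    """Receiver side of a session configured with key: drop unsigned or mis-signed segments."""
    if len(segment) < 20:
        return False
    hlen = (segment[12] >> 4) * 4
    if hlen < 20 or hlen > len(segment):
        return False
    sig = find_md5sig(segment[20:hlen])
    if sig is None:
        return False
    expected = digest(src, dst, segment[:20], segment[hlen:], key, len(segment))
    return hmac.compare_digest(sig, expected)
```

A RST built with the right addresses, ports and sequence number but without the key fails `accept()`, which is the "trash the incoming item" behaviour described in the reply at the top of the thread.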




This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:52 GMT-3