RE: Transmission Control Protocol (TCP) vulnerability ???

From: Shafi, Shahid (sshafi@qualcomm.com)
Date: Thu Apr 22 2004 - 00:36:04 GMT-3


Great answer Scott. Here is the proof and associated RFC. Excellent
question Paul because this is the first thing that came to my useless
mind too :-)

http://www.cisco.com/en/US/about/ac123/ac114/ac173/ac170/about_cisco_packet_department09186a008010176a.html

Thanks,
Shahid

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Scott Morris
Sent: Wednesday, April 21, 2004 1:12 PM
To: 'Paul Borghese'; 'Armand D'; ccielab@groupstudy.com
Subject: RE: Transmission Control Protocol (TCP) vulnerability ???

The RST is part of the header fields (TCP RST). The MD5 authentication
takes the header information into account and makes sure nothing has
changed.

While not entirely foolproof, it now involves the hacker being able to
spoof the IP src/dst, picking the sequence correctly, AND knowing the
shared password in order to generate a workable hash. Otherwise, your
side would just trash the incoming item without the authentication.

The hash is part of the L4 transaction AFAIK.

HTH,
 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
CISSP, JNCIS, et al. IPExpert CCIE Program Manager IPExpert Sr.
Technical Instructor swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
 
 

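To make the point in Scott's reply concrete (and to answer Paul's question about why authenticating at a "higher layer" stops a TCP RST), here is an added worked model that is not part of this thread or of any vendor's code. It implements the RFC 2385 TCP MD5 Signature Option digest: MD5 over the IP pseudo-header, the base TCP header with the checksum zeroed, the segment data, and the shared key. The receiver logic is a simplified model of a router with a BGP password configured; the addresses, ports, password and sequence numbers are constructed for the demo.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TCP_PROTO = 6
FLAG_RST = 0x04
FLAG_ACK = 0x10
MD5_OPTION_LEN = 18                 # option kind 19, length 18, 16-byte digest
HDR_LEN = 20 + MD5_OPTION_LEN + 2   # base header + option + 2 NOP bytes of padding = 40


@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int = 16384
    payload: bytes = b""
    md5_digest: Optional[bytes] = None   # digest carried in TCP option kind 19, if present


def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """RFC 2385 digest: pseudo-header, base TCP header (no options, checksum 0), data, key."""
    seg_len = HDR_LEN + len(seg.payload)          # segment length as it appears in the pseudo-header
    pseudo = (socket.inet_aton(seg.src_ip) + socket.inet_aton(seg.dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    data_offset = HDR_LEN // 4                    # header length in 32-bit words, as transmitted
    base_hdr = struct.pack("!HHIIBBHHH", seg.src_port, seg.dst_port, seg.seq, seg.ack,
                           data_offset << 4, seg.flags, seg.window, 0, 0)
    return hashlib.md5(pseudo + base_hdr + seg.payload + key).digest()


def sign(seg: Segment, key: bytes) -> Segment:
    """Sender side: attach the digest computed with the shared key."""
    seg.md5_digest = tcp_md5_digest(seg, key)
    return seg


def accept(seg: Segment, key: Optional[bytes], rcv_nxt: int, rcv_wnd: int) -> Tuple[bool, str]:
    """Model of the receiving router's decision for an incoming segment on a BGP session."""
    # Classic TCP: any RST whose sequence number falls in the receive window tears the
    # connection down. This is the only check an unauthenticated session applies.
    if not (rcv_nxt <= seg.seq < rcv_nxt + rcv_wnd):
        return False, "sequence number outside receive window"
    if key is None:
        return True, "accepted (no authentication configured)"
    # With a password configured, the digest is verified before TCP acts on the segment.
    if seg.md5_digest is None:
        return False, "dropped: MD5 option missing on authenticated session"
    if not hmac.compare_digest(tcp_md5_digest(seg, key), seg.md5_digest):
        return False, "dropped: MD5 digest does not verify"
    return True, "accepted: digest verified"


def demo() -> dict:
    key = b"constructed-bgp-password"          # constructed shared secret
    rcv_nxt, rcv_wnd = 1_000_000, 16384       # constructed receiver state

    def rst(seq: int) -> Segment:
        return Segment("192.0.2.1", "192.0.2.2", 179, 40001, seq, 0, FLAG_RST | FLAG_ACK)

    out = {}
    # 1. In-window RST on an unauthenticated session: the session is reset (Paul's scenario).
    out["unauth_in_window"] = accept(rst(rcv_nxt + 100), None, rcv_nxt, rcv_wnd)[0]
    # 2. Same RST once a password is configured, with no MD5 option present: dropped.
    out["auth_no_option"] = accept(rst(rcv_nxt + 100), key, rcv_nxt, rcv_wnd)[0]
    # 3. Correct sequence number and an option present, but computed with the wrong key: dropped.
    out["auth_wrong_key"] = accept(sign(rst(rcv_nxt + 100), b"wrong-key"), key, rcv_nxt, rcv_wnd)[0]
    # 4. Genuine peer's signed RST: accepted.
    out["auth_right_key"] = accept(sign(rst(rcv_nxt + 100), key), key, rcv_nxt, rcv_wnd)[0]
    # 5. A validly signed segment whose sequence number is altered afterwards: the digest
    #    covers the TCP header, so it no longer verifies.
    tampered = sign(rst(rcv_nxt + 100), key)
    tampered.seq = rcv_nxt + 200
    out["auth_seq_tampered"] = accept(tampered, key, rcv_nxt, rcv_wnd)[0]
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'ACCEPT' if ok else 'DROP'}")
```

The reason "BGP authentication" helps is visible in `tcp_md5_digest`: the option is negotiated by the BGP configuration, but the digest is computed and checked by TCP over the TCP header itself, so a RST that is spoofed at layer 4 never reaches the BGP process unless it carries a digest made with the shared key.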
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Paul Borghese
Sent: Wednesday, April 21, 2004 1:43 PM
To: 'Armand D'; ccielab@groupstudy.com
Subject: RE: Transmission Control Protocol (TCP) vulnerability ???

I have been studying the vulnerability with relation to how it affects
BGP sessions. In a nutshell, the hacker sends a TCP RST message thus
terminating the BGP neighbor relationship. This causes the routes to be
removed from the BGP table. Do this a few times and (assuming you have
route dampening enabled) the routes are placed in a dampened state. The
hacker must guess the TCP Sequence number (or be close based upon the
windowing size).

Cisco's workaround is to simply use BGP authentication. While I do not
doubt Cisco has tested this and it works, I do not understand why it
will work. BGP is transported as data that rides over TCP/IP (port
179). Why would authenticating application layer data prevent the TCP
session from being reset? The authentication is taking place at a
higher layer than layer 4.

Any opinions? Howard?

Take care,

Paul Borghese

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Armand D
Sent: Wednesday, April 21, 2004 1:51 PM
To: ccielab@groupstudy.com
Subject: Transmission Control Protocol (TCP) vulnerability ???

Hi,

I'm wondering what anyone thinks about the latest vulnerability (TCP)
specification? What precautions are people taking if any at this point?

Thanks,

Armand

http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml




This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:52 GMT-3