RE: TCP vulnerability!

From: Kenneth Wygand (KWygand@customonline.com)
Date: Thu Apr 22 2004 - 10:40:13 GMT-3


Gotta refresh some information on my BGP, but even without any access
list, wouldn't you be unable to reset a BGP session without a correct
source/destination pair? Follow my logic...

If the spoofed source isn't right, it would be like having Router A peer
with the loopback of Router B while Router B tries to peer with Router A
from Router B's directly connected interface. Won't BGP just throw this
packet away?

If the destination isn't right (trying to reset a session that's
connected to Router B's loopback interface by sending a TCP reset to
Router B's directly connected interface), won't the same thing happen?
Won't BGP just throw this packet away?

And as far as using an access list to limit sessions to using TCP port
179, it would seem that would be the only port on which a TCP session
could be reset, regardless of filtering through an access list.

Am I missing something?

Kenneth E. Wygand
Systems Engineer, Project Services
CISSP #37102, CCNP, CCDP, ACSP, Cisco IPT Design Specialist, MCP, CNA,
Network+, A+
Custom Computer Specialists, Inc.
"The only unattainable goal is the one not attempted."
-Anonymous
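The source/destination matching Kenneth describes, together with the "within a certain window" point from Ian's reply below, modelled in Python as an added example (it is not code from this thread or from any router vendor). The addresses, ports and window sizes are constructed; the `strict` mode follows the rule later standardised in RFC 5961 and is an assumption about hardening, not something the thread describes.

```python
"""Disposition of an incoming TCP RST at a BGP speaker.

Added example for this thread; not code from the list or from any router
vendor. It models two of the checks discussed: the filter that only admits
a segment whose source/destination addresses and ports match a configured
peering on TCP port 179, and the RFC 793 rule that honours a RST whose
sequence number falls anywhere inside the receive window. All addresses,
ports and window sizes below are constructed sample values.
"""
from dataclasses import dataclass

BGP_PORT = 179
SEQ_SPACE = 2 ** 32


@dataclass(frozen=True)
class Segment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    rst: bool = True


@dataclass(frozen=True)
class BgpSession:
    local_ip: str    # address the session is sourced from, e.g. a loopback
    peer_ip: str
    local_port: int
    peer_port: int
    rcv_nxt: int     # next sequence number expected from the peer
    rcv_wnd: int     # receive window currently advertised to the peer

    def matches_tuple(self, seg: Segment) -> bool:
        """Source/destination address and port check: a segment that does
        not line up with a configured peering never reaches the TCP state
        machine, which is the effect of the per-peer ACL in the thread."""
        return (seg.src_ip == self.peer_ip and seg.dst_ip == self.local_ip
                and seg.src_port == self.peer_port
                and seg.dst_port == self.local_port
                and BGP_PORT in (seg.src_port, seg.dst_port))

    def seq_in_window(self, seq: int) -> bool:
        """RFC 793 acceptability test: RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND,
        evaluated modulo 2^32 so it stays right across sequence wrap."""
        return (seq - self.rcv_nxt) % SEQ_SPACE < self.rcv_wnd


def rst_disposition(session: BgpSession, seg: Segment, strict: bool = False) -> str:
    """What the receiver does with one segment.

    strict=False is the RFC 793 behaviour the advisory is about: any RST
    inside the window tears the session down.
    strict=True is the tightened rule later standardised in RFC 5961 (an
    assumption about hardening, not something the thread describes): only
    a RST at exactly RCV.NXT is honoured; an in-window RST elsewhere gets
    a challenge ACK, so a guesser is back to needing the exact value.
    """
    if not seg.rst or not session.matches_tuple(seg):
        return "drop"
    if not session.seq_in_window(seg.seq):
        return "drop"
    if strict and seg.seq != session.rcv_nxt:
        return "challenge-ack"
    return "reset"


def blind_rst_attempts(rcv_wnd: int) -> int:
    """How many in-window guesses cover the whole 2^32 sequence space when
    any in-window value is accepted: one per window-sized slice. With
    rcv_wnd == 1 this degenerates to the 2^32 exact guesses Ian mentions,
    which is the size of the risk the window rule removes."""
    return -(-SEQ_SPACE // rcv_wnd)   # ceiling division


if __name__ == "__main__":
    s = BgpSession("10.0.0.1", "10.0.0.2", BGP_PORT, 40000,
                   rcv_nxt=1000, rcv_wnd=16384)
    probe = Segment("10.0.0.2", "10.0.0.1", 40000, BGP_PORT, seq=5000)
    print("RFC 793:", rst_disposition(s, probe))
    print("RFC 5961:", rst_disposition(s, probe, strict=True))
    print("guesses covering the space at a 16 KiB window:", blind_rst_attempts(16384))
```

The tuple filter answers Kenneth's question in the model: a segment addressed to the wrong interface, or from the wrong source, is dropped before the sequence number is ever looked at. What the filter cannot do is stop a correctly addressed in-window RST, which is why the window rule (and MD5, discussed below) matters.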

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
istong@stong.org
Sent: Thursday, April 22, 2004 8:34 AM
To: Calton,Doug; istong@stong.org; ccie; Armand D;
ccielab@groupstudy.com
Subject: RE: TCP vulnerability!

If you were just filtering on source address then it
wouldn't help a whole lot. But if you filter on specific
source/destination pairs and TCP port 179 you at least make
it harder. You would have to spoof the source address,
point to the proper destination address, guess the proper
source/destination TCP ports and properly guess (within a
certain window) what the sequence number should be.
Ultimately you should consider multiple methods of
prevention as I mentioned in an earlier email.

One interesting thread I have seen lately relates to a
possible "added vulnerability" by using MD5. The idea is
that if you add MD5 authentication to your router then it
will now have to check incoming packets for a proper hash.
If you send the router a ton of MD5 authenticated bogus
packets - is there a potential for doing a denial of service
on the router? Perhaps it's a vulnerability that should be
of concern - but I would have to test it in a lab to see.

Someone else asked for a link about the vulnerability so I'm
adding that here:

http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml

Thanks,

Ian
http://www.ccie4u.com
CCIE Lab Scenarios and Rack Rentals
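The MD5 check Ian is weighing, as an added example in Python (not code from this thread or from any router vendor): it computes and verifies the RFC 2385 TCP MD5 signature option and counts how many digests a receiver spends on a batch of unauthenticated segments with and without a per-peer source/destination filter in front of the check. Addresses, ports, the key and the sample segments are all constructed.

```python
"""TCP MD5 signature option (RFC 2385) as used to protect BGP peerings.

Added example for this thread; not code from the list or from any router
vendor. It shows what "checking incoming packets for a proper hash"
involves: the digest covers the pseudo-header, the TCP header with a zero
checksum, the payload and the shared key, so a segment that gets as far as
the check costs a full MD5 before it can be rejected. flood_cost puts a
cheap source/destination filter in front of that check to show why the
two mitigations are worth layering. All sample values are constructed.
"""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCPOPT_MD5SIG = 19        # option kind assigned by RFC 2385
TCPOLEN_MD5SIG = 18       # kind + length + 16-byte digest
OPTION_PADDED_LEN = 20    # 18 bytes plus two NOPs to reach a 32-bit boundary


def tcp_header(src_port, dst_port, seq, ack, flags, window, checksum=0):
    """Fixed 20-byte TCP header; the data offset counts the padded option."""
    data_offset_words = (20 + OPTION_PADDED_LEN) // 4
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       (data_offset_words << 12) | flags, window, checksum, 0)


def md5_signature(src_ip, dst_ip, hdr, payload, key):
    """RFC 2385 section 2.0 digest, over these items in order:
    1. pseudo-header: source IP, destination IP, zero, protocol, TCP length
    2. the TCP header excluding options, with the checksum field zeroed
    3. the segment data
    4. the shared key
    The TCP length counts header, padded option and data."""
    tcp_len = len(hdr) + OPTION_PADDED_LEN + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    hdr_zero_cksum = hdr[:16] + b"\x00\x00" + hdr[18:]
    h = hashlib.md5()
    for part in (pseudo, hdr_zero_cksum, payload, key):
        h.update(part)
    return h.digest()


def md5_option(digest):
    """Kind 19, length 18, digest; the sender pads it to 20 bytes with NOPs."""
    return struct.pack("!BB", TCPOPT_MD5SIG, TCPOLEN_MD5SIG) + digest


def verify_segment(src_ip, dst_ip, hdr, option, payload, key):
    """Receiver side. Returns (accepted, md5_computations_spent).
    A malformed option is refused for free; anything else costs one MD5
    over the whole segment, followed by a constant-time compare."""
    if len(option) != TCPOLEN_MD5SIG or option[0] != TCPOPT_MD5SIG:
        return False, 0
    expected = md5_signature(src_ip, dst_ip, hdr, payload, key)
    return hmac.compare_digest(expected, option[2:]), 1


def flood_cost(segments, key, peer_filter=None):
    """MD5 computations a receiver spends on a batch of segments.
    peer_filter, if given, is a cheap (src_ip, dst_ip) -> bool check run
    first, standing in for the per-peer ACL discussed in the thread."""
    cost = 0
    for src_ip, dst_ip, hdr, option, payload in segments:
        if peer_filter is not None and not peer_filter(src_ip, dst_ip):
            continue
        _, spent = verify_segment(src_ip, dst_ip, hdr, option, payload, key)
        cost += spent
    return cost


# Constructed sample peering: 10.0.0.1:179 <-> 10.0.0.2:40000
KEY = b"constructed-shared-secret"
PEERS = {("10.0.0.2", "10.0.0.1"), ("10.0.0.1", "10.0.0.2")}
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"   # BGP KEEPALIVE: marker, length 19, type 4


def signed_keepalive():
    hdr = tcp_header(179, 40000, seq=1000, ack=2000, flags=0x18, window=16384)
    opt = md5_option(md5_signature("10.0.0.1", "10.0.0.2", hdr, KEEPALIVE, KEY))
    return "10.0.0.1", "10.0.0.2", hdr, opt, KEEPALIVE


def unauthenticated_segments(count):
    """Stand-in for the bogus MD5-carrying traffic the reply worries about:
    segments from non-peer addresses whose option holds a garbage digest."""
    hdr = tcp_header(40000, 179, seq=0, ack=0, flags=0x04, window=0)  # RST
    return [("192.0.2.%d" % (i % 254 + 1), "10.0.0.1", hdr,
             md5_option(b"\x00" * 16), b"") for i in range(count)]


if __name__ == "__main__":
    print("genuine keepalive accepted:", verify_segment(*signed_keepalive(), KEY))
    batch = unauthenticated_segments(1000)
    print("MD5 runs without per-peer filter:", flood_cost(batch, KEY))
    print("MD5 runs with per-peer filter:   ",
          flood_cost(batch, KEY, lambda s, d: (s, d) in PEERS))
```

In the model the per-peer filter costs a set lookup per segment and the MD5 check costs a digest over the whole segment; a batch of unauthenticated segments from non-peer sources therefore costs the receiver nothing once the filter is in front. Whether a given router applies its checks in that order is not something the thread establishes, which is the point of Ian's remark that it would have to be tested in a lab.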

> Assuming the source addr is being spoofed, how would an
> ACL help? Related to this, I have been thinking - how does
> the use of a stable source IP (i.e. loopback) affect this
> vulnerability? I am thinking that standard best practices
> regarding spoofing filters can prevent or minimize
> spoofing (BGP-targeted or otherwise) between eBGP sessions
> on WAN links to peers, if the WAN IP is used to establish
> the session and isolated subnets were used. iBGP sessions
> would be harder to prevent, assuming use of a loopback
> source IP and potential for broadcast media. Thoughts?
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
> On Behalf Of istong@stong.org
> Sent: Thursday, April 22, 2004 6:28 AM
> To: ccie; Armand D; ccielab@groupstudy.com
> Subject: Re: Transmission Control Protocol (TCP)
> vulnerability!
>
>
> From what I can tell this is not really a new
> vulnerability. This has been an issue for a long time and
> the mitigation steps have been recommended for almost as
> long. It seems the real interest in this vulnerability
> now stems from the finding that you don't have to know the
> exact sequence number (a 1 in 2^32 chance) but
> instead just need to be within a window of the correct
> sequence number.
>
> Having said that, there are various methods to address the
> possible threat of someone interrupting your BGP sessions
> by sending RST or SYN packets. One method is to use MD5
> authentication on your peers. Another method (or one to use
> in conjunction) is to use ACLs to block TCP port 179 down
> to specific source/destination peers. Lastly you may also
> want to look into best business practices such as AS
> filtering and prefix filtering, etc.
>
>
> Ian
>
> http://www.CCIE4U.com
> High End Rack Rentals with IOS 12.2T starting at only $20
>
>
> > ----- Original Message -----
> > From: "Armand D" <ciscoworks2001@yahoo.com>
> > To: <ccielab@groupstudy.com>
> > Sent: Wednesday, April 21, 2004 8:50 PM
> > Subject: Transmission Control Protocol (TCP)
> > vulnerability ???
> >
> >
> > > Hi,
> > >
> > > I'm wondering what anyone thinks about the latest
> > > vulnerability (TCP) specification ? What precautions
> > > are people taking if any at this point ?
> > >
> > > Thanks,
> > >
> > > Armand
> > >
> > >
> >
>
> > Please help support GroupStudy by purchasing your study
> > materials from: http://shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> ______________________________________________
>
> Check Your Email From Any Where in the World!
>
> http://www.myemail.com
>
> Tell Your Friends about MyEmail.com!
> ______________________________________________
>



This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:52 GMT-3