RE: TCP vulnerability!

From: Shafi, Shahid (sshafi@qualcomm.com)
Date: Thu Apr 22 2004 - 19:29:42 GMT-3


When router A starts a BGP session with router B, destination port is
TCP 179 but what is the source port?

Shahid

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
istong@stong.org
Sent: Thursday, April 22, 2004 5:34 AM
To: Calton,Doug; istong@stong.org; ccie; Armand D;
ccielab@groupstudy.com
Subject: RE: TCP vulnerability!

If you were just filtering on source address then it
wouldn't help a whole lot. But if you filter on specific source
destination pairs and tcp port 179 you at least make it harder. You
would have to spoof the source address, point to the proper destination
address, guess the proper source/destination tcp ports and properly
guess (within a certain window) what the sequence number should be.
Ultimately you should consider multiple methods of
prevention as I mentioned in an earlier email.

One interesting thread I have seen lately relates to a
possible "added vulnerability" by using MD5. The idea is
that if you add MD5 authentication to your router then it
will now have to check incoming packets for a proper hash.
If you send the router a ton of MD5 authenticated bogus
packets - is there a potential for doing a denial of service
on the router? Perhaps it's a vulnerability that should be
of concern - but I would have to test it in a lab to see.

Someone else asked for a link about the vulnerability so I'm adding that
here:

http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml

Thanks,

Ian
http://www.ccie4u.com
CCIE Lab Scenarios and Rack Rentals

> Assuming the source addr is being spoofed, how would an
> ACL help? Related to this, I have been thinking - how does the use of
> a stable source IP (i.e. loopback) affect this vulnerability? I am
> thinking that standard best practices regarding spoofing filters can
> prevent or minimize spoofing (BGP-targeted or otherwise) between ebgp
> sessions on WAN links to peers, if the WAN IP is used to establish
> the session and isolated subnets were used. iBGP sessions
> would be harder to prevent, assuming use of a loopback
> source IP and potential for broadcast media. Thoughts?
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
> On Behalf Of istong@stong.org
> Sent: Thursday, April 22, 2004 6:28 AM
> To: ccie; Armand D; ccielab@groupstudy.com
> Subject: Re: Transmission Control Protocol (TCP) vulnerability!
>
>
> From what I can tell this is not really a new
> vulnerability. This has been an issue for a long time and the
> mitigation steps have been recommended for almost as long. It seems
> the real interest in this vulnerability now stems from the finding
> that you don't have to know the exact sequence number (a 1/2 to the
> 32nd chance) but instead just need to be within a window of the
> correct sequence number.
>
> Having said that there are various methods to address the possible
> threat of someone interrupting your BGP sessions by sending RST or SYN
> packets. One method is to use MD5 authentication on your peers.
> Another method (or in conjunction) you can use ACLs to block tcp port
> 179 down to specific source/destination peers. Lastly you may also want
> to look into best business practices such as AS filtering and prefix
> filtering, etc.
>
>
> Ian
>
> http://www.CCIE4U.com
> High End Rack Rentals with IOS 12.2T starting at only $20
>
>
> > ----- Original Message -----
> > From: "Armand D" <ciscoworks2001@yahoo.com>
> > To: <ccielab@groupstudy.com>
> > Sent: Wednesday, April 21, 2004 8:50 PM
> > Subject: Transmission Control Protocol (TCP)
> > vulnerability ???
> >
> >
> > > Hi,
> > >
> > > I'm wondering what anyone thinks about the latest vulnerability
> > > (TCP) specification? What precautions are people taking if any at
> > > this point?
> > >
> > > Thanks,
> > >
> > > Armand
> > >
> > >
> > > http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml
> > >
> > >
> >
> > >
> > > _______________________________________________________________________
> > > Please help support GroupStudy by purchasing your study materials from:
> > > http://shop.groupstudy.com
> > >
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> ______________________________________________
>
> Check Your Email From Any Where in the World!
>
> http://www.myemail.com
>
> Tell Your Friends about MyEmail.com!
> ______________________________________________

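The point made in the thread, that a spoofed RST only has to land within a window of the correct sequence number but must also match the source/destination ports, worked through as an added example that is not part of the original messages. It follows the RFC 793 acceptability test; the window sizes and source-port counts are constructed sample values.

```python
SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32 bits wide and wrap around


def in_receive_window(seg_seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test for a zero-length segment such as a RST:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2**32."""
    offset = (seg_seq - rcv_nxt) % SEQ_SPACE
    if rcv_wnd == 0:
        return offset == 0  # zero window: only an exact match is acceptable
    return offset < rcv_wnd


def segments_to_cover(rcv_wnd, candidate_src_ports=1):
    """Upper bound on spoofed segments needed before one is certain to fall
    in the window: one per window-sized step of the sequence space, repeated
    for every source port the sender cannot rule out."""
    if rcv_wnd < 1 or candidate_src_ports < 1:
        raise ValueError("window and port count must be positive")
    steps = -(-SEQ_SPACE // rcv_wnd)  # ceiling division
    return steps * candidate_src_ports


def exposure_table(windows, port_counts):
    """Rows of (window, ports, segments) for comparing configurations."""
    return [(w, p, segments_to_cover(w, p)) for w in windows for p in port_counts]


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    rcv_nxt = SEQ_SPACE - 10  # receive window straddles the 32-bit wrap
    print(in_receive_window(50, rcv_nxt, 100))  # sequence number after the wrap
    print(in_receive_window(90, rcv_nxt, 100))  # first value past the window
    for window, ports, segments in exposure_table([1, 16384, 65535], [1, 16384]):
        print(f"window={window:>5} ports={ports:>5} segments<={segments}")
```

The bound grows as the receive window shrinks and as the number of source ports that cannot be ruled out grows, which is why the exact-match case (window of 1) costs the full 2^32.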


This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:52 GMT-3