North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Massive stupidity (Was: Re: TCP vulnerability)

  • From: Patrick W.Gilmore
  • Date: Tue Apr 20 21:39:58 2004 
On Apr 20, 2004, at 9:23 PM, Mike Tancsa wrote:


At 05:09 PM 20/04/2004, Richard A Steenbergen wrote:
party to know which side won the collision handling. Therefore you need
262144 packets * 3976 ephemeral ports (assuming both sides are jnpr, again
worst case) * 2 (to figure out who was the connecter and who was the
accepter) = 2084569088 packets to exhaustively search all space on this
one single Juniper to Juniper session. Now, lets just for the sake of
argument say that the router is capable of actively processing 10,000
packets/sec of rst (a fairly exagerated number) and still have this be
considered a tcp attack instead of a straight DoS against the routing
engine. This will still take 208456 seconds, or 57.9 hours.
<snip>
I dont understand why the large differences in claims

http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-00.txt

says
   Modern operating
   systems normally default the RCV.WND to about 32,768 bytes. This
   means that a blind attacker need only guess 65,535 RST segments
   (2^^32/(RCV.WND*2)) in order to reset a connection. At DSL speeds
   this means that most connections (assuming the attacker can
   accurately guess both ports) can be reset in under 200 seconds
   (usually far less). With the rise of broadband availability and
   increasing available bandwidth, many Operating Systems have raised
   their default RCV.WND to as much as 64k, thus making these attacks
   even easier.
You missed the "(assuming the attacker can accurately guess both ports)" part.

This is BY NO MEANS a given. In fact, it is pretty much guaranteed to not be a given on any router which has not recently been rebooted. (Or at least that the attacker doesn't know has been recently rebooted. :)


Also, with the various 'bots' at peoples disposal, why the assumption the attack would not be distributed.
Who made that assumption? I do not see it above.

Also, if you have a 'bot army at your disposal, it is trivial to packet a router off the 'Net - orders of magnitude easier than guessing sequence / port number - and faster too. In fact, you can probably do it in far less than 200 seconds, more or less 59 hours. And then you take down *all* BGP sessions, not just the one in question.

Since miscreants are at least as lazy as you and I, would someone explain to me why they would bother trying to guess the sequence & port numbers, even with this new "vulnerability", rather just just packet the router off the 'Net? Especially now that we have made it easier by forcing the router to calculate MD5 signatures on each packet....


Honestly, once the hysteria dies down, I think we will be going to all our peers and asking to take the MD5 stuff off. I honestly believe we will suffer more downtime - and longer downtime - from MD5 keys going out of sync than any RST style attack.

If people are really worried about this, then they should ingress filter at the leaf nodes. If they did, no one could spoof the source IP of your neighbor router and life would be good. Add on things like the TTL hack and you have at least as good a protection as the MD5 gives you without any issues of higher CPU, 1000s upon 1000s of keys to manage, and all the other associated risks.

But we all know people will not bother source filtering leaf nodes. Everyone will clamor about MD5 keys and how you should be protecting BGP sessions. Kinda like guarding the windows while the doors are open and unattended.

--
TTFN,
patrick