TCP RST attack
Matthew Dillon
dillon at apollo.backplane.com
Tue Apr 20 13:45:22 PDT 2004
Well, the advisory certainly exaggerates some, but I think there is
a real issue with BGP and I have to respectfully disagree with DES.
Route flapping cannot be solved by reducing hysteresis, at least not
unless you want your backbone provider to cut you off! Flapping is
a major problem... less of one now then when I was doing BEST a decade
ago, but still very serious. When a BGP session flaps it has to
resynchronize, and resynchronization can take a significant period
of time, bandwidth, and router resources to accomplish. You can't
just reconnect and pick up where you left off (if you could it would
be a non-problem).
On the other hand, BGP can be trivially protected. You don't need
ingress or egress filtering at all (by which I mean IP block filtering),
you simply disable the routing of any packet to or from port 179.
99.9% of all BGP links are direct connections (meaning that they
terminate at a router rather then pass through one). No packet to
or from port 179 has any business being routed from one network to
another in virtually all BGP link setups so the fix is utterly trivial.
-Matt
More information about the freebsd-security
mailing list