TCP RST attack
Bill Fumerola
billf at FreeBSD.org
Tue Apr 20 18:05:20 PDT 2004
On Tue, Apr 20, 2004 at 01:45:20PM -0700, Matthew Dillon wrote:
> On the other hand, BGP can be trivially protected. You don't need
> ingress or egress filtering at all (by which I mean IP block filtering),
> you simply disable the routing of any packet to or from port 179.
> 99.9% of all BGP links are direct connections (meaning that they
> terminate at a router rather than pass through one). No packet to
> or from port 179 has any business being routed from one network to
> another in virtually all BGP link setups so the fix is utterly trivial.
most multi-router, multi-link setups use peering with a multihop address
of some other router (or route server) to provide equal cost balancing.
RFC3682 describes something along the same vein of what you suggest, but
handles non-directly connected cases (multihop, tunnels, etc) better.
vendor J lets you dynamically build your firewall rules such that you
can actually just create a term "allow from all bgp neighbors in the
config AND port 179 AND protocol tcp". vendor C would do well to provide
something similar. those running freebsd bgp daemons should consider
building something similar that feeds ${freebsd_packet_filter} from a
${freebsd_routing_daemon} configuration file.
--
- bill fumerola / fumerola at yahoo-inc.com / billf at FreeBSD.org
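The last paragraph above sketches feeding the packet filter from the routing daemon's peer list; as an added illustration that is not from the original post or from any FreeBSD daemon, here is a small Python script that pulls `neighbor <addr>` lines out of a constructed Quagga-style bgpd config and emits pf(4) rules that pass TCP port 179 only to and from those peers and block it otherwise. The interface name `ext0` and the sample config are assumptions.

```python
"""Generate pf(4) rules that admit TCP/179 only from configured BGP peers."""
import ipaddress
import re

# Constructed sample in the "neighbor <addr> ..." style used by Quagga/Zebra
# bgpd configs; not taken from any real router.
SAMPLE_BGPD_CONF = """\
router bgp 65000
 neighbor upstream peer-group
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 ebgp-multihop 2
 neighbor 2001:db8::1 remote-as 65002
 neighbor 2001:db8::1 peer-group upstream
"""

NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+")


def bgp_neighbors(conf_text):
    """Return the unique neighbor addresses found in a bgpd-style config.

    Lines naming a peer-group instead of an address are skipped, and
    repeated "neighbor <addr> ..." lines collapse to one entry.
    """
    peers = set()
    for line in conf_text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        try:
            peers.add(ipaddress.ip_address(m.group(1)))
        except ValueError:  # a peer-group name, not an address
            continue
    # v4 and v6 objects do not compare with each other; sort by (version, value)
    return sorted(peers, key=lambda a: (a.version, int(a)))


def pf_rules(peers, iface="ext0"):
    """Render pf rules: pass TCP/179 to/from listed peers, block everything else."""
    table = ", ".join(str(p) for p in peers)
    return "\n".join([
        f"table <bgp_peers> {{ {table} }}",
        f"pass in quick on {iface} proto tcp from <bgp_peers> to port 179",
        f"pass out quick on {iface} proto tcp to <bgp_peers> port 179",
        f"block in quick on {iface} proto tcp to port 179",
        f"block out quick on {iface} proto tcp to port 179",
    ]) + "\n"


if __name__ == "__main__":
    print(pf_rules(bgp_neighbors(SAMPLE_BGPD_CONF)))
```

Re-running the script whenever the bgpd config changes keeps the filter in step with the peer list, which is the dynamic behaviour the post attributes to vendor J.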