From: Dmitry Volkov (dmitry.volkov@rogers.com)
Date: Thu Apr 22 2004 - 19:44:33 GMT-3
Looks like Cisco starts with 11000 and so on 11001, 11002, etc :)
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Shafi, Shahid
> Sent: Thursday, April 22, 2004 6:30 PM
> To: istong@stong.org; Calton,Doug; ccie; Armand D;
> ccielab@groupstudy.com
> Subject: RE: TCP vulnerability!
>
>
> When router A starts a BGP session with router B, destination port is
> TCP 179 but what is the source port?
>
> Shahid
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> istong@stong.org
> Sent: Thursday, April 22, 2004 5:34 AM
> To: Calton,Doug; istong@stong.org; ccie; Armand D;
> ccielab@groupstudy.com
> Subject: RE: TCP vulnerability!
>
>
> If you were just filtering on source address then it wouldn't help a
> whole lot. But if you filter on specific source destination pairs and
> tcp port 179 you at least make it harder. You would have to spoof the
> source address, point to the proper destination address, guess the
> proper source/destination tcp ports and properly guess (within a
> certain window) what the sequence number should be. Ultimately you
> should consider multiple methods of prevention as I mentioned in an
> earlier email.
>
> One interesting thread I have seen lately relates to a
> possible "added vulnerability" by using MD5. The idea is
> that if you add MD5 authentication to your router then it
> will now have to check incoming packets for a proper hash.
> If you send the router a ton of MD5 authenticated bogus
> packets - is there a potential for doing a denial of service
> on the router? Perhaps it's a vulnerability that should be
> of concern - but I would have to test it in a lab to see.
>
> Someone else asked for a link about the vulnerability so I'm adding that
> here:
>
> http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml
>
>
> Thanks,
>
> Ian
> http://www.ccie4u.com
> CCIE Lab Scenarios and Rack Rentals
>
>
>
>
> > Assuming the source addr is being spoofed, how would an ACL help?
> > Related to this, I have been thinking - how does the use of a stable
> > source IP (i.e. loopback) affect this vulnerability? I am thinking
> > that standard best practices regarding spoofing filters can prevent
> > or minimize spoofing (BGP-targeted or otherwise) between ebgp
> > sessions on WAN links to peers, if the WAN IP is used to establish
> > the session and isolated subnets were used. iBGP sessions would be
> > harder to prevent, assuming use of a loopback source IP and potential
> > for broadcast media. Thoughts?
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
> > On Behalf Of istong@stong.org
> > Sent: Thursday, April 22, 2004 6:28 AM
> > To: ccie; Armand D; ccielab@groupstudy.com
> > Subject: Re: Transmission Control Protocol (TCP) vulnerability!
> >
> >
> > From what I can tell this is not really a new vulnerability. This has
> > been an issue for a long time and the mitigation steps have been
> > recommended for almost as long. It seems the real interest in this
> > vulnerability now stems from the finding that you don't have to know
> > the exact sequence number (a 1/2 to the 32nd chance) but instead just
> > need to be within a window of the correct sequence number.
> >
> > Having said that there are various methods to address the possible
> > threat of someone interrupting your BGP sessions by sending RST or SYN
> > packets. One method is to use MD5 authentication on your peers.
> > Another method (or in conjunction) you can use ACLs to block tcp port
> > 179 down to specific source/destination peers. Lastly you may also
> > want to look into best business practices such as AS filtering and
> > prefix filtering, etc.
> >
> >
> > Ian
> >
> > http://www.CCIE4U.com
> > High End Rack Rentals with IOS 12.2T starting at only $20
> >
> >
> > > ----- Original Message -----
> > > From: "Armand D" <ciscoworks2001@yahoo.com>
> > > To: <ccielab@groupstudy.com>
> > > Sent: Wednesday, April 21, 2004 8:50 PM
> > > Subject: Transmission Control Protocol (TCP) vulnerability ???
> > >
> > >
> > > > Hi,
> > > >
> > > > I'm wondering what anyone thinks about the latest vulnerability
> > > > (TCP) specification? What precautions are people taking if any at
> > > > this point?
> > > >
> > > > Thanks,
> > > >
> > > > Armand
> > > >
> > > >
> > > > http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml
> > > > _______________________________________________________________________
> > > > Please help support GroupStudy by purchasing your study materials from:
> > > > http://shop.groupstudy.com
> > > >
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:52 GMT-3
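
The mitigations discussed in this thread (MD5 authentication on the peer, an ACL limiting TCP 179 to the specific source/destination pair, and a spoofing filter on other external links), written out as a Cisco IOS configuration. This is an added example, not a configuration posted by anyone in the thread; the addresses, AS numbers, interface names, ACL names and the key placeholder are constructed.

```cisco
! Constructed example: local router 192.0.2.1 (AS 64500),
! directly connected eBGP peer 192.0.2.2 (AS 64501) on a /30 link.
router bgp 64500
 neighbor 192.0.2.2 remote-as 64501
 ! TCP MD5 signature option: segments without a valid digest, including
 ! spoofed RST or SYN segments, are discarded. The same key must be
 ! configured on the peer. <shared-secret> is a placeholder.
 neighbor 192.0.2.2 password <shared-secret>
!
ip access-list extended BGP-PEER-IN
 ! Peer opened the session: its ephemeral port to our port 179.
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 ! We opened the session: replies come from the peer's port 179.
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 ! Any other BGP segment addressed to this router is dropped.
 deny tcp any host 192.0.2.1 eq bgp
 deny tcp any eq bgp host 192.0.2.1
 permit ip any any
!
interface Serial0/0
 description Link to eBGP peer 192.0.2.2
 ip address 192.0.2.1 255.255.255.252
 ip access-group BGP-PEER-IN in
!
! The ACL above matches on source address only, so it does not stop a
! spoofed source arriving from elsewhere. On every other external
! interface, traffic claiming to come from the peering subnet cannot be
! legitimate and is dropped before it reaches the BGP process.
ip access-list extended OTHER-EDGE-IN
 deny ip 192.0.2.0 0.0.0.3 any
 permit ip any any
!
interface Serial0/1
 description Other external link (not the BGP peer)
 ip access-group OTHER-EDGE-IN in
```

This layout fits a session sourced from the WAN link address; a loopback-sourced session would need the spoofing filter written for the loopback addresses instead.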