Re: TCP-RST Vulnerability - Doubt

From: Miquel van Smoorenburg
Date: Mon Jun 28 2004 - 08:23:36 EST


In article <20040625150532.1a6d6e60.davem@xxxxxxxxxx>,
David S. Miller <davem@xxxxxxxxxx> wrote:
>RFC2385 MD5 hashing support is going in soon, and for the application where
>the vulnerability actually matters (BGP sessions between backbone routers)
>MD5 clears that problem right up and they're all using MD5 protection already
>anyways.

MD5 protection on BGP sessions isn't very common yet. MD5 uses CPU,
and routers don't usually have much of that. Which means that now an
MD5 CPU attack is possible instead of a TCP RST attack.

The "TTL hack" solution is safer. Make sure the sender uses a TTL
of 255, and on the receiver discard all packets with a TTL < 255.
You can use iptables to implement that on a Linux box.

Mike.
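The TTL hack described above, written out as iptables rules. This is an added example, not part of Mike's post: 192.0.2.1 is a placeholder for the BGP neighbour's address, 179 is the BGP port, and the neighbour is assumed to send with TTL 255 as agreed. It also goes one step beyond the post by taking a hop count, so the TTL floor can be lowered for a peer a known number of hops away (the GTSM rule from RFC 3682).

```shell
#!/bin/sh
# Added example, not from the original post: the "TTL hack" (GTSM, RFC 3682)
# for a BGP session, expressed as iptables rules. Assumptions: 192.0.2.1 is a
# placeholder for the neighbour's address, 179 is the BGP port, and the peer
# has agreed to send with TTL 255 as well.
PEER="${PEER:-192.0.2.1}"
PORT="${PORT:-179}"
HOPS="${HOPS:-1}"   # hops to the neighbour; 1 = directly connected

# Lowest TTL a genuine packet from HOPS away can arrive with: each router on
# the way decrements it once, so a directly connected peer still shows 255.
min_ttl() { echo $((256 - $1)); }

# Receiver-side decision the DROP rule below implements: 0 = accept, 1 = drop.
ttl_ok() {
    ttl="$1"; hops="$2"
    [ "$ttl" -ge "$(min_ttl "$hops")" ]
}

# Emit the rules instead of running them so they can be reviewed first.
# Both port directions are covered because either side may open the session.
gtsm_rules() {
    peer="$1"; port="$2"; hops="$3"
    floor="$(min_ttl "$hops")"
    # Sender side: our own BGP packets to this neighbour leave with TTL 255.
    echo "iptables -t mangle -A OUTPUT -p tcp -d $peer --dport $port -j TTL --ttl-set 255"
    echo "iptables -t mangle -A OUTPUT -p tcp -d $peer --sport $port -j TTL --ttl-set 255"
    # Receiver side: a packet claiming the neighbour's address but arriving
    # with a TTL below the floor has crossed more routers than the neighbour
    # could have, so it is dropped before TCP ever sees the RST.
    echo "iptables -A INPUT -p tcp -s $peer --dport $port -m ttl --ttl-lt $floor -j DROP"
    echo "iptables -A INPUT -p tcp -s $peer --sport $port -m ttl --ttl-lt $floor -j DROP"
}

if [ "${APPLY:-0}" = "1" ]; then
    gtsm_rules "$PEER" "$PORT" "$HOPS" | sh -e      # needs root
else
    gtsm_rules "$PEER" "$PORT" "$HOPS"              # dry run: print only
fi
```

The filter only helps if the neighbour really does send with TTL 255; with a default TTL of 64 the INPUT rules would drop the legitimate session as well.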
