TCP vulnerability: cancel red alert
Posted Apr 22, 2004 11:05 UTC (Thu) by jbh
Parent article: TCP vulnerability: cancel red alert
A protocol change seems overkill for a problem that should be rather simple to fix. Any of these would do:
- Make ISPs implement ingress filtering to kill off spoofed source addresses. This is good against all DoS attacks, and I really don't understand why there's not more pressure to do so. Pressure == refusal to peer with ISPs without filtering.
- More randomness in transient port selection. Would make this kind of guessing a few orders of magnitude harder, i.e. not practical. I mean, this is hardly a new attack; it just hasn't been considered practical before.
- Specifically protecting BGP or other vulnerable protocols by either (1) ingress source filtering, (2) ingress TTL filtering, (3) MD5 signing of packets
Finally, to quote (from memory) davem: Anyone who suggests replying to an RST doesn't understand TCP.
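As an added example (not part of jbh's comment), here is option (3) from the list, the TCP MD5 signature option, implemented in Python according to my reading of RFC 2385: the digest covers the IP pseudo-header, the fixed TCP header with the checksum zeroed, the segment data and the shared key, so a receiver holding the key discards any RST (or other segment) from a sender that does not. Addresses, ports and the key are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

MD5_OPT_KIND = 19   # TCP option kind for the RFC 2385 signature
TCP_PROTO = 6

def tcp_fixed_header(sport, dport, seq, ack, flags, window, opt_len):
    # 20-byte fixed header, checksum 0; data offset counts header+options in words.
    doff = (20 + opt_len) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff << 4, flags,
                       window, 0, 0)

def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, opt_len, payload, key):
    # RFC 2385: pseudo-header, fixed header (no options, checksum 0), data, key.
    seg_len = 20 + opt_len + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    hdr = bytearray(fixed_hdr[:20])
    hdr[16:18] = b"\x00\x00"
    return hashlib.md5(pseudo + bytes(hdr) + payload + key).digest()

def sign_options(src_ip, dst_ip, fixed_hdr, payload, key):
    # Options field: kind 19, length 18, 16-byte digest, two NOPs for alignment.
    digest = tcp_md5_digest(src_ip, dst_ip, fixed_hdr, 20, payload, key)
    return bytes([MD5_OPT_KIND, 18]) + digest + b"\x01\x01"

def verify_segment(src_ip, dst_ip, fixed_hdr, options, payload, key):
    # Receiver side: walk the option list, find the signature, recompute it and
    # compare in constant time. Unsigned or mis-signed segments are rejected.
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return False
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return False
        if kind == MD5_OPT_KIND and length == 18:
            expected = tcp_md5_digest(src_ip, dst_ip, fixed_hdr, len(options),
                                      payload, key)
            return hmac.compare_digest(options[i + 2:i + 18], expected)
        i += length
    return False
```

Note that the option itself is excluded from the digest, and the key is only as strong as its management; a stale or shared-everywhere key protects nothing.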