Re: TCP Vulnerability makes case for authenticated BGP

[Pekka Savola <pekkas () netcore fi>]

On Tue, 20 Apr 2004, tad pedley wrote:
> Although denial of service using crafted TCP packets is a well known
> weakness of TCP, until recently it was believed that a successful
> denial of service attack was not achievable in practice. The reason
> for this is that the receiving TCP implementation checks the
> sequence number of the RST or SYN packet, which is a 32 bit number,
> giving a probability of 1/232 of guessing the sequence number
> correctly (assuming a random distribution).
>
> The discoverer of the practicability of the RST attack was Paul A.
> Watson, who describes his research in his paper “Slipping In The
> Window: TCP Reset Attacks”, presented at the CanSecWest 2004
> conference. He noticed that the probability of guessing an
> acceptable sequence number is much higher than 1/232 because the
> receiving TCP implementation will accept any sequence number in a
> certain range (or “window”) of the expected sequence number. The
> window makes TCP reset attacks practicable.

Believed by whom, is the question.

It has been clearly documented for a long time now that such larger 
windows exist.  They have even been documented specifically about BGP 
(draft-ietf-idr-bgp-vuln-00.txt).

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings