A vulnerability exists in the reliance of the Border Gateway Protocol (BGP) on the Transmission Control Protocol (TCP) to maintain persistent sessions. Sustained exploitation of this vulnerability could lead to a denial-of-service condition affecting a large segment of the Internet community. Normal operations would most likely resume shortly after the attack stopped.
The Border Gateway Protocol (BGP) is used to exchange routing information for the Internet and is primarily used by Internet Service Providers. For details about BGP, please see Cisco System's documentation on BGP.
A vulnerable situation arises due to the fact that BGP relies on persistent TCP sessions to function. Since TCP is an insecure transmission protocol, it is possible to inject TCP packets into sessions between hosts given the appropriate information. The TCP/IP Initial Sequence Number vulnerability (VU#498440) is one example of how an attacker could inject TCP packets into a session. As an example, if an attacker were to send a reset (RST) packet, he or she would cause the TCP session between two endpoints to terminate without any further communication. In the case of a BGP/TCP session, this would cause the BGP application to restart and attempt to re-establish a connection to its peers and cause a brief denial-of-service period until the routing tables could be repopulated. The time previously thought to exploit this type of an attack would have made sustaining a denial-of-service condition unlikely. In 2001, the CERTâ Coordination Center released CA-2001-09, describing statistical weaknesses in various TCP/IP Initial Sequence generators. In that document, it was noted by Tim Newsham:
As a result, if a sequence number within the receive window is known, an attacker can inject data into the session stream or terminate the connection. If the ISN value is known and the number of bytes sent already sent is known, an attacker can send a simple packet to inject data or kill the session. If these values are not known exactly, but an attacker can guess a suitable range of values, he can send out a number of packets with different sequence numbers in the range until one is accepted. The attacker need not send a packet for every sequence number, but can send packets with sequence numbers a window-size apart. If the appropriate range of sequence numbers is covered, one of these packets will be accepted. The total number of packets that needs to be sent is then given by the range to be covered divided by the fraction of the window size that is used as an increment.
Sustained exploitation of this vulnerability could lead to a denial-of-service condition affecting a large segment of the Internet community. Normal operations would most likely resume shortly after the attack stopped.
Please see your vendor's advisory for updates and mitigation capabilities.
Cisco Systems, Inc.
Nortel Networks, Inc.
Redback Networks Inc.
Sun Microsystems, Inc.
Thanks to Paul Watson for reporting this vulnerability and to NISCC and Cisco Systems for their coordination.
This document was written by Jason A Rafail.
|Date First Published:||2004-04-20|
|Date Last Updated:||2006-05-01 20:01 UTC|