The attacker can use a “brute-force” method for the remaining TCP parameters. The
attacker then sends the TCP reset packets, iterating through the various combinations until
the session is reset. The TCP reset packets are sent, spoofing the source address of the TCP
reset packets to make the BGP router under attack think they are arriving from the remote
BGP peer.
The solution to the TCP reset attack is to enable the TCP MD5 signature option (RFC 2385) to
protect the TCP session itself from attack. The option is 18 bytes long: a kind byte and a length
byte followed by a 16-byte MD5 digest computed over the TCP pseudo-header, the TCP header, the
segment data, and a password that is configured on both peering routers. A receiver discards any
segment whose digest does not verify, so the addition of the MD5 signature dramatically increases
the complexity of brute-force attacks against the TCP layer. The attacker not only must know the
TCP session parameters, but also must supply a valid 16-byte (128-bit) digest on every reset
packet, which without the password means guessing in the full 2^128 signature space.
The configuration to enable TCP MD5 signatures, entered for each peer under the router bgp process, is
neighbor ip-address password string
CAUTION
It is important that the password remain confidential between the two peers and that it not be
guessable. If the attacker knows the password, he can generate the correct MD5 signature for the
attacking packets, and an attacker who can capture signed segments from the session can test
password guesses offline against them without sending a single packet.
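The signing and verification described above, worked through end to end as an added example (this is illustration code written for this page, not Cisco code or anything from the original text). It follows the RFC 2385 input order for the digest, shows a spoofed RST with the correct addresses, ports and sequence number being rejected because its digest was not produced with the shared password, and shows the caution in practice: one captured signed segment lets an attacker test password guesses offline. The peer addresses, ports, sequence numbers, the 16-byte BGP marker used as payload, the key and the wordlist are all constructed for the demo.

```python
"""RFC 2385 TCP MD5 signature: sign a BGP segment, verify it, reject a forged RST,
and show that a weak shared password can be recovered offline from one capture."""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
MD5_OPT_KIND = 19   # TCP option kind for the MD5 signature (RFC 2385)
MD5_OPT_LEN = 18    # kind (1) + length (1) + 16-byte digest
TCP_RST, TCP_ACK, TCP_PSH = 0x04, 0x10, 0x08


def tcp_header(sport, dport, seq, ack, flags, window=16384):
    """20-byte TCP header with checksum zeroed. Data offset is 10 words: 20 bytes
    of header plus 20 bytes of options (18-byte MD5 option padded with two NOPs)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 10 << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, header20, options_len, payload, key):
    """Digest over the inputs RFC 2385 lists, in order: pseudo-header (src, dst,
    zero, protocol, whole segment length), fixed TCP header with checksum = 0 and
    no options, segment data, shared key."""
    seg_len = len(header20) + options_len + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    header_zero_csum = header20[:16] + b"\x00\x00" + header20[18:]
    return hashlib.md5(pseudo + header_zero_csum + payload + key).digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Sender side: header, MD5 option (kind 19, len 18) padded with NOPs, data."""
    hdr = tcp_header(sport, dport, seq, ack, flags)
    digest = tcp_md5_digest(src_ip, dst_ip, hdr, 20, payload, key)
    option = struct.pack("!BB", MD5_OPT_KIND, MD5_OPT_LEN) + digest + b"\x01\x01"
    return hdr + option + payload


def verify_signed_segment(src_ip, dst_ip, segment, key):
    """Receiver side: locate option kind 19, recompute, compare in constant time.
    A segment carrying no MD5 option is rejected outright, as RFC 2385 requires."""
    hdr = segment[:20]
    data_offset = (hdr[12] >> 4) * 4
    options, payload = segment[20:data_offset], segment[data_offset:]
    received, i = None, 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP
            i += 1
            continue
        length = options[i + 1]
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            received = options[i + 2:i + MD5_OPT_LEN]
        i += length
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, hdr, len(options), payload, key)
    return hmac.compare_digest(received, expected)


def recover_key_offline(src_ip, dst_ip, captured_segment, wordlist):
    """The caution in practice: a captured signed segment is an oracle for
    password guesses, and no packet has to be sent to the routers."""
    for guess in wordlist:
        if verify_signed_segment(src_ip, dst_ip, captured_segment, guess):
            return guess
    return None


# Constructed demo values: two peers in documentation space, a weak shared password.
PEER_A, PEER_B = "192.0.2.1", "192.0.2.2"
KEY = b"s3cret"
SEQ, ACK = 0x11223344, 0x55667788
BGP_MARKER = b"\xff" * 16     # stands in for a BGP message payload


def demo():
    update = build_signed_segment(PEER_A, PEER_B, 52000, 179, SEQ, ACK,
                                  TCP_ACK | TCP_PSH, BGP_MARKER, KEY)
    # Spoofed RST: correct addresses, ports and sequence numbers, wrong key.
    forged_rst = build_signed_segment(PEER_A, PEER_B, 52000, 179, SEQ, ACK,
                                      TCP_RST | TCP_ACK, b"", b"wrong-guess")
    unsigned_rst = tcp_header(52000, 179, SEQ, ACK, TCP_RST | TCP_ACK)  # no option
    return {
        "genuine_accepted": verify_signed_segment(PEER_A, PEER_B, update, KEY),
        "forged_rst_accepted": verify_signed_segment(PEER_A, PEER_B, forged_rst, KEY),
        "unsigned_rst_accepted": verify_signed_segment(PEER_A, PEER_B, unsigned_rst, KEY),
        "recovered_key": recover_key_offline(PEER_A, PEER_B, update,
                                             [b"cisco", b"bgp123", b"s3cret", b"admin"]),
    }


if __name__ == "__main__":
    print(demo())
```

The last entry of the result is the point of the caution: the session survives the spoofed reset, but a password that appears in a wordlist is recovered from a single captured segment, after which the attacker can sign resets that verify.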
Peer Filtering
Routing information should not be accepted indiscriminately from customers or peers. Two
classifications of prefixes should not be advertised on the Internet:
Prefixes reserved for special use, such as RFC 1918 private address space.
Unallocated address space, not yet assigned by the registries.
Prefixes in these two classifications are called Martian addresses or bogons.
The first classification (reserved prefixes that should never be publicly routed) is fixed, so a
filter for it can be configured on every peering session; the unallocated space changes as the
registries assign blocks, so a bogon filter must be kept current or it will eventually reject
legitimately allocated networks. The prefix list for the reserved networks is provided in
Example 9-11. Remember that an IOS prefix list ends with an implicit deny of everything not
listed, and that an entry without ge or le matches only a route of exactly that prefix length.
Example 9-11 Prefix List to Filter Reserved Addresses
! Each deny carries "le 32" so more-specific routes inside the reserved block
! (for example 10.1.0.0/16) are matched, not only the exact block itself.
ip prefix-list MARTIAN seq 5 deny 0.0.0.0/8 le 32
ip prefix-list MARTIAN seq 10 deny 10.0.0.0/8 le 32
ip prefix-list MARTIAN seq 15 deny 127.0.0.0/8 le 32
ip prefix-list MARTIAN seq 20 deny 169.254.0.0/16 le 32
ip prefix-list MARTIAN seq 25 deny 172.16.0.0/12 le 32
ip prefix-list MARTIAN seq 30 deny 192.0.2.0/24 le 32
ip prefix-list MARTIAN seq 35 deny 192.168.0.0/16 le 32
ip prefix-list MARTIAN seq 40 deny 224.0.0.0/4 le 32
ip prefix-list MARTIAN seq 45 deny 240.0.0.0/4 le 32
! A prefix list ends with an implicit deny-all; without this final permit the
! list rejects every route, not just the reserved ones.
ip prefix-list MARTIAN seq 50 permit 0.0.0.0/0 le 32
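To see what a Martian filter actually matches before applying it to a peering session, here is an added example (illustration code written for this page, not IOS code and not from the original text) that parses prefix-list lines and evaluates routes with the IOS rules: entries tried in sequence order, first match wins, an entry without ge or le matches only that exact prefix length, ge alone implies le 32, and an implicit deny-all closes the list. It renders the nine reserved networks of Example 9-11 (with 169.254.0.0/16 for the link-local block) in three forms: as exact-match denies with no trailing permit, with a trailing permit added, and with le 32 on every deny plus the trailing permit. The three test routes are constructed; 203.0.113.0/24 stands in for a legitimate customer prefix.

```python
"""IOS-style prefix-list evaluation: parse entries, apply sequence order, exact or
ge/le length ranges and the implicit deny, then compare three Martian filters."""
import ipaddress
import re

ENTRY_RE = re.compile(
    r"ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$")


def parse_prefix_lists(config_text):
    """Return {name: [entries sorted by seq]}. Comment lines starting with ! are skipped."""
    lists = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line}")
        net = ipaddress.ip_network(m["prefix"], strict=False)
        plen = net.prefixlen
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        # Length range: exact unless ge/le given; ge alone implies le 32.
        lo = ge if ge is not None else plen
        hi = le if le is not None else (32 if ge is not None else plen)
        lists.setdefault(m["name"], []).append(
            {"seq": int(m["seq"]), "action": m["action"], "net": net, "lo": lo, "hi": hi})
    for entries in lists.values():
        entries.sort(key=lambda e: e["seq"])
    return lists


def _bits_match(route, entry_net):
    """True when the route's first entry-prefix-length bits equal the entry's."""
    plen = entry_net.prefixlen
    if plen == 0:
        return True
    shift = 32 - plen
    return int(route.network_address) >> shift == int(entry_net.network_address) >> shift


def evaluate(entries, route_str):
    """Return 'permit' or 'deny' for one route run through one prefix list."""
    route = ipaddress.ip_network(route_str, strict=False)
    for e in entries:
        if _bits_match(route, e["net"]) and e["lo"] <= route.prefixlen <= e["hi"]:
            return e["action"]
    return "deny"   # implicit deny-all at the end of every IOS prefix list


# The reserved networks of Example 9-11 (169.254.0.0/16 is the link-local block).
MARTIANS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
            "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4"]


def render(name, suffix="", trailing_permit=False):
    """Emit the deny entries, optionally with a length suffix and a final permit."""
    lines = [f"ip prefix-list {name} seq {5 * (i + 1)} deny {p}{suffix}"
             for i, p in enumerate(MARTIANS)]
    if trailing_permit:
        lines.append(f"ip prefix-list {name} seq 100 permit 0.0.0.0/0 le 32")
    return "\n".join(lines)


# Constructed test routes: the exact block, a more-specific inside it, a legitimate one.
ROUTES = ["10.0.0.0/8", "10.1.0.0/16", "203.0.113.0/24"]


def compare_filters():
    """Evaluate ROUTES against the three variants of the Martian filter."""
    variants = {
        "exact_no_permit": render("MARTIAN"),
        "exact_with_permit": render("MARTIAN", trailing_permit=True),
        "le32_with_permit": render("MARTIAN", " le 32", trailing_permit=True),
    }
    results = {}
    for label, cfg in variants.items():
        entries = parse_prefix_lists(cfg)["MARTIAN"]
        results[label] = {r: evaluate(entries, r) for r in ROUTES}
    return results


if __name__ == "__main__":
    for label, verdicts in compare_filters().items():
        print(label, verdicts)
```

The exact-match list with no trailing permit denies all three routes, the customer prefix included, because of the implicit deny; adding only the trailing permit lets 10.1.0.0/16 through, since 10.0.0.0/8 without le 32 matches nothing but the /8 itself; the le 32 variant denies both RFC 1918 routes and permits the customer prefix.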
 