Name: draft-touch-tcp-antispoof-00
Title: Defending TCP Against Spoofing Attacks
State: Active
Authors: Joseph Touch
Group: Individual Submissions (none)
Date: 2004-07-12
Recent attacks on core Internet infrastructure indicate an increased
vulnerability of TCP connections to spurious resets (RSTs). TCP has always
been susceptible to such RST spoof attacks, which were indirectly protected
by checking that the RST sequence number was inside the current receive
window, as well as via the obfuscation of TCP endpoint and port numbers.
For pairs of well-known endpoints often over predictable port pairs, such
as BGP, increases in the path bandwidth-delay product of a connection have
sufficiently increased the receive window space that off-path third parties
can guess a viable RST sequence number. This document addresses this
vulnerability, discussing proposed solutions at the transport level and
their inherent challenges, as well as existing network level solutions and
the feasibility of their deployment.
[sh-index] Back to list of manuals
|
| |
