The Border Gateway Protocol (BGP) is used to exchange routing
information for the Internet and is primarily used by Internet
Service Providers (ISPs). For detailed information about BGP and
some tips for securing it, please see Cisco Systems' documentation
or Team Cymru. A vulnerable situation arises because BGP relies on
long-lived, persistent TCP sessions with large window sizes to
function. When a BGP session is disrupted, the BGP application
restarts and attempts to re-establish a connection to its peers.
This may result in a brief loss of service until fresh routing
tables are created.

In a TCP session, the endpoints negotiate a TCP Window size. When
this is taken into account, instead of attempting to send a spoofed
packet for every possible sequence number, the attacker would only
need to produce a sequence number that falls within the next
expected ISN plus or minus half the window size. Therefore, the
larger the TCP Window size, the larger the range of sequence numbers
that will be accepted in the TCP stream.

According to Paul Watson's report, with a typical xDSL data connection
(80 Kbps upstream) capable of sending 250 packets per second (pps)
to a session with a TCP Window size of 65,535 bytes, it would be
possible to inject a TCP packet approximately every 5 minutes. It
would take approximately 15 seconds with a T-1 (1.544 Mbps)
connection. These numbers are significant when large numbers of
compromised machines (often called "botnets" or "zombies") can be
used to generate large amounts of packets directed at a particular
host.

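The following is an added example, not part of the original text or of Watson's report, that puts the two paragraphs above into numbers so an operator can see how the window size drives the exposure of a long-lived session. It uses the acceptance model stated above (next expected value plus or minus half the window, with 32-bit wraparound) and the page's figures of 250 pps and a 65,535-byte window. The T-1 packet rate is an assumption derived from the link speed and a 40-byte minimum IPv4/TCP packet; the 4,096-byte comparison window is also a constructed value.

```python
# Added example: risk arithmetic for blind in-window TCP segment injection.
# Not from the original page; packet-rate and window values below are
# either taken from the text (250 pps, 65,535 bytes) or labelled as assumed.
import math

SEQ_SPACE = 2 ** 32  # 32-bit TCP sequence number space


def seq_in_window(seq: int, expected: int, window: int) -> bool:
    """True if `seq` lies within expected +/- window//2, computed with
    32-bit wraparound (the acceptance model described in the text)."""
    half = window // 2
    distance = (seq - expected) % SEQ_SPACE
    return distance <= half or distance >= SEQ_SPACE - half


def guesses_to_cover(window: int) -> int:
    """Segments needed to sweep the whole sequence space in steps of
    `window`, so that at least one falls inside the receiver's window."""
    return math.ceil(SEQ_SPACE / window)


def seconds_to_cover(window: int, pps: float) -> float:
    """Wall-clock time for one full sweep at a given packet rate."""
    return guesses_to_cover(window) / pps


def pps_for_link(bits_per_second: float, packet_bytes: int = 40) -> float:
    """Packets per second a link carries if every packet is the 40-byte
    IPv4+TCP minimum. Assumption: no layer-2 framing overhead."""
    return bits_per_second / (packet_bytes * 8)


WINDOW = 65_535                    # from the text
XDSL_PPS = 250.0                   # from the text (80 Kbps upstream xDSL)
T1_PPS = pps_for_link(1_544_000)   # assumed: 1.544 Mbps T-1, 40-byte packets
SMALL_WINDOW = 4_096               # constructed comparison value


def risk_table() -> dict:
    """Sweep times: minutes on xDSL and seconds on T-1 for the page's
    window, plus the xDSL time for the smaller comparison window."""
    return {
        "xdsl_minutes": seconds_to_cover(WINDOW, XDSL_PPS) / 60,
        "t1_seconds": seconds_to_cover(WINDOW, T1_PPS),
        "xdsl_minutes_small_window": seconds_to_cover(SMALL_WINDOW, XDSL_PPS) / 60,
    }


if __name__ == "__main__":
    for name, value in risk_table().items():
        print(f"{name}: {value:.1f}")
```

With the page's window the sweep takes about 4.4 minutes at 250 pps and about 14 seconds at the assumed T-1 rate, matching the "approximately 5 minutes" and "approximately 15 seconds" figures; shrinking the window to 4,096 bytes pushes the xDSL sweep past an hour, which is the point of the window-size paragraph.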
Egress filtering manages the flow of traffic as it leaves a network
under your administrative control. There is typically limited
need for machines providing public services to initiate outbound
connections to the Internet.

In the case of BGP, only your BGP routers should be establishing
connections to your peers. Other BGP traffic generated on your
network could be a sign of an attempted attack.
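As an added example of the egress check the two paragraphs above describe (not code from the original page), the script below reads flow records and flags any TCP/179 connection leaving the network from a host that is not one of the designated BGP routers. The address space, the router list, the one-line "src dst proto dport" record format and the sample flows are all constructed for the example.

```python
# Added example: egress-policy check for BGP (TCP/179) leaving the network.
# Not from the original page. Prefix, router addresses, record format and
# sample flows are constructed; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges.
import ipaddress

BGP_PORT = 179
OUR_NETWORK = ipaddress.ip_network("203.0.113.0/24")          # assumed: our prefix
BGP_ROUTERS = {                                               # assumed: only hosts
    ipaddress.ip_address("203.0.113.1"),                      # allowed to peer
    ipaddress.ip_address("203.0.113.2"),
}


def parse_flow(line: str):
    """Parse a hypothetical 'src dst proto dport' record; None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (
            ipaddress.ip_address(parts[0]),
            ipaddress.ip_address(parts[1]),
            parts[2].lower(),
            int(parts[3]),
        )
    except ValueError:
        return None


def egress_violations(lines):
    """Return flows that start inside OUR_NETWORK, leave it, target TCP/179,
    and originate from a host that is not a designated BGP router."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue                      # skip unparsable records
        src, dst, proto, dport = flow
        if proto != "tcp" or dport != BGP_PORT:
            continue                      # not BGP
        if src not in OUR_NETWORK or dst in OUR_NETWORK:
            continue                      # not an egress flow
        if src not in BGP_ROUTERS:
            hits.append(flow)
    return hits


SAMPLE_FLOWS = [  # constructed records
    "203.0.113.1 198.51.100.7 tcp 179",   # designated router to external peer: allowed
    "203.0.113.50 198.51.100.7 tcp 179",  # public web server speaking BGP outward: flag
    "203.0.113.50 198.51.100.9 tcp 443",  # ordinary HTTPS, not BGP
    "203.0.113.2 203.0.113.1 tcp 179",    # internal iBGP, stays inside the network
    "not a flow record",                  # malformed line, skipped
]

if __name__ == "__main__":
    for src, dst, proto, dport in egress_violations(SAMPLE_FLOWS):
        print(f"egress BGP from non-router {src} -> {dst}:{dport}/{proto}")
```

Run against the sample records it reports only the web server's outbound TCP/179 connection; the same logic is what a deny rule for "TCP/179 from anything but the router addresses" enforces at the edge, and running it over exported flow logs is a way to confirm that rule is actually in place.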