Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-31285 | NET0408 | SV-41555r2_rule | ECSC-1 | Medium |
Description |
---|
As specified in RFC 793, TCP utilizes sequence checking to ensure proper ordering of received packets. RFC 793 also specifies that RST (reset) control flags should be processed immediately, without waiting for out of sequence packets to arrive. RFC 793 also requires that sequence numbers are checked against the window size before accepting data or control flags as valid. A router receiving an RST segment will close the TCP session with the BGP peer that is being spoofed; thereby, purging all routes learned from that BGP neighbor. A RST segment is valid as long as the sequence number is within the window. The TCP reset attack is made possible due to the requirements that Reset flags should be processed immediately and that a TCP endpoint must accept out of order packets that are within the range of a window size. This reduces the number of sequence number guesses the attack must make by a factor equivalent to the active window size. Each sequence number guess made by the attacker can be simply incremented by the receiving connections window size. The BGP peering session can protect itself against such an attack by authenticating each TCP segment. The TCP header options include an MD5 signature in every packet and are checked prior to the acceptance and processing of any TCP packet—including RST flags. One way to create havoc in a network is to advertise bogus routes to a network. A rogue router could send a fictitious routing update to convince a BGP router to send traffic to an incorrect or rogue destination. This diverted traffic could be analyzed to learn confidential information of the site’s network, or merely used to disrupt the network’s ability to effectively communicate with other networks. An autonomous system can advertise incorrect information by sending BGP updates messages to routers in a neighboring AS. A malicious AS can advertise a prefix originated from another AS and claim that it is the originator (prefix hijacking). Neighboring autonomous systems receiving this announcement will believe that the malicious AS is the prefix owner and route packets to it. |
STIG | Date |
---|---|
Perimeter Router Security Technical Implementation Guide Cisco | 2017-03-09 |
Check Text ( C-40049r1_chk ) |
---|
Review the router configuration to determine if authentication is being used for all peers. A password should be defined for each BGP neighbor regardless of the autonomous system the peer belongs as shown in the following example: outer bgp 100 neighbor external-peers peer-group neighbor 171.69.232.90 remote-as 200 neighbor 171.69.232.90 peer-group external-peers neighbor 171.69.232.100 remote-as 300 neighbor 171.69.232.100 peer-group external-peers neighbor 171.69.232.90 password xxxxxxxxxx neighbor 171.69.232.100 password xxxxxxxxxx |
Fix Text (F-14123r2_fix) |
---|
Configure the device to authenticate all BGP peers. |