RFC Editor

RFC 4953

Defending TCP Against Spoofing Attacks, July 2007

Status:
INFORMATIONAL
Author:
J. Touch
Stream:
IETF
Source:
tcpm (wit)


DOI:  https://doi.org/10.17487/RFC4953

Discuss this RFC: Send questions or comments to the mailing list tcpm@ietf.org



Abstract

Recent analysis of potential attacks on core Internet infrastructure indicates an increased vulnerability of TCP connections to spurious resets (RSTs), sent with forged IP source addresses (spoofing). TCP has always been susceptible to such RST spoofing attacks, which were indirectly protected by checking that the RST sequence number was inside the current receive window, as well as via the obfuscation of TCP endpoint and port numbers. For pairs of well-known endpoints often over predictable port pairs, such as BGP or between web servers and well-known large-scale caches, increases in the path bandwidth-delay product of a connection have sufficiently increased the receive window space that off-path third parties can brute-force generate a viable RST sequence number. The susceptibility to attack increases with the square of the bandwidth, and thus presents a significant vulnerability for recent high-speed networks. This document addresses this vulnerability, discussing proposed solutions at the transport level and their inherent challenges, as well as existing network level solutions and the feasibility of their deployment. This document focuses on vulnerabilities due to spoofed TCP segments, and includes a discussion of related ICMP spoofing attacks on TCP connections. This memo provides information for the Internet community.
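The abstract's argument rests on two facts: a receiver accepts a RST whose sequence number falls anywhere inside its receive window, and the window an endpoint advertises grows with the path's bandwidth-delay product. The following Python model is an added illustration, not code from RFC 4953 or the RFC Editor; it implements the RFC 793 in-window acceptability test (modulo 2^32), derives the window from a bandwidth-delay product, and simulates an off-path attacker who already knows the connection's address and port 4-tuple and steps through the sequence space one window at a time. The 40-byte IP+TCP header size and the assumption that the attacker's sending rate scales with the victim's link speed are choices made here to show the quadratic dependence the abstract states.

```python
# Added example: models the RFC 793 RST window check and the off-path
# brute-force that RFC 4953's abstract describes. Not part of the RFC.
import math

SEQ_SPACE = 2 ** 32            # TCP sequence numbers are 32-bit, mod 2^32


def seq_in_window(rcv_nxt: int, rcv_wnd: int, seq: int) -> bool:
    """RFC 793 acceptability test for a segment that carries no data:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2^32.
    With RCV.WND == 0 only SEG.SEQ == RCV.NXT is acceptable.
    A RST passing this test aborts the connection."""
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def bdp_window(bandwidth_bps: float, rtt_s: float) -> int:
    """Receive window (bytes) needed to keep the path full: the
    bandwidth-delay product, capped at the 2^30 bytes reachable
    with the TCP window-scale option."""
    return min(int(bandwidth_bps * rtt_s / 8), 2 ** 30)


def rst_guesses(rcv_wnd: int) -> int:
    """Worst-case number of forged RSTs needed by an attacker who knows
    the 4-tuple and strides through the sequence space one window at a
    time: every stride is guaranteed to land in the window once."""
    if rcv_wnd <= 0:
        raise ValueError("window must be positive")
    return math.ceil(SEQ_SPACE / rcv_wnd)


def brute_force_rst(rcv_nxt: int, rcv_wnd: int) -> int:
    """Simulate the attacker: send RSTs with SEQ = 0, wnd, 2*wnd, ...
    until the victim's check accepts one. Returns segments sent."""
    if rcv_wnd <= 0:
        raise ValueError("window must be positive")
    sent = 0
    for seq in range(0, SEQ_SPACE, rcv_wnd):
        sent += 1
        if seq_in_window(rcv_nxt, rcv_wnd, seq):
            return sent
    raise AssertionError("a stride of one window always hits the window")


def attack_seconds(bandwidth_bps: float, rtt_s: float,
                   attacker_bps: float, pkt_bits: int = 40 * 8) -> float:
    """Time for the worst-case brute force, assuming (our assumption)
    minimal 40-byte IP+TCP RST segments sent at attacker_bps."""
    wnd = bdp_window(bandwidth_bps, rtt_s)
    return rst_guesses(wnd) * pkt_bits / attacker_bps


if __name__ == "__main__":
    rtt = 0.1                                   # 100 ms path
    for bw in (1e6, 1e9):                       # 1 Mb/s vs 1 Gb/s
        wnd = bdp_window(bw, rtt)
        print(f"{bw:>8.0e} b/s: window {wnd:>10} B, "
              f"worst-case RSTs {rst_guesses(wnd):>7}, "
              f"time {attack_seconds(bw, rtt, bw):.3g} s")
    # A bandwidth increase of 1000x shrinks the guess count ~1000x and,
    # with an attacker on comparable links, the send time another ~1000x:
    # the quadratic dependence stated in the abstract.
```

Running the script prints one line per bandwidth; the guess count at 1 Gb/s is a few hundred segments, which is why predictable long-lived pairs such as BGP sessions are the stated concern.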


For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 8729.



