Defending TCP Against Spoofing Attacks
RFC 4953
Document Type RFC - Informational (July 2007; No errata)
Author Joseph Touch 
Last updated 2015-10-14
Stream IETF
Formats plain text html pdf htmlized bibtex
Reviews
SECDIR Last Call Review
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4953 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Lars Eggert
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                          J.  Touch
Request for Comments: 4953                                       USC/ISI
Category: Informational                                        July 2007

                 Defending TCP Against Spoofing Attacks

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   Recent analysis of potential attacks on core Internet infrastructure
   indicates an increased vulnerability of TCP connections to spurious
   resets (RSTs), sent with forged IP source addresses (spoofing).  TCP
   has always been susceptible to such RST spoofing attacks, which were
   indirectly protected by checking that the RST sequence number was
   inside the current receive window, as well as via the obfuscation of
   TCP endpoint and port numbers.  For pairs of well-known endpoints
   often over predictable port pairs, such as BGP or between web servers
   and well-known large-scale caches, increases in the path bandwidth-
   delay product of a connection have sufficiently increased the receive
   window space that off-path third parties can brute-force generate a
   viable RST sequence number.  The susceptibility to attack increases
   with the square of the bandwidth, and thus presents a significant
   vulnerability for recent high-speed networks.  This document
   addresses this vulnerability, discussing proposed solutions at the
   transport level and their inherent challenges, as well as existing
   network level solutions and the feasibility of their deployment.
   This document focuses on vulnerabilities due to spoofed TCP segments,
   and includes a discussion of related ICMP spoofing attacks on TCP
   connections.

Touch                        Informational                      [Page 1]
RFC 4953         Defending TCP Against Spoofing Attacks        July 2007

Table of Contents

   1. Introduction ....................................................3
   2. Background ......................................................4
      2.1. Review of TCP Windows ......................................5
      2.2. Recent BGP Attacks Using TCP RSTs ..........................6
      2.3. TCP RST Vulnerability ......................................6
      2.4. What Changed - the Ever-Opening Advertised Receive Window ..7
   3. Proposed Solutions and Mitigations .............................10
      3.1. Transport Layer Solutions .................................10
           3.1.1. TCP MD5 Authentication .............................11
           3.1.2. TCP RST Window Attenuation .........................11
           3.1.3. TCP Timestamp Authentication .......................12
           3.1.4. Other TCP Cookies ..................................13
           3.1.5. Other TCP Considerations ...........................13
           3.1.6. Other Transport Protocol Solutions .................14
      3.2. Network Layer (IP) Solutions ..............................14
           3.2.1. Address Filtering ..................................15
           3.2.2. IPsec ..............................................16
   4. ICMP ...........................................................17
   5. Issues .........................................................18
      5.1. Transport Layer (e.g., TCP) ...............................18
      5.2. Network Layer (IP) ........................................19
      5.3. Application Layer .........................................21
      5.4. Link Layer ................................................21
      5.5. Issues Discussion .........................................21
   6. Security Considerations ........................................22
   7. Conclusions ....................................................23
   8. Acknowledgments ................................................23
   9. Informative References .........................................24

Touch                        Informational                      [Page 2]
RFC 4953         Defending TCP Against Spoofing Attacks        July 2007

1.  Introduction

   Analysis of the Internet infrastructure has recently demonstrated a
   new version of a vulnerability in BGP connections between core
   routers using an attack based on RST spoofing from off-path attackers
   [9][10][48].  The attack itself is not new, having been documented
   nearly six years earlier [20].  Such connections, typically using
   TCP, can be susceptible to off-path third-party reset (RST) segments
   with forged source addresses (spoofed), which terminate the TCP
   connection.  BGP routers react to a terminated TCP connection in
   various ways, which can amplify the impact of an attack, ranging from
   restarting the connection to deciding that the other router is
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools