Adtran
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Anonymous
Not applicable
‎10-28-2013 12:12 PM

Remediate BGP TCP Sequence Number Approximation Vulnerability


Need some help here on how to resolve this issue?

Remediate BGP TCP Sequence Number Approximation Vulnerability

0 Kudos
Reply
4 Replies
jayh
Honored Contributor
Honored Contributor
‎10-28-2013 01:12 PM

Re: Remediate BGP TCP Sequence Number Approximation Vulnerability

Could you be more specific as to where this message is originating?

Reading between the lines, I would suspect that a third-party security audit has thrown this as a potential problem.  What it refers to is the ability of an attacker to guess the TCP sequence numbers used by BGP and potentially hijack a BGP session. While non-zero, the likelihood of an actual attack by this vector is very small.

If your BGP session is internal such as MPLS or iBGP, this is of lesser concern than BGP over the Internet.

Using MD5 passwords on BGP, particularly over the Internet, is a good practice which will mitigate this.

Please give more information. If indeed it's a real concern it will likely have to be fixed by Adtran engineering as this will be buried deep in the BGP algorithm of the software.

0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎10-28-2013 01:28 PM

Re: Remediate BGP TCP Sequence Number Approximation Vulnerability

That is correct, we were dinged for our iBGP and eBGP on the MPLS cloud.

Chris

0 Kudos
Accept as Solution Reply
jayh
Honored Contributor
Honored Contributor
‎10-28-2013 01:35 PM

Re: Remediate BGP TCP Sequence Number Approximation Vulnerability

I'd do the following:

  • If you're not running the latest firmware, upgrade.  Sometimes these things get fixed under the hood.
  • Password-protect all of your BGP sessions.
  • Open a case with Adtran to get it fixed.  It's something that they should address but not really a show-stopper.  Plus, I have something I want them to fix first. (Hi, Evan!)
0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎11-07-2013 11:16 AM

Re: Remediate BGP TCP Sequence Number Approximation Vulnerability

-

I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.


Thanks,

Noor

0 Kudos
Accept as Solution Reply