On 23-apr-04, at 8:35, Florian Weimer wrote:
>> So I believe filtering out all BGP RSTs on all edges is probably a good idea.
>> (Edges and borders.)

> The problem is that even if you filter the RST, the state transition occurs at the side which receives the SYN and generates the RST. This means that the connection has been desynchronized and will eventually come down; no further data transfer is possible.
Although it doesn't follow from earlier text, on page 71 RFC 793 states that an in-window SYN should reset an ESTABLISHED session. So you are right. This is very bad. BTW, anyone seen anything supporting Paul Watson's claim that all it takes to break a session is four packets? I assume he's talking about this vulnerability that was fixed in FreeBSD in 1998: http://ciac.llnl.gov/ciac/bulletins/j-008.shtml I certainly hope our collective favorite vendors didn't overlook this one.
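A small model of the state transition discussed in this exchange, added here as an illustration and not code from either poster: an ESTABLISHED endpoint receiving a SYN under the RFC 793 (p. 71) rule, and, for comparison, under the later RFC 5961 challenge-ACK rule that modern stacks use to avoid the teardown. The class and function names are my own; the sequence numbers and window are constructed.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap modulo 2^32


@dataclass
class Endpoint:
    """One side of a synchronized (ESTABLISHED) TCP connection."""
    rcv_nxt: int                  # next sequence number the endpoint expects
    rcv_wnd: int                  # advertised receive window
    state: str = "ESTABLISHED"
    challenge_ack: bool = False   # True: RFC 5961 behaviour instead of RFC 793


def seq_in_window(ep: Endpoint, seq: int) -> bool:
    """RFC 793 acceptability test for a zero-length segment:
    RCV.NXT =< SEG.SEQ < RCV.NXT + RCV.WND, in modular arithmetic."""
    return (seq - ep.rcv_nxt) % MOD < ep.rcv_wnd


def receive_syn(ep: Endpoint, seq: int) -> str:
    """Handle a SYN arriving in ESTABLISHED: return the reply segment type
    and update the endpoint state in place."""
    if not seq_in_window(ep, seq):
        # Unacceptable segment: drop it and send an ACK (RFC 793, p. 69).
        return "ACK"
    if ep.challenge_ack:
        # RFC 5961 section 4: answer an in-window SYN with a challenge ACK and
        # keep the connection. A genuine peer that really did restart replies
        # with a RST carrying the exact ACK number; a spoofed source cannot.
        return "ACK"
    # RFC 793, p. 71: a SYN in the window is an error. Send a RST, flush the
    # queues and enter CLOSED. The connection is gone from this side.
    ep.state = "CLOSED"
    return "RST"


def outcome_after_syn(ep: Endpoint, seq: int, filter_rst: bool) -> tuple:
    """State of (this endpoint, its peer) after a SYN with the given sequence
    number arrives here, with or without a border filter dropping RSTs."""
    reply = receive_syn(ep, seq)
    peer = "ESTABLISHED"
    if reply == "RST" and not filter_rst:
        peer = "CLOSED"      # the peer honours the RST and tears down too
    # With the filter in place the peer stays ESTABLISHED, but this side is
    # CLOSED: the session is desynchronized and will time out anyway, which
    # is why filtering RSTs at the edge does not save it.
    return ep.state, peer
```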