Interesting that Cisco uses random port selection with SNMP (http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml, see the Detail selection) but not with TCP. Too bad that TCP ports aren't randomized even with the "fixed" IOS versions. Would seem that as long as you're implementing security features like TCP RST confirmation, might as well implement randomized source ports.
From Theo de Raadt at OpenBSD: http://archives.neohapsis.com/archives/openbsd/2004-04/1351.html
This entire thing is being "sold" as `cross-vendor problem'. Sure. Some vendors have a few small issues to solve in this area. Minor issues. For us, those issues are 1/50000 smaller than they are for other vendors. Post-3.5, we have fixes which make the problem even smaller. But one vendor -- Cisco -- has an *UTTERLY GIGANTIC HUGE* issue in this regard, and as you can see, they have not yet made an announcement see.. You are being told "lots of people have a problem". By not separating out the various problems combined in their notice, or the impact of those problems, you are not being told the whole truth.

--- Pete.

On Wed, 21 Apr 2004, Todd Vierling wrote:
Date: Wed, 21 Apr 2004 11:37:04 -0400 (EDT)
From: Todd Vierling <tv@duh.org>
To: David Luyer <david@luyer.net>
Cc: 'Patrick W.Gilmore' <patrick@ianai.net>, nanog@merit.edu
Subject: Re: TCP/BGP vulnerability - easier than you think
On Wed, 21 Apr 2004, David Luyer wrote:
: > You missed the "(assuming the attacker can accurately guess both ports)" part.

: A significant number of BGP sessions will be with a source port of 11000, 11001 or 11002; BGP sessions are generally quite stable and Cisco routers start the source port at 11000.
If true, *that* would be a security risk in Cisco's port selection algorithm. Many modern OSes do not do simple sequential allocation of ports, making this point invalid.
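The disagreement above comes down to whether a router's ephemeral source ports are guessable. The script below is an added illustration, not code from the thread or from any vendor: it scores two constructed port samples (a sequential-from-11000 pattern like the one David Luyer describes, and an invented randomized one) and computes the size of the (port, sequence-window) space a blind RST would have to cover, which is the risk metric behind the advisory's "guess both ports" caveat. Thresholds and samples are assumptions for the demonstration.

```python
"""Score whether observed ephemeral source ports look sequential (guessable)
or randomized. Added illustration; samples and thresholds are constructed,
not measurements of real Cisco or OpenBSD hosts."""
import math

# Constructed sample 1: a router handing out ports sequentially from 11000
# (20 connections observed in order), as the thread says Cisco IOS does.
SEQUENTIAL_SAMPLE = list(range(11000, 11020))

# Constructed sample 2: a host picking ephemeral ports at random (invented values).
RANDOMIZED_SAMPLE = [53811, 2097, 41260, 60333, 17842, 9551, 33019, 47700,
                     61455, 5129, 28364, 52098, 13477, 39206, 24915, 58130,
                     7323, 44871, 19009, 36588]

def sequential_fraction(ports, max_step=2):
    """Share of consecutive observations that moved by at most max_step."""
    pairs = list(zip(ports, ports[1:]))
    if not pairs:
        return 0.0
    small = sum(1 for a, b in pairs if abs(b - a) <= max_step)
    return small / len(pairs)

def span_fraction(ports, low=1024, high=65535):
    """How much of the usable ephemeral range the observed ports actually cover."""
    return (max(ports) - min(ports)) / (high - low)

def guess_space(candidate_ports, window, seq_space=2**32):
    """Number of (source port, sequence-window) combinations that must be
    covered blindly; a wider candidate-port set multiplies the work directly."""
    return candidate_ports * math.ceil(seq_space / window)

def audit(ports, low=1024, high=65535):
    """Flag a port sample as predictable when steps are mostly tiny or the
    spread is a sliver of the range (heuristic thresholds, an assumption)."""
    seq = sequential_fraction(ports)
    span = span_fraction(ports, low, high)
    return {"sequential_fraction": seq, "span_fraction": span,
            "predictable": seq >= 0.5 or span < 0.05}

if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL_SAMPLE),
                         ("randomized", RANDOMIZED_SAMPLE)):
        print(name, audit(sample))
    # 16 KiB window: three likely ports versus the whole 1024-65535 range.
    print(guess_space(3, 16384), guess_space(64512, 16384))
```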