[Csci551-talk] strange article..

rajesh shroff rshroff at usc.edu
Wed Apr 21 02:13:58 PDT 2004


Dampening is a feature introduced for the routing protocols to consider a router down and not available for routing of packets till that router is stable (no flapping). 
Browsing further through the CISCO IOS SOFTWARE RELEASES
Link: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bc8.html#wp1024977

This paragraph is important:
The IP Event Dampening feature introduces a configurable exponential decay mechanism to suppress the effects of excessive interface flapping events on routing protocols and routing tables in the network. This feature allows the network operator to configure a router to automatically identify and selectively dampen a local interface that is flapping. Dampening an interface removes the interface from the network until the interface stops flapping and becomes stable. Configuring the IP Event Dampening feature improves convergence times and stability throughout the network by isolating failures so that disturbances are not propagated, which reduces the utilization of system processing resources by other devices in the network and improves overall network stability.

After reading through this, it also now makes sense with the statement in the article:

> > >>Continued successful attacks against routers can cause them to go 
> > into a stand-by mode, known as "dampening," that can persist for 
> > hours.

So now, as Mike said, killing such an active BGP connection would cause wider-spread disconnection -- at least until, say, withdrawn routes are re-advertised.

And as per this feature of dampening, this particular router will not be available to the network for routing purposes and hence will disrupt the normal routing procedure.

Does this not make more sense now?


----- Original Message -----
From: mike wakerly <wakerly at usc.edu>
Date: Wednesday, April 21, 2004 1:44 am
Subject: Re: [Csci551-talk] strange article..

> On Apr 21, 2004, at 1:21 AM, Rahul Pilani wrote:
> > Is it similar to age-old hacking techniques like buffer-overflow etc?..
> 
> No, the flaw is not nearly as general. It seems that many TCP stacks 
> incorrectly handle RST commands in a TCP connection, and as a 
> consequence, could be tricked into closing a connection. It is 
> important to realize that this seems to be an implementation flaw -- 
> TCP doesn't need to be changed, but some stacks may.
> 
> > >>Routers continually exchange important updates about the most 
> > efficient traffic routes between large networks.
> >
> > How is exchanging routes concerned with TCP ?
> > I think what the so called "Technical Writer" is referring to some 
> > routing protocol like BGP..
> 
> Right, I think something I read earlier today about this mentioned BGP 
> explicitly. Whatever that article was, it suggested BGP connections 
> could be targeted because (1) they are generally left open (e.g., 
> long-lived), and (2) resetting and hence killing such a connection 
> could cause wider-spread disconnection -- at least until, say, 
> withdrawn routes are re-advertised.
> 
> > >>Continued successful attacks against routers can cause them to go 
> > into a stand-by mode, known as "dampening," that can persist for 
> > hours.
> >
> > What is the dampening mode that is being talked about?.. Is it OS 
> > specific or is part of any protocol?
> 
> No idea :)
> 
> > >>Experts previously maintained such attacks could take between four 
> > to 142 years to succeed because they require guessing a rotating 
> > number from
> > >>roughly 4 billion possible combinations. Watson said he can guess 
> > the proper number with as few as four attempts, which can be 
> > accomplished within seconds.
> >
> > Combinations of what?..
> > Does anybody have any more details of what this article is all about?? 
> > or is it just paranoia?..
> 
> To simplify, injecting a packet into a TCP flow is hard because 
> predicting the sequence number is hard. The flaw here is that someone 
> observed a TCP implementation that accepts RST packets with not only 
> the next sequence number, but any sequence number within a certain 
> window. By reducing the space of acceptable sequence numbers, the 
> difficulty in injecting a packet is reduced.
> 
> I'd say this is mostly paranoia. It's an easy problem to fix, and in 
> the meantime, not likely to be terribly widespread.
> 
> Cheers,
> Mike
> 
> 
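
The RST acceptance check Mike describes above, as an added example that is not part of the original thread and not taken from any real TCP stack: the lenient receiver accepts any in-window sequence number, while the strict variant follows the exact-match rule later standardized in RFC 5961. The struct, function names and sample values are constructed for illustration, and a non-zero receive window is assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed receiver state for illustration; not from any real stack. */
struct rcv_state {
    uint32_t rcv_nxt;  /* next sequence number the receiver expects */
    uint32_t rcv_wnd;  /* advertised receive window in bytes (non-zero) */
};

enum rst_action { RST_DROP, RST_CHALLENGE_ACK, RST_CLOSE };

/* Sequence space wraps at 2^32, so compare offsets, not raw values. */
static int in_window(const struct rcv_state *s, uint32_t seq)
{
    return (uint32_t)(seq - s->rcv_nxt) < s->rcv_wnd;
}

/* Lenient check: any in-window RST tears the connection down. */
enum rst_action rst_lenient(const struct rcv_state *s, uint32_t seq)
{
    return in_window(s, seq) ? RST_CLOSE : RST_DROP;
}

/* Strict check (RFC 5961 style): only an exact match closes; an
 * in-window near miss gets a challenge ACK and the connection stays up. */
enum rst_action rst_strict(const struct rcv_state *s, uint32_t seq)
{
    if (!in_window(s, seq))
        return RST_DROP;
    return seq == s->rcv_nxt ? RST_CLOSE : RST_CHALLENGE_ACK;
}

/* Distinct sequence values needed so that one is sure to land in the
 * window under the lenient check: 2^32 / window, rounded up. */
uint64_t values_to_cover(uint32_t rcv_wnd)
{
    uint64_t space = 1ULL << 32;
    return rcv_wnd ? (space + rcv_wnd - 1) / rcv_wnd : space;
}

int main(void)
{
    struct rcv_state s = { 0xFFFFF000u, 16384 };  /* window wraps past 0 */
    printf("lenient, seq=0x100: %d\n", rst_lenient(&s, 0x100u));
    printf("strict,  seq=0x100: %d\n", rst_strict(&s, 0x100u));
    printf("values for 16 KiB window: %llu\n",
           (unsigned long long)values_to_cover(16384));
    return 0;
}
```

With the lenient check the effective search space shrinks from 2^32 to 2^32 divided by the window size, which is the reduction described in the quoted reply; the strict check restores the full space for a blind sender.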


