Anonymous
Not applicable

Remediate BGP TCP Sequence Number Approximation Vulnerability


Need some help here on how to resolve this issue?

jayh
Honored Contributor

Re: Remediate BGP TCP Sequence Number Approximation Vulnerability

Could you be more specific as to where this message is originating?

Reading between the lines, I would suspect that a third-party security audit has thrown this as a potential problem.  What it refers to is the ability of an attacker to guess the TCP sequence numbers used by BGP and potentially hijack a BGP session. While non-zero, the likelihood of an actual attack by this vector is very small.

If your BGP session is internal such as MPLS or iBGP, this is of lesser concern than BGP over the Internet.

Using MD5 passwords on BGP, particularly over the Internet, is a good practice which will mitigate this.

Please give more information. If indeed it's a real concern it will likely have to be fixed by Adtran engineering as this will be buried deep in the BGP algorithm of the software.

Anonymous
Not applicable

Re: Remediate BGP TCP Sequence Number Approximation Vulnerability

That is correct, we were dinged for our iBGP and eBGP on the MPLS cloud.

Chris

jayh
Honored Contributor

Re: Remediate BGP TCP Sequence Number Approximation Vulnerability

I'd do the following:

  • If you're not running the latest firmware, upgrade.  Sometimes these things get fixed under the hood.
  • Password-protect all of your BGP sessions.
  • Open a case with Adtran to get it fixed.  It's something that they should address but not really a show-stopper.  Plus, I have something I want them to fix first. (Hi, Evan!)
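
What a BGP password does on the wire, as an added example that is not part of the original thread and is not Adtran's code: the RFC 2385 TCP MD5 signature covers the sequence number and is keyed with the shared secret, so a segment with a correctly guessed sequence number is still dropped without the key. The addresses, ports, key and helper names below are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
HDR_LEN_WITH_MD5 = 40  # 20-byte base header + 18-byte MD5 option + 2 bytes padding


def base_header(sport, dport, seq, ack, flags, window=16384):
    """20-byte TCP header without options; checksum is zero, as RFC 2385 requires."""
    offset_flags = ((HDR_LEN_WITH_MD5 // 4) << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def tcp_md5_digest(src, dst, header, payload, key):
    """RFC 2385 digest: pseudo-header, base header, payload, then the shared key."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!HH", TCP_PROTO, HDR_LEN_WITH_MD5 + len(payload))
    return hashlib.md5(pseudo + header + payload + key).digest()


def receiver_accepts(src, dst, header, payload, carried_digest, key):
    """Receiver side: drop the segment unless it carries a matching digest."""
    if carried_digest is None:
        return False
    expected = tcp_md5_digest(src, dst, header, payload, key)
    return hmac.compare_digest(expected, carried_digest)


def demo():
    key = b"constructed-shared-secret"       # constructed sample key
    peer_a, peer_b = "192.0.2.1", "192.0.2.2"  # documentation-range addresses
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)  # BGP KEEPALIVE message

    # Legitimate peer: PSH|ACK segment signed with the configured password.
    hdr = base_header(50000, 179, seq=1000, ack=2000, flags=0x18)
    signed = tcp_md5_digest(peer_a, peer_b, hdr, keepalive, key)

    # Off-path segment: the sequence number is exactly right, the key is not.
    rst = base_header(50000, 179, seq=1000, ack=0, flags=0x04)
    wrong_key = tcp_md5_digest(peer_a, peer_b, rst, b"", b"wrong-guess")

    return (receiver_accepts(peer_a, peer_b, hdr, keepalive, signed, key),
            receiver_accepts(peer_a, peer_b, rst, b"", wrong_key, key),
            receiver_accepts(peer_a, peer_b, rst, b"", None, key))


if __name__ == "__main__":
    print(demo())
```
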
Anonymous
Not applicable

Re: Remediate BGP TCP Sequence Number Approximation Vulnerability

-

I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.


Thanks,

Noor