CVE-2004-0230
published 2004-08-18


Priority: P3 (score 46, medium)
CVSS 2.0: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploit: public exploit available
EPSS: 80.86% (99.6th percentile)
TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.

Affected (40 ranges, 25 shown)

Vendor    Product                        Version range   Fixed in
cisco     products
debian    linux
ibm       os_400
ibm       os_400
juniper   junos                          < 11.4          11.4
juniper   junos
juniper   junos
juniper   junos
juniper   junos
juniper   junos
juniper   junos
juniper   junos
juniper   junos
juniper   junos
juniper   junos
juniper   junos
juniper   junos
juniper   junos
juniper   junos
mcafee    network_data_loss_prevention   <= 8.6
mcafee    network_data_loss_prevention
mcafee    network_data_loss_prevention
mcafee    network_data_loss_prevention
netbsd    netbsd
netbsd    netbsd

Detection & IOCs (extracted from sources)

port      179
command   reset-tcp [interface] [src ip] [src port] [dst ip] [dst port] [window size]
command   ./reset-tcp eth1 172.16.0.1 1 172.16.0.2 2 00:01:02:03:04:05 65536
url       https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/24032.tgz
filename  Kreset.pl
filename  reset-tcp.c
  • Monitor for TCP RST packets with forged/spoofed source IPs targeting BGP port 179 (TCP). Attackers iterate through sequence numbers in increments matching the receiver's window size to land a RST within the acceptance window.
  • Detect high-rate TCP RST packet floods targeting a single destination IP/port pair, especially BGP port 179, where the RST sequence numbers increment by a fixed window-size step (e.g., 2500 or 65536) across the full 32-bit sequence space (0–4294967295).
  • Alert on TCP RST packets where the source IP does not match any established session endpoint (spoofed source), particularly when sent at high volume to long-lived TCP sessions such as BGP peering sessions.
  • For BGP-specific detection: alert on TCP RST packets arriving on port 179 with a TTL of 1. The exploit tooling deliberately sets the initial TTL so that the packet reaches the router with TTL=1, so this value is a strong indicator of injected rather than legitimate resets.
  • Detect TCP RST packets with both RST and SYN flags simultaneously set (RST|SYN), which is an anomalous flag combination used by the Kreset.pl exploit tool.
  • The attack is significantly more effective against TCP implementations using large window sizes. Reducing the TCP receive window size on BGP sessions (e.g., via router configuration) shrinks the sequence number acceptance range and increases the number of packets an attacker must send to land a valid RST.
  • BGP sessions are disproportionately exposed because both endpoints (IP addresses and port 179) are well-known or easily discoverable, satisfying the attacker's prerequisite knowledge requirements.
  • On Microsoft platforms, an attacker requires knowledge of both IP addresses and port numbers of an existing TCP connection. Persistent sessions such as BGP are more exposed than short-lived connections.
  • Cisco routers have a predictable BGP source port after reboot, with subsequent ports incremented by 1 or 512 depending on IOS version, making the source port guessable and lowering the attack complexity.
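The detection bullets above, written out as a small Python detector run over constructed sample packet records; this is an added example, not tooling from the page or any vendor. It assumes a flat record layout (src, sport, dst, dport, flags, seq, ttl) and a hypothetical table of established sessions that a real deployment would populate from flow state.

```python
from collections import defaultdict

# Constructed sample packet records (not real captures):
# (src, sport, dst, dport, flags, seq, ttl); flags use Scapy-style letters.
SAMPLE_PACKETS = [
    ("10.0.0.1", 40000, "10.0.0.2", 179, "A", 1000, 64),      # normal BGP ACK
    ("10.0.0.1", 40000, "10.0.0.2", 179, "R", 0, 1),          # RST sweep, step 65536
    ("10.0.0.1", 40000, "10.0.0.2", 179, "R", 65536, 1),
    ("10.0.0.1", 40000, "10.0.0.2", 179, "R", 131072, 1),
    ("10.0.0.1", 40000, "10.0.0.2", 179, "R", 196608, 1),
    ("192.0.2.9", 5555, "10.0.0.2", 179, "RS", 4242, 64),    # RST|SYN from unknown source
    ("10.0.0.3", 51000, "10.0.0.4", 443, "R", 99, 64),        # benign RST on a known session
]

# Hypothetical established-session table: (src, sport, dst, dport) tuples.
ESTABLISHED = {
    ("10.0.0.1", 40000, "10.0.0.2", 179),
    ("10.0.0.3", 51000, "10.0.0.4", 443),
}

BGP_PORT = 179
MIN_BURST = 3  # RSTs with one constant sequence stride before calling it a sweep


def detect_rst_injection(packets, established):
    """Return (rule, detail) alerts for the RST-injection indicators above."""
    alerts = []
    rst_seqs_by_flow = defaultdict(list)  # 4-tuple -> sequence numbers of its RSTs
    for src, sport, dst, dport, flags, seq, ttl in packets:
        if "R" not in flags:
            continue
        flow = (src, sport, dst, dport)
        if "S" in flags:  # anomalous RST|SYN combination
            alerts.append(("rst_syn_flags", f"{src}:{sport}->{dst}:{dport}"))
        if dport == BGP_PORT and ttl == 1:  # RST reaching the router with TTL=1
            alerts.append(("bgp_rst_ttl1", f"{src}:{sport}->{dst}:{dport} seq={seq}"))
        if flow not in established and (dst, dport, src, sport) not in established:
            alerts.append(("rst_outside_session", f"{src}:{sport}->{dst}:{dport}"))
        rst_seqs_by_flow[flow].append(seq)
    # Window-size sweep: consecutive RST sequence numbers differ by one fixed stride (mod 2^32).
    for (src, sport, dst, dport), seqs in rst_seqs_by_flow.items():
        if len(seqs) < MIN_BURST:
            continue
        strides = {(b - a) % 2**32 for a, b in zip(seqs, seqs[1:])}
        if len(strides) == 1:
            alerts.append(("rst_window_sweep",
                           f"{dst}:{dport} stride={strides.pop()} count={len(seqs)}"))
    return alerts
```

Running it on the sample yields four TTL=1 alerts, one RST|SYN alert, one out-of-session alert and one sweep alert with stride 65536; the benign RST on the known 443 session raises nothing.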

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:N/I:N/A:P
osv                       5.0     MEDIUM
vendor_cisco              5.0     MEDIUM
vendor_debian             5.0     LOW
vendor_redhat             5.0     MEDIUM