(I thought this could be of interest to the firewalls mailing list,
so I anonymized the person asking the question and cc:ed the list.)
someone wrote (off-list):
>
> You were talking about it is possible to hijack a session using
> ICMP redirects, and BGP even if you are not on the same
> subnet as the target.
>
> Mikael Olsson posted, at 2000-06-07:
> > Actually, ICMP redirects may help if you're not local to the
> > endpoint. Blow a couple of redirects against a router between
> > the peers and make it send the traffic to you instead. BGP
> > injection works too, but that's really overkill :-) :-)
> > (But yes, ARP spoofing is by far the most common way of session
> > hijacking)
Well.. I must admit that routing games (except for ARP, that is;
it's just soo much easier to experiment with) aren't one of my
stronger areas.
I'm leaning quite heavily on friends in-the-know here when making
broad assertions like the ones above :)
First, a sidenote: I wasn't talking about remotely hijacking a
session between two hosts residing on the same broadcast network.
My post was more about hijacking traffic passing across the
Internet. Some of it may still apply, but I really don't want
to wrack my brains to figure out _how_ just now :)
ICMP Redirects
--------------
As far as _I_ know, ICMP redirects ought to work if you
can fool a router in the communication path, and all routers
between said router and a system under your control, to divert
traffic to said system. (This "system" could of course be your
own computer, if you're a stupid hacker. A smart hacker would
use someone else's :))
Getting the traffic to the original target after you're
done with it (if this is indeed what you want to do) is a
different matter entirely. You would need another path to forward
the packets on that doesn't go through the router that you've
subverted (lest you just get the packets back to you again; wash,
rinse and repeat).
This path could, of course, be any kind of tunnel to a point
that is "past" the subverted router. For that matter, it could
be a dial-up connection to an ISP on the other side of the
Internet.
BGP Injection
-------------
BGP? Ehm. My knowledge in BGP is, unfortunately, very
limited. I assume that one would need access (as in "being
able to push BGP announcements into") to a BGP exchange in the
path of the communication channel. One such exchange is usually
the backbone networks, but there could be other, more local
ones, with less clued admins.
This becomes a bit trickier since some (I don't know the
percentage) providers filter BGP from their customers, to keep
them from playing these games.
The ICMP redirect problems apply here too -- even if you
manage to subvert the routers in the BGP exchange, you
need to get the traffic to a system under your control,
and, if you want the traffic to reach its real destination,
you will, again, need a path that doesn't pass through
said exchange.
ARP spoofing
------------
I mentioned ARP spoofing in my post. ARP spoofing will, of
course, only work if you control a system on the same
broadcast network as (one of) the peers. If they are separate,
it could also be on any network that speaks ARP in between;
in this case, you spoof the address of the routers carrying
the traffic between the peers.
Getting even more complicated
-----------------------------
Also, there's the issue of RIP and OSPF spoofing, which I,
for some reason, didn't bring up in that mail. The
implications are pretty much the same.
And, to complicate matters even more, any and all of these
techniques could be used in combination. Using BGP
injection to get the packets to your provider's main router
could be followed up by, for instance, RIP spoofing to get
the packets to the system under your control.
> Do you know where I can find more information on that?
Nope. I haven't seen any step-by-step guides on wide-scale
traffic redirection. There _could_ be a couple floating around
the 'net, but something tells me that such a "guide" would be
kept on a need-to-know basis, probably by people that we'd
rather didn't know about it in the first place. :)
The up side to all of this is that it's so d*mn convoluted
that none but the most techno-savvy attackers would try something
this hard, and, even then, not before trying pretty much all the
other tricks in the book (which, almost invariably, will have
resulted in a successful intrusion long before having to take
this kind of "drastic" measure).
The only reference I can give you right now is in regard
to ARP spoofing. However, it is a very fine one:
http://www.monkey.org/~dugsong/dsniff/
Hope this helps... somehow :)
/Mike
--
Mikael Olsson, EnterNet Technologies
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 66 77 636
Fax: +46 (0)660 122 50 WWW: http://www.enternet.net
"Smile; today is the tomorrow that you worried about yesterday"
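[Editor's note, added to this list archive and not part of Mike's mail
or of dsniff: the Python below shows what an ICMP Redirect actually
looks like on the wire and which conditions a host applies before
believing one. It builds a Redirect the way an attacker would aim it
at a host, decodes it again, and then checks it against the acceptance
rules of RFC 1122 section 3.2.2.2: the Redirect has to arrive from the
address of the gateway the host is currently using for that
destination, and the new gateway it names has to sit on a directly
connected network. That is the practical caveat behind the "not local
to the endpoint" case above: a remote attacker has to forge the real
gateway's address as IP source, and the "system under your control"
that the new-gateway field points at must already be on the victim's
own subnet. Redirects are also a host mechanism; a router forwarding
other people's traffic does not normally update its forwarding state
from them, which is why the router-in-the-path variant is harder than
it sounds. The addresses, the sample TCP datagram and the function
names are all constructed for the example.]

```python
import ipaddress
import socket
import struct

ICMP_REDIRECT = 5   # ICMP type (RFC 792)
REDIRECT_HOST = 1   # code 1: redirect datagrams for this host


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IP and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (IHL=5, no options) with valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_redirect(spoofed_gateway, victim, new_gateway, original_datagram):
    """ICMP Redirect telling `victim` to reach the destination of
    `original_datagram` via `new_gateway`.  The IP source is forged as the
    victim's current gateway, the only sender a host is supposed to believe.
    Per RFC 792 the body quotes the original IP header plus 8 bytes of data."""
    quoted = original_datagram[:28]        # assumes an option-less IP header
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, REDIRECT_HOST, 0,
                       socket.inet_aton(new_gateway)) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4_header(spoofed_gateway, victim,
                             socket.IPPROTO_ICMP, len(icmp)) + icmp


def parse_icmp_redirect(packet):
    """Decode an IPv4 packet carrying an ICMP Redirect; raise on anything else."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    typ, code, _csum, gw = struct.unpack("!BBH4s", icmp[:8])
    if typ != ICMP_REDIRECT:
        raise ValueError("not an ICMP Redirect")
    if inet_checksum(icmp) != 0:           # a correct checksum folds to zero
        raise ValueError("bad ICMP checksum")
    quoted = icmp[8:]
    if len(quoted) < 20:
        raise ValueError("truncated quoted datagram")
    return {
        "from": socket.inet_ntoa(packet[12:16]),
        "code": code,
        "new_gateway": socket.inet_ntoa(gw),
        "for_dst": socket.inet_ntoa(quoted[16:20]),  # dst of quoted IP header
    }


def host_accepts_redirect(redirect, current_gateway, local_net):
    """RFC 1122 section 3.2.2.2: discard a Redirect unless it comes from the
    gateway currently used for that destination and names a new gateway on
    a directly connected network.  Returns (accepted, reasons_for_rejection)."""
    reasons = []
    if redirect["from"] != current_gateway:
        reasons.append("source %s is not the current gateway %s"
                       % (redirect["from"], current_gateway))
    if ipaddress.ip_address(redirect["new_gateway"]) not in ipaddress.ip_network(local_net):
        reasons.append("new gateway %s is not on %s"
                       % (redirect["new_gateway"], local_net))
    return (not reasons, reasons)


# Constructed sample: victim 10.0.0.5 (gateway 10.0.0.1) talking TCP/443 to
# 198.51.100.7.  Only the first 8 bytes of the TCP header end up quoted.
SAMPLE_TCP = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x18, 8192, 0, 0)
SAMPLE_DATAGRAM = build_ipv4_header("10.0.0.5", "198.51.100.7",
                                    socket.IPPROTO_TCP, len(SAMPLE_TCP)) + SAMPLE_TCP


def demo():
    """Two forged Redirects from '10.0.0.1': one pointing at a host on the
    victim's own LAN (accepted), one at an off-subnet address (rejected)."""
    good = parse_icmp_redirect(
        build_icmp_redirect("10.0.0.1", "10.0.0.5", "10.0.0.66", SAMPLE_DATAGRAM))
    bad = parse_icmp_redirect(
        build_icmp_redirect("10.0.0.1", "10.0.0.5", "203.0.113.9", SAMPLE_DATAGRAM))
    return (host_accepts_redirect(good, "10.0.0.1", "10.0.0.0/24"),
            host_accepts_redirect(bad, "10.0.0.1", "10.0.0.0/24"))


if __name__ == "__main__":
    for accepted, reasons in demo():
        print("accepted" if accepted else "rejected: " + "; ".join(reasons))
```

The same two conditions are what you tune on a Linux host today
(net.ipv4.conf.*.accept_redirects to refuse Redirects outright,
net.ipv4.conf.*.secure_redirects to accept them only from gateways
already in the routing table); on a firewall or a router, turning
acceptance off entirely is the usual choice.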
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]