On Tue, 17 Apr 2001, Mikael Olsson wrote:
> BGP Injection
> -------------
>
> BGP? Ehm. My knowledge in BGP is, unfortunately, very
I'd recommend Internet Routing Architectures, 2nd Ed. Halabi and
McPherson.
> limited. I assume that one would need access (as in "being
> able to push BGP announcements into") to a BGP exchange in the
> path of the communication channel. One such exchange is usually
> the backbone networks, but there could be other, more local
> ones, with less clued admins.
For the most part, backbone providers won't accept advertisements for
their own networks. That would leave you with only being able to redirect
traffic for the less-than-clued's other customers if they're a Tier-1
downstream. There's a reason that the Tier-1's are picky about who
they'll peer routes with.
> This becomes a bit trickier since some (I don't know the
> percentage) providers filter BGP from their customers, to keep
> them from playing these games.
Most, if not all providers do BGP filtering. Every ISP I've ever talked
to about peering full routes wouldn't accept anything but a legitimate
advertisement from me. All my routers were always set up to filter by
neighbor. Ciscos make it easy to filter on AS path too. Anyone who's
accepting routes without any filtering at all needs to be disconnected.
Especially if they're set up for multihop. Since BGP announcements show
which AS is announcing the route, it's pretty easy to figure out the
offender too, as well as how it got there in the AS Path.
Also, if you're dealing with a meshed cloud, you'd have to either DoS the
true next hop, or ensure that your advertisement was preferred - not the
easiest of things to do remotely.
[snip]
>
> ARP spoofing
> ------------
>
> I mentioned ARP spoofing in my post. ARP spoofing will, of
> course, only work if you control a system on the same
> broadcast network as (one of) the peers. If they are separate,
> it could also be on any network that speaks ARP in between;
> in this case, you spoof the address of the routers carrying
> the traffic between the peers.
Static ARP entries for routing clouds and even servers on a local network
are a good (but not perfect) defense to this. The administrative overhead
is fairly minimal as long as people swapping equipment are aware they
exist.
> Getting even more complicated
> -----------------------------
>
> Also, there's the issue of RIP and OSPF spoofing, that I,
> for some reason, didn't bring up in that mail. The
> implications are pretty much the same.
>
> And, to complicate matters even more, any and all of these
> techniques could be used in combination. Using BGP
> injection to get the packets to your provider's main router
> could be followed up by, for instance, RIP spoofing to get
> the packets to the system under your control.
This sentence doesn't make much sense to me: routing protocols are based
on destination; you don't need BGP to get packets to your provider's core
routers, since your provider always routes your packets. TCP spoofing is more
critical.
> The up side to all of this is that it's so d*mn convoluted
> that none but the most techno-savvy attackers would try something
> this hard, and, even then, not before trying pretty much all the
> other tricks in the book (which, almost invariably, will have
> resulted in a successful intrusion long before having to take
> this kind of "drastic" measures).
The true upside is that anyone trying to play this game is going to be
caught and taken seriously enough that they won't get to play again :)
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
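The inbound filtering Paul describes (filter by neighbor, filter on AS path, and never accept advertisements for the provider's own networks) modelled as a small route-filter script. This is an added example, not code from the thread or from any router vendor; the `Neighbor`/`Announcement` classes and `evaluate()` are illustrative assumptions, not real configuration syntax, and every ASN and prefix is constructed from the documentation ranges (RFC 5737 addresses, RFC 5398 AS numbers).

```python
"""Illustrative inbound BGP route filter (added example, not from the thread).

Models the checks the reply describes: filter by neighbor, filter on AS path,
and never accept announcements for the provider's own networks. All ASNs and
prefixes below are constructed from documentation ranges (RFC 5737 / RFC 5398).
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Neighbor:
    asn: int                      # the peer's own AS number
    allowed_prefixes: list        # networks this customer is permitted to originate
    allowed_origin_asns: set      # AS numbers allowed to appear as origin
    max_prefix_len: int = 24      # reject anything more specific than this


@dataclass
class Announcement:
    prefix: str
    as_path: list                 # left-most AS is the neighbor, right-most is the origin


# Hypothetical "our own" networks that must never be learned from a customer.
OUR_NETWORKS = [ip_network("192.0.2.0/24")]


def evaluate(ann, neighbor, our_networks=OUR_NETWORKS):
    """Return ("accept"|"reject", reason) for one announcement from one neighbor."""
    net = ip_network(ann.prefix)
    if not ann.as_path:
        return ("reject", "empty AS path")
    # Filter by neighbor: the first AS in the path must be the peer we are talking to.
    if ann.as_path[0] != neighbor.asn:
        return ("reject", f"first AS {ann.as_path[0]} is not neighbor AS {neighbor.asn}")
    # Do not accept advertisements for (or covering) our own networks.
    for own in our_networks:
        if net.version == own.version and (net.subnet_of(own) or own.subnet_of(net)):
            return ("reject", f"{net} overlaps our own network {own}")
    # Bound how specific a customer route may be.
    if net.prefixlen > neighbor.max_prefix_len:
        return ("reject", f"{net} is more specific than /{neighbor.max_prefix_len}")
    # Prefix-list filter: the route must fall inside what the customer may announce.
    if not any(net.version == p.version and net.subnet_of(p) for p in neighbor.allowed_prefixes):
        return ("reject", f"{net} is not in the allowed prefix list for AS {neighbor.asn}")
    # AS-path filter: the origin AS must be one we have agreed to carry for this peer.
    origin = ann.as_path[-1]
    if origin not in neighbor.allowed_origin_asns:
        return ("reject", f"origin AS {origin} not permitted from neighbor AS {neighbor.asn}")
    return ("accept", "passed neighbor, prefix and AS-path filters")


def filter_updates(announcements, neighbor):
    """Evaluate a batch; returns a list of (prefix, decision, reason)."""
    return [(a.prefix, *evaluate(a, neighbor)) for a in announcements]


# Constructed sample peer and announcements (documentation ranges only).
CUSTOMER = Neighbor(
    asn=64500,
    allowed_prefixes=[ip_network("203.0.113.0/24")],
    allowed_origin_asns={64500},
)

SAMPLE_UPDATES = [
    Announcement("203.0.113.0/24", [64500]),          # legitimate customer route
    Announcement("192.0.2.0/25", [64500]),            # more-specific for our own network
    Announcement("203.0.113.0/24", [64999, 64500]),   # arrived from the wrong neighbor AS
    Announcement("203.0.113.0/24", [64500, 64501]),   # unexpected origin behind the customer
    Announcement("198.51.100.0/24", [64500]),         # prefix the customer never registered
]

if __name__ == "__main__":
    for prefix, decision, reason in filter_updates(SAMPLE_UPDATES, CUSTOMER):
        print(f"{decision:6} {prefix:18} {reason}")
```

Only the first sample update survives; each rejected one carries the reason, which is also the audit trail the reply mentions: because the AS path names who injected the route and how it got there, the log line for a rejected update already identifies the offending neighbor and origin.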