On Tue, 17 Apr 2001, Mikael Olsson wrote:

> "Paul D. Robertson" wrote:
> >
> > [In summary: BGP injection is damn near impossible in most cases]
>
> Yes. Even with my limited knowledge in BGP, I guessed as much.
> So, that makes it two votes for "attacks via BGP injection aren't
> very likely" :)
>
> (At least not where large and well-managed exchanges are concerned)

That's the point though- Tier-1's only peer with customers or at
well-managed exchanges (thank goodness!)

>
> > [On ARP entries]
> >
> > Static ARP entries for routing clouds and even servers on a local network
> > are a good (but not perfect) defense to this.  The administrative overhead
> > is fairly minimal as long as people swapping equipment are aware they
> > exist.
>
> You are, as usual, absolutely right.
>
> However, this does not mean that there's a lot of people actually
> being this clever, since most admins will strenuously object to this
> kind of PITA. Border firewalls are usually all they can stand :)
>
> (But this is the old security versus function debate all over again;
> let's not make an issue of it. All I was noting is that ARP spoofing
> will work more often than not.)

I know, I just prefer to give those who are worried about such attacks at
least the option of defense when discussing them.  I think it's almost a
direct responsibility of a security practitioner to do so where possible.


> > >   And, to complicate matters even more, any and all of these
> > >   techniques could be used in combination. Using BGP
> > >   injection to get the packets to your provider's main router
> > >   could be followed up by, for instance, RIP spoofing to get
> > >   the packets to the system under your control.
> >
> > This sentence doesn't make much sense to me- routing protocols are
> > based on destination, you don't need BGP to get packets to your
> > provider's core routers- your provider always routes your packets,
> > TCP spoofing is more critical.
>
> Alice, using provider A, sends a packet to Bob, using provider B,
> through BGP routing cloud R. Eve, using provider E, wants to
> listen to these packets. Eve needs to get the packets traversing
> R to the main router of provider E (which usually never sees them),
> and, from there, to herself. If BGP could be used (_could_! I'm
> theorizing here) to accomplish the first bit, Eve would likely need
> to use some other technique to actually get the packets to somewhere
> inside provider E's networks where she can intercept them.

This, of course means that provider B has to trust advertisements to A's
networks to come through E- given the transit issues of 4-5 years ago,
that's not a normal situation unless E is of similar connectivity as A and
B.

> Another example then: Use a combination of targeted ICMP redirects
> and RIP spoofing to make packets from Alice to Bob get to Eve
> instead of Bob. All I was saying was that different redirect games

Does *anyone* still use RIP?  Especially as an EGP?  Certainly I've never
seen RIP active on purpose on a network in the last 8 years- both
Internet facing and contained local/regional/national networks.

Don't get me wrong, I'd love to see all the kiddies playing with RIP- it'd
sure make certain that the number of targets they could affect would be
pretty low.

> will work with different routing scenarios, and there may be
> several _different_ routing scenarios between the attack point
> in the A->B path and Eve's machine.
>
> > > The up side to all of this is that it's so d*mn convoluted
> > > [snip]
> >
> > The true upside is that anyone trying to play this game is going
> > to be caught and taken seriously enough that they won't get to
> > play again :)
>
> :) Yes, in the specific case of BGP, this is likely true.
>
> It is, unfortunately, less likely for the other redirection games
> that one can play. :( (Especially true for smart hackers, who won't
> do these things from their own machines ;))

If anyone's listening to redirects and modifying routing tables because of
it, then they pretty much get what they deserve.  Anything else should be
an IGP, and most IGPs aren't accepted from exterior sources.

If you've got ancillary evidence to the contrary, I'd love to see it- I'm
pretty rough on providers when I do evaluations, and I've yet to see one
that's open to IGP poisoning, especially in such a way that it gets
exported to the EGP peering stuff.  Interior routing protocols inside of
companies are normally wide open, but on the Internet I've yet to see
major badness in the last 3-4 years.  I'm not saying that it probably
couldn't be done somewhere, I'm just saying that it's unlikely that it'd
work in most places I've seen (but that's a non-scientific sample.)

Not doing it from your own machine implies that you're able to find and
compromise a machine with authority to peer with a provider, then
compromise that network's routing without detection, and keep the
advertisement as preferred from an AS it doesn't belong to for long enough
to perpetrate the attack- without being tracked and traced.  Assuming it's
for sniffing, about the only useful thing you can do is get E-mail, and
it's probably easier to play DNS games for that.

I'm not aware of the provider space outside of the US, but I'd find it
difficult to come up with a realistic scenario where such an attack was
advantageous, successful or undetectable.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
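The static-ARP defence discussed in the thread (pin the MACs of routing
equipment and servers, and make sure nobody swaps hardware without updating
the entries) is easy to state and easy to let drift. The script below is an
added example, not code from either poster: it parses a Linux-style
/proc/net/arp table, compares it with a pinned IP-to-MAC list, and reports
entries that resolve to an unexpected MAC, entries that are missing, and
entries that match but are still dynamic (so a forged reply could overwrite
them). It also emits the iproute2 commands that install the pinned entries as
permanent. The addresses, MACs and the sample cache are constructed; the
table format and the ATF_* flag values are those of the Linux ARP cache.

```python
"""Audit a host's ARP cache against pinned gateway/server MACs.

Added example, not code from the thread. Assumes the Linux /proc/net/arp
format; the pinned addresses and the sample cache below are constructed.
"""
from typing import Dict, List, Optional, Tuple

ATF_COM = 0x2   # entry is complete (resolved)
ATF_PERM = 0x4  # entry is static and will not be overwritten by ARP replies

# IP -> MAC for the routers and servers we choose to pin (constructed values).
PINNED: Dict[str, str] = {
    "192.0.2.1": "00:00:5e:00:53:01",   # default gateway
    "192.0.2.10": "00:00:5e:00:53:0a",  # mail relay
    "192.0.2.53": "00:00:5e:00:53:35",  # resolver
}

# Constructed /proc/net/arp snapshot. The gateway's MAC no longer matches the
# pinned one (an unexpected reply has overwritten it), the mail relay is static
# (flags 0x6), and the resolver is absent from the cache.
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:00:5e:00:53:ff     *        eth0
192.0.2.10       0x1         0x6         00:00:5e:00:53:0a     *        eth0
192.0.2.77       0x1         0x2         00:00:5e:00:53:4d     *        eth0
"""

Finding = Tuple[str, str, Optional[str]]  # (ip, status, observed MAC)


def parse_proc_arp(text: str) -> Dict[str, Tuple[str, int]]:
    """Return {ip: (mac, flags)} from /proc/net/arp text, skipping the header."""
    cache: Dict[str, Tuple[str, int]] = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue  # blank or truncated line
        ip, _hwtype, flags, mac, _mask, _dev = parts[:6]
        cache[ip] = (mac.lower(), int(flags, 16))
    return cache


def audit(arp_text: str, pinned: Dict[str, str] = PINNED) -> List[Finding]:
    """Compare the cache with the pinned table.

    Statuses: 'mismatch'  pinned host resolves to a different MAC (possible spoofing)
              'missing'   pinned host not in the cache (static entry not installed)
              'dynamic'   MAC matches but the entry is not static, so a forged
                          reply could still overwrite it
    """
    cache = parse_proc_arp(arp_text)
    findings: List[Finding] = []
    for ip, expected in sorted(pinned.items()):
        if ip not in cache:
            findings.append((ip, "missing", None))
            continue
        mac, flags = cache[ip]
        if mac != expected.lower():
            findings.append((ip, "mismatch", mac))
        elif not flags & ATF_PERM:
            findings.append((ip, "dynamic", mac))
    return findings


def pin_commands(pinned: Dict[str, str] = PINNED, dev: str = "eth0") -> List[str]:
    """iproute2 commands that install the pinned entries as permanent ARP entries."""
    return [f"ip neigh replace {ip} lladdr {mac} dev {dev} nud permanent"
            for ip, mac in sorted(pinned.items())]


if __name__ == "__main__":
    for ip, status, observed in audit(SAMPLE_ARP_TABLE):
        print(f"{ip:<12} {status:<9} observed={observed}")
    print("\n".join(pin_commands()))
```

Run periodically (or from the equipment-swap checklist) with the real table
read from /proc/net/arp; a 'mismatch' on a router address is exactly the
event the static entries are meant to prevent, and a 'dynamic' result means
the entry was installed once but did not survive a reboot or interface reset.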

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
