On Mon, Mar 10, 2014 at 3:43 PM, Owen DeLong <[email protected]> wrote:
> > Can you give me an example of what would be the scenario here? Assuming I
> > am the upstream ISP of the "hosts I control, willing to subject them to
> > vast quantities of traffic". Would I announce 1.2.3.0/24 upstream, and
> > point it to my customer's link?
>
> I'm not assuming that the upstream ISP would be the malefactor. That is,
> in fact, a rather odd assumption, is it not?

Very odd, but I was trying to think of ways to force someone to use my servers.

> OTOH, if you are a malefactor that wants to turn your botnet into
> anycasted DNS servers to issue incorrect redirections to others, getting
> said botnet (or its upstream routers if you are able to control them
> somehow) to announce 1.2.3.0/24 really doesn't pose any problem to you as
> a result of the traffic it generates.

This is the part that I really do not understand. Suppose I control a significant number of Windows 7 PCs, and a few Cisco routers, in your network, through a C&C botnet. How would I get them (the PCs) to make announcements for 1.2.3.0/24? I could install quagga (after porting it) quietly on them, but who would the Windows 7 PCs peer with? Only the routers under my control? In which case, what would be the point?

I could get the Ciscos to start up BGP, and start announcing 1.2.3.0/24, but to whom? Again, I can only peer if I control both sides of the link, and if I control both sides, why do anycast anyway? I have control of the RIB. If I controlled the routers at the edge of your network, I could redirect traffic from your nodes to any address I wished. This requires no new DNS, or 1.2.3.0/24 routing.

There is one other case I can think of. Start DNS servers on the zombie PCs, assign them 1.2.3.4, and use them as a DNS server farm. But who would come to them? If this was a home network (or any kind of leaf network), assigning 8.8.8.8 to my interface does not make you next to me send your DNS query to me.

> > Or would I announce 1.2.3.0/24 from another ISP's origin AS?
>
> Not sure how that would work or help other than in an attempt to cover
> your tracks.

Thank you, so we can close that scenario I postulated as invalid.

> > How would (evil me) be able to hurt hosts other than on _my_ network?
>
> You are assuming that you are doing this with routers you own (in the
> commercial sense of the word). I am assuming someone doing this with
> routers that they control (in the enable access sense of the word) but do
> not own (in the commercial sense of the word).
>
> Malefactors these days are rather well known for using other people's
> equipment to carry out their misdeeds, or are you unfamiliar with the term
> "botnet"?

I am aware of the concept, and some implementations. And I appreciate your distinction between the "own" and "control" part, it helps bisect the problem.

Suppose I subvert a router in your network (might be your edge router, might be an internal). Now what? Where does 1.2.3.0/24 come into the picture?

> > I am not doubting that people would not want to misuse this, but how would
> > this work in the case you have outlined?
>
> I hope I have adequately clarified.

I can understand if I am being too slow in picking up something obvious. I am still not seeing a _new_ attack vector _due_ to 1.2.3.0/24 being allowed to be used internally (and even leaking externally).

--
Sanjeev Gupta
+65 98551208
http://sg.linkedin.com/in/ghane
* sig-policy: APNIC SIG on resource management policy *
_______________________________________________
sig-policy mailing list
[email protected]
http://mailman.apnic.net/mailman/listinfo/sig-policy
