[31314] in North American Network Operators' Group


Re: S-BGP (some operational content)

daemon@ATHENA.MIT.EDU (batz)
Tue Sep 19 12:36:15 2000

Date: Mon, 18 Sep 2000 07:55:38 -0400 (EDT)
From: batz <batsy@vapour.net>
To: Timothy Brown <tcb@ga.prestige.net>
Cc: nanog@merit.edu
In-Reply-To: <20000916123448.A3688@bastille.dyndns.org>
Message-ID: <Pine.BSF.4.21.0009180738350.32867-100000@intrepid.vapour.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu


On Sat, 16 Sep 2000, Timothy Brown wrote:

:
:a) Has there ever been a published man-in-the-middle attack of someone using
:   BGP to affect someone else's network?
:b) Does anyone know of other groups that are focusing on developing new ways
:   of combating the vulnerabilities?

You won't see much of this in the wild. Some route spoofing, using
an unauthenticated IGP, that gets redistributed into BGP has been 
known to happen occasionally though. 

Insertion attacks against BGP are difficult because the sessions tend to 
be over a single physical wire between peers. Sniffing the
tcp session using something like 'hunt' and then doing insertion
would require control of an intermediate switch between
peers (which has also been known to happen). 

If you are interested in other attacks against BGP, please see
http://www.blackhat.com/html/bh-usa-99/bh3-speakers.html and 
look for the BGP talk. In hindsight, I think there are a couple of 
technical errors, but you'll get the idea. Jeremy Rauch from SecurityFocus.com
has a presentation in more recent Blackhat conferences about routing
protocols in general. 

I also noticed that Internet Routing Architectures Second Edition,
published this year, provides remedies to the problems I brought up 
in this presentation. They weren't anything really new, but they
were new for many folks in the security biz. Thus I'm not terribly offended
at not being mentioned as a reference in the new edition;) (would 
have been nice tho) 

Most of the security problems affecting BGP peers are IGP redistribution
(inward and outward), community configuration, and little in the way of
implemented authentication by most vendors at the time. The biggest
problem is bad or a lack of proper filtering, and people still doing
simple as_path based filtering and not filtering by specific 
prefix/len. 



--
batz
Chief Reverse Engineer
Superficial Intelligence Research
Defective Technologies
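The last paragraph's point about as_path-only filtering versus prefix/len filtering, shown as an added example that is not part of the original post. The peer ASN, the prefix list and the announcements are constructed for illustration; the "le" maximum-length semantics mirror what a router prefix-list does, but this is a stand-alone simulation, not vendor code.

```python
import ipaddress
import re

# Constructed import policy for one hypothetical neighbor (AS64500).
# Each entry is (prefix the peer may originate, maximum accepted length),
# i.e. the same idea as an IOS "prefix-list ... le N" statement.
PEER_AS = 64500
PREFIX_LIST = [("192.0.2.0/24", 24), ("198.51.100.0/22", 24)]

# A typical as_path-only filter: accept anything whose path begins with
# the neighbor's AS, whatever prefix it carries.
AS_PATH_RE = re.compile(r"^64500( \d+)*$")


def as_path_permits(as_path):
    """as_path filter: looks only at the AS sequence, never at the prefix."""
    return AS_PATH_RE.match(" ".join(str(asn) for asn in as_path)) is not None


def prefix_permits(prefix):
    """prefix/len filter: the announced network must sit inside an allowed
    block and must not be more specific than that block's maximum length."""
    net = ipaddress.ip_network(prefix, strict=True)
    for allowed, max_len in PREFIX_LIST:
        block = ipaddress.ip_network(allowed)
        if (net.version == block.version and net.subnet_of(block)
                and net.prefixlen <= max_len):
            return True
    return False


def evaluate(announcement):
    """Run one (prefix, as_path) announcement through both filters."""
    prefix, as_path = announcement
    return {"as_path": as_path_permits(as_path),
            "prefix_list": prefix_permits(prefix)}


# Constructed announcements received from the neighbor.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64500]),            # legitimate
    ("198.51.100.0/23", [64500]),         # legitimate, within le 24
    ("198.51.100.0/25", [64500]),         # too specific: prefix_list rejects
    ("203.0.113.0/24", [64500, 64496]),   # someone else's space, as_path looks fine
    ("192.0.2.0/24", [64501]),            # wrong neighbor AS: both reject
]

if __name__ == "__main__":
    for ann in ANNOUNCEMENTS:
        print(ann, evaluate(ann))
```

The fourth announcement is the case the post warns about: a path-based filter passes it because the AS sequence is plausible, while the prefix/len filter rejects it because the neighbor is not registered for that space.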

