[59839] in North American Network Operators' Group

RE: Cisco vulnerability and dangerous filtering techniques

daemon@ATHENA.MIT.EDU (Austad, Jay)
Tue Jul 22 17:56:36 2003

From: "Austad, Jay" <JAustad@temgweb.com>
To: "'alex@yuriev.com'" <alex@yuriev.com>,
	"Austad, Jay" <JAustad@temgweb.com>
Cc: nanog@merit.edu
Date: Tue, 22 Jul 2003 16:55:43 -0500
Errors-To: owner-nanog-outgoing@merit.edu


> How many thousands of "polls" do you think a looking glass can handle
> simultaneously? I am all for the doomsday scenarios, but let's make them a
> little bit less sci-fi, shall we? How about "it would create valid looking
> OSPF packets with garbage in them?" or "create valid looking STP packets"

It was just a suggestion.  I don't think it's plausible on a wide scale, but
only a few queries would be needed to get an overview of the topology.
Originally I was thinking traceroutes.  It's not going to be exact, but it's
going to glean enough information to cause more damage than without that
info.

If you were doing some sort of p2p, each host would simply need to perform
many random traceroutes and correlate their data.  The devices that appeared
most often in that data would obviously be backbone routers, and the attack
would start with those and work to the least frequent (with specific
emphasis on the hops that were seen from the local trojan/worm/etc).   

Like I said, it's not going to be perfect, but it is better than blindly
spewing out evil packets.

Jay
