[69932] in North American Network Operators' Group
RE: tcp bgp vulnerability looking glass and route server issues.
daemon@ATHENA.MIT.EDU (Lane Patterson)
Wed Apr 21 19:26:03 2004
Date: Wed, 21 Apr 2004 16:21:51 -0700
From: "Lane Patterson" <lpatterson@equinix.com>
To: "Smith, Donald" <Donald.Smith@qwest.com>, <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
While I agree that publicly open route-views routers should not allow
display of "sho ip bgp nei" information, this is only giving away
4-tuple info regarding non-production BGP sessions, right? So folks
could potentially flap the route-views sessions, but this will not
affect any production routing in the data path.
If any folks are allowing "sho ip bgp nei" via looking glass interface
to a production router, then yes, that is a problem. I haven't seen
any.
> -----Original Message-----
> From: Smith, Donald [mailto:Donald.Smith@qwest.com]
> Sent: Tuesday, April 20, 2004 1:38 PM
> To: nanog@merit.edu
> Subject: tcp bgp vulnerability looking glass and route server issues.
> Sensitivity: Private
>
> John Fraizer, author of MRLG, one of the looking glass implementations,
> has updated his code to fix a flaw that provided too much information.
>
> MRLG-4.3.0 is available at:
> Available here:
> ftp://ftp.enterzone.net/looking-glass/CURRENT/
>
> Some route servers also provide too much info.
> This audit was performed yesterday so if you have already
> fixed this issue please ignore:-)
> Part of this issue is the fact that some route servers
> provide too much information.
> Without knowing the source/destination ports and IPs this is
> still a difficult vulnerability to exploit.
>
> From this URL I did a quick audit.
> http://www.traceroute.org/#Route%20Servers
> I did NOT look at the looking glass URLs, just the route servers.
>
> This is the list of open route servers I did a quick audit on.
> No connection means I was unable to connect to it.
> Not misconfigured meant sho ip bgp nei did NOT work.
> Sho ip bgp nei gives full ports/ips means what you think it means.
> You may want to see if any of them are yours or
> if you peer / are the upstream for any of them.
>
> "Route Servers"
>
> "telnet://ner-routes.bbnplanet.net" BBN Planet NER route monitor
> No connection
>
> "telnet://route-server.belwue.de" BelWue (AS553)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-views.on.bb.telus.com" Telus - East Coast (AS852)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-views.ab.bb.telus.com" Telus - West Coast (AS852)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.cerf.net" CerfNet Route Server (AS1838)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.ip.tiscali.net" Tiscali (AS3257)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.gblx.net" Global Crossing (AS3549)
> Not misconfigured:-)
>
> "telnet://route-server.savvis.net/" SAVVIS Communications (AS3561)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://public-route-server.is.co.za" Internet Solutions (AS3741)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server-ap.exodus.net" Exodus Communications Asia (AS4197)
> No connection
>
> "telnet://route-server.as5388.net" Planet Online (AS5388)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.opentransit.net" Opentransit (AS5511)
> Not misconfigured:-)
>
> "telnet://tpr-route-server.saix.net" South African Internet eXchange SAIX (AS5713)
> Not misconfigured:-)
>
> "telnet://route-server.gt.ca" GT Group Telecom (AS6539)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.as6667.net" EUNet Finland (AS6667)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.he.net" Hurricane Electric (AS6939)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.ip.att.net" AT&T (AS7018)
> No connection
>
> "telnet://route-views.optus.net.au" Optus Route Server Australia (AS7474)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.wcg.net" Wiltel (AS7911)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.colt.net" Colt Internet (AS8220)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server-eu.exodus.net" Exodus Communications Europe (AS8709)
> No connection
>
> "telnet://route-views.bmcag.net" Broadnet mediascape communications AG (AS9132)
> Not misconfigured:-)
>
> "telnet://route-server-au.exodus.net" Exodus Communications Australia (AS9328)
> No connection
>
> "telnet://route-server.manilaix.net.ph" Manila Internet Exchange, Philippines (AS9670)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.east.attcanada.com" ATT Canada - East (AS15290)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.west.attcanada.com" ATT Canada - West (AS15290)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.ip.ndsoftware.net" NDSoftware (AS25358)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.loudpacket.net" Loud Packet (AS27276)
> No connection.
>
> "telnet://route-server.as28747.net/" RealROOT (AS28747)
> No connection
>
> "telnet://route-views.oregon-ix.net" Oregon-ix.net Route Server
> Sho ip bgp nei appears it WOULD provide full ports/ips if
> they had any? The command executed but came back empty!!??
> This one can be used as a proxy bounce (connect ip port) too:-(
>
> "telnet://route-server.utah.rep.net" Utah Regional Exchange Point Route Server
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://www.netlantis.org" The NetLantis Project Route Server
> Not misconfigured.
>
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
> pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
> Increased trust is received by not violating the trust you
> have received.
>
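
Added example, not part of either message and not MRLG's code: one way a looking-glass front end can keep "sho ip bgp nei" away from the router is an allowlist that expands IOS-style abbreviations before matching, with a port scrubber on the output as a second layer. The allowlist contents, function names and the "Local port:/Foreign port:" output labels are assumptions of this sketch.

```python
import ipaddress
import re

# Assumed allowlist for a public looking glass (not taken from MRLG).
# Keywords may be abbreviated IOS-style; <net>/<host> take one argument.
ALLOWED = [
    ("show", "ip", "bgp", "summary"),
    ("show", "ip", "bgp", "<net>"),
    ("ping", "<host>"),
    ("traceroute", "<host>"),
]
ARG_PARSERS = {
    "<net>": lambda t: ipaddress.ip_network(t, strict=False),
    "<host>": ipaddress.ip_address,
}

def _match(pattern, tokens):
    """Return the expanded token list if tokens fit pattern, else None."""
    if len(pattern) != len(tokens):
        return None
    out = []
    for want, got in zip(pattern, tokens):
        if want in ARG_PARSERS:
            try:
                if "%" in got:  # IPv6 zone IDs allow free-form text
                    raise ValueError(got)
                ARG_PARSERS[want](got)
            except ValueError:
                return None
            out.append(got)
        elif want.startswith(got.lower()):
            out.append(want)
        else:
            return None
    return out

def canonicalize(line):
    """Expand an abbreviated command to its allowlisted full form, or return
    None. 'sho ip bgp nei' fits no entry, so it never reaches the router."""
    hits = [m for m in (_match(p, line.split()) for p in ALLOWED) if m]
    return " ".join(hits[0]) if len(hits) == 1 else None

# Assumed output labels for the TCP endpoints of a BGP session.
PORT_RE = re.compile(r"((?:Local|Foreign) port:\s*)\d+", re.IGNORECASE)

def scrub(output):
    """Defense in depth: mask TCP ports if session detail ever leaks through."""
    return PORT_RE.sub(r"\1[redacted]", output)
```

Only the string returned by `canonicalize` should be sent to the router; a `None` result is answered by the front end itself.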