[69933] in North American Network Operators' Group


RE: tcp bgp vulnerability looking glass and route server issues.

daemon@ATHENA.MIT.EDU (Burton, Chris)
Wed Apr 21 19:48:13 2004

Date: Wed, 21 Apr 2004 16:46:02 -0700
From: "Burton, Chris" <Chris.Burton@dig.com>
To: "Lane Patterson" <lpatterson@equinix.com>,
	"Smith, Donald" <Donald.Smith@qwest.com>, <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu


Although the "show ip bgp nei" command is by far the easiest way to
get the BGP peer information, and should not be enabled on any production
BGP peering routers that allow non-trusted or public connectivity, it is
not the only way to get the information; anyone who does not do inbound
SNMP filtering on their border routers, or has a weak community string
and has SNMP enabled, could potentially give away their production BGP
peer information for both source/destination IP address and
source/destination ports. And since most Cisco devices I have seen
usually use the 11000 (others too, I assume) range for source ports, it
just makes things easier.

Although it is rare to come across networks that do not have
SNMP filtering at their edge, or at the very least strong community
strings, it does happen, even if it happens by accident.

Chris Burton
Network Engineer
Walt Disney Internet Group: Network Services

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above. If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited. If you have received this
e-mail in error, please contact Walt Disney Internet Group at
206-664-4000.



-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Lane Patterson
Sent: Wednesday, April 21, 2004 4:22 PM
To: Smith, Donald; nanog@merit.edu
Subject: RE: tcp bgp vulnerability looking glass and route server
issues.
Sensitivity: Private


While I agree that publicly open route-views routers should not allow
display of "sho ip bgp nei" information, this is only giving away
4-tuple info regarding non-production BGP sessions, right?  So folks
could potentially flap the route-views sessions, but this will not
affect any production routing in the data path.

If any folks are allowing "sho ip bgp nei" via looking glass interface
to a production router, then yes, that is a problem.  I haven't seen
any.


> -----Original Message-----
> From: Smith, Donald [mailto:Donald.Smith@qwest.com]
> Sent: Tuesday, April 20, 2004 1:38 PM
> To: nanog@merit.edu
> Subject: tcp bgp vulnerability looking glass and route server issues.
> Sensitivity: Private
>
>
>
> John Fraizer, author of MRLG, one of the looking glass implementations,
> has updated his code to fix a flaw that provided too much information.
>
> MRLG-4.3.0 is available at:
> Available here:
> ftp://ftp.enterzone.net/looking-glass/CURRENT/
>
> Some route servers also provide too much info.
> This audit was performed yesterday so if you have already
> fixed this issue please ignore:-)
> Part of this issue is the fact that some route servers
> provide too much information.
> Without knowing the source/destination ports and IP's this is
> still a difficult vulnerability to exploit.
>
> From this URL I did a quick audit.
> http://www.traceroute.org/#Route%20Servers
> I did NOT look at the looking glass URLs just the route servers.
>
> This is the list of open route servers I did a quick audit on.
> No connection means I was unable to connect to it.
> Not misconfigured meant sho ip bgp nei did NOT work.
> Sho ip bgp nei gives full ports/ips means what you think it means.
> You may want to see if any of them are yours or
> if you peer / are the upstream for any of them.
>
> "Route Servers"
>
> "telnet://ner-routes.bbnplanet.net" BBN Planet NER route monitor
> No connection
>
> "telnet://route-server.belwue.de" BelWue (AS553)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-views.on.bb.telus.com" Telus - East Coast (AS852)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-views.ab.bb.telus.com" Telus - West Coast (AS852)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.cerf.net" CerfNet Route Server (AS1838)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.ip.tiscali.net" Tiscali (AS3257)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.gblx.net" Global Crossing (AS3549)
> Not misconfigured:-)
>
> "telnet://route-server.savvis.net/" SAVVIS Communications (AS3561)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://public-route-server.is.co.za" Internet Solutions (AS3741)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server-ap.exodus.net" Exodus Communications Asia (AS4197)
> No connection
>
> "telnet://route-server.as5388.net" Planet Online (AS5388)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.opentransit.net" Opentransit (AS5511)
> Not misconfigured:-)
>
> "telnet://tpr-route-server.saix.net" South African Internet eXchange SAIX (AS5713)
> Not misconfigured:-)
>
> "telnet://route-server.gt.ca" GT Group Telecom (AS6539)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.as6667.net" EUNet Finland (AS6667)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.he.net" Hurricane Electric (AS6939)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.ip.att.net" AT&T (AS7018)
> No connection
>
> "telnet://route-views.optus.net.au" Optus Route Server Australia (AS7474)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.wcg.net" Wiltel (AS7911)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.colt.net" Colt Internet (AS8220)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server-eu.exodus.net" Exodus Communications Europe (AS8709)
> No connection
>
> "telnet://route-views.bmcag.net" Broadnet mediascape communications AG (AS9132)
> Not misconfigured:-)
>
> "telnet://route-server-au.exodus.net" Exodus Communications Australia (AS9328)
> No connection
>
> "telnet://route-server.manilaix.net.ph" Manila Internet Exchange, Philippines (AS9670)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.east.attcanada.com" ATT Canada - East (AS15290)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.west.attcanada.com" ATT Canada - West (AS15290)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.ip.ndsoftware.net" NDSoftware (AS25358)
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://route-server.loudpacket.net" Loud Packet (AS27276)
> No connection.
>
> "telnet://route-server.as28747.net/" RealROOT (AS28747)
> No connection
>
> "telnet://route-views.oregon-ix.net" Oregon-ix.net Route Server
> Sho ip bgp nei appears it WOULD provide full ports/ips if
> they had any? The command executed but came back empty!!??
> This one can be used as a proxy bounce (connect ip port) too:-(
>
> "telnet://route-server.utah.rep.net" Utah Regional Exchange Point Route Server
> Sho ip bgp nei gives full ports/ips.
>
> "telnet://www.netlantis.org" The NetLantis Project Route Server
> Not misconfigured.
>
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
> pgpFingerPrint:9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC
> Increased trust is received by not violating the trust you
> have received.
>
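As an added illustration of the audit Donald describes and of the 4-tuple exposure Chris is worried about (this is editor-supplied example code, not part of the thread and not MRLG's code), the Python below reads a captured "show ip bgp neighbors" transcript from one of your own route servers and sorts it into the three outcomes used in the list above: the command was refused, it ran but showed no sessions, or it disclosed local/foreign host and port for live sessions. The transcripts are constructed samples using RFC 5737 documentation addresses; the Cisco IOS field layout ("Local host: ..., Local port: ...") and the "% Invalid input detected" rejection text are real IOS wording, but treat the exact strings as an assumption for your own platform and adjust the patterns accordingly.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample transcript (not captured from any real route server).
# Addresses are from the RFC 5737 documentation ranges; the layout follows
# Cisco IOS "show ip bgp neighbors" output when the command is unrestricted.
EXPOSED_OUTPUT = """\
BGP neighbor is 192.0.2.1,  remote AS 64496, external link
  BGP version 4, remote router ID 192.0.2.1
  BGP state = Established, up for 3d02h
  Last read 00:00:12, hold time is 180, keepalive interval is 60 seconds
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 198.51.100.2, Local port: 11027
Foreign host: 192.0.2.1, Foreign port: 179

BGP neighbor is 203.0.113.9,  remote AS 64497, external link
  BGP version 4, remote router ID 203.0.113.9
  BGP state = Established, up for 1w2d
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 198.51.100.2, Local port: 179
Foreign host: 203.0.113.9, Foreign port: 40213
"""

# Constructed: the command sits behind a higher privilege level, so IOS
# answers as if it did not exist (standard IOS rejection wording).
DENIED_OUTPUT = "% Invalid input detected at '^' marker.\n"

# Constructed: the command ran but the router had no neighbours to show
# (the Oregon-ix case in the list above).
EMPTY_OUTPUT = "\n"


@dataclass
class Session:
    neighbor: str
    remote_as: int
    state: str
    local_host: Optional[str] = None
    local_port: Optional[int] = None
    foreign_host: Optional[str] = None
    foreign_port: Optional[int] = None

    def tuple_disclosed(self) -> bool:
        """True when all four values an outsider would need are visible."""
        return None not in (self.local_host, self.local_port,
                            self.foreign_host, self.foreign_port)


NEIGHBOR_RE = re.compile(r"^BGP neighbor is (\S+),\s+remote AS (\d+)")
STATE_RE = re.compile(r"^\s*BGP state = (\w+)")
LOCAL_RE = re.compile(r"^Local host: (\S+), Local port: (\d+)")
FOREIGN_RE = re.compile(r"^Foreign host: (\S+), Foreign port: (\d+)")


def parse_neighbors(text: str) -> List[Session]:
    """Walk the transcript and collect one Session per 'BGP neighbor is' block."""
    sessions: List[Session] = []
    current: Optional[Session] = None
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            current = Session(m.group(1), int(m.group(2)), "Unknown")
            sessions.append(current)
            continue
        if current is None:
            continue
        if (m := STATE_RE.match(line)):
            current.state = m.group(1)
        elif (m := LOCAL_RE.match(line)):
            current.local_host, current.local_port = m.group(1), int(m.group(2))
        elif (m := FOREIGN_RE.match(line)):
            current.foreign_host, current.foreign_port = m.group(1), int(m.group(2))
    return sessions


def classify(text: str) -> str:
    """Map a transcript onto the three outcomes used in the audit list."""
    if "% Invalid input" in text or "Command authorization failed" in text:
        return "Not misconfigured"
    if any(s.tuple_disclosed() for s in parse_neighbors(text)):
        return "Sho ip bgp nei gives full ports/ips"
    return "Command executed but returned no sessions"


def report(text: str) -> List[str]:
    """One line per session whose 4-tuple is readable by a public user, noting
    which side did the active open (the side whose port is not 179). Cisco's
    ephemeral ports start at 11000, which is the pattern Chris points out."""
    lines = []
    for s in parse_neighbors(text):
        if not s.tuple_disclosed():
            continue
        opener = "local" if s.local_port != 179 else "remote"
        lines.append(f"AS{s.remote_as} {s.state}: {s.local_host}:{s.local_port} <-> "
                     f"{s.foreign_host}:{s.foreign_port} (active open by {opener} side)")
    return lines


if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED_OUTPUT), ("denied", DENIED_OUTPUT),
                         ("empty", EMPTY_OUTPUT)):
        print(f"{name}: {classify(sample)}")
    for line in report(EXPOSED_OUTPUT):
        print("  " + line)
```

Feed it a transcript saved from your own route server; any session listed by report() is one whose TCP endpoints are readable by anyone who can log in, and the fix on the device is to keep the neighbor command at a privilege level the public login does not have, the same thing the MRLG update does on the looking-glass side.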
