[70221] in North American Network Operators' Group


RE: BGP Exploit

daemon@ATHENA.MIT.EDU (Smith, Donald)
Wed May 5 14:40:20 2004

Date: Wed, 5 May 2004 12:39:35 -0600
From: "Smith, Donald" <Donald.Smith@qwest.com>
To: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
Cc: "Steven M. Bellovin" <smb@research.att.com>,
	"Kurt Erik Lindqvist" <kurtis@kurtis.pp.se>,
	<kwallace@pcconnection.com>, <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu


No. The router stays up. The tool I use is very fast. It floods the GIGE
to the point that the interface is basically unusable, but the router
itself stays up; only the session is torn down. I performed these
tests in a lab and did not have full BGP routing tables etc., so your
mileage may vary.



Donald.Smith@qwest.com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC
kill -13 111.2

> -----Original Message-----
> From: Stephen J. Wilcox [mailto:steve@telecomplete.co.uk]
> Sent: Wednesday, May 05, 2004 10:16 AM
> To: Smith, Donald
> Cc: Steven M. Bellovin; Kurt Erik Lindqvist;
> kwallace@pcconnection.com; nanog@merit.edu
> Subject: RE: BGP Exploit
>
> Of more interest.. does the router die (CPU load) before you
> brute force the sessions down?
>
> Steve
>
> On Tue, 4 May 2004, Smith, Donald wrote:
>
> > I have seen 3 publicly available tools that ALL work.
> > I have seen 2 private tools that work.
> > A traffic generator can be configured to successfully tear down BGP
> > sessions.
> >
> > Given src/dst IP and ports:
> > I tested with a cross-platform EBGP peering with md5; using several of
> > the tools I could not tear down the sessions. I tested both Cisco and
> > Juniper BGP peering after code upgrades without md5; I could not tear
> > down the sessions.
> >
> > Donald.Smith@qwest.com GCIA
> > http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
> > pgpFingerPrint:9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC
> > kill -13 111.2
> >
> > > -----Original Message-----
> > > From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On
> > > Behalf Of Steven M. Bellovin
> > > Sent: Tuesday, May 04, 2004 11:54 AM
> > > To: Kurt Erik Lindqvist
> > > Cc: kwallace@pcconnection.com; nanog@merit.edu
> > > Subject: Re: BGP Exploit
> > >
> > > In message
> > > <C4E8C22A-9DA6-11D8-B28B-000A95928574@kurtis.pp.se>, Kurt
> > > Erik Lindqvist writes:
> > >
> > > >> Now that the firestorm over implementing Md5 has quieted down a bit,
> > > >> is anybody aware of whether the exploit has been used? Feel free to
> > > >> reply off list.
> > > >
> > > >Even more interesting, did anyone manage to reproduce it?
> > > >
> > >
> > > I don't know if it's being used; I know that reimplementations of
> > > the idea are out there.
> > >
> > > 		--Steve Bellovin, http://www.research.att.com/~smb
> > >
