[nsp] bgp vulnerability, just note

Alexandre Snarskii snar at paranoia.ru
Wed Apr 21 05:48:41 EDT 2004


Hi!

Most articles concerning 'bgp vulnerability' issues are based
on the fact that the attacker may easily get both addresses of the
session (using traceroute) and at least one port (179),
so it needs to guess just the correct sequence number and the other port.

But that is true only for sessions which are set up using link
addresses (mostly external sessions in my practice). Internal
sessions are often set up using loopback addresses on both sides,
so, as loopback addresses are not shown in traceroutes
and are only known by operating staff, they are not-so-predictable
for any external hacker.

For example, in the minimal RIPE-allocated /20 block there
may be 2^12*(2^12-1) = 16773120 variants of IP pairs used
for loopbacks, so an attack on such a 'loopbacked' session is
16 million times harder.
And, as loopback addresses may be assigned not only
from 'public' internet address space but also from RFC 1918 space,
there are many, many more variants.



More information about the cisco-nsp mailing list
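Editor's note (added example, not part of the original post or the author's own work): the post counts only the address-pair factor. A blind RST attack on an established TCP session also has to hit the receive window with a spoofed sequence number and guess the ephemeral port, so the attacker's total cost is the product of all three. The script below multiplies those factors for a link-address session (both endpoint addresses known) and for a loopback session drawn from a /20 or from 10/8. The receive-window size (16384 bytes) and the ephemeral-port range (1024-65535) are assumed illustrative values, not figures from the post; `blind_rst_cost` and the other function names are this example's own.

```python
"""Search-space estimate for a blind TCP RST attack against a BGP session.

Added example (not from the cisco-nsp post). All parameter values are
assumptions chosen for illustration, not measurements of any router.
"""
import ipaddress
from math import ceil

SEQ_SPACE = 2 ** 32          # TCP sequence numbers are 32 bits
BGP_PORT = 179               # the one port the attacker can take as known
ASSUMED_WINDOW = 16384       # assumed receive window of the target session (bytes)
ASSUMED_EPHEMERAL_PORTS = 65535 - 1024 + 1   # assumed ephemeral range 1024-65535


def seq_guesses(window: int) -> int:
    """Spoofed RSTs needed to land one sequence number inside an
    open window of `window` bytes, stepping one window per attempt."""
    return ceil(SEQ_SPACE / window)


def ordered_pairs(n_addresses: int) -> int:
    """Ordered (src, dst) pairs drawn from n distinct addresses: n*(n-1).
    This is the 2^12*(2^12-1) figure in the post for a /20."""
    return n_addresses * (n_addresses - 1)


def loopback_pairs(prefix: str) -> int:
    """Ordered address pairs an attacker must consider when both loopbacks
    may be any address of `prefix` (e.g. a RIPE /20 or RFC 1918 10/8)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return ordered_pairs(net.num_addresses)


def blind_rst_cost(window: int, ephemeral_ports: int, address_pairs: int) -> int:
    """Worst-case number of spoofed segments: one per (address pair,
    ephemeral port, window-sized slice of sequence space). The BGP side
    port 179 is taken as known, so it contributes a factor of 1."""
    return address_pairs * ephemeral_ports * seq_guesses(window)


def hardening_factor(prefix: str) -> int:
    """How many times more segments a loopback session inside `prefix`
    costs than a session whose one (src, dst) pair is already known."""
    known_pair = blind_rst_cost(ASSUMED_WINDOW, ASSUMED_EPHEMERAL_PORTS, 1)
    loopback = blind_rst_cost(ASSUMED_WINDOW, ASSUMED_EPHEMERAL_PORTS,
                              loopback_pairs(prefix))
    return loopback // known_pair


if __name__ == "__main__":
    link = blind_rst_cost(ASSUMED_WINDOW, ASSUMED_EPHEMERAL_PORTS, 1)
    print(f"link-address session, pair known : {link:,} segments")
    for prefix in ("192.0.2.0/20", "10.0.0.0/8"):     # constructed sample prefixes
        pairs = loopback_pairs(prefix)
        cost = blind_rst_cost(ASSUMED_WINDOW, ASSUMED_EPHEMERAL_PORTS, pairs)
        print(f"loopbacks in {prefix:<13}: {pairs:,} pairs -> {cost:,} segments "
              f"({hardening_factor(prefix):,}x harder)")
```

The factor for a /20 comes out at 16773120, matching the post's "16 million times harder", because the comparison is against a single known ordered pair; if the attacker also has to guess which end of a link-address session holds port 179, the known case costs two pairs and the ratio halves. The window and port factors cancel in the ratio but dominate the absolute cost, which is why the 2004 advisories focused on them (and on TCP MD5 / TTL-based protection) rather than on address secrecy.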