[nsp] bgp vulnerability, just note

Hudson Delbert J Contr 61 CS/SCBN Delbert.Hudson at LOSANGELES.AF.MIL
Wed Apr 21 11:36:53 EDT 2004


hi,

If this thread is in regard to the recently announced attack tools that
manipulate TCP window size and sequence number predictability, the stated
heartburn with this tool is that its DDoS tendencies cause ripples such as
flapping BGP sessions, with the attendant penalty of interior protocols like
EIGRP/OSPF having brain freeze due to SPF and feasible-successor algorithm
execution triggered by expired timers.

Leaving the security of such attacks to the odds that the addressing schema
will isolate it from compromise is security by obscurity.

Loopbacks tend to leave pathing audit trails to the merely casual observer;
so much the better for one who is focused on such events.

The post below seems to miss the essentials that such an individual, once
engaged, would detect. ANY and/or ALL addresses gathered become targets, and
the path to any loopback (remember, it's always up...) leaves a trail of such
addresses. A 'show arp' on any router is a bountiful harvest for a host hunter
looking for a zombie control box planted in a hidden little subnet.

It gets pretty hectic for the poor s.a. who runs afoul of anyone
subverting the routing.

So... patch what needs to be patched until it's time to patch again.

/* piranha */


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alexandre
Snarskii
Sent: Wednesday, April 21, 2004 2:49 AM
To: cisco-nsp at puck.nether.net
Subject: [nsp] bgp vulnerability, just note



Hi!

Most articles concerning 'BGP vulnerability' issues are based
on the fact that an attacker may easily get both addresses of the
session (using traceroute) and at least one port (179),
so it needs to guess just the correct sequence number and the other port.

But that is true only for sessions which are set up using link
addresses (mostly external sessions in my practice). Internal
sessions are often set up using loopback addresses on both sides,
so, as far as loopback addresses are not shown in traceroutes
and are only known to operating staff, they are not so predictable
for any external hacker.

For example, in the minimal RIPE allocated block (a /20) there
may be 2^12*(2^12-1) = 16773120 variants of IP pairs used
for loopbacks, so an attack on such a 'loopbacked' session is
16 million times harder.
And, as the loopback addresses may be assigned not only
using 'public' Internet addresses but also RFC 1918 space,
there are many, many more variants.

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
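The search-space reasoning in both messages, worked through as an added example (my code, written for this page; it is not anything either poster sent). It combines the address-pair count from the second message with the windowed sequence-number guessing the first message alludes to: under RFC 793 a receiver accepts a RST whose sequence number falls anywhere inside its receive window, so an attacker needs one probe per window-sized slice of the 2^32 space rather than one per sequence number. The ephemeral port range (1024-65535), the 16 KiB window and the packet rate are assumed parameters, not values from the thread.

```python
"""
Brute-force effort estimate for a blind TCP RST against a BGP session.

Added example, not posted by either author. Assumptions (labelled):
  - the attacker must hit the right ordered (src, dst) address pair,
    port 179 on one side, an unknown ephemeral port on the other, and
    a sequence number inside the receiver's window (RFC 793 accepts
    any in-window SEQ for a RST, which is what makes the attack cheaper
    than a full 2^32 search);
  - ephemeral port range, window size and packet rate are assumed
    values chosen for illustration; real stacks and links differ.
"""

SEQ_SPACE = 2 ** 32


def address_pairs(prefix_len: int) -> int:
    """Ordered pairs of distinct IPv4 addresses inside one prefix.

    For a /20 this reproduces the thread's 2^12 * (2^12 - 1) figure.
    """
    hosts = 2 ** (32 - prefix_len)
    return hosts * (hosts - 1)


def seq_guesses(window: int) -> int:
    """RST probes needed to sweep the sequence space when any in-window
    SEQ is accepted: one probe per window-sized slice (ceiling division)."""
    return -(-SEQ_SPACE // window)


def attack_packets(addr_pairs: int, ephemeral_ports: int, window: int) -> int:
    """Worst-case probe count: every address pair x every ephemeral port
    x every window slice. The BGP side (179) is fixed, so it adds no factor."""
    return addr_pairs * ephemeral_ports * seq_guesses(window)


def seconds_at(packets: int, pps: int) -> float:
    """Wall-clock time to send the whole sweep at a given packet rate."""
    return packets / pps


def compare(prefix_len: int = 20, ephemeral_ports: int = 64512,
            window: int = 16384, pps: int = 100_000) -> dict:
    """Link-address session (both addresses known from traceroute) versus a
    session between loopbacks located somewhere in the prefix.

    Defaults are assumptions: 1024-65535 ephemeral ports, 16 KiB window,
    100k packets/s attacker.
    """
    known = attack_packets(1, ephemeral_ports, window)
    hidden = attack_packets(address_pairs(prefix_len), ephemeral_ports, window)
    return {
        "known_addresses": known,
        "known_seconds": seconds_at(known, pps),
        "loopbacks_in_prefix": hidden,
        "loopback_seconds": seconds_at(hidden, pps),
        "ratio": hidden // known,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>20}: {value:,}" if isinstance(value, int)
              else f"{key:>20}: {value:,.0f}")
```

The ratio printed is exactly the 16773120 factor the second message computes, but the first message's point is that the address-pair factor collapses back to 1 the moment the loopbacks leak (traceroute toward a loopback, `show arp` on a compromised router, any address gathered from inside the network), leaving only the port and window factors, which are a matter of hours at modest packet rates. The model also counts only a blind sweep; it says nothing about hiding the sweep from the operator, which the first poster notes is its own problem.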

