[nsp] bgp vulnerability, just note

Stephen J. Wilcox steve at telecomplete.co.uk
Thu Apr 22 10:28:18 EDT 2004


Hi Alexandre,
Yes, the issue is mainly going to be eBGP with link addresses.

But you can do it on loopbacks too: most networks allocate loopbacks/link 
addresses etc. from pre-reserved blocks, so find one and you can guess the rest 
(a traceroute will confirm it). As to how to find it, look for the IP blocks 
labelled as infrastructure, and/or go for the lowest/highest /24s in their 
allocation, and/or do some rDNS lookups, which are usually very informative.

Also, if the provider has a looking glass, just 'sh ip bgp sum' and you should get
a complete list of all the iBGP peers...

Steve

-- 
Stephen J. Wilcox
BSc (Hons).  CCIE #10730
Technical Director, Telecomplete
http://www.telecomplete.co.uk/


On Wed, 21 Apr 2004, Alexandre Snarskii wrote:

> 
> Hi!
> 
> Most articles concerning 'bgp vulnerability' issues are based
> on the fact that an attacker may easily get both addresses of the
> session (using traceroute) and at least one port (179),
> so it needs to guess just the correct sequence number and the other port.
> 
> But that is true only for sessions which are set up using link
> addresses (mostly external sessions in my practice). Internal
> sessions are often set up using loopback addresses on both sides,
> so, as loopback addresses are not shown in traceroutes
> and are only known to operating staff, they are not so predictable
> for any external hacker.
> 
> For example, in the minimal RIPE-allocated block (/20) there
> may be 2^12*(2^12-1) = 16773120 variants of IP pairs used
> for loopbacks, so an attack on such a 'loopbacked' session is
> 16 million times harder.
> And, as loopback addresses may be assigned not only
> from 'public' Internet address space but also from RFC 1918 space,
> there are many, many more variants.
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
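The reconnaissance Steve describes (pull 'sh ip bgp sum' from a looking glass, pick out the iBGP peers, and from them infer the pre-reserved infrastructure block the loopbacks come from) can be scripted. The following is an added example written for this page, not code from either poster or from any looking-glass software. It assumes Cisco IOS-style 'show ip bgp summary' output; the sample text is constructed from documentation (RFC 5737) addresses and private AS numbers and does not describe any real network. iBGP peers are identified as neighbours whose AS equals the local AS on the router-identifier line.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of Cisco IOS "show ip bgp summary" output, as a looking
# glass would return it. Addresses are RFC 5737 documentation ranges and the
# AS numbers are private; nothing here refers to a real network.
SAMPLE_BGP_SUMMARY = """\
BGP router identifier 192.0.2.1, local AS number 64496
BGP table version is 1234, main routing table version 1234
10 network entries using 1200 bytes of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.0.2.2       4 64496    1201    1199     1234    0    0 5d01h           1
192.0.2.3       4 64496    1180    1190     1234    0    0 5d01h           1
192.0.2.4       4 64496     980     990     1234    0    0 2d11h           1
198.51.100.9    4 64500    5001    4990     1234    0    0 1d03h       10000
203.0.113.1     4 64501      22      20        0    0    0 00:05:12  Active
"""

# A neighbour row starts with a dotted quad, then BGP version 4, then the
# remote AS; the last column is either a prefix count or a state like Active.
NEIGHBOR_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+4\s+(?P<asn>\d+)\s+.*?\s+(?P<state>\S+)\s*$"
)
LOCAL_AS_RE = re.compile(r"local AS number (\d+)")


def parse_bgp_summary(text):
    """Return (local_as, [(neighbor_ip, remote_as, state_or_pfxrcvd), ...])."""
    local_as = None
    peers = []
    for line in text.splitlines():
        m = LOCAL_AS_RE.search(line)
        if m:
            local_as = int(m.group(1))
            continue
        m = NEIGHBOR_RE.match(line)
        if m:
            peers.append((m.group("ip"), int(m.group("asn")), m.group("state")))
    if local_as is None:
        raise ValueError("no 'local AS number' line found in output")
    return local_as, peers


def ibgp_peers(text):
    """Neighbour addresses whose remote AS equals the local AS (iBGP)."""
    local_as, peers = parse_bgp_summary(text)
    return [ip for ip, asn, _ in peers if asn == local_as]


def infrastructure_block(addrs, prefixlen=24):
    """The /prefixlen that most of the given addresses fall into.

    This is the 'find one and guess the rest' step: iBGP peers are usually
    loopbacks drawn from one reserved block, so the densest /24 is the
    likely infrastructure range."""
    if not addrs:
        raise ValueError("no addresses to classify")
    nets = Counter(
        ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addrs
    )
    net, _ = nets.most_common(1)[0]
    return net


def candidate_loopbacks(text, prefixlen=24):
    """Hosts in the inferred infrastructure block not already seen as peers."""
    seen = set(ibgp_peers(text))
    block = infrastructure_block(sorted(seen), prefixlen)
    return [str(h) for h in block.hosts() if str(h) not in seen]


if __name__ == "__main__":
    local_as, peers = parse_bgp_summary(SAMPLE_BGP_SUMMARY)
    print(f"local AS {local_as}, {len(peers)} neighbours")
    internal = ibgp_peers(SAMPLE_BGP_SUMMARY)
    print("iBGP peers:", internal)
    print("likely infrastructure block:", infrastructure_block(internal))
    print("untested candidates in that block:",
          len(candidate_loopbacks(SAMPLE_BGP_SUMMARY)))
```

On the sample above the three 64496 neighbours are the iBGP peers and 192.0.2.0/24 comes out as the infrastructure block; a real looking glass will also show the router ID itself, which is usually another loopback in the same range. The same parser is the check a defender can run against their own looking glass to see exactly what an outsider learns from it.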
