[nsp-sec] AS Path Forging - Observations from an incident

Stephen Gill gillsr at cymru.com
Thu Jan 8 16:00:54 EST 2009


Do they cover MITM?  Per their spec:

[ ... ]

B. An Intelligent Adversary
We are aware of three ways in which PGBGP's security
could be compromised. First, an adversary could force a
prefix's routes to be withdrawn via a denial-of-service attack
and subsequent announcement of its own route for the same
prefix. In this scenario, PGBGP would select the illegitimate
route because no alternative route for the prefix would exist.
This is no different than what happens with the current BGP.
This case is addressed by sBGP, and PGBGP could potentially
address it as well through the IAR mechanism. A second
vulnerability is created by PGBGP's delay mechanism. If a
bogus route were to pass through the delay phase unnoticed,
it would eventually propagate as occurs with BGP today.
This form of attack is well addressed by the IAR and would
succeed only if operators neglected their IAR notifications.
Finally, a sophisticated attacker could compromise a router
and announce a very short fake route that passes through her
AS but ends at a legitimate origin. This is known as a man-in-the-middle
attack. Although this case is not covered by our current
PGBGP design, we could use PGBGP principles to cover this
kind of attack as well, for example, by treating routes with
anomalous edges as suspicious. This is an important avenue
for future work, even though man-in-the-middle attacks are
still uncommon.

[ ... ]

Cheers,
-- steve


On 1/8/09 12:26 PM, "Hank Nussbacher" <hank at efes.iucc.ac.il> wrote:

> ----------- nsp-security Confidential --------
> 
> On Thu, 8 Jan 2009, Johnson, Ron wrote:
> 
>> Have y'all looked at this:
>> 
>> http://iar.cs.unm.edu/
> 
> I have that, as well as the other 4 contenders.  They send the alarm that
> some as-path has changed but it won't help you spot where the actual
> hijack is located.
> 
> -Hank
> 
>> 
>> I have been subscribed to this service for a couple of years now.
>> 
>> Ron Johnson
>> 
>> 
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net
>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Bill Woodcock
>> Sent: Thursday, January 08, 2009 10:40 AM
>> To: Hank Nussbacher
>> Cc: nsp-security at puck.nether.net
>> Subject: Re: [nsp-sec] AS Path Forging - Observations from an incident
>> 
>> ----------- nsp-security Confidential --------
>> 
>>      On Thu, 8 Jan 2009, Hank Nussbacher wrote:
>>> What if we (nsp-sec) were to create a closed, secret traceroute
>>> mesh so we can check whether a prefix has been hijacked?  This would only be
>>> used when a hijack is taking place and is not useful after the fact.
>> 
>> PCH has this capability presently, on our network of servers.  We have
>> not yet created an API to make it accessible from the outside.  We'd be
>> very interested in hearing what would make it useful to people in the
>> community.
>> 
>>                                -Bill
>> 
>> 
>> 
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>> 
>> Please do not Forward, CC, or BCC this E-mail outside of the
>> nsp-security community. Confidentiality is essential for effective
>> Internet security counter-measures.
>> _______________________________________________
>> 

-- 
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com
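The PGBGP principles quoted above (known origins per prefix, anomalous AS-AS edges as a suspicion signal, and preferring an unsuspicious alternative when one exists) as a small added example; this is constructed illustration code, not code from the thread, from PGBGP or from any of the alarm services mentioned, and every AS number and prefix in it is a made-up sample value.

```python
# Added example: a toy PGBGP-style route classifier. It learns which origin
# ASes and which AS adjacencies have been seen for a prefix, then scores a
# new announcement. An unknown origin is a possible prefix hijack; a known
# origin reached over never-seen edges is the short forged path ending at a
# legitimate origin that the paper says needs anomalous-edge checks.
from collections import defaultdict

class PathHistory:
    def __init__(self):
        self.origins = defaultdict(set)   # prefix -> {origin AS}
        self.edges = set()                # {(as_a, as_b)} adjacencies seen

    def learn(self, prefix, as_path):
        """Record a historical (trusted) route for prefix."""
        self.origins[prefix].add(as_path[-1])
        self.edges.update(zip(as_path, as_path[1:]))

    def classify(self, prefix, as_path):
        """Return (verdict, detail) for a newly announced route."""
        origin = as_path[-1]
        if prefix not in self.origins:
            return ("new-prefix", "no history; treat as suspicious")
        if origin not in self.origins[prefix]:
            return ("suspicious-origin", f"AS{origin} never originated {prefix}")
        unseen = [e for e in zip(as_path, as_path[1:]) if e not in self.edges]
        if unseen:
            return ("anomalous-edge", f"unseen adjacencies {unseen}")
        return ("normal", "origin and all edges previously observed")

    def select(self, prefix, candidates):
        """Prefer a route with no anomalies; fall back to a suspicious one
        only when nothing else exists (the withdraw-then-announce case)."""
        normal = [p for p in candidates if self.classify(prefix, p)[0] == "normal"]
        return (normal or candidates)[0]

def demo():
    hist = PathHistory()
    # constructed history: 192.0.2.0/24 is originated by AS64500 behind
    # transit AS64501; 198.51.100.0/24 is originated by AS64510
    hist.learn("192.0.2.0/24", [64496, 64501, 64500])
    hist.learn("192.0.2.0/24", [64497, 64501, 64500])
    hist.learn("198.51.100.0/24", [64496, 64502, 64510])
    return {
        "legit": hist.classify("192.0.2.0/24", [64497, 64501, 64500])[0],
        # AS64666 originates the victim prefix outright
        "hijack": hist.classify("192.0.2.0/24", [64496, 64666])[0],
        # AS64666 keeps the legitimate origin but splices itself into the path
        "forged": hist.classify("192.0.2.0/24", [64496, 64666, 64500])[0],
    }
```

As Hank notes above, this tells you that a path looks wrong, not where the traffic is actually going; pairing the verdict with traceroutes from several vantage points is what locates the hijack.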
