I was reading some PDF files on BGP along with Routing TCP/IP v2, and I found myself pondering what a nasty damn worm it would be if someone were to do something using WinPcap in conjunction with a worm/virus, and I was a bit confused, disturbed, lost. So I drew up a quick question complete with ASCII, which can be viewed at politrix.org/segment/brat.txt for those who get a distorted diagram... Apologies beforehand if this post seems a bit odd, but I did not see anything similar to a networking 'vuln-dev', and besides, I wouldn't think that anyone here would do something malicious with any idea that actually worked for the worse.

-------------------------------------------------------------
brat.txt

I was thinking about the recent polymorphic Sobig.F worm/virus and wondered about the following hypothetical scenario... Sorry about this ASCIIgram; I didn't want to look for Visio or any other graphics program to do this in, strictly plain text to keep it gritty... So here goes.

Attacker scripts a Sobig.F variant with a virus/worm generator, and uses pcap (packet capture) under Windows to have his worm send out predefined packets. Let's say he created what I call a 'BRAT', a BGP Router Attack Tool. Now this tool isn't something major; it simply sends out two types of packets aimed at routers running BGP. They're both Notification Messages:

=========================================
Packet 1 = BGP NM ERROR CODE 2 SUBCODE 2 |
Packet 2 = BGP NM ERROR CODE 6           |
=========================================

Now we have the hosts' information:

www.targetednap.net (4 interfaces)
    192.168.1.1
    192.168.4.1
    10.10.1.1
    10.10.5.1

VICs:
    nap.maefi.com    Link 1
    nsp.maefee.com   Link 2
    nap.maefo.com    Link 3
    nsp.maefum.com   Link 4

          Link 1        Link 2
               \        /
            -------------------
            |                 |
            | Targetednap.net |
            |                 |
            -------------------
               /        \
          Link 3        Link 4

Script kiddiot sets up his worm/virus to send packets to all VICs as Targetednap, via spoofing using WinPcap.
Given the rate of connections that was mentioned for Sobig.F, what could happen, say, if route dampening were used between the routers? Would penalties keep adding up, making the connection intolerable because of latency, or would it ignore it? Or what could happen, say, if the worm was smart enough to send NLRIs of something like $targetvalue=0? Wouldn't this knock off connections between BRs/ABRs, etc.? Are there any flags one can take to prevent this from occurring? Keep in mind that packet creation is not difficult.

My guess would be, even if someone didn't get all fancy with the packets being sent, a couple of million packets sent with, say:

    ping -l 25000 $VIC as $TARGETEDNAP

would be enough to cause some massive latency, maybe even disconnect a backbone, perhaps? Anyone care to share links on security on this level, if any are available?

=================================================
J. Oquendo
rsvp: segment ... antioffline . com
PGP Fingerprint 39A7 24C6 A9A0 6C67 96CA 0302 F1D3 2420 851E E3D0
http://www.politrix.org
http://www.antioffline.com
=================================================
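As an added example (not part of the post above, and not code from its author), the following encodes and decodes the two BGP NOTIFICATION messages the post describes, using the wire format and error-code tables of RFC 4271 section 4.5 (Cease subcodes from RFC 4486): error code 2 subcode 2 is "OPEN Message Error / Bad Peer AS", and error code 6 is "Cease". Per RFC 4271, a speaker closes the BGP connection immediately after sending or receiving a NOTIFICATION, which is why the post treats these two packets as session-killers. The parser also shows the checks a receiver makes before acting on such a message: all-ones marker, declared length matching the octets received and not above 4096, and type 3. Only the BGP layer is modelled; the TCP segment that would carry it (ports, sequence numbers, the established session) is out of scope. Leaving the NOTIFICATION data field empty is an assumption; the post does not say what, if anything, it would carry.

```python
"""Encode and decode BGP NOTIFICATION messages (RFC 4271, section 4.5).

Added example; not from the original post. Models the BGP layer only.
"""
import struct

MARKER = b"\xff" * 16       # 16 octets of all ones (RFC 4271, section 4.1)
HEADER_LEN = 19             # marker(16) + length(2) + type(1)
MAX_MSG_LEN = 4096          # maximum BGP message size
TYPE_NOTIFICATION = 3

# Error codes (RFC 4271) and the subcodes relevant to the post.
ERROR_CODES = {
    1: "Message Header Error",
    2: "OPEN Message Error",
    3: "UPDATE Message Error",
    4: "Hold Timer Expired",
    5: "Finite State Machine Error",
    6: "Cease",
}
ERROR_SUBCODES = {
    1: {1: "Connection Not Synchronized", 2: "Bad Message Length",
        3: "Bad Message Type"},
    2: {1: "Unsupported Version Number", 2: "Bad Peer AS",
        3: "Bad BGP Identifier", 4: "Unsupported Optional Parameter",
        6: "Unacceptable Hold Time"},
    # Cease subcodes are defined in RFC 4486, not RFC 4271.
    6: {1: "Maximum Number of Prefixes Reached", 2: "Administrative Shutdown",
        3: "Peer De-configured", 4: "Administrative Reset",
        5: "Connection Rejected", 6: "Other Configuration Change",
        7: "Connection Collision Resolution", 8: "Out of Resources"},
}


def build_notification(error_code: int, error_subcode: int = 0,
                       data: bytes = b"") -> bytes:
    """Return a complete BGP NOTIFICATION message (header + code + subcode + data)."""
    body = struct.pack("!BB", error_code, error_subcode) + data
    length = HEADER_LEN + len(body)
    if length > MAX_MSG_LEN:
        raise ValueError("NOTIFICATION exceeds %d octets" % MAX_MSG_LEN)
    return MARKER + struct.pack("!HB", length, TYPE_NOTIFICATION) + body


def parse_notification(msg: bytes) -> dict:
    """Validate the header and decode a NOTIFICATION; raise ValueError if malformed.

    A NOTIFICATION is at least 21 octets: the 19-octet header plus code and subcode.
    """
    if len(msg) < HEADER_LEN + 2:
        raise ValueError("message too short for a NOTIFICATION")
    marker = msg[:16]
    (length,) = struct.unpack("!H", msg[16:18])
    msg_type = msg[18]
    if marker != MARKER:
        raise ValueError("bad marker: connection not synchronized")
    if length != len(msg) or length > MAX_MSG_LEN:
        raise ValueError("bad message length %d" % length)
    if msg_type != TYPE_NOTIFICATION:
        raise ValueError("not a NOTIFICATION (type %d)" % msg_type)
    code, subcode = msg[19], msg[20]
    if subcode == 0:
        subcode_name = "Unspecified"
    else:
        subcode_name = ERROR_SUBCODES.get(code, {}).get(subcode, "Unknown (%d)" % subcode)
    return {
        "code": code,
        "subcode": subcode,
        "code_name": ERROR_CODES.get(code, "Unknown (%d)" % code),
        "subcode_name": subcode_name,
        "data": msg[21:],   # empty data field is an assumption, see lead-in
    }


def brat_packets() -> list:
    """The two messages the post calls Packet 1 and Packet 2, decoded for inspection."""
    packets = [
        build_notification(2, 2),   # Packet 1: OPEN Message Error / Bad Peer AS
        build_notification(6),      # Packet 2: Cease, no subcode
    ]
    return [parse_notification(p) for p in packets]


if __name__ == "__main__":
    for raw in (build_notification(2, 2), build_notification(6)):
        d = parse_notification(raw)
        print("%s -> %s / %s" % (raw.hex(), d["code_name"], d["subcode_name"]))
```

Each message is 21 octets: sixteen 0xff marker bytes, the length 0x0015, type 0x03, then the code and subcode. The parser rejects a wrong marker or a length that does not match the bytes actually received, which is the first thing a real speaker checks before it tears down a session on the strength of a NOTIFICATION.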