On Mon, 12 Aug 2002 dylan@juniper.net wrote:

:Of the problems folks have run into, are they more often the result of a
:legitimate speaker being compromised & playing with advertisements
:somehow (and getting through filters that may or may not be present), or
:from devices actually spoofing their way into the IGP/EGP? Are there
:any specific attacks anyone is aware of & can share?

My first pointer would be to the Phrack article "Things to do in Ciscoland when you are Dead". While this is not routing protocol specific, it's more about fun that can be had with tunneling traffic from a compromised network.

The next would be someone taking advantage of poorly configured EGP that blindly redistributed information from the IGP. An example of this would be a big provider a few years ago whose OSPF core was accepting unauthenticated RIP from the dial pool and redistributing it into BGP. Teehee.

Another issue would be vendors who don't fully implement the authentication features of a protocol. It's probably time for an audit of BGP implementations to see if anyone hasn't implemented anything other than Null as an authentication method.

Tim Newsham's paper called "The Problem With Random Increments" about random TCP ISNs from last year could have been cause for ugliness if Cisco hadn't fixed their ISN generators. However, it is possible that other vendors are still vulnerable (routers based on old BSD or VxWorks code) to this. He demonstrated that it was still practically possible to insert data into a TCP stream because ISN generation based on random increments wasn't sufficiently random to make it secure against sequence number guessing.

I recently got a frantic call from an associate asking me how to respond to an ex-peer who was making hostile announcements of his routes. They were announcing his netblocks to any of their peers that would listen, but had them blackholed over some disagreement. I said if they won't listen to you, have your lawyer get them on the phone. :)

So, as far as attacks against protocols themselves, they are really more to do with the underlying network/session protocols (UDP, TCP, OSPF, ICMP, IGMP) and would depend on a lack of session state keeping and authentication being implemented in the way the routing protocol manages its sessions. Otherwise, it's an issue of attacks against the routers, which can be categorized as run-of-the-mill application/daemon attacks like format string and overflow attacks. I am not aware of any of these specifically, however, it is not hard to imagine where one would look for them, as routing daemons are like any other daemon, running on any old OS, on any old host.

The short term solution would be routers that denied all layer-3 traffic destined to it by default (passing it to elsewhere) and only accepted traffic from specifically configured peers. (Type Enforcement(tm) on interfaces anyone?) Routers should be shipped in a state that is functionally inert to packets on layer 3.

Alas..

-- 
batz
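The "deny everything addressed to the router unless it comes from a configured peer" policy proposed at the end of the message, as an added example that is not part of the original post or any vendor's code: transit traffic passes untouched, while packets whose destination is one of the router's own addresses are accepted only for a configured BGP peer, an OSPF-enabled link, or the management network, and are otherwise dropped. All addresses, peers and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp", "ospf" or "icmp"
    dport: int = 0  # destination port for tcp/udp, 0 otherwise

# Constructed control-plane policy for a hypothetical router.
ROUTER_ADDRS = {"192.0.2.1", "198.51.100.1", "10.0.0.1"}   # router's own addresses
BGP_PEERS = {"192.0.2.2", "198.51.100.9"}                  # explicitly configured neighbours
OSPF_LINKS = [ipaddress.ip_network("10.0.0.0/30")]         # links where OSPF is enabled
MGMT_NET = ipaddress.ip_network("203.0.113.0/24")          # operator network, ICMP only

def classify(pkt: Packet):
    """Return (verdict, reason); verdict is 'transit', 'accept' or 'drop'.

    Simplification: BGP is matched on the well-known port only; a real
    filter also matches the peer's ephemeral side of the session."""
    if pkt.dst not in ROUTER_ADDRS:
        return "transit", "not addressed to the router, forwarded as usual"
    src = ipaddress.ip_address(pkt.src)
    if pkt.proto == "tcp" and pkt.dport == 179:
        if pkt.src in BGP_PEERS:
            return "accept", "BGP from configured peer"
        return "drop", "BGP from unconfigured source"
    if pkt.proto == "ospf":
        if any(src in link for link in OSPF_LINKS):
            return "accept", "OSPF from enabled link"
        return "drop", "OSPF from non-adjacent source"
    if pkt.proto == "icmp" and src in MGMT_NET:
        return "accept", "ICMP from management network"
    # Anything else aimed at the router itself (RIP, unknown TCP ports,
    # stray UDP) hits the default deny: the router is inert at layer 3.
    return "drop", "default deny for traffic destined to the router"

def audit(packets):
    """Apply the policy to a batch and return {verdict: count}."""
    counts = {"transit": 0, "accept": 0, "drop": 0}
    for pkt in packets:
        verdict, reason = classify(pkt)
        counts[verdict] += 1
        print(f"{verdict:8} {pkt.src:>15} -> {pkt.dst:<15} {pkt.proto}/{pkt.dport}: {reason}")
    return counts

SAMPLE = [  # constructed traffic, including the "RIP from the dial pool" case above
    Packet("192.0.2.2", "192.0.2.1", "tcp", 179),     # configured eBGP peer
    Packet("192.0.2.77", "192.0.2.1", "tcp", 179),    # unconfigured source talking BGP
    Packet("10.0.0.2", "10.0.0.1", "ospf"),           # OSPF neighbour on enabled link
    Packet("172.16.5.5", "198.51.100.1", "udp", 520), # unauthenticated RIP from dial pool
    Packet("203.0.113.10", "192.0.2.1", "icmp"),      # operator ping
    Packet("8.8.8.8", "203.0.113.40", "tcp", 443),    # transit traffic, not for the router
]
```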