On Apr 20, 2004, at 11:09 PM, David Luyer wrote:
You missed the "(assuming the attacker can accurately guess both ports)" part.
This is BY NO MEANS a given. In fact, it is pretty much guaranteed to not be a given on any router which has not recently been rebooted. (Or at least that the attacker doesn't know has been recently rebooted. :)
A significant number of BGP sessions will be with a source port of 11000, 11001 or 11002; BGP sessions are generally quite stable and Cisco routers start the source port at 11000. So attackers could cause enough disruption just targeting these three source ports. The other thing the attacker has to guess is which router established the BGP session. As to IPs which sessions exist on, they can guess from traceroute each inter-provider hop.
Really? I certainly hope an attacker tries those three ports on a router I know about. Looking at a random cisco router at a random NAP with a significant number of peers, there are a total of zero session on those ports. Wow, this attack is even easier to avoid than I thought! Thanx for proving my point....
Answering another poster's concern about DoS risk... TCP MD5 is not a significant DoS risk as you only MD5 once the source, destination, sequence, etc are valid - ie. you only MD5 a packet which would already have broken your BGP session! [*]
Interestingly, cisco confirmed to me the sequence number was not checked until after the MD5 signature was checked. Again, thanx for proving my point. You really must post more often.
Worse than breaking the session, I'm told by people who have tested in labs that they could typically break BGP sessions in under half an hour, which then caused flapping and dampening of the routes if the attack was repeated. So the risk is not just the occasional BGP session flap, it's a frequent enough flap that your routes can be dampened.
I would love to see these results, as I am interested in the methodolofy. For instance, did they turn on a lab router, configure some new BGP sessions, then attack it? Notice that both Richard and I repeatedly say "for a router which has not recently been rebooted". Of *course* it will be easy when you set things up like that. Even granting the results, flapping a BGP session once per half hour is far from the worst thing 10 Kpps can do on the Internet. In fact, it is probably the *least* damaging thing I have heard miscreants do with 10 Kpss.
So, you're best to implement TCP MD5 on your BGP sessions.
Many people also report taking entire routers down in far less than 30 minutes with 10 Kpps of MD5 signed packets if MD5 is turned on. So I am not sure why this is better - sorry, best - than flapping a session every half hour. Guess we did not agree on this one. I really think flapping a session every 30 minutes (if it really only takes that long) is not better than killing a whole router in far less time.
With an up to date IOS, if you both implement the password within about a second, the BGP session doesn't even flap to implement the password. Older IOS (12.1) resets the BGP session as a password is set. Other vendors vary.
And how do you track a thousand passwords? Okay, maybe that is not too hard. But how do you guarantee a thousand peers will never screw up and forget, lose, fat-finger, etc. a single one of them? This one I would really like to know, 'cause I sure as hell can't figure it out.
[*] in any reasonable implementation. it is possible some old implementation does this wrong, though.
Guess IOS counts as both old and unreasonable. I buy that. Again with the agreement! Well, three out of four ain't bad. :) -- TTFN patrick