On 11/13/11 3:58 PM, Jason Lewis wrote:
People keep pointing to this as unlikely. I argue that spammers are currently doing this all over the world, maybe not as widespread with 1918 space. If I can announce 1918 space to an ISP where my target is...it doesn't matter if everyone else ignores or drops it. The ISP allowed it, so all their customers will route the traffic. I still think it's a valid attack vector, discounting it because people would laugh at me, seems like a poor security posture.
It would be your target announcing the RFC1918 space, so the security risk would be if his ISP, your ISP and all of the intermediate peering/transit links were to honor those announcements and route the traffic to the target. Possible, and it has probably happened at some point, but not likely. The closer you're logically to your target the more likely such an attack would succeed.

I certainly don't recommend announcing RFC1918 space to the public Internet. Doing so is a bad thing. If you do so there is indeed a non-zero chance that someone close enough to you could connect to your network and do damage. Announcing RFC1918 space is less likely to route very far than announcing public space that isn't allocated to you, however. That's what the spammers all over the world are doing.

In terms of security, most every SCADA system, as others have pointed out, should not be connected to the public Internet AT ALL. In this case it really doesn't matter what addressing scheme is used. Use Novell IPX or Appletalk if you want. Or MODBUS.

If, however, it is using IPv4, RFC1918 space in a different subnet than anything used internally within the organization is a better choice than any public space or subnets of RFC1918 space in use within the organization. This offers a degree of protection against mis-cabling and other accidental or malicious vectors that could allow other networks to communicate with the SCADA network.

It would probably be best if the SCADA hardware vendors were to ship their gear with no IP addresses pre-programmed at all, as well as preventing them from being configured until any default passwords are changed. Similarly, they should educate their installation contractors about such things.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
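The two defensive points in Jay's reply, rejecting RFC1918 and other bogon prefixes at the ISP edge (more-specifics included, since a /22 carved out of 192.168.0.0/16 is just as bogus as the /16) and checking that a candidate SCADA subnet does not overlap anything already used internally, can both be illustrated with the standard `ipaddress` module. This is an added example, not code from the thread or from any of the posters; the bogon list is deliberately short and not exhaustive, the announcements and internal subnets are constructed sample data, and the ASNs and "public" prefixes come from the documentation ranges.

```python
import ipaddress

# Address space that should never be accepted from, or announced to, an external
# BGP peer: RFC 1918 private space plus a few well-known bogons. Constructed for
# this example; a production bogon list is longer and maintained from an
# authoritative source.
BOGON_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("224.0.0.0/4"),
]

# Constructed sample of (peer ASN, announced prefix) pairs as an edge router
# might receive them. ASNs are from the documentation range; 198.51.100.0/24
# stands in for a legitimately allocated public prefix.
SAMPLE_ANNOUNCEMENTS = [
    (64496, "198.51.100.0/24"),   # public space, should be accepted
    (64496, "10.20.30.0/24"),     # more-specific of 10.0.0.0/8
    (64497, "192.168.100.0/22"),  # more-specific of 192.168.0.0/16
    (64497, "172.32.0.0/16"),     # just outside 172.16.0.0/12, accepted
]


def is_bogon(prefix):
    """True if prefix equals or lies inside any bogon range (more-specifics count)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(b) for b in BOGON_PREFIXES if b.version == net.version)


def filter_announcements(announcements):
    """Split received announcements into (accepted, rejected) lists.

    Rejected entries are the ones an inbound prefix filter should drop so that
    RFC1918 space announced by a peer never enters the routing table.
    """
    accepted, rejected = [], []
    for peer_as, prefix in announcements:
        (rejected if is_bogon(prefix) else accepted).append((peer_as, prefix))
    return accepted, rejected


def overlaps_internal(candidate, internal_subnets):
    """Return the internal subnets that a candidate SCADA subnet overlaps.

    An empty result means the candidate is disjoint from everything already in
    use, which is the property the reply recommends for an isolated SCADA net.
    """
    cand = ipaddress.ip_network(candidate, strict=False)
    return [s for s in internal_subnets
            if cand.overlaps(ipaddress.ip_network(s, strict=False))]


if __name__ == "__main__":
    accepted, rejected = filter_announcements(SAMPLE_ANNOUNCEMENTS)
    for peer_as, prefix in rejected:
        print(f"reject AS{peer_as} {prefix}: bogon/RFC1918")
    for peer_as, prefix in accepted:
        print(f"accept AS{peer_as} {prefix}")
    # Constructed corporate address plan; 10.250.0.0/16 collides with it,
    # 172.20.0.0/16 does not.
    corporate = ["10.0.0.0/8", "192.168.0.0/24"]
    for cand in ("10.250.0.0/16", "172.20.0.0/16"):
        print(cand, "overlaps", overlaps_internal(cand, corporate) or "nothing")
```

The `subnet_of` check is what catches more-specifics: a filter that only matched the exact RFC1918 prefixes would wave through 192.168.100.0/22, which is the shape a targeted announcement would actually take. The 172.32.0.0/16 entry is there to show the boundary of 172.16.0.0/12 being handled correctly.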