RE: Cisco vulnerability and dangerous filtering techniques

It could poll different looking glasses...
-----Original Message-----
From: alex@yuriev.com [mailto:alex@yuriev.com]
Sent: Tuesday, July 22, 2003 4:01 PM
To: Austad, Jay
Cc: nanog@merit.edu
Subject: RE: Cisco vulnerability and dangerous filtering techniques
I was thinking about this the other day. The most efficient way to make this work would be to spread using some vulnerability (like the Microsoft DCOM vulnerability released last week), and then at a predetermined time, start DoS'ing routers in the IP space of major providers, and then work your way towards the "edges."
Pray tell, the virus will also get BGP feeds to determine where the edges are?
Alex

Just a handful of traceroutes would give it enough information to start at a major backbone and work back towards itself.
-SW
It could poll different looking glasses...
-----Original Message-----
From: alex@yuriev.com [mailto:alex@yuriev.com]
Sent: Tuesday, July 22, 2003 4:01 PM
To: Austad, Jay
Cc: nanog@merit.edu
Subject: RE: Cisco vulnerability and dangerous filtering techniques
I was thinking about this the other day. The most efficient way to make this work would be to spread using some vulnerability (like the Microsoft DCOM vulnerability released last week), and then at a predetermined time, start DoS'ing routers in the IP space of major providers, and then work your way towards the "edges."
Pray tell, the virus will also get BGP feeds to determine where the edges are?
Alex

Just a handful of traceroutes would give it enough information to start at a major backbone and work back towards itself.
I guess all folks with Ph.D. at Akamai really are paid for nothing if a virus could calculate that with a few traceroutes.
Alex

On Tue, 22 Jul 2003 17:51:20 EDT, alex@yuriev.com said:
I guess all folks with Ph.D. at Akamai really are paid for nothing if a virus could calculate that with a few traceroutes.
It's actually pretty easy if you get 20K distributed zombies doing the traceroutes and then distributing the data to each other. Given that data, it's pretty easy to compute the graph - every router running BGP has to do similar. :) The Akamai problem is how to do it *without* having 20K boxes doing traceroutes. ;)
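Valdis's scenario above, looked at from the operator's side: the following is an added example (not code from this thread or from any NANOG participant) that scans flow records for many distinct hosts sending low-TTL probes at one address inside a short window, which is roughly what a coordinated traceroute sweep looks like in NetFlow-style data. The line format, the TTL threshold, the window size and the sample addresses are all assumptions constructed for the example.

```python
"""Detection sketch: spotting a distributed traceroute sweep in flow records.

Added example for this thread; it is not code from any NANOG participant.
Assumptions (constructed for the example): flow records are exported as
whitespace-separated lines "ts src dst proto ttl pkts", where ttl is the IP
TTL of the flow's first packet. Traceroute probes start at TTL 1 and walk
upward, so many distinct sources sending low-TTL packets toward the same
address in a short window is the signal this looks for.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int       # export timestamp, seconds since the epoch
    src: str
    dst: str
    proto: str    # "udp", "icmp" or "tcp"
    ttl: int      # IP TTL of the first packet in the flow
    pkts: int


# Constructed sample records (not real traffic). Six different hosts walk
# TTL 1..6 toward 203.0.113.1 within a few seconds; 192.0.2.30 runs a lone
# traceroute toward 198.51.100.9; the rest is ordinary traffic.
SAMPLE_LOG = """\
1058903000 192.0.2.10 203.0.113.1 udp 1 3
1058903001 192.0.2.11 203.0.113.1 udp 2 3
1058903002 192.0.2.12 203.0.113.1 udp 3 3
1058903003 192.0.2.13 203.0.113.1 icmp 4 3
1058903004 192.0.2.14 203.0.113.1 udp 5 3
1058903005 192.0.2.15 203.0.113.1 udp 6 3
1058903006 192.0.2.20 203.0.113.1 tcp 64 40
1058903007 192.0.2.21 203.0.113.1 udp 128 12
1058903008 192.0.2.30 198.51.100.9 udp 1 3
1058903009 192.0.2.30 198.51.100.9 udp 2 3
1058903010 192.0.2.30 198.51.100.9 udp 3 3
"""


def parse_flows(text):
    """Parse the constructed line format into Flow records, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        ts, src, dst, proto, ttl, pkts = fields
        flows.append(Flow(int(ts), src, dst, proto.lower(), int(ttl), int(pkts)))
    return flows


def is_probe(flow, max_ttl=8):
    """A traceroute-style probe: UDP or ICMP with a deliberately small TTL."""
    return flow.proto in ("udp", "icmp") and flow.ttl <= max_ttl


def detect_distributed_probing(flows, window=60, min_sources=5, max_ttl=8):
    """Return {dst: {"sources": n, "ttl_range": (lo, hi)}} for every
    destination that received low-TTL probes from at least min_sources
    distinct hosts inside one fixed bucket of `window` seconds."""
    seen = defaultdict(lambda: {"sources": set(), "ttls": []})
    for f in flows:
        if not is_probe(f, max_ttl):
            continue
        key = (f.dst, f.ts // window)          # fixed time buckets, per destination
        seen[key]["sources"].add(f.src)
        seen[key]["ttls"].append(f.ttl)

    alerts = {}
    for (dst, _bucket), info in seen.items():
        n = len(info["sources"])
        if n < min_sources:
            continue
        # keep the busiest bucket if a destination triggers more than once
        if dst not in alerts or n > alerts[dst]["sources"]:
            alerts[dst] = {"sources": n,
                           "ttl_range": (min(info["ttls"]), max(info["ttls"]))}
    return alerts


if __name__ == "__main__":
    for dst, info in detect_distributed_probing(parse_flows(SAMPLE_LOG)).items():
        lo, hi = info["ttl_range"]
        print(f"{dst}: {info['sources']} distinct sources walking TTL {lo}..{hi}")
```

With the sample data only 203.0.113.1 trips the default threshold; the single host tracerouting 198.51.100.9 does not, which is the point of counting distinct sources rather than probe packets. Whether a flow exporter records the TTL at all varies by vendor, so the field is an assumption to check before relying on this signal.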

On Tue, Jul 22, 2003 at 05:53:45PM -0400, Valdis.Kletnieks@vt.edu wrote:
On Tue, 22 Jul 2003 17:51:20 EDT, alex@yuriev.com said:
I guess all folks with Ph.D. at Akamai really are paid for nothing if a virus could calculate that with a few traceroutes.
It's actually pretty easy if you get 20K distributed zombies doing the traceroutes and then distributing the data to each other. Given that data, it's pretty easy to compute the graph - every router running BGP has to do similar. :)
Sounds like said virus implementor should go into the optimized routing business. Personally I'm gonna call bullshit on that one until I see it done.
The Akamai problem is how to do it *without* having 20K boxes doing traceroutes. ;)
How many boxes does Akamai have? :)
--
Richard A Steenbergen <ras@e-gerbil.net>  http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

On Wednesday, July 23, 2003 01:59 -0400, Richard A Steenbergen <ras@e-gerbil.net> supposedly wrote:
On Tue, Jul 22, 2003 at 05:53:45PM -0400, Valdis.Kletnieks@vt.edu wrote:
On Tue, 22 Jul 2003 17:51:20 EDT, alex@yuriev.com said:
I guess all folks with Ph.D. at Akamai really are paid for nothing if a virus could calculate that with a few traceroutes.
Let's hope not. :)
It's actually pretty easy if you get 20K distributed zombies doing the traceroutes and then distributing the data to each other. Given that data, it's pretty easy to compute the graph - every router running BGP has to do similar. :)
I am not sure why you would even need "a few" traceroutes. Why not just load the virus with, say, the top 10 or 100 ASes, then use one of those kewlio traceroute programs that give you AS info. Do *one* or maybe a couple traceroutes, hit the last big AS in the list, and work your way back home.
Sounds like said virus implementor should go into the optimized routing business. Personally I'm gonna call bullshit on that one until I see it done.
No comment. :)
The Akamai problem is how to do it *without* having 20K boxes doing traceroutes. ;)
How many boxes does Akamai have? :)
Last press release was a little over 15K boxes in over 1100 networks in 66 countries. But I would not call them zombies. Is that more or less distributed than your typical 'bot-net?
--
TTFN,
patrick

Pray tell, the virus will also get BGP feeds to determine where the edges are?
It could poll different looking glasses...
And I could be the Pope... How many thousands of "polls" do you think a looking glass can handle simultaneously? I am all for the doomsday scenarios, but let's make them a little bit less sci-fi, shall we? How about "it would create valid looking OSPF packets with garbage in them?" or "create valid looking STP packets"?
Alex

On Tue, 22 Jul 2003 17:50:17 EDT, alex@yuriev.com said:
How many thousands of "polls" do you think a looking glass can handle simultaneously? I am all for the doomsday scenarios, but let's make them a little bit less sci-fi, shall we? How about "it would create valid looking OSPF packets with garbage in them?" or "create valid looking STP packets"?
Why would thousands be needed? We already *know* that the bad guys are *well* acquainted with using P2P networks for controlling zombies. There's no reason a few strategic queries won't provide a good first approximation, which can then be distributed. Remember - it doesn't have to be perfect to cause a problem. ;) And no, there's no reason they can't create poison OSPF or STP packets.
participants (6)
- alex@yuriev.com
- Austad, Jay
- Patrick W. Gilmore
- Richard A Steenbergen
- Steve
- Valdis.Kletnieks@vt.edu