Hi NANOG folks,

I read an IEEE(?) draft on Secure BGP a short time ago, a draft which discussed using a PKI to prove that a netblock was reachable through a given provider. There were several other concepts in the document relating to actual vulnerabilities in BGP. Most of them looked valid. My questions become:

a) Has there ever been a published man-in-the-middle attack of someone using BGP to affect someone else's network?
b) Does anyone know of other groups that are focusing on developing new ways of combating the vulnerabilities?

Brgds,
T
On Sat, 16 Sep 2000, Timothy Brown wrote:
:
:a) Has there ever been a published man-in-the-middle attack of someone using
: BGP to affect someone else's network?
:b) Does anyone know of other groups that are focusing on developing new ways
: of combating the vulnerabilities?

You won't see much of this in the wild. Some route spoofing, using an unauthenticated IGP, that gets redistributed into BGP has been known to happen occasionally though. Insertion attacks against BGP are difficult because the sessions tend to be over a single physical wire between peers. Sniffing the TCP session using something like 'hunt' and then doing insertion would require control of an intermediate switch between peers (which has also been known to happen).

If you are interested in other attacks against BGP, please see http://www.blackhat.com/html/bh-usa-99/bh3-speakers.html and look for the BGP talk. In hindsight, I think there are a couple of technical errors, but you'll get the idea. Jeremy Rauch from SecurityFocus.com has a presentation in more recent Blackhat conferences about routing protocols in general.

I also noticed that Internet Routing Architectures, Second Edition, published this year, provides remedies to the problems I brought up in this presentation. They weren't anything really new, but they were new for many folks in the security biz. Thus I'm not terribly offended at not being mentioned as a reference in the new edition ;) (would have been nice tho)

Most of the security problems affecting BGP peers are IGP redistribution (inward and outward), community configuration, and little in the way of implemented authentication by most vendors at the time. The biggest problems are bad filtering or a lack of proper filtering, and people still doing simple as_path based filtering and not filtering by specific prefix/len.

--
batz
Chief Reverse Engineer
Superficial Intelligence Research
Defective Technologies
On Sat, 16 Sep 2000, Timothy Brown wrote:
:
:a) Has there ever been a published man-in-the-middle attack of someone using
: BGP to affect someone else's network?
:b) Does anyone know of other groups that are focusing on developing new ways
: of combating the vulnerabilities?

Have you ever noticed there aren't a whole lot of major IRC servers on cw.net? (I said not a whole lot, not none.) There is a reason for this: cw.net's filtering leaves something to be desired; you can advertise almost any AS to them and they will accept it. This could be used for DoS quite easily and has been for some time now. Blackhole attacks. But who wants to advertise an entire AS? If you peer with cw.net, or most anyone for that matter, you can advertise a nice little /25 on their network, creating a blackhole for the amount of time you need it. This is one of the most common attacks there are. Major backbones will give major customers full routing and advertisements across their networks. (I've seen it happen, and still have it happen.)

--
Dave McKay
dave@sneakerz.org
Network Engineer - Google Inc.
On Tue, Sep 19, 2000 at 03:03:53PM -0500, Dave McKay wrote:
: Have you ever noticed there aren't a whole lot of major IRC servers on cw.net? (I said not a whole lot, not none.)
: There is a reason for this: cw.net's filtering leaves something to be desired; you can advertise almost any AS
: to them and they will accept it. This could be used for DoS quite easily and has been for some time now.
: Blackhole attacks. But who wants to advertise an entire AS? If you peer with cw.net, or most anyone for that
: matter, you can advertise a nice little /25 on their network, creating a blackhole for the amount of time you
: need it. This is one of the most common attacks there are. Major backbones will give major customers full
: routing and advertisements across their networks. (I've seen it happen, and still have it happen.)

Anyone who peers with a tier 1, particularly other tier 1s, is not easily filtered. I know for a fact (having done recent turnups) that they do filter per-prefix on their downstream customers running BGP.

--msa
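As an added example that is not part of this thread (and not any router vendor's configuration syntax), the following Python script simulates the two filtering styles the thread contrasts: the AS_PATH-only filter batz mentions, which accepts the stray /25 Dave describes as long as the path looks like the customer's, versus the per-prefix/len filter Majdi says tier 1s apply to downstream customers. The customer ASN, prefix blocks and sample UPDATEs are constructed from RFC 5737 documentation space and a private ASN; the rule format (block plus a maximum prefix length) is an assumption modelled on a typical prefix-list "le" entry.

```python
"""Added example, not from the NANOG thread: compare AS_PATH-only filtering of a
customer's BGP announcements with per-prefix/len filtering. All data is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    """One eBGP UPDATE, reduced to what the two filters look at."""
    prefix: str      # NLRI, e.g. "192.0.2.0/24"
    as_path: tuple   # AS_PATH; leftmost ASN is the directly connected neighbor


@dataclass(frozen=True)
class PrefixRule:
    """One prefix-list entry (assumed format): permit prefixes inside `block`
    whose length is at most `max_len`, like a 'permit 192.0.2.0/24 le 24' line."""
    block: str
    max_len: int


def as_path_filter(update: Update, customer_asns: set) -> bool:
    """AS_PATH-only policy (the '^65001$'-style regex filter).
    Accepts any NLRI at all as long as every ASN in the path belongs to the
    customer; the announced prefix is never inspected."""
    return len(update.as_path) > 0 and all(asn in customer_asns for asn in update.as_path)


def prefix_filter(update: Update, rules: list) -> bool:
    """Per-prefix/len policy. The NLRI must sit inside a registered block and
    must not be more specific than that block's rule allows, so a /25 carved
    out of someone else's space, or a deaggregation beyond policy, is dropped."""
    net = ipaddress.ip_network(update.prefix, strict=True)
    for rule in rules:
        block = ipaddress.ip_network(rule.block)
        if net.version != block.version:
            continue  # subnet_of() raises on mixed IPv4/IPv6, so skip instead
        if net.subnet_of(block) and net.prefixlen <= rule.max_len:
            return True
    return False


def evaluate(update: Update, customer_asns: set, rules: list) -> tuple:
    """Return (as_path_verdict, prefix_verdict) so both policies can be compared."""
    return (as_path_filter(update, customer_asns), prefix_filter(update, rules))


# Constructed policy: customer AS 65001 is registered for 192.0.2.0/24 and may
# announce it whole, but nothing longer than /24 and nothing outside it.
CUSTOMER_ASNS = {65001}
CUSTOMER_RULES = [PrefixRule("192.0.2.0/24", 24)]

# Constructed sample announcements seen on the customer session.
SAMPLE_UPDATES = {
    "legit": Update("192.0.2.0/24", (65001,)),
    # The blackhole from the thread: a /25 of space the customer does not hold.
    "foreign_slash25": Update("203.0.113.0/25", (65001,)),
    # Deaggregating the customer's own block beyond what the rule permits.
    "own_more_specific": Update("192.0.2.0/25", (65001,)),
    # A route leaked from a third AS behind the customer.
    "leaked_transit": Update("198.51.100.0/24", (65001, 65002)),
}


def run_samples() -> dict:
    """Evaluate every constructed sample under both policies."""
    return {name: evaluate(u, CUSTOMER_ASNS, CUSTOMER_RULES)
            for name, u in SAMPLE_UPDATES.items()}


if __name__ == "__main__":
    for name, (by_path, by_prefix) in run_samples().items():
        print(f"{name:18s} as_path_filter={by_path!s:5} prefix_filter={by_prefix}")
```

Run it and the two middle cases are the point: the /25 of foreign space and the over-specific /25 of the customer's own block both pass the AS_PATH-only filter (the path is just the customer's ASN, exactly what the regex expects) and both fail the per-prefix/len filter. The leaked route fails both only because a second ASN shows up in the path; with AS_PATH prepending or a stripped path it would have sailed through the first filter as well, which is why the per-prefix check is the one that actually protects the rest of the network.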