RE: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s)

This attack will work very well until the victim starts advertising its prefix. The victim may not notice the fake advertisement because the fake advertisement will not reach the victim AS due to AS-path loop checking. So potential victims must advertise all prefixes that they register in RPKI or subscribe to an Internet monitoring service to detect the fake advertisements. And don't forget maxlen. You must advertise in BGP every prefix covered by maxlen.

Regards,
Jakob.

-----Original Message-----
From: Saku Ytti <saku@ytti.fi>

On Tue, 24 May 2022 at 11:23, Max Tulyev <maxtul@netassist.ua> wrote:
> To make a working hijack of the routed prefix (for sniffing traffic, DDoS or something similar), you have to announce more specific prefix(es). It can be denied by RPKI.
> If your signed RPKI prefix is still unannounced - yes, somebody can hijack it by forging the origin ASN - that's quite easy.

This axiomatically assumes first come, first served, which is obviously not a complete understanding of the BGP best path algorithm.

--
++ytti
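One way to audit the maxlen point above, as an added example that is not code from anyone in this thread: an RFC 6811 origin-validation check plus a routine that lists every prefix a ROA's maxlen makes "valid" but that the holder does not actually announce. The ROAs and announcements are constructed sample data, not real routing state.

```python
import ipaddress

# Constructed sample data: one ROA with a permissive maxlen, while the
# holder only announces the covering /22 itself.
ROAS = [
    {"prefix": "198.51.100.0/22", "maxlen": 24, "asn": 64500},
]
ANNOUNCED = [("198.51.100.0/22", 64500)]


def rov_state(prefix, origin_asn, roas):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'.

    A ROA covers the route if the route's prefix lies within the ROA prefix
    and its length does not exceed maxlen; the route is valid only if a
    covering ROA also lists the same origin ASN.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa["prefix"])
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if net.prefixlen <= roa["maxlen"] and origin_asn == roa["asn"]:
            return "valid"
    return "invalid" if covered else "not-found"


def unannounced_roa_space(roas, announced):
    """List (prefix, asn) pairs that the ROA set lets through as valid but
    that the holder is not announcing: each is a more-specific that would
    win longest-match against the holder's own covering announcement."""
    announced_set = {(ipaddress.ip_network(p), a) for p, a in announced}
    gaps = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa["prefix"])
        for plen in range(roa_net.prefixlen, roa["maxlen"] + 1):
            subs = [roa_net] if plen == roa_net.prefixlen \
                else roa_net.subnets(new_prefix=plen)
            for sub in subs:
                if (sub, roa["asn"]) not in announced_set:
                    gaps.append((str(sub), roa["asn"]))
    return gaps


if __name__ == "__main__":
    for gap in unannounced_roa_space(ROAS, ANNOUNCED):
        print("ROA-valid but unannounced:", gap)
```

Shrinking maxlen to the lengths actually announced, or announcing every listed prefix, empties the gap list.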

On 25 May 2022, at 5:45 am, Jakob Heitz (jheitz) via NANOG <nanog@nanog.org> wrote:
> This attack will work very well until the victim starts advertising its prefix. The victim may not notice the fake advertisement because the fake advertisement will not reach the victim AS due to AS-path loop checking.

Often the best forms of attack are ones that are scoped in locality. Advertising the same prefix from a different location in BGP may create a localised preference to follow the synthesised route which is not visible everywhere. Sometimes this is exactly what the attacker wants to achieve.

Geoff