North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Routing Protocol Security
- From: batz
- Date: Tue Aug 13 19:56:45 2002
On Mon, 12 Aug 2002 firstname.lastname@example.org wrote:
:Of the problems folks have run into, are they more often the result of a
:legitimate speaker being compromised & playing with advertisements
:somehow (and getting through filters that may or may not be present), or
:from devices actually spoofing their way into the IGP/EGP? Are there
:any specific attacks anyone is aware of & can share?
My first pointer would be to the Phrack article Things to do in
Ciscoland when you are Dead. While this is not routing protocol
specific, it's more about fun that can be had with tunneling
traffic from a compromised network.
The next would be someone taking advantage of poorly configured
EGP that blindly redistributed information from the IGP. An example
of this would be a big provider a few years ago whose ospf core was
accepting unauthenticated RIP from the dial pool and redistributing
it into BGP.
Another issue would be vendors who don't fully implement the
authentication features of a protocol. It's probably time for
an audit of BGP implementations to see if anyone hasn't implemented
anything other than Null as an authentication method.
Tim Newshams paper called "The Problem With Random Increments" about
random TCP ISN's from last year could have been cause for uglyness
if Cisco hadn't fixed their ISN generators. However, it is possible
that other vendors are still vulnerable (Routers based on old BSD or
VxWorks code) to this. He demonstrated that it was still practically
possible to insert data into a tcp stream because ISN generation
based on random increments wasn't sufficiently random to make
it secure against sequence number guessing.
I recently got a frantic call from an associate asking me how to respond
to an ex-peer who was making hostile annoucements of his routes. They
were announcing his netblocks to any of their peers that would listen,
but had them blackholed over some disagreement. I said if they won't
listen to you, have your lawyer get them on the phone.:)
So, as far as attacks against protocols themselves, they are really
more to do with the underlying network/session protocols (UDP, TCP,
OSPF, ICMP, IGMP) and would depend on a lack of session state keeping
and authentication being implemented in the way the routing protocol
manages its sessions.
Otherwise, it's an issue of attacks against the routers, which can
be catagorized as run of them mill application/daemon attacks like
format string and overflow attacks. I am not aware of any of these
specifically, however, it is not hard to imagine where one would look
for them, as routing daemons are like any other daemon, running on
any old OS, on any old host.
The short term solution would be routers that denied all layer-3
traffic destined to it by default, (passing it to elsewhere)and
only accepted traffic from specifically configured peers. (Type
Enforcement(tm) on interfaces anyone?)
Routers should be shipped in a state that is functionally inert to
packets on layer 3.