Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Routing Protocol Security

  • From: batz
  • Date: Tue Aug 13 19:56:45 2002

On Mon, 12 Aug 2002 wrote:

:Of the problems folks have run into, are they more often the result of a
:legitimate speaker being compromised & playing with advertisements
:somehow (and getting through filters that may or may not be present), or
:from devices actually spoofing their way into the IGP/EGP?  Are there 
:any specific attacks anyone is aware of & can share?

My first pointer would be to the Phrack article Things to do in 
Ciscoland when you are Dead. While this is not routing protocol
specific, it's more about fun that can be had with tunneling 
traffic from a compromised network. 

The next would be someone taking advantage of poorly configured
EGP that blindly redistributed information from the IGP. An example
of this would be a big provider a few years ago whose ospf core was 
accepting unauthenticated RIP from the dial pool and redistributing 
it into BGP.  


Another issue would be vendors who don't fully implement the 
authentication features of a protocol. It's probably time for 
an audit of BGP implementations to see if anyone hasn't implemented
anything other than Null as an authentication method. 

Tim Newshams paper called "The Problem With Random Increments" about 
random TCP ISN's from last year could have been cause for uglyness 
if Cisco hadn't fixed their ISN generators. However, it is possible 
that other vendors are still vulnerable (Routers based on old BSD or 
VxWorks code) to this. He demonstrated that it was still practically
possible to insert data into a tcp stream because ISN generation 
based on random increments wasn't sufficiently random to make
it secure against sequence number guessing. 

I recently got a frantic call from an associate asking me how to respond
to an ex-peer who was making hostile annoucements of his routes. They 
were announcing his netblocks to any of their peers that would listen, 
but had them blackholed over some disagreement. I said if they won't 
listen to you, have your lawyer get them on the phone.:)  

So, as far as attacks against protocols themselves, they are really
more to do with the underlying network/session protocols (UDP, TCP, 
OSPF, ICMP, IGMP) and would depend on a lack of session state keeping 
and authentication being implemented in the way the routing protocol 
manages its sessions.  

Otherwise, it's an issue of attacks against the routers, which can 
be catagorized as run of them mill application/daemon attacks like
format string and overflow attacks. I am not aware of any of these
specifically, however, it is not hard to imagine where one would look
for them, as routing daemons are like any other daemon, running on 
any old OS, on any old host. 

The short term solution would be routers that denied all layer-3 
traffic destined to it by default, (passing it to elsewhere)and 
only accepted traffic from specifically configured peers. (Type
Enforcement(tm) on interfaces anyone?)   

Routers should be shipped in a state that is functionally inert to 
packets on layer 3. 



Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.