North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: TCP/BGP vulnerability - easier than you think
On Apr 20, 2004, at 11:09 PM, David Luyer wrote:
Really? I certainly hope an attacker tries those three ports on a router I know about. Looking at a random cisco router at a random NAP with a significant number of peers, there are a total of zero session on those ports.You missed the "(assuming the attacker can accurately guess both
Wow, this attack is even easier to avoid than I thought!
Thanx for proving my point....
Interestingly, cisco confirmed to me the sequence number was not checked until after the MD5 signature was checked.Answering another poster's concern about DoS risk... TCP MD5 is not a significant DoS risk as you only MD5 once the source, destination, sequence, etc are valid - ie. you only MD5 a packet which would already have broken your BGP session! [*]
Again, thanx for proving my point. You really must post more often.
I would love to see these results, as I am interested in the methodolofy. For instance, did they turn on a lab router, configure some new BGP sessions, then attack it? Notice that both Richard and I repeatedly say "for a router which has not recently been rebooted". Of *course* it will be easy when you set things up like that.Worse than breaking the session, I'm told by people who have tested in labs that they could typically break BGP sessions in under half an hour, which then caused flapping and dampening of the routes if the attack was repeated. So the risk is not just the occasional BGP session flap, it's a frequent enough flap that your routes can be dampened.
Even granting the results, flapping a BGP session once per half hour is far from the worst thing 10 Kpps can do on the Internet. In fact, it is probably the *least* damaging thing I have heard miscreants do with 10 Kpss.
Many people also report taking entire routers down in far less than 30 minutes with 10 Kpps of MD5 signed packets if MD5 is turned on. So I am not sure why this is better - sorry, best - than flapping a session every half hour.So, you're best to implement TCP MD5 on your BGP sessions.
Guess we did not agree on this one. I really think flapping a session every 30 minutes (if it really only takes that long) is not better than killing a whole router in far less time.
And how do you track a thousand passwords? Okay, maybe that is not too hard. But how do you guarantee a thousand peers will never screw up and forget, lose, fat-finger, etc. a single one of them? This one I would really like to know, 'cause I sure as hell can't figure it out.With an up to date IOS, if you both implement the password within about a second, the BGP session doesn't even flap to implement the password. Older IOS (12.1) resets the BGP session as a password is set. Other vendors vary.
[*] in any reasonable implementation. it is possible some old implementation does this wrong, though.
Guess IOS counts as both old and unreasonable. I buy that. Again with the agreement! Well, three out of four ain't bad. :) -- TTFN patrick