how-to block ads
|
wentlanc
You Can't Fix Dumb..
join:2003-07-30
Maineville, OH
| Old news? Hijacking routing tables is not really a new concept. Muck like ARP table poisoning, MAC spoofing, VTP, etc. Most protocols rely on some level of trust. What sets this apart is then re-forwarding the hijacked traffic back to the original destination. The best way not to get caught is to no make any noise, right? Perhaps monitoring routing tables for AS path changes would be key to picking up this kind of exploit?
cw | |
|  
TKJunkMail
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
 ·Sprint Mobile Broa..
 ·Comcast
| Re: Old news? said by wentlanc  : Perhaps monitoring routing tables for AS path changes would be key to picking up this kind of exploit? cw That can be done, but it is labor intensive and even then likely to not work:
A handful of academic groups collect BGP routing information from cooperating ASes to monitor BGP updates that change traffic's path. But without context, it can be difficult to distinguish a legitimate change from a malicious hijacking. There are reasons traffic that ordinarily travels one path could suddenly switch to another -- say, if companies with separate ASes merged, or if a natural disaster put one network out of commission and another AS adopted its traffic. On good days, routing paths can remain fairly static. But "when the internet has a bad hair day," Kent said, "the rate of (BGP path) updates goes up by a factor of 200 to 400."
Kapela said eavesdropping could be thwarted if ISPs aggressively filtered to allow only authorized peers to draw traffic from their routers, and only for specific IP prefixes. But filtering is labor intensive, and if just one ISP declines to participate, it "breaks it for the rest of us," he said.
"Providers can prevent our attack absolutely 100 percent," Kapela said. "They simply don't because it takes work, and to do sufficient filtering to prevent these kinds of attacks on a global scale is cost prohibitive."
--
My BLOG .. .. Internet News .. .. My Web Page
Ask yourself one question: 'Do I feel lucky?' Well, do ya punk? | |
| 
Ignite
Premium,VIP
join:2004-03-18
UK
clubs: | Perhaps nothing more interesting than ensuring all your BGP peers are using MD5 authentication would mitigate this. | |
| | keyboard5684
join:2001-08-01
Youngsville, PA
 ·Teliax VOIP
·WestPAnet Inc.
·WestPAnet Inc. CA..
1 edit | Re: Old news? This is true, MD5 which many carriers no longer seem to care about because you can just set 1 or 2 hop BGP.
MD5 should always be setup but it is a longer call with the carrier and sometimes a pain. You usually have to email or send the password to them because you cannot read 7j8j$8e%wVG&6G6Ky6jI#8o!LMt over the phone. So it is a little pain so carriers, or more there techs, just try not to encourage it. You have to specifically request it so it is the ISP fault as well.
But these little tricks are usually just bad configuration/setup. The ISPs and carriers can set up a very secure exchange. DNS exploits too, a lot of this just goes to security, do it right the first time.
Laziness and lack of caring, just people doing there job. Tell you what, pay techs what they deserve and get the right ones in there to do the job. It has to do with undercutting by the ISPs and by the carriers.
EDIT: What about we start using a newer version of BGP? We have been stuck on 4 for a long time. Maybe we all move up to BGP6 or something? Developed yet? | |
| | 
sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
·Optimum Online
| said by Ignite :Perhaps nothing more interesting than ensuring all your BGP peers are using MD5 authentication would mitigate this. That would do nothing to solve this... | |
| | | |
|
