Forums » Huge Internet Security Hole Demonstrated » The DNS exploit is bigger...

espaeth

The DNS exploit is bigger...

in that any kid with a script can trigger it, and the investment cost to pull off the scam is essentially $0. To pull this off you need a lot of access, and you need a considerable investment in infrastructure to be in a position to pull it off. (you need the routing hardware, and to get a carrier circuit with BGP to start you need to prove you own a netblock ($$ to ARIN), you need to prove you own an ASN ($$ to ARIN), and you're going to need to sign contracts for connectivity with a hefty up-front install fee)

1) You need to be able to source a more specific route from a network you don't own through your upstream provider. Many backbone providers strictly enforce which routes you can originate, so you'd have to find one that will play ball.

2) Even if you get the traffic to successfully come to you, you need to overcome the blackhole effect that you create to forward the traffic on to the final destination. (ie, you can't just send it back upstream or the destination traffic will just come right back to you)

The limited exposure would be to spoof a network on Carrier A by relaying a more specific route into Carrier C but setting community tags so that it would not be redistributed to its peers. You can then get the customers of Carrier C to forward the traffic to you, and you can dump the traffic out onto Carrier A where it will reach its final destination.


sporkme

said by espaeth:

> To pull this off you need a lot of access

Define "access".

said by espaeth:

> and you need a considerable investment in infrastructure

PC hardware and OpenBGP/Zebra/Quagga

said by espaeth:

> and to get a carrier circuit with BGP

"carrier circuit"? No, when you place your order, note that you'll be running BGP. It's not even an extra charge.

said by espaeth:

> to start you need to prove you own a netblock ($$ to ARIN)

Or that you want to announce your block from another ISP

said by espaeth:

> you need to prove you own an ASN ($$ to ARIN)

I have never needed to prove this. Do you consider Level3 a "major" carrier?

said by espaeth:

> and you're going to need to sign contracts for connectivity with a hefty up-front install fee

One-page MSA, $750 NRC, less if you "commit" to more than one year.

said by espaeth:

> 1) You need to be able to source a more specific route from a network you don't own through your upstream provider. Many backbone providers strictly enforce which routes you can originate, so you'd have to find one that will play ball.

The ones that take money from customers will "play ball".

said by espaeth:

> 2) Even if you get the traffic to successfully come to you, you need to overcome the blackhole effect that you create to forward the traffic on to the final destination. (ie, you can't just send it back upstream or the destination traffic will just come right back to you)

I can ask Alex "pretty please" to explain on the mailing list...


espaeth


My point about access is you're not going to pull this off at an office or residence without forking over a ridiculous amount of capital for a tail circuit.

If you do this in a colo space, you're still going to have a space commit if you're leasing a rack, plus up-front cross-connect fees to patch yourself over to another carrier. Most places don't let you bring in equipment and start requesting cross connects unless you are going to agree to some sort of term.

I work for a company that has grown through acquisition, and we've had Verizon, Level(3), Qwest, ATT, and Sprint all stop accepting one of our netblock advertisements at one point or another because we rolled an acquired company's netblock advertisement under one of our main AS advertisements and they got concerned that the netblock owner didn't match our company name. The company I work for isn't small, we control 3 /16s + a few scraps of public address space and have Internet points of presence in 16 countries.

In any case, my point is that the DNS exploit is essentially free and has high payout potential. This requires a fair amount of start-up capital, some reasonable fake identities if you want to get out of your contract obligations, and your window of success is still limited. The risk:reward ratio is substantially lower here.


isp eh

@comcast.net
totally agree.

anyway, a company can easily re-route your data by advertising itself (typically a typo) as the owner of a more specific ip block than you are advertising.
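
A defender-side illustration of the more-specific announcement discussed in this thread, added here and not part of any post: it shows why longest-prefix matching sends traffic to the narrower route, and how the kind of origin check a provider filter enforces would flag it. The registry, prefixes (private-use space), AS numbers and function names are constructed for the example; the valid/invalid/not-found verdicts follow the usual route-origin-validation logic, which goes beyond what the posters describe.

```python
import ipaddress

# Constructed registry: (prefix, authorized origin AS, longest length the holder announces)
REGISTRY = [
    (ipaddress.ip_network("10.20.0.0/16"), 64500, 16),
    (ipaddress.ip_network("10.30.0.0/16"), 64501, 24),
]

# Constructed announcements as a route monitor might record them: (prefix, origin AS)
OBSERVED = [
    ("10.20.0.0/16", 64500),   # the holder's own announcement
    ("10.20.5.0/24", 64511),   # more specific, different origin
    ("10.30.1.0/24", 64501),   # holder deaggregating within its own limit
    ("10.99.0.0/16", 64502),   # nothing registered for this space
]

def classify(prefix, origin_as, registry=REGISTRY):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    net = ipaddress.ip_network(prefix)
    covering = [(p, asn, maxlen) for p, asn, maxlen in registry
                if p.version == net.version and net.subnet_of(p)]
    if not covering:
        return "not-found"
    for _, asn, maxlen in covering:
        # Both the origin and the prefix length must match the holder's intent.
        if asn == origin_as and net.prefixlen <= maxlen:
            return "valid"
    return "invalid"

def forwarding_choice(dest_ip, routes):
    """Route a router would pick for dest_ip: the longest matching prefix wins."""
    addr = ipaddress.ip_address(dest_ip)
    matches = [(ipaddress.ip_network(p), asn) for p, asn in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, asn = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), asn

def audit(routes):
    """List every announcement that is not 'valid', with its verdict."""
    return [(p, asn, v) for p, asn in routes
            if (v := classify(p, asn)) != "valid"]

if __name__ == "__main__":
    print(forwarding_choice("10.20.5.9", OBSERVED))
    for finding in audit(OBSERVED):
        print(finding)
```
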
over 10 years online! © 1999-2009 dslreports.com.