"Paul D. Robertson" wrote:
> 
> [In summary: BGP injection is damn near impossible in most cases]

Yes. Even with my limited knowledge in BGP, I guessed as much.
So, that makes it two votes for "attacks via BGP injection aren't 
very likely" :)

(At least not where large and well-managed exchanges are concerned)

> [On ARP entries]
> 
> Static ARP entries for routing clouds and even servers on a local network
> are a good (but not perfect) defense to this.  The administrative overhead
> is fairly minimal as long as people swapping equipment are aware they
> exist.

You are, as usual, absolutely right. 

However, this does not mean that there's a lot of people actually 
being this clever, since most admins will strenuously object to this 
kind of PITA. Border firewalls are usually all they can stand :)

(But this is the old security versus function debate all over again;
let's not make an issue of it. All I was noting is that ARP spoofing
will work more often than not.)

> >   And, to complicate matters even more, any and all of these
> >   techniques could be used in combination. Using BGP
> >   injection to get the packets to your provider's main router
> >   could be followed up by, for instance, RIP spoofing to get
> >   the packets to the system under your control.
> 
> This sentence doesn't make much sense to me- routing protocols are
> based on destination, you don't need BGP to get packets to your 
> provider's core routers- your provider always routes your packets, 
> TCP spoofing is more critical.

Alice, using provider A, sends a packet to Bob, using provider B,
through BGP routing cloud R. Eve, using provider E, wants to
listen to these packets. Eve needs to get the packets traversing
R to the main router of provider E (which usually never sees them), 
and, from there, to herself. If BGP could be used (_could_! I'm 
theorizing here) to accomplish the first bit, Eve would likely need 
to use some other technique to actually get the packets to somewhere 
inside provider E's networks where she can intercept them.

Another example then: Use a combination of targeted ICMP redirects 
and RIP spoofing to make packets from Alice to Bob get to Eve 
instead of Bob. All I was saying was that different redirect games 
will work with different routing scenarios, and there may be 
several _different_ routing scenarios between the attack point 
in the A->B path and Eve's machine.

> > The up side to all of this is that it's so d*mn convoluted
> > [snip]
> 
> The true upside is that anyone trying to play this game is going
> to be caught and taken seriously enough that they won't get to 
> play again :)

:) Yes, in the specific case of BGP, this is likely true.

It is, unfortunately, less likely for the other redirection games 
that one can play. :( (Especially true for smart hackers, who won't 
do these things from their own machines ;))

/Mike
Hmmm.. 4800 unread mails in the firewalls list from mid-September 
to now. I really ought to start catching up on my backlog soon :/

-- 
Mikael Olsson, EnterNet Technologies
Storgatan 12, Box 393, SE-891 28  ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 66 77 636
Fax: +46 (0)660 122 50       WWW: http://www.enternet.net

On bosses and technology: "There are bosses who don't know, and there 
are bosses who don't know that they don't know" /Anonymous techie
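The static-ARP defense discussed above only works if the pinned entries actually stay pinned, so the check below audits a Linux `ip neigh show` dump against an expected IP-to-MAC map for gateways and servers, and emits the `ip neigh replace ... nud permanent` commands needed to pin anything that is missing or has drifted. This is an added example, not code from the list thread; the neighbour-table lines and addresses are constructed samples, and the `ip neigh show` line format is the one Linux iproute2 prints.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# One line of Linux `ip neigh show`, e.g.
#   10.0.0.1 dev eth0 lladdr 00:11:22:33:44:55 PERMANENT
# Entries without lladdr (INCOMPLETE/FAILED) have no MAC field.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17}))?\s+(?P<state>\S+)$"
)

@dataclass(frozen=True)
class Finding:
    ip: str
    kind: str      # "missing", "mac_mismatch" or "not_pinned"
    detail: str

def parse_neigh(output: str) -> list[dict]:
    """Parse `ip neigh show` output; lines that don't match are skipped."""
    entries = []
    for line in output.strip().splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["mac"] = (d["mac"] or "").lower()
            entries.append(d)
    return entries

def audit_neighbors(expected: dict[str, str], output: str) -> list[Finding]:
    """Compare the live table with the expected static map (IP -> MAC)."""
    entries = parse_neigh(output)
    by_ip = {e["ip"]: e for e in entries}
    findings: list[Finding] = []
    for ip, want in expected.items():
        e = by_ip.get(ip)
        if e is None:
            findings.append(Finding(ip, "missing", "no neighbour entry"))
            continue
        if e["mac"] != want.lower():
            # A foreign MAC that also answers for other IPs is the usual poisoning sign.
            also = sorted(x["ip"] for x in entries if x["mac"] == e["mac"] and x["ip"] != ip)
            findings.append(Finding(ip, "mac_mismatch",
                f"expected {want}, table has {e['mac']} (also used by {also})"))
        if e["state"].upper() != "PERMANENT":
            findings.append(Finding(ip, "not_pinned", f"state is {e['state']}"))
    return findings

def pin_commands(expected: dict[str, str], dev: str) -> list[str]:
    """Commands that (re)install the static entries; run as root."""
    return [f"ip neigh replace {ip} lladdr {mac} dev {dev} nud permanent"
            for ip, mac in expected.items()]

# Constructed sample: gateway pinned correctly, a server (10.0.0.5) whose MAC has
# drifted to one already used by 10.0.0.20, and a server (10.0.0.9) with no entry.
SAMPLE_NEIGH = """
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:55 PERMANENT
10.0.0.20 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.0.0.5 dev eth0 lladdr de:ad:be:ef:00:01 STALE
10.0.0.3 dev eth0  FAILED
"""
EXPECTED = {"10.0.0.1": "00:11:22:33:44:55", "10.0.0.5": "00:11:22:33:44:05",
            "10.0.0.9": "00:11:22:33:44:09"}
```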