Re: Routing Protocol Security
At 07:43 PM 13-08-02 -0400, batz wrote: >On Mon, 12 Aug 2002 [EMAIL PROTECTED] wrote: > >:Of the problems folks have run into, are they more often the result of a >:legitimate speaker being compromised & playing with advertisements >:somehow (and getting through filters that may or may not be present), or >:from devices actually spoofing their way into the IGP/EGP? Are there >:any specific attacks anyone is aware of & can share? > >My first pointer would be to the Phrack article Things to do in >Ciscoland when you are Dead. While this is not routing protocol >specific, it's more about fun that can be had with tunneling >traffic from a compromised network. Better yet: http://www.phenoelit.de/vippr/index.html http://www.phenoelit.de/irpas/index.html Also note that keepalives and routing updates are process switched (for Ciscos). Think about it. >The short term solution would be routers that denied all layer-3 >traffic destined to it by default, (passing it to elsewhere)and >only accepted traffic from specifically configured peers. (Type >Enforcement(tm) on interfaces anyone?) Don't forget layer-2 as well (from Networkers 2002): http://www.cisco.com/networkers/nw02/post/presentations/general_abstracts.html#mitigation http://www.cisco.com/networkers/nw02/post/presentations/docs/SEC-202.pdf -Hank > > >Routers should be shipped in a state that is functionally inert to >packets on layer 3. > >Alas.. > >-- >batz
Re: $400 million network upgrade for the Pentagon
Blake Fithen wrote: >>Brad Knowles: >> The Pentagon has windows. It also has an ancient system of air >>pipes aimed at all of the windows... > > > > > Is this sensitive info? Given that I saw this on the history channel the other night, I'd say no. :) -- Doug Barton, Yahoo! DNS Administration and Development You can have it done fast, done cheap, or done right. Pick two. Do YOU Yahoo!?
RE: $400 million network upgrade for the Pentagon
On Wed, 14 Aug 2002, Brad Knowles wrote: > > At 5:13 PM -0500 2002/08/13, Blake Fithen wrote: > > > Is this sensitive info? Couldn't someone (theoretically) aim a > > "beam" at an unoccupied office and another at their objective > > office then filter out the 'noise'? > > Actually, I don't know for sure how it's implemented. They may > have separate sound streams for each window. Moreover, this was a > few years ago (I left in 1995), and there may have been changes since > then. It would certainly be a lot easier to use individual speakers > fed by electrical wiring, than pumping a lot of air around from a > central location. Even easier is to glue a piezoelectric transducer to the glass and feed it some noise modulated to look like speech from a gadget which may cost entire $30 in parts. Detecting IR laser emissions and sounding alarm is also a good idea :) --vadim
Re: Routing Protocol Security
On Mon, 12 Aug 2002 [EMAIL PROTECTED] wrote: :Of the problems folks have run into, are they more often the result of a :legitimate speaker being compromised & playing with advertisements :somehow (and getting through filters that may or may not be present), or :from devices actually spoofing their way into the IGP/EGP? Are there :any specific attacks anyone is aware of & can share? My first pointer would be to the Phrack article Things to do in Ciscoland when you are Dead. While this is not routing protocol specific, it's more about fun that can be had with tunneling traffic from a compromised network. The next would be someone taking advantage of poorly configured EGP that blindly redistributed information from the IGP. An example of this would be a big provider a few years ago whose ospf core was accepting unauthenticated RIP from the dial pool and redistributing it into BGP. Teehee. Another issue would be vendors who don't fully implement the authentication features of a protocol. It's probably time for an audit of BGP implementations to see if anyone hasn't implemented anything other than Null as an authentication method. Tim Newshams paper called "The Problem With Random Increments" about random TCP ISN's from last year could have been cause for uglyness if Cisco hadn't fixed their ISN generators. However, it is possible that other vendors are still vulnerable (Routers based on old BSD or VxWorks code) to this. He demonstrated that it was still practically possible to insert data into a tcp stream because ISN generation based on random increments wasn't sufficiently random to make it secure against sequence number guessing. I recently got a frantic call from an associate asking me how to respond to an ex-peer who was making hostile annoucements of his routes. They were announcing his netblocks to any of their peers that would listen, but had them blackholed over some disagreement. I said if they won't listen to you, have your lawyer get them on the phone.:) So, as far as attacks against protocols themselves, they are really more to do with the underlying network/session protocols (UDP, TCP, OSPF, ICMP, IGMP) and would depend on a lack of session state keeping and authentication being implemented in the way the routing protocol manages its sessions. Otherwise, it's an issue of attacks against the routers, which can be catagorized as run of them mill application/daemon attacks like format string and overflow attacks. I am not aware of any of these specifically, however, it is not hard to imagine where one would look for them, as routing daemons are like any other daemon, running on any old OS, on any old host. The short term solution would be routers that denied all layer-3 traffic destined to it by default, (passing it to elsewhere)and only accepted traffic from specifically configured peers. (Type Enforcement(tm) on interfaces anyone?) Routers should be shipped in a state that is functionally inert to packets on layer 3. Alas.. -- batz
RE: $400 million network upgrade for the Pentagon
At 5:13 PM -0500 2002/08/13, Blake Fithen wrote: > Is this sensitive info? Couldn't someone (theoretically) aim a > "beam" at an unoccupied office and another at their objective > office then filter out the 'noise'? Actually, I don't know for sure how it's implemented. They may have separate sound streams for each window. Moreover, this was a few years ago (I left in 1995), and there may have been changes since then. It would certainly be a lot easier to use individual speakers fed by electrical wiring, than pumping a lot of air around from a central location. -- Brad Knowles, <[EMAIL PROTECTED]> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+() DI+() D+(++) G+() e++> h--- r---(+++)* z(+++)
RE: $400 million network upgrade for the Pentagon
> Brad Knowles: > The Pentagon has windows. It also has an ancient system of air > pipes aimed at all of the windows... Is this sensitive info? Couldn't someone (theoretically) aim a "beam" at an unoccupied office and another at their objective office then filter out the 'noise'? Sorry for the O.T. -- blake > Brad Knowles, <[EMAIL PROTECTED]> > > "They that can give up essential liberty to obtain a little temporary > safety deserve neither liberty nor safety." > -Benjamin Franklin, Historical Review of Pennsylvania. > > GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI$ P+>++ L+ !E > W+++(--) N+ !w--- > O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) > X++(+++) R+(+++) > tv+(+++) b+() DI+() D+(++) G+() e++> h--- > r---(+++)* z(+++) >
Re: $400 million network upgrade for the Pentagon
At 12:38 PM -0400 2002/08/13, Sean Donelan wrote: > I have no idea how many or where the cable entrance facilities are > located or how major cables are routed through the Pentagon. True enough. Neither do I. > It might even make sense to put an alternate > building entrance facility not on the side where the majority of the > networking was done. In terms of primary human entrances, they are found on four of the five sides of the building. The fifth side is where the helipad is located. Moreover, the networking is done all over the building, although I presume that there are some areas of concentration around the NMCC, and certain other facilities. In terms of network facilities, I'm sure that they have multiple redundant entrances all around the building. The question is how far away from the building do they then converge, so that you once again have a SPOF. -- Brad Knowles, <[EMAIL PROTECTED]> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+() DI+() D+(++) G+() e++> h--- r---(+++)* z(+++)
Re: $400 million network upgrade for the Pentagon
At 6:21 PM -0500 2002/08/12, gg wrote: > The Department of Defense does posses allot of "network disorganization" > mostly on the NIPERNET side. You mean NIPRnet, right? > Allot of the NIPERNET "unclassified" network is just plain unruly at > it's best (I left the military in 2000, so maybe things have changed). I was the DISA.MIL Technical POC until I left in 1995, and I am the guy who convinced the SIPRnet and NIPRnet administrators to go with DNS for doing hostname resolution (instead of HOSTS.TXT files), as well as using real IP address space issued by ARIN, instead of just randomly fabricating some network space (in the event that the networks were ever connected to the live Internet, some point in the distant future). I'm also the guy who turned back to ARIN a few Class A, B, and a number of Class C network ranges that we were no longer using. > Any > shop with their ADP or IT staff can practically get a server up and running, > build intranets, databases, etc. without practically anyone raising an > eyebrow, this is at the command level. Yup. > Allot of these systems are non-redundant, and pose single points of > failures, etc, but again this is at the command level. True enough. But then these aren't mission-critical systems like WWMCCS or GCCS. > After moving along the ranks, from a lowly seaman recruit running AUI, > cat V, and fiber cabling on an aircraft carrier, to a Third Class Petty > Officer stationed at The Unified Atlantic Region Network Operations Center > in Norfolk, VA. I learned that this is not the case for Mission Critical > systems, or for the SIPERNET "classified network". Yup. >As Brad also stated the same. >All I can say is this, and any ex-RM can say the same (Well RM's are > extint now they are IT), I never worked in a building that had any windows, > and that could not stand a very good shaking, that is, if it wasnt > underground in the first place. The Pentagon has windows. It also has an ancient system of air pipes aimed at all of the windows, where at a central location they play a radio or otherwise generate sound waves that are then distributed via the air pipes, thus preventing anyone from aiming a laser at the window and being able to bug the office. Of course, if you're not a flag officer (or equivalent), or you don't work for a flag officer (or equivalent), you won't get any windows. Myself, I worked in the basement, and I walked over a mile each way to go from where I got off the metro, past the concourse between corridors 1 & 10, down to my office on the mezzanine level, on the F ring, between corridors 6 & 7. -- Brad Knowles, <[EMAIL PROTECTED]> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+() DI+() D+(++) G+() e++> h--- r---(+++)* z(+++)
Re: Routing Protocol Security
On Tue, Aug 13, 2002 at 01:55:50PM -0700, senthil ayyasamy wrote: > > Can any of you cite cases where an attack has been > > carried out against a > > network's routing protocol (BGP or OSPF in > > particular)? > > I heard people talking about a Dos (not DDos) attack > from your neighbor peer router that overflows your > routing table with too much data. I am not aware of > any DDos on routing packets(?).There are chances for > man-in-the-attacks between BGP sessions. The question > is how much the crypto- based security mechanisms like > MD5 helps prevent routing vulnerabilities. But, I > guess misconfiguration can also be considered as a > reason behind many vulnerabilities. Senthil, Hi there.. Agreed, I think there are two major classifications you can lump things under; exploitation of a weak router / misconfiguration to manipulate a legitimate speaker's advertisements, OR a 3rd party box somehow manipulating a routing protocol between other devices. (Using something like nemesis, etc..) While tools like nemesis and other scripts are out there, and perfectly capable of forging/manipulating routing protocol packets, how common is this? Of the problems folks have run into, are they more often the result of a legitimate speaker being compromised & playing with advertisements somehow (and getting through filters that may or may not be present), or from devices actually spoofing their way into the IGP/EGP? Are there any specific attacks anyone is aware of & can share? ..Dylan -- , Dylan Greene , + Juniper Networks + + +1 617/407-6254+ ` [EMAIL PROTECTED] '
Re: Routing Protocol Security
> Can any of you cite cases where an attack has been > carried out against a > network's routing protocol (BGP or OSPF in > particular)? I heard people talking about a Dos (not DDos) attack from your neighbor peer router that overflows your routing table with too much data. I am not aware of any DDos on routing packets(?).There are chances for man-in-the-attacks between BGP sessions. The question is how much the crypto- based security mechanisms like MD5 helps prevent routing vulnerabilities. But, I guess misconfiguration can also be considered as a reason behind many vulnerabilities. __ Do You Yahoo!? HotJobs - Search Thousands of New Jobs http://www.hotjobs.com
Re: AS path fugliness?
It's back, same source as last time:
Aug 13 14:06:07 Insufficient chunk pools for aspath, requested size 268
Aug 13 14:06:11 Insufficient chunk pools for aspath, requested size 268
Aug 13 14:07:29 Insufficient chunk pools for aspath, requested size 270
Aug 13 14:09:44 Insufficient chunk pools for aspath, requested size 270
Aug 13 14:09:52 Insufficient chunk pools for aspath, requested size 268
*> 205.139.72.0 208.172.167.21100 0 3561 23037
{80,1239,1785,2379,2711,4181,4323,4513,4546,5006,5676,5778,6181,6253,6347,
6395,6453,6467,6571,6580,6993,7132,7381,7431,7633,7795,10346,10625,10674,10726,
10851,10877,10910,10937,10957,11101,11134,11169,11235,11589,11657,11853,12082,
12156,12163,12179,12180,12261,13371,13443,13488,13568,13576,13578,13641,13790,
13815,13882,13904,13919,14021,14289,14359,14381,14412,14452,14549,14564,14625,
14677,14685,14787,14793,14929,14990,15062,15215,16477,16504,16640,16707,16759,
16782,16852,17033,17060,17064,17142,17304,18548,18586,18618,18886,19024,19541,
20303,20316,20333,20357,20457,20458,21536,22184,22191,22242,22299,22319,22389,
22728,22912,23087,23181,23195,23269,23306,23365,23453,23502,23547,25639,25707,
25905,25943,26004} ?
*> 205.139.73.0 208.172.167.21100 0 3561 23037
{80,1239,1785,2379,2711,4181,4323,4513,4546,5006,5676,5778,6181,6253,6347,
6395,6453,6467,6571,6580,6993,7132,7381,7431,7633,7795,10346,10625,10674,10726,
10851,10877,10910,10937,10957,11101,11134,11169,11235,11589,11657,11853,12082,
12156,12163,12179,12180,12261,13371,13443,13488,13568,13576,13578,13641,13790,
13815,13882,13904,13919,14021,14289,14359,14381,14412,14452,14549,14564,14625,
14677,14685,14787,14793,14929,14990,15062,15215,16477,16504,16640,16707,16759,
16782,16852,17033,17060,17064,17142,17304,18548,18586,18618,18886,19024,19541,
20303,20316,20333,20357,20457,20458,21536,22184,22191,22242,22299,22319,22389,
22728,22912,23087,23181,23195,23269,23306,23365,23453,23502,23547,25639,25707,
25905,25943,26004} ?
(plus a bunch of others for the same AS)
FYI, after the Jul 03 incident I received this response from C&W:
> Thank you for notifying us of the problem. We have put a filter in
place
> and I believe we have been in touch with our customer.
>
> Best Regards,
> Cable & Wireless US-IPGSOC
Mike
Re: Routing Protocol Security
I know of several incidents where invalid routing announcements were maliciously employed in order to cause reachability problems to the destination prefix network. It still bugs me that router vendors don't provide the capability to support inter-provider filters (read: 10s or 100s of thousands of instances). But heck, some providers still don't even filter routing announcements for customer prefixes explicitly. This is a HUGE vulnerability. Likewise, employing the same set of inter-provider filters at the data plane as ingress source filters would suppress the bulk of these cheesy spoofed-source address attacks. This is another HUGE vulnerability (providing a solution in hardware is a bit more difficult -- though not impossible!). But heck, some providers still don't employ customer ingress filtering. Of course, then the vulnerability would be the registries, and subsequent components therein. The again, at least the former was done many moons ago, though wasn't real successful given the network, 24 hour turnarounds, etc.. However, things like BGP Route Refresh and the like could alleviate most of the offshoots of the time. Now, back to the router vendor support issue, if that's what you were soliciting input on...? -danny
Routing Protocol Security
HI, Can any of you cite cases where an attack has been carried out against a network’s routing protocol (BGP or OSPF in particular)? My apologies if this question is too far off-topic, but if anyone knows of such incidents it would be the members of this group. Jeff
Re: $400 million network upgrade for the Pentagon
On Mon, 12 Aug 2002, Brad Knowles wrote: > > Building a surviable network in such a small area, relatively speaking the > > Pentagon is small, is a much harder problem than diversity on a regional > > or even national network. > > Keep in mind that it was DARPA that funded the original research > on what we now call the Internet. There are plenty of clueless > morons in the building (the one with four sides and a spare), but > there are also some exceptionally sharp people. Its not a matter of having smart people. Distance offers protection against many risks. The closer you put two critical systems to each other (e.g. in the same building) the higher the risk a single catastrophe (or system engineer) will impact both of them. Of course there are limits to diversity, earth is a single point of failure for the foreseeable future. > Perhaps true for the unclassified systems. But then they're not > really that critical to the real day-to-day operations. Moreover, > where the plane struck is not the side where the majority of this > kind of networking is done. I have no idea how many or where the cable entrance facilities are located or how major cables are routed through the Pentagon. Demarcs are sometimes located in the darndest places a long way away from where you might do your work. It might even make sense to put an alternate building entrance facility not on the side where the majority of the networking was done. In any case, classification level is orthogonal to quality.
Palm OS SNMP client... need some input
I'm working on ideas for an SNMP client for Palm OS. So far, I can't find any that exist, and there's been at least one request made out there for such a thing. The basic idea would be to have a database with IPs, names, descriptions and community names for different SNMP agents you want to work with. You'd define the list, then select an agent and do things with it. I'm also looking at doing a trap monitor type of function. While I'm thinking through the design, I'm coming up with some questions that I need to ask potential users. I figured this would be the best place to look. If you reply, please do it directly to me so as not to clutter the list. Thanks. Here they are... How useful would you consider such a thing? Would it be worthwhile to implement SNMP versions 1 & 2, or just the latter? If both, then how/where/if to switch between the two? Would it be sufficient to only support the standard, RFC-defined MIB, or should there be the ability to handle custom MIBs? The problem with the latter is mainly in presentation. It would be simple enough to do a simple text-based UI for setting and querying values (a la snmpget/put), but personally I'd consider that a bit raw. To do anything better would require more work to either enable a dynamic UI or creating custom forms and code in a plugin-style system. Any other comments or suggestions? --- Brian Smith // avalon73 at arthurian dot nu // http://www.arthurian.nu/ Software Developer // Gamer // Webmaster // System Administrator If man did not exist, God's job would be easier.
Re: Microslosh vision of the future
on 8/12/2002 3:44 PM Brad Knowles wrote: > Do you really think that they will ever again lift a hand against > Microsoft? They only participated in the anti-trust action brought > by the Clinton white house because they had no choice Yeah! The FTC actions res passport are just to throw us off the truth! http://www.infoworld.com/articles/hn/xml/02/08/08/020808hnftcboost2.xml http://www.eweek.com/article2/0,3959,449416,00.asp investigation started in this term, action concluded in this term please... somewhere else, thanks -- Eric A. Hallhttp://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
