Sobigf + BGP

J. Oquendo routesec at engineer.com
Sat Aug 23 08:44:52 UTC 2003


I was reading some PDF files on BGP along with
Routing TCP/IP v2, and I found myself pondering
what a nasty damn worm it would be if someone
were to do something using winpcap in conjucting
with the worm/virus, and I was a bit confused,
disturbed, lost. So I drew up a quick question
complete with ascii which can be viewed at
politrix.org/segment/brat.txt for those who get
a distorted diagram...

Apologies beforehand if this post seems a bit odd,
but I did not see anything similar to a networking
'vuln'dev', and besides I wouldn't think that any
one here would do something malicious with any idea
that actually worked for the worse.

-------------------------------------------------------------
brat.txt 

I was thinking about the recent polymorphic Sobigf worm/virus
and wondered about the following hypothetical scenario...

Sorry about this ASCIIgram, I didn't want to look for Visio
nor any other graphic program to do this in, strictly terms
to keep it gritty... So here goes.

Attacker scripts Sobigf variant with a virii/worm generator,
and uses pcap (packet capture) under Windows to have his
worm send out predefined packets. Let's say he created what
I call a 'BRAT' BGP Router Attack Tool. Now this tool isn't
something major it simply sends out two types of packets
aimed at routers running BGP.

They're both Notification Messages:

=========================================
Packet 1 = BGP NM ERROR CODE 2 SUBCODE 2 |
Packer 2 = BGP NM ERROR CODE 6           |
=========================================

Now we have the hosts' information:
www.targetednap.net (4 if's)
192.168.1.1 192.168.4.1 10.10.1.1 10.10.5.1

VIC's
nap.maefi.com   Link 1 nsp.maefee.com  Link 2
nap.maefo.com   Link 3 nsp.maefum.com  Link 4

  
                Link 1                 Link 2
                    \                   /
                      -----------------
                     |                 |
                     | Targetednap.net |
                     |                 |
		      -----------------
                    /                   \
                 Link 3                Link 4

Script kiddiot sets up his worm/virii to send packets
as Targetednap to all VIC's as Targetednap via spoofing using
WinPCAP. Given the rate of connections that were mentioned
for SoBigf, what could happen say if route dampening were used
between the routers. Would penalties keep adding up making the
connection intolerable because of latency, would it ignore it.

Or what could happen say if worm was smart enough to send
NLRI's of something like $targetvalue=0

Wouldn't this knock off connections between BR's/ABR's, etc.
Are there any flags one can take to prevent this from occurring.
Keep in mind that packet creation is not difficult. My guess
would be, even if someone didn't get all fancy with the packets
being sent, a couple of million packets sent with say a:
ping -l 25000 $VIC as $TARGETEDNAP would be enough to cause
some massive latency, maybe even disconnect a backbone perhaps?

Anyone care to share links on security on this level if
any are available

=================================================
J. Oquendo
rsvp: segment ... antioffline . com
PGP Fingerprint
39A7 24C6 A9A0 6C67 96CA 0302 F1D3 2420 851E E3D0

http://www.politrix.org
http://www.antioffline.com
=================================================


-- 
__________________________________________________________
Sign-up for your own personalized E-mail at Mail.com
http://www.mail.com/?sr=signup

CareerBuilder.com has over 400,000 jobs. Be smarter about your job search
http://corp.mail.com/careers




More information about the NANOG mailing list