TCP/BGP vulnerability - easier than you think

Patrick W.Gilmore patrick at ianai.net
Wed Apr 21 03:40:25 UTC 2004


On Apr 20, 2004, at 11:09 PM, David Luyer wrote:

>> You missed the "(assuming the attacker can accurately guess both
>> ports)" part.
>>
>> This is BY NO MEANS a given.  In fact, it is pretty much guaranteed to
>> not be a given on any router which has not recently been rebooted.  (Or
>> at least that the attacker doesn't know has been recently rebooted. :)
>
> A significant number of BGP sessions will be with a source
> port of 11000, 11001 or 11002; BGP sessions are generally
> quite stable and Cisco routers start the source port at
> 11000.  So attackers could cause enough disruption just
> targeting these three source ports.  The other thing the
> attacker has to guess is which router established the BGP
> session.  As to IPs which sessions exist on, they can guess
> from traceroute each inter-provider hop.

Really?  I certainly hope an attacker tries those three ports on a 
router I know about.  Looking at a random cisco router at a random NAP 
with a significant number of peers, there are a total of zero sessions 
on those ports.

Wow, this attack is even easier to avoid than I thought!

Thanx for proving my point....


> Answering another poster's concern about DoS risk...
> TCP MD5 is not a significant DoS risk as you only MD5 once the
> source, destination, sequence, etc are valid - ie. you only MD5
> a packet which would already have broken your BGP session! [*]

Interestingly, cisco confirmed to me the sequence number was not 
checked until after the MD5 signature was checked.

Again, thanx for proving my point.  You really must post more often.


> Worse than breaking the session, I'm told by people who have
> tested in labs that they could typically break BGP sessions
> in under half an hour, which then caused flapping and dampening
> of the routes if the attack was repeated.  So the risk is not
> just the occasional BGP session flap, it's a frequent enough
> flap that your routes can be dampened.

I would love to see these results, as I am interested in the 
methodology.  For instance, did they turn on a lab router, configure 
some new BGP sessions, then attack it?  Notice that both Richard and I 
repeatedly say "for a router which has not recently been rebooted".  Of 
*course* it will be easy when you set things up like that.

Even granting the results, flapping a BGP session once per half hour is 
far from the worst thing 10 Kpps can do on the Internet.  In fact, it 
is probably the *least* damaging thing I have heard miscreants do with 
10 Kpps.


> So, you're best to implement TCP MD5 on your BGP sessions.

Many people also report taking entire routers down in far less than 30 
minutes with 10 Kpps of MD5 signed packets if MD5 is turned on.  So I 
am not sure why this is better - sorry, best - than flapping a session 
every half hour.

Guess we did not agree on this one.  I really think flapping a session 
every 30 minutes (if it really only takes that long) is not better than 
killing a whole router in far less time.


> With an up to date IOS, if you both implement the password
> within about a second, the BGP session doesn't even flap to
> implement the password.  Older IOS (12.1) resets the BGP
> session as a password is set.  Other vendors vary.

And how do you track a thousand passwords?  Okay, maybe that is not too 
hard.  But how do you guarantee a thousand peers will never screw up 
and forget, lose, fat-finger, etc. a single one of them?  This one I 
would really like to know, 'cause I sure as hell can't figure it out.


> [*] in any reasonable implementation.  it is possible some old
>     implementation does this wrong, though.

Guess IOS counts as both old and unreasonable.  I buy that.

Again with the agreement!  Well, three out of four ain't bad. :)

-- 
TTFN
patrick
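An added illustration of the check-ordering point argued in this exchange (not code from the thread, cisco, or any BGP implementation): a toy receive path for a TCP-MD5 protected session, with a constructed key, window size and flood, showing how many MD5 computations a spoofed flood costs when the signature is verified before the sequence-number window test versus after it.

```python
import hashlib

# Toy model of the receive path of a TCP-MD5 (RFC 2385) protected BGP
# session. Only the two checks discussed in the thread are modelled:
# the plain TCP sequence-number window test and the MD5 signature check.
# All values below are constructed for the example.
WINDOW = 16384                    # receive window, constructed
PASSWORD = b"example-md5-key"     # constructed key, not a real one


def tcp_md5(payload: bytes, password: bytes) -> bytes:
    """RFC 2385-style digest: MD5 over the segment followed by the key
    (pseudo-header and TCP header are omitted in this model)."""
    return hashlib.md5(payload + password).digest()


def in_window(seq: int, rcv_nxt: int, window: int = WINDOW) -> bool:
    """TCP acceptability test: is seq inside [rcv_nxt, rcv_nxt + window)?"""
    return (seq - rcv_nxt) % (1 << 32) < window


def process(segments, rcv_nxt: int, password: bytes, md5_first: bool):
    """Run segments (seq, payload, digest) through the receiver.

    md5_first=True models a stack that verifies the signature before the
    sequence number; False models the cheap window test first.
    Returns (accepted_segments, md5_computations)."""
    accepted = md5_done = 0
    for seq, payload, digest in segments:
        if md5_first:
            md5_done += 1          # every spoofed packet costs a digest
            ok = tcp_md5(payload, password) == digest and in_window(seq, rcv_nxt)
        else:
            ok = in_window(seq, rcv_nxt)
            if ok:                 # digest only for in-window segments
                md5_done += 1
                ok = tcp_md5(payload, password) == digest
        accepted += ok
    return accepted, md5_done


def spoofed_flood(n: int, rcv_nxt: int, stride: int = 1000):
    """Constructed flood from a sender who does not know the key:
    sequence numbers stepped across the space, all-zero digests."""
    return [((rcv_nxt + i * stride) % (1 << 32), b"RST", bytes(16))
            for i in range(n)]


def compare(n: int = 10000, rcv_nxt: int = 5000):
    """Cost of both orderings under a flood plus one genuine segment."""
    legit = [(rcv_nxt, b"KEEPALIVE", tcp_md5(b"KEEPALIVE", PASSWORD))]
    traffic = spoofed_flood(n, rcv_nxt) + legit
    return {"md5_first": process(traffic, rcv_nxt, PASSWORD, True),
            "window_first": process(traffic, rcv_nxt, PASSWORD, False)}
```

Both orderings accept only the genuine segment; the difference is that signature-first hashes every one of the spoofed packets, while window-first hashes only those few that fall inside the receive window.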