Alternate and/or hidden infrastructure addresses (BGP/TCP RST/SYN vulnerability)

Stephen J. Wilcox steve at telecomplete.co.uk
Fri Apr 23 00:12:30 UTC 2004


On Thu, 22 Apr 2004, James wrote:

> > 1.  Backbone addresses:  ISPs that hide interface addresses and/or primary loopback addresses, and best practices for doing so?  (e.g. traceroutes don't break, but the router uses say Loopback1 address to respond to them, while iBGP uses Loopback0.  All Loopback0 address blocks can be filtered at borders.)
> 
> since ibgp's should be peered w/ loopbacks, loopback protection is all
> that's needed as far as this bgp hysteria goes.

no! these are so easy to find!!!!

$ host 65.116.132.145
145.132.116.65.in-addr.arpa domain name pointer lo0.b1.box2.twdx.net.

> 
> so loopback0 with "secret" addresses for ibgp peering, use a loopback1
> to publish router ip addrs to public via looking glass, etc.
> 
> next thing to protect is customer ebgp sessions. some providers don't even
> route the p2p /30 links used between cust and their backbone (i.e. Sprint).
> so that's up to you.
> 
> some backbones even filter all traffic destined to backbone prefixes at
> ingress points (border routers, cust edge routers)... for example.. att
> being one. for example, here comes random test:
> 
> starbucks blahdy $ traceroute -M 8 12.123.205.65
> traceroute to 12.123.205.65 (12.123.205.65), 64 hops max, 44 byte packets
>  8  jfk-brdr-02.inet.qwest.net (205.171.230.21)  6.404 ms  6.138 ms  6.145 ms
>  9  * qwest-gw.n54ny.ip.att.net (192.205.32.169)  6.465 ms !X *
> 
> 
> all above options don't necessarily break traceroute as long as you implement
> it with care... 
> 
> -J
> 
> > 
> > 2.  Public IX addresses:  ISPs that do not redistribute the IX prefix into their iBGP or IGP and do not use external next-hops (except local to the connected border router), but instead use the loopback of the border router when propagating these routes within their iBGP mesh.  This should not break traceroutes "through" the exchange, but will break any traffic such as ping, spoofed packets, etc. to the exchange from a non-connected router.
> > 
> > Can anyone provide pro/con, better description of config templates for doing this, and/or discussion of major networks that choose to do this, or not do this?
> > 
> > Cheers,
> > -Lane
> 
> 
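As an added audit example (not from the thread, and not any ISP's own tooling), assuming the Loopback0 block, IX prefix, traceroute text and route tuples below are constructed placeholders: it checks the two practices discussed above, that no hop in an outside traceroute answers from the hidden Loopback0 block, and that routes learned at the exchange carry the border router's loopback, not the IX address, as next-hop once inside the iBGP mesh.

```python
import ipaddress
import re

# Assumed infrastructure blocks (constructed for this example, not from the thread).
LOOPBACK0_BLOCK = ipaddress.ip_network("192.0.2.0/24")  # iBGP-only loopbacks
IX_PREFIX = ipaddress.ip_network("203.0.113.0/24")      # public exchange LAN

# Matches "N  name (a.b.c.d) ..." hop lines, tolerating leading '*' timeouts.
HOP_RE = re.compile(r"^\s*\d+\s+(?:\*\s+)*(\S+)\s+\(([\d.]+)\)")

def leaked_hops(traceroute_text):
    """Hops that answered from inside the hidden Loopback0 block, i.e. a router
    sourcing its ICMP replies from Loopback0 instead of a public Loopback1."""
    leaks = []
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or a hop with no response at all
        name, ip = m.group(1), ipaddress.ip_address(m.group(2))
        if ip in LOOPBACK0_BLOCK:
            leaks.append((name, str(ip)))
    return leaks

def external_next_hops(routes, ix_connected_routers):
    """Routes seen on a router that is NOT on the exchange but still carry an
    IX address as next-hop (the border router failed to rewrite it to its
    loopback). `routes` is a list of (prefix, next_hop, seen_on_router)."""
    bad = []
    for prefix, next_hop, seen_on in routes:
        if (ipaddress.ip_address(next_hop) in IX_PREFIX
                and seen_on not in ix_connected_routers):
            bad.append((prefix, next_hop, seen_on))
    return bad

# Constructed sample input: one traceroute and three iBGP route entries.
TRACE = """traceroute to 198.51.100.9 (198.51.100.9), 64 hops max, 44 byte packets
 1  cust-edge.example.net (198.51.100.1)  1.1 ms  1.0 ms  1.2 ms
 2  lo0.core1.example.net (192.0.2.7)  2.3 ms  2.1 ms  2.2 ms
 3  * * *
 4  * ix-peer.example.org (203.0.113.20)  5.0 ms  5.1 ms  5.2 ms
"""
ROUTES = [("198.51.100.0/24", "203.0.113.20", "border1"),  # on the IX: fine
          ("198.51.100.0/24", "203.0.113.20", "core1"),    # IX next-hop leaked
          ("198.51.100.0/24", "192.0.2.1", "core2")]       # rewritten to loopback

if __name__ == "__main__":
    print("Loopback0 exposed in traceroute:", leaked_hops(TRACE))
    print("IX next-hops inside the mesh:", external_next_hops(ROUTES, {"border1"}))
```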