attacks on MPLS?

Wayne E. Bouchard web at typo.org
Thu Apr 9 17:31:32 UTC 2009


Meh...

Sure, it rehashes what we pretty well already know, "If a bad guy can
get access to your network or your management tools, you're boned."

It's still worth reminding folks that they need to take appropriate
measures to defend and monitor these devices. Too many networks and
servers get hacked not because the attacker was good, but because the
administrators (some of whom tend to be good security guys) became
complacent and stopped doing routine upkeep. So in that sense, a
little fear can be a good thing.

-Wayne

On Thu, Apr 09, 2009 at 10:14:39AM -0700, Charles Wyble wrote:
> Well if we pull apart the article a bit....
> 
> 
> 
> Quote 1)
> Network infrastructure security has been in the limelight lately, with 
> researchers uncovering big vulnerabilities in the Domain Name System 
> (DNS), the Border Gateway Protocol (BGP), TCP, and in Cisco routers.
> 
> 
> Wasn't aware of any big vulns in BGP (are they referring to the Defcon
> talk that rehashed ages old BGP trust exploitation?). Cisco vulns (I
> realize Cisco released several patches recently but not aware of any
> significant vulns).
> 
> Quote 2)
> own set of switches and management infrastructures, and their own set of 
> surrounding technologies," he says, "and the average attacker could not 
> get his hands on that equipment."
> 
> Hmmmm. Really? 
> http://www.gns3-labs.com/2009/01/23/mpls-vpn-and-traffic-engineering/ + 
> torrent the appropriate IOS images. That seems like it would be enough 
> to build a lab environment for exploit development.
> 
> Seems like the article is a lot of fear mongering.
> 
> 
> Steven M. Bellovin wrote:
> >http://www.darkreading.com/securityservices/services/data/showArticle.jhtml?articleID=216403220
> >
> >
> >		--Steve Bellovin, http://www.cs.columbia.edu/~smb
> >

---
Wayne Bouchard
web at typo.org
Network Dude
http://www.typo.org/~web/



