[AusNOG] BGP injection / IP Hijacking / Peer Trust
edwin at mavetju.org
Thu Aug 28 23:12:57 EST 2008
On Thu, Aug 28, 2008 at 11:28:26AM +1000, Sean K. Finn wrote:
> There seems to be some publicity about hijacking other's IP ranges with BGP to snoop/sniff/intercept traffic.
> Now, of course this is a known thing, and thankfully doesn't happen too much in Australia, but I've noticed one thing from the flamewar that starts with the comments at the end of this article.
Security is a layered process:
On LAN level, you lock down your ports to only allow known MAC
addresses on pre-defined ports so nobody will come in and plug in
the laptop on the intranet.
On intranet level, you define properly which OSPF neighbours you
allow and use encrypted passwords between them.
On the internet gateway we filter outgoing traffic not originated
with our IP space, and incoming traffic "coming" from our own IP
Your SMTP servers don't allow relaying and have TLS enabled. Your
DNS servers don't do recursion for unknown requestors and has DNSSec
The whois information for your domains and netblocks is up to date.
Your BGP talker has properly defined who its neighbours are and has
filters for incoming routes.
You might miss a couple of the above mentioned things in your
network. Due to the nature of the customer who has lots of people
coming in with laptops. Or you trust your own network enough to
keep OSPF available on all router ports. And you can't filter "own"
traffic out that one uplink because of expected redundancy issues.
TLS is difficult, DNSSec is more difficult. Whois is a pain to
update with these horrible web-uis which want you to buy-buy-buy
and don't support bulk updates. BGP is simple, but I don't know
many people who filter based on the routing announcement information
in the Whois database.
Networking is simple and fun, but good networking is difficult and
time-consuming. Education on good networking is essential, but it's
a "Forever September" kind of issue.
Like Dan Kaminsky found a way to merge two known issues into an
exploit, these two guys did the same. Does it make the world a
less-safe place? Yes. Can we fix it? Yes, with education on good
networking: We beat the SMTP open relays. There are still open DNS
recursors (See http://www.mavetju.org/weblog/html/00122.html on how
it works), there are still ISPs without inbound/outbound traffic
filtering, physical security at colos is often a joke once you're
in the cage, whois information is not always up to date so you have
no idea how to contact these people at 02:00 and proper filtering
on the incoming routes got rid of routes towards important networks.
So euhm... we're not there yet. But then we're only less than 20
years in the game.
(wonder if somebody is still reading, not to mention following what
I mean :-)
Edwin Groothuis | Personal website: http://www.mavetju.org
edwin at mavetju.org | Weblog: http://www.mavetju.org/weblog/
More information about the AusNOG