[AusNOG] FYI : Attackers are accessing routers running on the border gateway protocol (BGP) and injecting additional hops

Luke Iggleden luke+ausnog at sisgroup.com.au
Mon Nov 25 10:33:38 EST 2013


On 25/11/2013 10:15 am, Beeson, Ayden wrote:
> I'd assume it boils down to one of three things:
>
> 1. A lack of training or understanding of the concept / impact.
> 2. It was put open to get it going / fix a problem and they just haven't fixed it.
> 3. A lack of time / staffing to do a job properly.
>
> Of course, we all know how important it is but unless the techs making the change / the managers pushing for jobs to be completed understand, it'll get ignored.
>
> There is always option 4, they just don't care about security till it costs them, but the cost involved in doing this properly is fairly minimal so I doubt in most cases that's the issue...
>
> Thanks,
> Ayden Beeson
>

Spot on I reckon Ayden.

Wonder if enforcing a lower local-pref on large backbone networks for 
BGP peers that haven't included a filter-list or migrated to it would 
assist in motivating peers to implement best practices.

My concern is if the threat continues to grow, network admins will look 
at announcing /24 or smaller (to domestic peering networks, e.g.) to limit 
the potential for hijacking, growing the Global Routing Table 
exponentially.





>
> -----Original Message-----
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Luke Iggleden
> Sent: Monday, 25 November 2013 8:19 AM
> To: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] FYI : Attackers are accessing routers running on the border gateway protocol (BGP) and injecting additional hops
>
> On 24/11/2013 8:45 pm, Dobbins, Roland wrote:
>>
>> On Nov 24, 2013, at 4:26 PM, Daniel Hood <dsmhood at gmail.com> wrote:
>>
>>> What's the easiest way one could monitor their netblocks to make sure there is no funny business going on in their paths?
>>
>> BGPMon, as Scott Howard noted, and Renesys are both good services, and there are others, as well.
>>
>
> These services undoubtedly are good for detection, but by the time you get in contact with $insert_isp to get a prefix withdrawn the damage is already done.
>
> It still amazes me after all these years large backbone networks trust smaller BGP peers with open filters.
>
> There are many ways to automate filters, why don't they implement them?
> My bet is until it costs them x (due to legal or direct attack), they don't want to spend x (in prevention), sounds like a typical security scenario to me.
>
>
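
An added example, not part of the original thread or any poster's code: a per-peer inbound prefix filter combined with the lower local-pref idea from the message above for peers that have no filter. The prefixes, AS numbers, local-pref values and the /24 length limit are constructed assumptions.

```python
import ipaddress

# Constructed sample data: private-space prefixes and documentation ASNs
# (RFC 5398) standing in for what each peer has registered, e.g. in an IRR.
REGISTERED = {
    64496: ["10.10.0.0/22"],
    64497: ["10.20.0.0/22"],
    # AS64498 is a peer that has supplied nothing to build a filter from.
}
DEFAULT_LOCAL_PREF = 100
UNFILTERED_LOCAL_PREF = 50  # assumed penalty for peers without a filter
MAX_PREFIX_LEN = 24         # assumed longest IPv4 prefix accepted


def evaluate(peer_as, prefix):
    """Return (action, local_pref) for one IPv4 announcement from peer_as."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or net.prefixlen > MAX_PREFIX_LEN:
        return ("reject", None)
    allowed = REGISTERED.get(peer_as)
    if allowed is None:
        # No filter exists for this peer: accept, but de-prefer its routes.
        return ("accept", UNFILTERED_LOCAL_PREF)
    for entry in allowed:
        if net.subnet_of(ipaddress.ip_network(entry)):
            return ("accept", DEFAULT_LOCAL_PREF)
    # Peer has a filter and this prefix is outside it.
    return ("reject", None)


if __name__ == "__main__":
    updates = [  # constructed announcements: (peer AS, prefix)
        (64496, "10.10.0.0/22"),  # registered aggregate
        (64496, "10.10.1.0/24"),  # more-specific inside the peer's own space
        (64496, "10.20.0.0/24"),  # more-specific of another network's space
        (64496, "10.10.1.0/25"),  # longer than the accepted maximum
        (64498, "10.20.0.0/24"),  # same foreign /24 via an unfiltered peer
    ]
    for peer, prefix in updates:
        print(peer, prefix, *evaluate(peer, prefix))
```

Local preference is only compared between routes for the same prefix, so the de-preferred /24 accepted from AS64498 would still draw traffic away from the covering /22; only the filter on AS64496 actually stops the same announcement.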


