stempfld@CC.IMS.DISA.MIL ("Dion Stempfley") writes:
> I was asked by a coworker if it was possible for Joe Badguy to reroute
> some traffic from a network, let's say whitehouse.gov, by using the
> whitehouse.gov ip address and forcing dynamic route updates to each
> router in a path up to the level of the router that the desired source
> uses.
It won't work across the Internet, because the Internet routers use BGP
(border gateway protocol) which is fairly picky about authenticating the
source of routing updates. Internet service providers generally don't even
trust each other unless they've got a bilateral arrangement.
On the other hand, if you're already inside a private net that's lax about
routing security, you can do a pretty good job of messing them up. You can
send RIP updates to routers forcing traffic addressed to any given node to
come to you instead. RIP has no authentication capability. OSPF does, but
I bet lots of sites don't use it. This is mostly a denial-of-service
attack since once you've got the routes pointing to you, it's real hard to
get the traffic back to the node it was supposed to go to. I guess if you
wanted to monitor traffic noninvasively, you could try to do it with
source-routing, but it doesn't sound easy.
There's another good denial-of-service attack that can be made on
somebody's Internet connection from the outside, by feeding them routing
updates over the Internet, to tie their border network's route into a knot.
You can't actually get packets out of the organization using this, but you
can stop people inside the organization from accessing their own firewall
(or stop the firewall from getting traffic out to the Internet).
The moral of this story is, if your firewall or your router to the Internet
participate in your own network's internal routing protocol, it's a real
good idea to filter out routing updates (UDP port 520 for RIP) coming in
from the Internet. Needless to say, filtering on source address doesn't do
much good, and that's all you can do with RIP once it's on the local net.
--
Tom Fitzgerald   1-508-967-5278   Wang Labs, Lowell MA, USA   fitz@wang.com
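The RIP route redirection and the border filter that the message above describes, as an added example that is not part of the original post: it encodes and decodes RIPv1 responses in the RFC 1058 layout (which carries no authentication field), shows a distance-vector table adopting a forged one-hop route so traffic for the target now flows to the attacker, and applies the "drop UDP/520 arriving from the Internet side" policy the post recommends. Every address is constructed from the RFC 5737 documentation ranges; the interface names, the function names and the "sender must be on the local subnet" sanity check are assumptions made for illustration.

```python
"""RIPv1 (RFC 1058) route poisoning and the border filter the post recommends.

Added example, not code from the original message.  Addresses are constructed
from RFC 5737 documentation ranges; interface names are assumptions.
"""
import ipaddress
import struct

RIP_PORT = 520          # UDP port RIP uses (the port the post says to filter)
RIP_RESPONSE = 2        # command byte: 1 = request, 2 = response
RIP_INFINITY = 16       # metric meaning "unreachable"
AF_INET_RIP = 2         # address-family value for IPv4 in a RIP entry

# Constructed scenario: an inside LAN, its legitimate router, a rogue host,
# and the remote address whose traffic the rogue host wants to attract.
LOCAL_NET = "198.51.100.0/24"
LEGIT_ROUTER = "198.51.100.1"
ATTACKER = "198.51.100.66"
VICTIM = "192.0.2.10"
BORDER_IFACES = {"eth0"}           # assumed name of the Internet-facing interface


def build_rip_response(routes):
    """Encode a RIPv1 response advertising (destination, metric) pairs.

    There is no authentication field anywhere in the packet, so a router
    cannot tell this from a genuine neighbour's advertisement.
    """
    if not 1 <= len(routes) <= 25:
        raise ValueError("a RIP packet carries 1..25 entries")
    pkt = struct.pack("!BBH", RIP_RESPONSE, 1, 0)       # command, version 1, pad
    for dest, metric in routes:
        if not 1 <= metric <= RIP_INFINITY:
            raise ValueError("metric must be 1..16")
        # entry: family, zero, address, zero, zero, metric  (20 bytes)
        pkt += struct.pack("!HH4sIII", AF_INET_RIP, 0,
                           ipaddress.IPv4Address(dest).packed, 0, 0, metric)
    return pkt


def parse_rip_response(data):
    """Decode a RIPv1 response into a list of (destination, metric)."""
    command, version, _pad = struct.unpack_from("!BBH", data, 0)
    if command != RIP_RESPONSE or version != 1:
        raise ValueError("not a RIPv1 response")
    body = data[4:]
    if not body or len(body) % 20:
        raise ValueError("malformed entry list")
    routes = []
    for off in range(0, len(body), 20):
        af, _z, addr, _z1, _z2, metric = struct.unpack_from("!HH4sIII", body, off)
        if af != AF_INET_RIP:
            continue                       # unknown families are ignored by receivers
        routes.append((str(ipaddress.IPv4Address(addr)), metric))
    return routes


def apply_rip_update(table, sender, data):
    """Distance-vector update with no sender check, the weakness the post describes.

    table maps destination -> (next_hop, metric).  An advertised metric costs
    one more hop on receipt; a cheaper path replaces the current one, and the
    current next hop may always refresh (or withdraw) its own route.
    """
    for dest, metric in parse_rip_response(data):
        cost = min(metric + 1, RIP_INFINITY)
        current = table.get(dest)
        if current is None or cost < current[1] or current[0] == sender:
            table[dest] = (sender, cost)
    return table


def accept_rip_update(ingress_iface, sender, border_ifaces=BORDER_IFACES,
                      local_net=LOCAL_NET):
    """The post's moral as a predicate: RIP arriving from the Internet-facing
    interface is dropped outright.  The sender-address check on the inside is
    only a sanity check; as the post notes, a host on the LAN can forge it."""
    if ingress_iface in border_ifaces:
        return False
    return ipaddress.IPv4Address(sender) in ipaddress.IPv4Network(local_net)


def demo():
    """Run the attack against an unfiltered table, then show the border filter."""
    table = {VICTIM: (LEGIT_ROUTER, 5)}            # genuine route, five hops away
    poison = build_rip_response([(VICTIM, 1)])     # rogue host claims one hop
    apply_rip_update(table, ATTACKER, poison)
    hijacked = table[VICTIM][0] == ATTACKER
    # The same packet arriving from outside never reaches the routing table.
    from_outside = accept_rip_update("eth0", "203.0.113.7")
    from_inside = accept_rip_update("eth1", ATTACKER)
    return hijacked, from_outside, from_inside


if __name__ == "__main__":
    print(demo())
```

Note that the inside case still returns True: once a forged update is on the local segment, the interface filter cannot help, which is the point of the closing paragraph above. RIPv1 as laid out here offers nothing further to check.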