Re: [RPSEC] DDoS of routing ?

Alex Zinin <zinin@psg.com> Fri, 14 March 2003 02:57 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA00477 for <rpsec-archive@odin.ietf.org>; Thu, 13 Mar 2003 21:57:25 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h2E3C9a23978 for rpsec-archive@odin.ietf.org; Thu, 13 Mar 2003 22:12:09 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h2E3C9O23975 for <rpsec-web-archive@optimus.ietf.org>; Thu, 13 Mar 2003 22:12:09 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA00463 for <rpsec-web-archive@ietf.org>; Thu, 13 Mar 2003 21:56:54 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h2E3BJO23950; Thu, 13 Mar 2003 22:11:19 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h2E3AJO23894 for <rpsec@optimus.ietf.org>; Thu, 13 Mar 2003 22:10:19 -0500
Received: from psg.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA00445 for <rpsec@ietf.org>; Thu, 13 Mar 2003 21:55:04 -0500 (EST)
Received: from psg.com ([147.28.0.62] helo=127.0.0.1) by psg.com with esmtp (Exim 3.36 #1) id 18tfNf-000HTX-00; Thu, 13 Mar 2003 18:57:11 -0800
Date: Thu, 13 Mar 2003 18:55:21 -0800
From: Alex Zinin <zinin@psg.com>
X-Mailer: The Bat! (v1.62i) Personal
Reply-To: Alex Zinin <zinin@psg.com>
X-Priority: 3 (Normal)
Message-ID: <137211665048.20030313185521@psg.com>
To: Iljitsch van Beijnum <iljitsch@muada.com>
CC: "Ayyasamy, Senthilkumar (UMKC-Student)" <saq66@umkc.edu>, rpsec@ietf.org
Subject: Re: [RPSEC] DDoS of routing ?
In-Reply-To: <20030313143414.V69506-100000@sequoia.muada.com>
References: <20030313143414.V69506-100000@sequoia.muada.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: rpsec-admin@ietf.org
Errors-To: rpsec-admin@ietf.org
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>

Iljitsch, Senthil-

<AD hat off wrt this draft>

Thursday, March 13, 2003, 5:58:00 AM, Iljitsch van Beijnum wrote:
> On Thu, 13 Mar 2003, Ayyasamy, Senthilkumar  (UMKC-Student) wrote:

>> while a DoS attack of routing pkts by a peer can lead to RT
>> exhaustion, is DDoS of routing pkts observed previously?

> I think attacks on port 179 of routers have been observed in the wild.

This is what I have heard second hand too.

Note, btw, that user-level attacks against routers are not limited to
those using routing protocols or targeted to CPU/queue exhaustion.
Vulnerabilities related to various forms of buffer overflow, and other
implementation bugs/suboptimalities, have been known for a long time.
Those can potentially be exploited too.

And the attacks are getting more and more sophisticated; an example
is the recently announced OSPF exploit where an attacker can make
a router execute malicious code.

>> Actually, i had an offline discussion with sandy long back and she
>> mentioned that it doesn't exist.

> You're not saying we should wait to fix holes until someone falls in
> them, are you?

> At the same time, IGPs are somewhat hard to attack as they use
> multicasts that routers aren't going to forward.

This is not entirely true.

IS-IS is indeed not susceptible to user-level attacks, as, in its
original form, it uses L2 encapsulation for its PDUs, and because those
are unroutable, a user can't send an IS-IS packet to a router.
However, I'm hearing that some vendors have actually implemented
ISIS-over-IPv4 though it wasn't accepted by the IS-IS WG. This could
leave a potential backdoor for an attacker if the implementation just
listens to this IP protocol or has it enabled on a set of interfaces.
It would be as good/bad as in the OSPF case, no extra.

OSPF, on the other hand, uses unicast quite extensively. First, on
broadcast media all neighbor-to-neighbor OSPF packet exchanges from
ExStart and higher are done in unicast. Plus we have virtual links
that are exclusively unicast. Besides, the specification suggests
treating both unicast and multicast packets equally, which is what many
implementations do, especially if they allow manually configured
neighbors. So, it is very possible for an attacker to send a packet to
a router and it will be allowed to go all the way up to the OSPF
process (unless MD5 is done on the LC, of course).

>> context: zinin-rtg-dos-00
>> I guess, zinin draft talks only about DDoS of data traffic.

> Doesn't look that way to me.

Right.

In fact, it does not talk at all about data traffic DDoS. It is all
about protecting routers' control plane from user-level attacks.

Alex

_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec
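The point Alex makes about OSPF (unicast exchanges from ExStart onward, virtual links, manually configured neighbors) means a router cannot separate legitimate routing packets from user-originated ones by destination address alone; the packet has to be checked against configured neighbors and for cryptographic authentication before it reaches the OSPF process, and the same "known peer only" rule applies to BGP on TCP 179. The following is an added illustration of such a control-plane filter, not code from this thread or from any vendor implementation. The neighbor and peer addresses, the packet builders and the sample packets are all constructed here; the filter only parses the IPv4 header, the 24-byte OSPFv2 header (version, type, length, router ID, area ID, checksum, AuType, authentication) and the TCP port fields, and it treats AuType 2 (RFC 2328 cryptographic authentication) as the only acceptable OSPF AuType.

```python
import struct
import ipaddress

OSPF_PROTO = 89            # IP protocol number carrying OSPF
TCP_PROTO = 6
BGP_PORT = 179
OSPF_AUTYPE_CRYPTO = 2     # RFC 2328 Appendix D: cryptographic (MD5) authentication

# Hypothetical configuration of the router being protected (constructed values).
OSPF_NEIGHBORS = {"10.0.0.2", "10.0.0.3"}
BGP_PEERS = {"192.0.2.1"}


def parse_ipv4(pkt: bytes):
    """Return (protocol, src, dst, payload) for an IPv4 packet, or raise ValueError."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return proto, src, dst, pkt[ihl:]


def ospf_autype(payload: bytes) -> int:
    """Extract the AuType field (bytes 14-15) from a 24-byte OSPFv2 packet header."""
    if len(payload) < 24 or payload[0] != 2:
        raise ValueError("not an OSPFv2 header")
    return struct.unpack("!H", payload[14:16])[0]


def control_plane_verdict(pkt: bytes, ospf_neighbors=OSPF_NEIGHBORS, bgp_peers=BGP_PEERS) -> str:
    """Decide whether a packet may be handed to the OSPF or BGP process."""
    try:
        proto, src, dst, payload = parse_ipv4(pkt)
    except ValueError as exc:
        return f"drop: {exc}"

    if proto == OSPF_PROTO:
        # Unicast OSPF is legitimate (ExStart and later on broadcast media,
        # virtual links, manually configured neighbors), so the destination
        # address alone cannot separate peers from strangers.  Check the
        # source against configured neighbors and require cryptographic
        # authentication before the packet goes up to the OSPF process.
        if src not in ospf_neighbors:
            return "drop: OSPF from non-neighbor"
        try:
            if ospf_autype(payload) != OSPF_AUTYPE_CRYPTO:
                return "drop: OSPF without cryptographic auth"
        except ValueError as exc:
            return f"drop: {exc}"
        return "accept: OSPF"

    if proto == TCP_PROTO:
        if len(payload) < 4:
            return "drop: short TCP header"
        sport, dport = struct.unpack("!HH", payload[:4])
        if BGP_PORT in (sport, dport):
            if src not in bgp_peers:
                return "drop: BGP from non-peer"
            return "accept: BGP"

    return "pass: not control-plane traffic"


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed IPv4 header (checksum left zero; the filter never verifies it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ospf_header(router_id: str, autype: int) -> bytes:
    """Constructed 24-byte OSPFv2 Hello header (body omitted; enough for the filter)."""
    return struct.pack("!BBH4s4sHH8s", 2, 1, 24, ipaddress.IPv4Address(router_id).packed,
                       b"\x00" * 4, 0, autype, b"\x00" * 8)


def build_tcp_header(sport: int, dport: int) -> bytes:
    """Constructed minimal TCP header; only the ports matter to the filter."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 16


def run_samples() -> dict:
    """Run the filter over constructed packets and return the verdict for each."""
    samples = {
        "ospf_mcast_neighbor_md5": build_ipv4(OSPF_PROTO, "10.0.0.2", "224.0.0.5",
                                              build_ospf_header("10.0.0.2", OSPF_AUTYPE_CRYPTO)),
        "ospf_unicast_neighbor_md5": build_ipv4(OSPF_PROTO, "10.0.0.3", "10.0.0.1",
                                                build_ospf_header("10.0.0.3", OSPF_AUTYPE_CRYPTO)),
        "ospf_unicast_neighbor_noauth": build_ipv4(OSPF_PROTO, "10.0.0.3", "10.0.0.1",
                                                   build_ospf_header("10.0.0.3", 0)),
        "ospf_unicast_stranger": build_ipv4(OSPF_PROTO, "203.0.113.9", "10.0.0.1",
                                            build_ospf_header("203.0.113.9", OSPF_AUTYPE_CRYPTO)),
        "bgp_from_peer": build_ipv4(TCP_PROTO, "192.0.2.1", "10.0.0.1", build_tcp_header(40000, BGP_PORT)),
        "bgp_from_stranger": build_ipv4(TCP_PROTO, "198.51.100.5", "10.0.0.1", build_tcp_header(40000, BGP_PORT)),
        "http_transit": build_ipv4(TCP_PROTO, "198.51.100.5", "10.0.0.1", build_tcp_header(40000, 80)),
        "truncated": b"\x45\x00\x00",
    }
    return {name: control_plane_verdict(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:30s} {verdict}")
```

The unicast Hello from a configured neighbor is accepted only with AuType 2, which is the "MD5 on the LC" case Alex mentions: a line card applying this check keeps unauthenticated unicast OSPF from a non-neighbor, or from a spoofed neighbor address without the key, away from the OSPF process entirely. Non-control-plane TCP is passed through untouched, since the filter is about protecting the router's own processes, not about data traffic.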