IETF Logo Mail Archive

Re: [RPSEC] DDoS of routing ?

Alex Zinin <zinin@psg.com> Fri, 14 March 2003 05:38 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA04063 for <rpsec-archive@odin.ietf.org>; Fri, 14 Mar 2003 00:38:15 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h2E5r0s02226 for rpsec-archive@odin.ietf.org; Fri, 14 Mar 2003 00:53:00 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h2E5r0O02221 for <rpsec-web-archive@optimus.ietf.org>; Fri, 14 Mar 2003 00:53:00 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA04051 for <rpsec-web-archive@ietf.org>; Fri, 14 Mar 2003 00:37:43 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h2E5q3O02092; Fri, 14 Mar 2003 00:52:03 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h2E5pxO02077 for <rpsec@optimus.ietf.org>; Fri, 14 Mar 2003 00:51:59 -0500
Received: from psg.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA04026 for <rpsec@ietf.org>; Fri, 14 Mar 2003 00:36:42 -0500 (EST)
Received: from psg.com ([147.28.0.62] helo=127.0.0.1) by psg.com with esmtp (Exim 3.36 #1) id 18thu4-000O7j-00; Thu, 13 Mar 2003 21:38:48 -0800
Date: Thu, 13 Mar 2003 21:38:28 -0800
From: Alex Zinin <zinin@psg.com>
X-Mailer: The Bat! (v1.62i) Personal
Reply-To: Alex Zinin <zinin@psg.com>
X-Priority: 3 (Normal)
Message-ID: <0221452091.20030313213828@psg.com>
To: John Ioannidis <ji@research.att.com>
CC: Iljitsch van Beijnum <iljitsch@muada.com>, "Ayyasamy, Senthilkumar (UMKC-Student)" <saq66@umkc.edu>, rpsec@ietf.org
Subject: Re: [RPSEC] DDoS of routing ?
In-Reply-To: <20030314044946.GC4215@bual.research.att.com>
References: <20030313143414.V69506-100000@sequoia.muada.com> <137211665048.20030313185521@psg.com> <20030314044946.GC4215@bual.research.att.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: rpsec-admin@ietf.org
Errors-To: rpsec-admin@ietf.org
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit

JI,

Thursday, March 13, 2003, 8:49:46 PM, John Ioannidis wrote:
> DoS attacks on the BGP port are apparently fairly common, at least
> according to what I heard at the last NANOG.  The problem is that the
> pipe *to* the RP in many current routers is not all that fat, and even
> a small flooding attack against port 179 can take out the RP, and
> hence the router.

The problem is actually not BGP specific. BGP (as well as OSPF, or
LDP) just opens a generic queue and CPU exhaustion vulnerability.
Whenever a potentially forged packet (be that OSPF, RIP, or BGP)
shares resources with a valid packet (any type again), an attack is
possible.

Strictly speaking, the attack is not even MD5-specific, MD5 just
makes its success chances higher because it reduces the rate of
queue draining and increases CPU utilization.

> That particular vulnerability is fairly easy to fix; just deny
> anything *to* port 179 that's not coming from an adjacent router (that
> is, with TTL 255 or 254, depending on exactly what you are running),
> and that can stop all simple attacks.  Obviously, this doesn't work
> against multihop BGP;

Correct. BTSH solves a very focused problem--eBGP. The TTL hack
principle could be described using the notion of "trust radius", which
is (255-TTL). When it is 0 or 1, you're fine, because you don't expect
an attacker to be so close to your eBGP speaker. Once you increase it,
the probability of an attacker being within the trust proximity grows
very fast. So, this does not work for iBGP, or OSPF VLs (as well as
other multihop protocols used within a SP's network such as SSH or
SNMP).

> there you need crypto that's actually terminated
> at the line card (or outside the router); again, you don't want the
> cryptographic verification of your packets happening on the RP, for
> obvious reasons.

draft-zinin-rtg actually tries to solve a generic problem of attacks
from users (the iBGP and OSPF included) without the need for
additional HW, which should allow it to be implemented even on already
installed routers.

Alex

_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec

v2.23.0 | Report a Bug | By Email