RE: Re: [RPSEC] DDoS of routing ?

"Manral, Vishwas" <VishwasM@netplane.com> Fri, 14 March 2003 05:18 UTC

Message-ID: <E7E13AAF2F3ED41197C100508BD6A32879216E@india_exch.corp.mot.com>
From: "Manral, Vishwas" <VishwasM@netplane.com>
To: 'John Ioannidis' <ji@research.att.com>, Alex Zinin <zinin@psg.com>
Cc: Iljitsch van Beijnum <iljitsch@muada.com>, "Ayyasamy, Senthilkumar (UMKC-Student)" <saq66@umkc.edu>, rpsec@ietf.org
Subject: RE: Re: [RPSEC] DDoS of routing ?
Date: Fri, 14 Mar 2003 00:20:27 -0500

Hi ji,

Maybe the same thing can be done for OSPF too. All non-ABRs allow only a
TTL/hop limit reduced by one hop, so a value of 254 or 255. Only ABRs that
have virtual links configured should be allowed to process packets that are
not received from one hop away.

And it could clearly be specified that allowing virtual links could allow
such an attack.

Thanks,
Vishwas

-----Original Message-----
From: John Ioannidis [mailto:ji@research.att.com]
Sent: Friday, March 14, 2003 10:20 AM
To: Alex Zinin
Cc: Iljitsch van Beijnum; Ayyasamy, Senthilkumar (UMKC-Student);
rpsec@ietf.org
Subject: Re: Re: [RPSEC] DDoS of routing ?


DoS attacks on the BGP port are apparently fairly common, at least
according to what I heard at the last NANOG.  The problem is that the
pipe *to* the RP in many current routers is not all that fat, and even
a small flooding attack against port 179 can take out the RP, and
hence the router.

That particular vulnerability is fairly easy to fix; just deny
anything *to* port 179 that's not coming from an adjacent router (that
is, with TTL 255 or 254, depending on exactly what you are running),
and that can stop all simple attacks.  Obviously, this doesn't work
against multihop BGP; there you need crypto that's actually terminated
at the line card (or outside the router); again, you don't want the
cryptographic verification of your packets happening on the RP, for
obvious reasons.

/ji


On Thu, Mar 13, 2003 at 06:55:21PM -0800, Alex Zinin wrote:
> Iljitsch, Senthil-
> 
> <AD hat off wrt this draft>
> 
> Thursday, March 13, 2003, 5:58:00 AM, Iljitsch van Beijnum wrote:
> > On Thu, 13 Mar 2003, Ayyasamy, Senthilkumar (UMKC-Student) wrote:
> 
> >> while a DoS attack of routing pkts by a peer can lead to RT
> >> exhaustion, is DDoS of routing pkts observed previously?
> 
> > I think attacks on port 179 of routers have been observed in the wild.
> 
> This is what I have heard second hand too.
> 
> Note, btw, that user-level attacks against routers are not limited to
> those using routing protocols or targeted to CPU/queue exhaustion.
> Vulnerabilities related to various forms of buffer overflow, and other
> implementation bugs/suboptimalities have been known for a long time.
> Those can be potentially exploited too.
> 
> And the attacks are getting more and more sophisticated, an example
> is the recently announced OSPF exploit where an attacker can make
> a router execute malicious code.
> 
> >> Actually, i had an offline discussion with sandy long back and she
> >> mentioned that it doesn't exist.
> 
> > You're not saying we should wait to fix holes until someone falls in
> > them, are you?
> 
> > At the same time, IGPs are somewhat hard to attack as they use
> > multicasts that routers aren't going to forward.
> 
> This is not entirely true.
> 
> IS-IS is indeed not susceptible to user-level attacks, as, in its
> original form, it uses L2 encapsulation for its PDUs, and because those
> are unroutable, a user can't send an IS-IS packet to a router.
> However, I'm hearing that some vendors have actually implemented
> ISIS-over-IPv4 though it wasn't accepted by the IS-IS WG. This could
> leave a potential backdoor for an attacker if the implementation just
> listens to this IP protocol or has it enabled on a set of interfaces.
> It would be as good/bad as in the OSPF case, no extra.
> 
> OSPF, on the other hand, uses unicast quite extensively. First, on
> broadcast media all neighbor-to-neighbor OSPF packet exchanges from
> ExStart and higher are done in unicast. Plus we have virtual links
> that are exclusively unicast. Besides, the specification suggests
> treating both unicast and multicast packets equally, which is what many
> implementations do, especially if they allow manually configured
> neighbors. So, it is very possible for an attacker to send a packet to
> a router and it will be allowed to go all the way up to the OSPF
> process (unless MD5 is done on the LC, of course).
> 
> >> context: zinin-rtg-dos-00
> >> I guess, zinin draft talks only about DDoS of data traffic.
> 
> > Doesn't look that way to me.
> 
> Right.
> 
> In fact, it does not talk at all about data traffic DDoS. It is all
> about protecting routers' control plane from user-level attacks.
> 
> Alex
> 
_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec
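The TTL-based adjacency check discussed in this thread (ji's "deny anything to port 179 that did not arrive with TTL 255 or 254", and Vishwas's OSPF variant where only ABRs with virtual links process packets from more than one hop away), written out as an added example. This is not code from the list or from any router vendor; it parses a constructed IPv4 packet, extracts TTL, protocol and TCP destination port, and returns the verdict a line-card filter would apply before the packet reaches the route processor. The packet bytes, addresses and the `abr_with_virtual_links` / `multihop_bgp_peers` knobs are constructed for the example.

```python
"""TTL-based adjacency filter for BGP (TCP/179) and OSPF (IP protocol 89).

Added example, not code from the RPSEC thread. Constructed packets only.
"""
import struct
from ipaddress import IPv4Address
from typing import FrozenSet, Optional, Tuple

TCP_PROTO = 6
OSPF_PROTO = 89
BGP_PORT = 179
# A directly connected sender emits TTL 255; some receivers decrement before
# the check is applied, so 254 is accepted as well (as the thread notes).
ADJACENT_MIN_TTL = 254


def build_ipv4(src: str, dst: str, ttl: int, proto: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet: no options, header checksum left zero."""
    total_len = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, ttl, proto, 0,
        IPv4Address(src).packed, IPv4Address(dst).packed,
    )
    return header + payload


def build_tcp(sport: int, dport: int) -> bytes:
    """Construct a minimal 20-byte TCP header (SYN flag, no payload)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def parse_ipv4(packet: bytes) -> dict:
    """Return the fields the filter needs: ttl, proto, src, dst, payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20]
    )
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    return {
        "ttl": ttl,
        "proto": proto,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "payload": packet[ihl:total_len],
    }


def tcp_dst_port(payload: bytes) -> Optional[int]:
    """Destination port from a TCP header, or None if too short to carry one."""
    if len(payload) < 4:
        return None
    return struct.unpack("!HH", payload[:4])[1]


def control_plane_filter(packet: bytes, *, abr_with_virtual_links: bool = False,
                         multihop_bgp_peers: FrozenSet[str] = frozenset()) -> Tuple[str, str]:
    """Verdict for a packet addressed to the router itself.

    Returns (verdict, reason); verdict is "accept", "drop", or "pass" for
    traffic this filter does not cover.
    """
    ip = parse_ipv4(packet)
    adjacent = ip["ttl"] >= ADJACENT_MIN_TTL

    if ip["proto"] == TCP_PROTO and tcp_dst_port(ip["payload"]) == BGP_PORT:
        if adjacent:
            return "accept", "BGP from a directly connected neighbour"
        if ip["src"] in multihop_bgp_peers:
            # The TTL check cannot protect a multihop session; per ji's note,
            # such sessions need authentication terminated before the RP.
            return "accept", "configured multihop BGP peer (TTL check not applicable)"
        return "drop", "BGP from a non-adjacent source, ttl=%d" % ip["ttl"]

    if ip["proto"] == OSPF_PROTO:
        if adjacent:
            return "accept", "OSPF from a directly connected neighbour"
        if abr_with_virtual_links:
            return "accept", "ABR with virtual links may receive OSPF from further away"
        return "drop", "OSPF from a non-adjacent source on a non-ABR, ttl=%d" % ip["ttl"]

    return "pass", "not control-plane traffic covered by this filter"


if __name__ == "__main__":
    # Constructed sample traffic; 192.0.2.0/24 and 203.0.113.0/24 are documentation prefixes.
    samples = [
        ("neighbour BGP", build_ipv4("192.0.2.1", "192.0.2.2", 255, TCP_PROTO, build_tcp(40000, BGP_PORT))),
        ("remote BGP", build_ipv4("203.0.113.9", "192.0.2.2", 60, TCP_PROTO, build_tcp(40000, BGP_PORT))),
        ("remote OSPF", build_ipv4("203.0.113.9", "192.0.2.2", 250, OSPF_PROTO, b"\x02\x01")),
    ]
    for label, pkt in samples:
        print(label, control_plane_filter(pkt))
```

The `multihop_bgp_peers` exception is deliberately explicit: a packet that bypasses the TTL check is exactly the one whose authentication has to happen before the route processor, which is the point ji makes about multihop BGP.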