
List:       firewalls-gc
Subject:    Re: How secure is BGP? was Re: Two ISP's to one DMZ -
From:       "Mark Horn [ Net Ops ]" <mhorn () funb ! com>
Date:       1997-07-11 9:40:15

mikech@avana.net says:
>All of this discussion of the mechanics of BGP made me think. What if I 
>decided to grab Cisco's block of addresses and announce them as being routed 
>through my ISP with BGP? As long as my ISP's are peering with me, will they 
>accept *any* route update? If I announced the Cisco update to my ISP (let's 
>say MCI), would all of the MCI clients trying to access www.cisco.com come to 
>my web server instead? What would happen with other ISP's? Would they 
>accept this exception route?
>
>Has this happened in the real world?
>
>Is there any mechanism to prevent this?

Previous to this discussion, I thought that this was part of the purpose
of the Route Arbiter.  You could get the advertisement into your upstream
provider, but it would get blocked at the NAP - because the NAP would see
that the route you're advertising belongs to someone else's AS.
Eventually, your upstream provider would see that it was getting two
routes that conflicted - one from the NAP and one from you.  Eventually,
the upstream provider would boot your grubby butt.

But, since this is not the case, it seems like this is a pretty serious
security concern.  How is anyone to know whether I'm advertising a
netblock allocated to me by MCI, or stolen out of the middle of one of
MCI's CIDR's (for example)?  It's not particularly difficult to figure out
what IP addresses our web servers are using.  How can I prevent someone
else from advertising a more specific route than we're advertising?  This
makes it easy to do a trojan horse attack!

-- 
Mark Horn <mhorn@funb.com>

PGP Public Key available from: http://www.es.net/hypertext/pgp.html
PGP KeyID/fingerprint: 00CBA571/32 4E 4E 48 EA C6 74 2E  25 8A 76 E6 04 A1 7F C1
