[LUGOS-SEC] Re: [LUGOS] IDS

Saso Saso at VSecureIT.net
Tue Jul 6 09:53:27 CEST 2004


In the message I received, Primož Gabrijelčič writes:

Hi Primož,

>No, let's be realistic. In general I completely agree with you. But the
>problem is nevertheless real and not theoretical, because some manufacturers
>of network boxes whose name starts with C, in some boxes that speak BGP,
>use totally broken TCP/IP stacks that are a) predictable and
>b) don't check that the RST is placed exactly at the end of the TCP window.

In a previous life I read a document written by Barry Greene[1]:
www.cymru.com/Documents/barry2.pdf

I urge everyone who is afraid of TCP RST attacks to read the second
page.

Short summary:

To successfully spoof a TCP session supporting the BGP peers, the
following must be achieved[2]:

Source IP address must be spoofed. The source address of the BGP
Neighbor must be spoofed. In most cases this address can be determined
through ICMP traceroutes from various places on the Internet through the
BGP peer.[3] This form of mapping is a more advanced technique, requiring
an understanding of how routing and ISP peering works on the Internet.

Source Port must be spoofed. One of the two BGP peers initiates the BGP
session. The peer that initiates the BGP session will have a randomly or
sequentially selected port number within a port range (port range is
dependent on the TCP implementation)[4]. The BGP initiator will connect to
its peer's BGP port 179. Since it cannot be predicted which side is
using the random port and which side is using port 179 in the TCP
session, packet capturing is required.

IP's TTL must match. The IP TTL is a safety mechanism that ensures lost
packets on the Internet will eventually expire and get dropped. Most ISP
peering connections use eBGP. Since an eBGP session assumes the peers are
directly connected through a Layer 2 medium, the TTL of the IP packet is
required to be 1. The BGP packet is dropped if the TTL is greater than
1. Since the BGP speaker the attacker is trying to connect to will (most
likely) be transmitting its packets with a TTL of 1, the attacker will
need to be attached to the same layer 2 segment (local segment) as the
router it is attempting to attack to receive the BGP
packets. Alternatively, the attacker must measure the number of hops to
the targeted eBGP router and determine the exact value needed to count
down the TTL to equal 1.[5] Asymmetry on the Internet will add to the
difficulty of TTL count down determination, but not eliminate the
risk. It should be noted that TTL in and of itself is not a security
mechanism, but it does add another layer of difficulty when combined with
other TCP/BGP session management/validation techniques.

Interesting reading about BGP and especially about its security.

And this doesn't even mention MD5 authentication ...

As for Cisco's IP stack, it is predictable only for the first few
minutes, at most a few hours, after boot. Why that is so, I wrote in one
of my previous e-mails. And routers are usually things that don't get
rebooted just like that, for fun.

Best regards,

Saso

[1] Barry Greene works at Cisco Networks.

[2] These spoofing requirements have only been validated with the TCP
and BGP implementations in IOS 12.0S.  Further testing on GateD, Zebra,
and other vendor implementations is required.

[3] There are two techniques to hide the IP addresses used for eBGP
sessions. One technique uses loopback address to do the eBGP
peering. The other technique uses secondary addresses for the eBGP
peering. Both techniques hide the peering addresses from traceroutes.

[4] The randomness of the port number depends on the TCP implementation.

[5] If you are 5 hops away from the router, you must set the packet's
TTL to 6. This would decrement the packet by one per hop so that it will
have a TTL of 1 when it hits the targeted eBGP session.


