North American Network Operators Group (NANOG) mailing list archive

RE: tcp bgp vulnerability looking glass and route server issues.
By providing the 4-tuple (IP/port, dst/src) it makes guessing easier. As for production vs non-production, I suspect we have a mix; I did not even begin to audit them. A few spot checks is all I had time for. I would welcome any assistance in auditing vulnerable looking glass/route servers and would personally urge any LG/RS owners that were too verbose to lock them down a little.

Something I wasn't looking for but found was a full open connect proxy. With that you can connect to any IP on any port, a nice way to scan someone else's network and hide your source. I also found a few that allowed "show flash:". Personally, the exact image we run on a router isn't something I would want to publish :-)

Will locking down looking glass/route servers stop the TCP vulnerability? NO.
Does providing information assist in troubleshooting a BGP issue? NO.
I tend to err on the side of caution.

[email protected] GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
I reserve the right to be wrong and exercise as required.

-----Original Message-----
From: Lane Patterson [mailto:[email protected]]
Sent: Wednesday, April 21, 2004 5:22 PM
To: Smith, Donald; [email protected]
Subject: RE: tcp bgp vulnerability looking glass and route server issues.
Sensitivity: Private

While I agree that publicly open route-views routers should not allow display of "sho ip bgp nei" information, this is only giving away 4-tuple info regarding non-production BGP sessions, right? So folks could potentially flap the route-views sessions, but this will not affect any production routing in the data path. If any folks are allowing "sho ip bgp nei" via looking glass interface to a production router, then yes, that is a problem. I haven't seen any.

> -----Original Message-----
> From: Smith, Donald [mailto:[email protected]]
> Sent: Tuesday, April 20, 2004 1:38 PM
> To: [email protected]
> Subject: tcp bgp vulnerability looking glass and route server issues.
> Sensitivity: Private
>
> John Fraizer, author of MRLG, one of the looking glass implementations,
> has updated his code to fix a flaw that provided too much information.
>
> MRLG-4.3.0 is available here: ftp://ftp.enterzone.net/looking-glass/CURRENT/
>
> Some route servers also provide too much info.
> This audit was performed yesterday, so if you have already
> fixed this issue please ignore :-)
> Part of this issue is the fact that some route servers
> provide too much information.
> Without knowing the source/destination ports and IPs this is
> still a difficult vulnerability to exploit.
>
> From this URL I did a quick audit:
> http://www.traceroute.org/#Route%20Servers
> I did NOT look at the looking glass URLs, just the route servers.
>
> This is the list of open route servers I did a quick audit on. "No
> connection" means I was unable to connect to it. "Not misconfigured"
> means sho ip bgp nei did NOT work. "Sho ip bgp nei gives full ports/ips"
> means what you think it means. You may want to see if any of them
> are yours or if you peer with / are the upstream for any of them.
>
> "Route Servers"
>
> telnet://ner-routes.bbnplanet.net  BBN Planet NER route monitor
>   No connection
>
> telnet://route-server.belwue.de  BelWue (AS553)
>   Sho ip bgp nei gives full ports/ips.
>
> telnet://route-views.on.bb.telus.com  Telus - East Coast (AS852)
>   Sho ip bgp nei gives full ports/ips.
>
> telnet://route-views.ab.bb.telus.com  Telus - West Coast (AS852)
>   Sho ip bgp nei gives full ports/ips.
>
> telnet://route-server.cerf.net  CerfNet Route Server (AS1838)
>   Sho ip bgp nei gives full ports/ips.
>
> telnet://route-server.ip.tiscali.net  Tiscali (AS3257)
>   Sho ip bgp nei gives full ports/ips.
>
> telnet://route-server.gblx.net  Global Crossing (AS3549)
>   Not misconfigured :-)
>
> telnet://route-server.savvis.net/  SAVVIS Communications (AS3561)
>   Sho ip bgp nei gives full ports/ips.
>
> telnet://public-route-server.is.co.za  Internet Solutions (AS3741)
>   Sho ip bgp nei gives full ports/ips.
>
> telnet://route-server-ap.exodus.net  Exodus Communications Asia (AS4197)
>   No connection
>
> telnet://route-server.as5388.net  Planet Online (AS5388)
>   Sho ip bgp nei gives full ports/ips.
>
> telnet://route-server.opentransit.net  Opentransit (AS5511)
>   Not misconfigured :-)
>
> telnet://tpr-route-server.saix.net  South African Internet eXchange SAIX (AS5713)
>   Not misconfigured :-)
>
> telnet://route-server.gt.ca  GT Group Telecom (AS6539)
>   Sho ip bgp nei gives full ports/ips.
>
> telnet://route-server.as6667.net  EUNet Finland (AS6667)
>   Sho ip bgp nei gives full ports/ips.
>
> telnet://route-server.he.net  Hurricane Electric (AS6939)
>   Sho ip bgp nei gives full ports/ips.
>
> telnet://route-server.ip.att.net  AT&T (AS7018)
>   No connection
>
> telnet://route-views.optus.net.au  Optus Route Server Australia (AS7474)
>   Sho ip bgp nei gives full ports/ips.
>
> telnet://route-server.wcg.net  Wiltel (AS7911)
>   Sho ip bgp nei gives full ports/ips.
>
> telnet://route-server.colt.net  Colt Internet (AS8220)
>   Sho ip bgp nei gives full ports/ips.
>
> telnet://route-server-eu.exodus.net  Exodus Communications Europe (AS8709)
>   No connection
>
> telnet://route-views.bmcag.net  Broadnet mediascape communications AG (AS9132)
>   Not misconfigured :-)
>
> telnet://route-server-au.exodus.net  Exodus Communications Australia (AS9328)
>   No connection
>
> telnet://route-server.manilaix.net.ph  Manila Internet Exchange, Philippines (AS9670)
>   Sho ip bgp nei gives full ports/ips.
>
> telnet://route-server.east.attcanada.com  ATT Canada - East (AS15290)
>   Sho ip bgp nei gives full ports/ips.
>
> telnet://route-server.west.attcanada.com  ATT Canada - West (AS15290)
>   Sho ip bgp nei gives full ports/ips.
>
> telnet://route-server.ip.ndsoftware.net  NDSoftware (AS25358)
>   Sho ip bgp nei gives full ports/ips.
>
> telnet://route-server.loudpacket.net  Loud Packet (AS27276)
>   No connection.
>
> telnet://route-server.as28747.net/  RealROOT (AS28747)
>   No connection
>
> telnet://route-views.oregon-ix.net  Oregon-ix.net Route Server
>   Sho ip bgp nei appears it WOULD provide full ports/ips if
>   they had any? The command executed but came back empty!!??
>   This one can be used as a proxy bounce (connect ip port) too :-(
>
> telnet://route-server.utah.rep.net  Utah Regional Exchange Point Route Server
>   Sho ip bgp nei gives full ports/ips.
>
> telnet://www.netlantis.org  The NetLantis Project Route Server
>   Not misconfigured.
>
>
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
> pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
> Increased trust is received by not violating the trust you have
> received.
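An added illustration of the check an LG/RS owner could run against their own looking glass output before publishing it (it is not MRLG's code or anything from the thread). The sample is constructed in the style of Cisco IOS "show ip bgp neighbors" output using documentation addresses, and the "Local host/Foreign host" line format it matches is an assumption; the last function only puts a number on the thread's point that handing out the 4-tuple shrinks the attacker's guessing space.

```python
import math
import re

# Constructed sample in the style of IOS "show ip bgp neighbors" output; the
# addresses are documentation ranges, nothing here came from a real route server.
SAMPLE_OUTPUT = """\
BGP neighbor is 192.0.2.10,  remote AS 64496, external link
  BGP version 4, remote router ID 192.0.2.10
  BGP state = Established, up for 3w2d
  Last read 00:00:21, hold time is 90, keepalive interval is 30 seconds
  Connections established 4; dropped 3
Local host: 198.51.100.1, Local port: 179
Foreign host: 192.0.2.10, Foreign port: 11023
"""

# Lines that reveal the TCP 4-tuple of the session (assumed IOS line format).
ENDPOINT_RE = re.compile(
    r"^\s*(Local|Foreign) host: (?P<host>\S+), (?:Local|Foreign) port: (?P<port>\d+)",
    re.MULTILINE,
)


def find_endpoint_disclosures(output):
    """Return (side, host, port) for every line that exposes a session endpoint.

    An empty list means the output no longer hands out the 4-tuple an
    off-path attacker would need for a blind TCP reset of the session.
    """
    return [(m.group(1), m.group("host"), int(m.group("port")))
            for m in ENDPOINT_RE.finditer(output)]


def sanitize(output):
    """Drop the endpoint lines before relaying router output to an anonymous user.

    The neighbor address stays visible on the "BGP neighbor is" line; the
    local host and both port numbers are removed.
    """
    return "\n".join(line for line in output.splitlines()
                     if not ENDPOINT_RE.match(line)) + "\n"


def reset_guess_count(window, candidate_ports=1):
    """Worst-case blind-RST attempts: one per receive window across the 2^32
    sequence space, multiplied by how many source ports are still unknown.
    candidate_ports=1 models the case where the looking glass already gave
    the port away."""
    return math.ceil(2 ** 32 / window) * candidate_ports
```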