North American Network Operators Group


RE: tcp bgp vulnerability looking glass and route server issues.

  • From: Smith, Donald
  • Date: Thu Apr 22 02:56:27 2004
  • Sensitivity: Private

By providing the 4-tuple (src/dst IP and port) it makes guessing easier.
As for production vs. non-production, I suspect we have a mix; I did not
even begin to audit them. A few spot checks is all I had time for. I
would welcome any assistance in auditing vulnerable looking glass/route
servers and would personally urge any LG/RS owners that were too verbose
to lock them down a little.

Something I wasn't looking for but found was a fully open connect proxy.
With that you can connect to any IP on any port, a nice way to scan
someone else's network and hide your source. I also found a few that
allowed show flash:. Personally, the exact image we run on a router
isn't something I would want to publish:-)
Will locking down looking glass/route servers stop the TCP
vulnerability? NO.
Does providing information assist in troubleshooting a BGP issue? NO.
I tend to err on the side of caution.
[email protected] GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
I reserve the right to be wrong and exercise as required.


-----Original Message-----
From: Lane Patterson [mailto:[email protected]] 
Sent: Wednesday, April 21, 2004 5:22 PM
To: Smith, Donald; [email protected]
Subject: RE: tcp bgp vulnerability looking glass and route server issues.
Sensitivity: Private


While I agree that publicly open route-views routers should not allow
display of "sho ip bgp nei" information, this is only giving away
4-tuple info regarding non-production BGP sessions, right?  So folks
could potentially flap the route-views sessions, but this will not
affect any production routing in the data path.

If any folks are allowing "sho ip bgp nei" via looking glass interface
to a production router, then yes, that is a problem.  I haven't seen
any.


> -----Original Message-----
> From: Smith, Donald [mailto:[email protected]]
> Sent: Tuesday, April 20, 2004 1:38 PM
> To: [email protected]
> Subject: tcp bgp vulnerability looking glass and route server issues.
> Sensitivity: Private
> 
> 
> 
> John Fraizer, author of MRLG, one of the looking glass implementations,
> has updated his code to fix a flaw that provided too much information.
>  
> MRLG-4.3.0 is available here: ftp://ftp.enterzone.net/looking-glass/CURRENT/
> 
> Some route servers also provide too much info.
> This audit was performed yesterday, so if you have already
> fixed this issue please ignore:-)
> Part of this issue is the fact that some route servers
> provide too much information.
> Without knowing the source/destination ports and IPs this is
> still a difficult vulnerability to exploit.
> 
> From this URL I did a quick audit. 
> http://www.traceroute.org/#Route%20Servers
> I did NOT look at the looking glass URLs just the route servers.
> 
> This is the list of open route servers I did a quick audit on. No
> connection means I was unable to connect to it. Not misconfigured
> means sho ip bgp nei did NOT work. Sho ip bgp nei gives full ports/ips
> means what you think it means. You may want to see if any of them
> are yours or if you peer with / are the upstream for any of them.
> 
> "Route Servers"
> 
> telnet://ner-routes.bbnplanet.net  BBN Planet NER route monitor
> No connection
> 
> telnet://route-server.belwue.de  BelWue (AS553)
> Sho ip bgp nei gives full ports/ips.
> 
> telnet://route-views.on.bb.telus.com  Telus - East Coast (AS852)
> Sho ip bgp nei gives full ports/ips.
> 
> telnet://route-views.ab.bb.telus.com  Telus - West Coast (AS852)
> Sho ip bgp nei gives full ports/ips.
> 
> telnet://route-server.cerf.net  CerfNet Route Server (AS1838)
> Sho ip bgp nei gives full ports/ips.
> 
> telnet://route-server.ip.tiscali.net  Tiscali (AS3257)
> Sho ip bgp nei gives full ports/ips.
> 
> telnet://route-server.gblx.net  Global Crossing (AS3549)
> Not misconfigured:-)
> 
> telnet://route-server.savvis.net/  SAVVIS Communications (AS3561)
> Sho ip bgp nei gives full ports/ips.
> 
> telnet://public-route-server.is.co.za  Internet Solutions (AS3741)
> Sho ip bgp nei gives full ports/ips.
> 
> telnet://route-server-ap.exodus.net  Exodus Communications Asia (AS4197)
> No connection
> 
> telnet://route-server.as5388.net  Planet Online (AS5388)
> Sho ip bgp nei gives full ports/ips.
> 
> telnet://route-server.opentransit.net  Opentransit (AS5511)
> Not misconfigured:-)
> 
> telnet://tpr-route-server.saix.net  South African Internet eXchange
> SAIX (AS5713)
> Not misconfigured:-)
> 
> telnet://route-server.gt.ca  GT Group Telecom (AS6539)
> Sho ip bgp nei gives full ports/ips.
> 
> telnet://route-server.as6667.net  EUNet Finland (AS6667)
> Sho ip bgp nei gives full ports/ips.
> 
> telnet://route-server.he.net  Hurricane Electric (AS6939)
> Sho ip bgp nei gives full ports/ips.
> 
> telnet://route-server.ip.att.net  AT&T (AS7018)
> No connection
> 
> telnet://route-views.optus.net.au  Optus Route Server Australia (AS7474)
> Sho ip bgp nei gives full ports/ips.
> 
> telnet://route-server.wcg.net  Wiltel (AS7911)
> Sho ip bgp nei gives full ports/ips.
> 
> telnet://route-server.colt.net  Colt Internet (AS8220)
> Sho ip bgp nei gives full ports/ips.
> 
> telnet://route-server-eu.exodus.net  Exodus Communications Europe (AS8709)
> No connection
> 
> telnet://route-views.bmcag.net  Broadnet mediascape communications AG
> (AS9132)
> Not misconfigured:-)
> 
> telnet://route-server-au.exodus.net  Exodus Communications Australia
> (AS9328)
> No connection
> 
> telnet://route-server.manilaix.net.ph  Manila Internet Exchange,
> Philippines (AS9670)
> Sho ip bgp nei gives full ports/ips.
> 
> telnet://route-server.east.attcanada.com  ATT Canada - East (AS15290)
> Sho ip bgp nei gives full ports/ips.
> 
> telnet://route-server.west.attcanada.com  ATT Canada - West (AS15290)
> Sho ip bgp nei gives full ports/ips.
> 
> telnet://route-server.ip.ndsoftware.net  NDSoftware (AS25358)
> Sho ip bgp nei gives full ports/ips.
> 
> telnet://route-server.loudpacket.net  Loud Packet (AS27276)
> No connection.
> 
> telnet://route-server.as28747.net/  RealROOT (AS28747)
> No connection
> 
> telnet://route-views.oregon-ix.net  Oregon-ix.net Route Server
> Sho ip bgp nei appears it WOULD provide full ports/ips if
> they had any? The command executed but came back empty!!??
> This one can be used as a proxy bounce (connect ip port) too:-(
> 
> telnet://route-server.utah.rep.net  Utah Regional Exchange Point Route
> Server
> Sho ip bgp nei gives full ports/ips.
> 
> telnet://www.netlantis.org  The NetLantis Project Route Server
> Not misconfigured.
> 
> 
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
> pgpFingerPrint:9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC 
> Increased trust is received by not violating the trust you have 
> received.
>
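Added example (not from the thread, and not MRLG's code): the script below does offline what the audit above did by hand. It parses a constructed sample of Cisco IOS "show ip bgp neighbors" output for the TCP 4-tuple of each session, labels the output the way the list does ("gives full ports/ips" vs. "not misconfigured"), and estimates how many spoofed RST segments the 2004 TCP reset attack needs once the 4-tuple is known versus when the ephemeral port still has to be guessed. The sample output, the addresses (RFC 5737 documentation ranges), the ASNs, the 16384-byte window and the 1024-65535 ephemeral-port range are all assumptions; the script never connects to any of the servers named above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of Cisco IOS "show ip bgp neighbors" output, using
# RFC 5737 documentation addresses and private-use ASNs. Not captured from
# any of the route servers named in the thread.
SAMPLE_VERBOSE = """\
BGP neighbor is 192.0.2.1,  remote AS 64496, external link
  BGP version 4, remote router ID 192.0.2.1
  BGP state = Established, up for 3d02h
  Last read 00:00:12, hold time is 180, keepalive interval is 60 seconds
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 198.51.100.1, Local port: 179
Foreign host: 192.0.2.1, Foreign port: 11004

BGP neighbor is 192.0.2.2,  remote AS 64497, external link
  BGP version 4, remote router ID 192.0.2.2
  BGP state = Established, up for 1w2d
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 198.51.100.1, Local port: 29411
Foreign host: 192.0.2.2, Foreign port: 179
"""

# Constructed sample of what a locked-down server returns when the command
# is not available at the public exec level.
SAMPLE_LOCKED = "% Invalid input detected at '^' marker.\n"


@dataclass
class BgpTcpTuple:
    """The TCP 4-tuple of one BGP session, exactly what the audit flagged."""
    neighbor: str
    local_host: str
    local_port: int
    foreign_host: str
    foreign_port: int

    @property
    def ephemeral_port(self) -> int:
        # One side of a BGP session listens on 179; the other side's port is
        # ephemeral and is what an attacker would otherwise have to guess.
        return self.foreign_port if self.local_port == 179 else self.local_port


NEIGHBOR_RE = re.compile(r"^BGP neighbor is ([^,\s]+),", re.M)
LOCAL_RE = re.compile(r"^Local host: ([^,\s]+), Local port: (\d+)", re.M)
FOREIGN_RE = re.compile(r"^Foreign host: ([^,\s]+), Foreign port: (\d+)", re.M)


def extract_tuples(output: str) -> List[BgpTcpTuple]:
    """Split the output into per-neighbor blocks and pull each 4-tuple."""
    tuples = []
    for block in re.split(r"(?m)^(?=BGP neighbor is )", output):
        n = NEIGHBOR_RE.search(block)
        l = LOCAL_RE.search(block)
        f = FOREIGN_RE.search(block)
        if n and l and f:
            tuples.append(BgpTcpTuple(n.group(1), l.group(1), int(l.group(2)),
                                      f.group(1), int(f.group(2))))
    return tuples


def classify(output: str) -> str:
    """Label the output the way the audit list does."""
    if extract_tuples(output):
        return "gives full ports/ips"
    if "Invalid input" in output:
        return "not misconfigured"
    return "no neighbor data"


SEQ_SPACE = 2 ** 32
# Assumption: without the 4-tuple the attacker must also try every port in
# 1024-65535 for the non-179 side of the session.
EPHEMERAL_PORTS = 65535 - 1024 + 1


def rst_guesses(window: int, port_known: bool) -> int:
    """Worst-case number of spoofed RST segments for the 2004 TCP reset issue.

    A RST is accepted if its sequence number lands anywhere inside the
    receiver's window, so the sequence space is covered in ceil(2^32/window)
    tries per candidate port; an unknown ephemeral port multiplies that.
    """
    per_port = -(-SEQ_SPACE // window)  # ceiling division
    return per_port if port_known else per_port * EPHEMERAL_PORTS


def audit_report(output: str, window: int = 16384) -> Dict[str, object]:
    """Summarise one server's output: label, leaked sessions, RST workload."""
    tuples = extract_tuples(output)
    return {
        "classification": classify(output),
        "sessions": [(t.neighbor, t.local_port, t.foreign_port) for t in tuples],
        "ephemeral_ports": [t.ephemeral_port for t in tuples],
        "rst_guesses_with_tuple": rst_guesses(window, True),
        "rst_guesses_without_tuple": rst_guesses(window, False),
    }


if __name__ == "__main__":
    for name, sample in (("verbose", SAMPLE_VERBOSE), ("locked", SAMPLE_LOCKED)):
        print(name, audit_report(sample))
```

Run as a script it prints a report for both constructed samples. To audit a live server you would paste the text copied from your own telnet session into `audit_report`; the script deliberately opens no connections, since the point of the thread is that these servers answer anyone who asks.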