EH-Net

Ethical Hacking Discussions and Related Certifications => Malware => Topic started by: Dark_Knight on September 06, 2008, 10:58:52 PM


Title: Revealed: The Internet's Biggest Hole
Post by: Dark_Knight on September 06, 2008, 10:58:52 PM
I didn't know where to post this or if it is a re post but I found this to be very interesting.http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html (http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html)

My question is though how would I demonstrate this to my organization? I have brought it to their attention and we to meet to discuss the implications.

Title: Re: Revealed: The Internet's Biggest Hole
Post by: unicityd on September 07, 2008, 01:12:13 AM
I would suggest not trying to demonstrate it.  Normally BGP Hijacking causes a denial of service attack.  The new method uses AS path prepending so that it can send captured traffic to the real destination; originally, the hijacking AS became a black hole for the captured traffic.  Unless you're really familiar with BGP and with the details of the attack, you're probably just going to cause a denial of service attack.

As I understand it, the attack allows a rogue BGP router to advertise IP addresses that it doesn't actually deliver to.  An attacker wouldn't actually send malicious traffic to your site.  Instead, he'd tell other sites he can deliver to your IPs, read or modify the traffic that is sent to him, then forward it on to your network.  Unless you checked the global BGP routing table, you probably wouldn't notice anything except some extra latency.  To demonstrate the attack, you're going to need BGP routers on two different ASes: one victim and one attacker.

Unless you're an ISP, you can't prevent this attack.  In order to prevent this, ISPs are going to have to be more aggressive about filtering what their neighbor ASes advertise to them.  The best thing you can do is to research the issue so that you and your organization understand it and then contact your ISP to see what they are doing to prevent such attacks--probably, they should be doing some filtering on the advertisements they accept.

That said, I'm not a BGP expert.  What I've said here is based on my own readings about the attack.  If there is anyone on this forum who can offer some more insight (or corrections), I'd be much obliged.

The paper about the attack is located here:

http://blog.wired.com/27bstroke6/files/ballani_et_al_ip_hijack.pdf


Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com