Dailydave mailing list archives

Re: tubes clogged


From: "J. Oquendo" <sil () infiltrated net>
Date: Mon, 29 Dec 2008 11:06:20 -0600

On Mon, 29 Dec 2008, Jared DeMott wrote:

> Alexander Sotirov wrote:
>> I hereby grant the security community permission to freely speculate about the
>> details of our latest research:
>>
>> http://events.ccc.de/congress/2008/Fahrplan/track/Hacking/3023.en.html
>>
>> The best guess will win a special T-Shirt!
>>
>> Take care,
>> Alex
>
> An attack that leverages overrun routing queues to reroute traffic to a
> network of choice?


I'm thinking an attack that causes BGP peers (glue of the internet)
to go through a cascading flapping mechanism forcing them to
continuously dampen each other till they keep breaking adjacency
with each other.

EG:

R1 = 10.10.10.1
R2 = 10.11.12.1
R3 = 10.12.13.1

R1 is peered with R2
R2 is peered with R3

As R2 (spoofed): Fragment R1 randomly appearing as R2
R2 has the potential to flap, if it does flap and R1
is configured (im)properly, it will ignore R2 until
it gets its act in order. During the initial flap a
penalty is given which exponentially grows. During
the time of R2's appearance of flapping, R3 if sending
through R2 to get through to R1 will also ignore that
path.

http://www.ietf.org/rfc/rfc2439.txt
http://www.ripe.net/ripe/meetings/ripe-50/presentations/ripe50-plenary-wed-flap-damping.pdf

Anyhow, so imagine a mesh of flapping routers all
ignoring each other, one after the other. I thought
about something like this a while ago and modified
a lame tool a while back, but never put the theory
to practice. Besides I didn't have an Internet to
play with ;)


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Enough research will tend to support your
conclusions." - Arthur Bloch

"A conclusion is the place where you got
tired of thinking" - Arthur Bloch

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
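
The damping model from RFC 2439, linked in the message above, as an added example that is not part of the original post: each flap adds a fixed penalty that decays with a half-life, and a route is suppressed once the penalty exceeds the suppress limit, until it decays to the reuse limit. The parameter values are assumptions modelled on common vendor defaults, and the flap times are constructed.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class DampingParams:
    # Assumed values modelled on common vendor defaults, not taken from the post.
    penalty_per_flap: float = 1000.0
    suppress_limit: float = 2000.0
    reuse_limit: float = 750.0
    half_life_s: float = 900.0
    max_suppress_s: float = 3600.0

    @property
    def ceiling(self) -> float:
        # Cap chosen so decay from the ceiling to reuse_limit takes max_suppress_s.
        return self.reuse_limit * 2 ** (self.max_suppress_s / self.half_life_s)

def decayed(penalty: float, dt: float, p: DampingParams) -> float:
    """Penalty remaining after dt seconds of exponential decay."""
    return penalty * 0.5 ** (dt / p.half_life_s)

def reuse_time(penalty: float, at: float, p: DampingParams) -> float:
    """Time at which a penalty observed at `at` has decayed to reuse_limit."""
    return at + p.half_life_s * math.log2(penalty / p.reuse_limit)

def suppression_windows(flap_times, p: DampingParams = DampingParams()):
    """Return (start, end) intervals, in seconds, during which the route is suppressed."""
    penalty, last, start, windows = 0.0, 0.0, None, []
    for t in sorted(flap_times):
        # Close the open window if the route was reused before this flap.
        if start is not None and reuse_time(penalty, last, p) <= t:
            windows.append((start, reuse_time(penalty, last, p)))
            start = None
        penalty = min(decayed(penalty, t - last, p) + p.penalty_per_flap, p.ceiling)
        last = t
        if start is None and penalty > p.suppress_limit:
            start = t
    if start is not None:
        windows.append((start, reuse_time(penalty, last, p)))
    return windows

# Constructed flap timestamps (seconds) for one route learned from one peer.
SAMPLE_FLAPS = [0, 60, 120]

if __name__ == "__main__":
    for begin, end in suppression_windows(SAMPLE_FLAPS):
        print(f"suppressed from {begin:.0f}s to {end:.0f}s ({(end - begin) / 60:.1f} min)")
```

Running it against flap timestamps taken from router logs shows how long a given damping configuration would keep a route suppressed, which is the quantity to weigh when tuning these limits.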
