nanog mailing list archives
RE: tcp bgp vulnerability looking glass and route server issues.
From: "Burton, Chris" <Chris.Burton () dig com>
Date: Wed, 21 Apr 2004 16:46:02 -0700
Although the "show ip bgp nei" command is by far the easiest way to get the BGP peer information and should not be enabled on any production BGP peering routers that allow non-trusted or public connectivity, it is not the only way to get the information; anyone who does not do inbound SNMP filtering on their border routers or has a weak community string and has SNMP enabled could potentially give away their production BGP peer information for both source/destination IP address and source/destination ports. And since most Cisco devices I have seen usually use the 11000 (others too, I assume) range for source ports it just makes things easier. Although it is rare to come across networks that do not have SNMP filtering at their edge or at the very least strong community strings, it does happen, even if it happens by accident.

Chris Burton
Network Engineer
Walt Disney Internet Group: Network Services

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact Walt Disney Internet Group at 206-664-4000.

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Lane Patterson
Sent: Wednesday, April 21, 2004 4:22 PM
To: Smith, Donald; nanog () merit edu
Subject: RE: tcp bgp vulnerability looking glass and route server issues.
Sensitivity: Private

While I agree that publicly open route-views routers should not allow display of "sho ip bgp nei" information, this is only giving away 4-tuple info regarding non-production BGP sessions, right?
So folks could potentially flap the route-views sessions, but this will not affect any production routing in the data path. If any folks are allowing "sho ip bgp nei" via looking glass interface to a production router, then yes, that is a problem. I haven't seen any.
-----Original Message-----
From: Smith, Donald [mailto:Donald.Smith () qwest com]
Sent: Tuesday, April 20, 2004 1:38 PM
To: nanog () merit edu
Subject: tcp bgp vulnerability looking glass and route server issues.
Sensitivity: Private

John Fraizer, author of MRLG, one of the looking glass implementations, has updated his code to fix a flaw that provided too much information. MRLG-4.3.0 is available here: ftp://ftp.enterzone.net/looking-glass/CURRENT/

Some route servers also provide too much info. This audit was performed yesterday, so if you have already fixed this issue please ignore:-) Part of this issue is the fact that some route servers provide too much information. Without knowing the source/destination ports and IPs this is still a difficult vulnerability to exploit.

From this URL I did a quick audit: http://www.traceroute.org/#Route%20Servers
I did NOT look at the looking glass URLs, just the route servers. This is the list of open route servers I did a quick audit on. "No connection" means I was unable to connect to it. "Not misconfigured" means sho ip bgp nei did NOT work. "Sho ip bgp nei gives full ports/ips" means what you think it means. You may want to see if any of them are yours or if you peer with / are the upstream for any of them.

"Route Servers"
- telnet://ner-routes.bbnplanet.net, BBN Planet NER route monitor: No connection
- telnet://route-server.belwue.de, BelWue (AS553): Sho ip bgp nei gives full ports/ips.
- telnet://route-views.on.bb.telus.com, Telus - East Coast (AS852): Sho ip bgp nei gives full ports/ips.
- telnet://route-views.ab.bb.telus.com, Telus - West Coast (AS852): Sho ip bgp nei gives full ports/ips.
- telnet://route-server.cerf.net, CerfNet Route Server (AS1838): Sho ip bgp nei gives full ports/ips.
- telnet://route-server.ip.tiscali.net, Tiscali (AS3257): Sho ip bgp nei gives full ports/ips.
- telnet://route-server.gblx.net, Global Crossing (AS3549): Not misconfigured:-)
- telnet://route-server.savvis.net/, SAVVIS Communications (AS3561): Sho ip bgp nei gives full ports/ips.
- telnet://public-route-server.is.co.za, Internet Solutions (AS3741): Sho ip bgp nei gives full ports/ips.
- telnet://route-server-ap.exodus.net, Exodus Communications Asia (AS4197): No connection
- telnet://route-server.as5388.net, Planet Online (AS5388): Sho ip bgp nei gives full ports/ips.
- telnet://route-server.opentransit.net, Opentransit (AS5511): Not misconfigured:-)
- telnet://tpr-route-server.saix.net, South African Internet eXchange SAIX (AS5713): Not misconfigured:-)
- telnet://route-server.gt.ca, GT Group Telecom (AS6539): Sho ip bgp nei gives full ports/ips.
- telnet://route-server.as6667.net, EUNet Finland (AS6667): Sho ip bgp nei gives full ports/ips.
- telnet://route-server.he.net, Hurricane Electric (AS6939): Sho ip bgp nei gives full ports/ips.
- telnet://route-server.ip.att.net, AT&T (AS7018): No connection
- telnet://route-views.optus.net.au, Optus Route Server Australia (AS7474): Sho ip bgp nei gives full ports/ips.
- telnet://route-server.wcg.net, Wiltel (AS7911): Sho ip bgp nei gives full ports/ips.
- telnet://route-server.colt.net, Colt Internet (AS8220): Sho ip bgp nei gives full ports/ips.
- telnet://route-server-eu.exodus.net, Exodus Communications Europe (AS8709): No connection
- telnet://route-views.bmcag.net, Broadnet mediascape communications AG (AS9132): Not misconfigured:-)
- telnet://route-server-au.exodus.net, Exodus Communications Australia (AS9328): No connection
- telnet://route-server.manilaix.net.ph, Manila Internet Exchange, Philippines (AS9670): Sho ip bgp nei gives full ports/ips.
- telnet://route-server.east.attcanada.com, ATT Canada - East (AS15290): Sho ip bgp nei gives full ports/ips.
- telnet://route-server.west.attcanada.com, ATT Canada - West (AS15290): Sho ip bgp nei gives full ports/ips.
- telnet://route-server.ip.ndsoftware.net, NDSoftware (AS25358): Sho ip bgp nei gives full ports/ips.
- telnet://route-server.loudpacket.net, Loud Packet (AS27276): No connection.
- telnet://route-server.as28747.net/, RealROOT (AS28747): No connection
- telnet://route-views.oregon-ix.net, Oregon-ix.net Route Server: Sho ip bgp nei appears it WOULD provide full ports/ips if they had any? The command executed but came back empty!!?? This one can be used as a proxy bounce (connect ip port) too:-(
- telnet://route-server.utah.rep.net, Utah Regional Exchange Point Route Server: Sho ip bgp nei gives full ports/ips.
- telnet://www.netlantis.org, The NetLantis Project Route Server: Not misconfigured.

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
Increased trust is received by not violating the trust you have received.
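An added example, not part of any post in this thread: a Python self-check that parses captured "show ip bgp neighbors" output and sorts it into the categories Donald Smith used in his audit, so an operator can confirm what their own route server would reveal before exposing it. The sample output is constructed to approximate IOS formatting, and the rejection strings checked for are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample approximating IOS "show ip bgp neighbors" output (not a real capture).
SAMPLE_FULL = """\
BGP neighbor is 192.0.2.1,  remote AS 64496, external link
  BGP version 4, remote router ID 192.0.2.1
  BGP state = Established, up for 3w2d
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 192.0.2.2, Local port: 11021
Foreign host: 192.0.2.1, Foreign port: 179
BGP neighbor is 198.51.100.9,  remote AS 64497, external link
  BGP state = Established, up for 1d04h
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 198.51.100.10, Local port: 179
Foreign host: 198.51.100.9, Foreign port: 11004
"""
SAMPLE_EMPTY = ""  # command accepted but nothing returned (the oregon-ix case in the thread)
SAMPLE_DENIED = "% Invalid input detected at '^' marker.\n"  # assumed rejection text

NEIGHBOR_RE = re.compile(r"^BGP neighbor is (\S+),\s+remote AS (\d+)", re.M)
LOCAL_RE = re.compile(r"^Local host: (\S+), Local port: (\d+)", re.M)
FOREIGN_RE = re.compile(r"^Foreign host: (\S+), Foreign port: (\d+)", re.M)


@dataclass(frozen=True)
class Session:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


def exposed_sessions(output):
    """Return every TCP 4-tuple the dump reveals; Local/Foreign lines appear in pairs."""
    pairs = zip(LOCAL_RE.findall(output), FOREIGN_RE.findall(output))
    return [Session(l[0], int(l[1]), f[0], int(f[1])) for l, f in pairs]


def classify(output):
    """Map a route-server response onto the audit categories used in the thread."""
    if "Invalid input" in output or "Command authorization failed" in output:
        return "not misconfigured"  # the command was rejected, nothing leaked
    if exposed_sessions(output):
        return "gives full ports/ips"  # the 4-tuples needed for a TCP attack are visible
    if NEIGHBOR_RE.search(output):
        return "neighbors listed, no ports"
    return "empty"  # accepted but returned nothing, as with route-views.oregon-ix.net
```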
Current thread:
- tcp bgp vulnerability looking glass and route server issues. Smith, Donald (Apr 20)
- <Possible follow-ups>
- RE: tcp bgp vulnerability looking glass and route server issues. Lane Patterson (Apr 21)
- RE: tcp bgp vulnerability looking glass and route server issues. David Luyer (Apr 21)
- Re: tcp bgp vulnerability looking glass and route server issues. Troy Davis (Apr 21)
- RE: tcp bgp vulnerability looking glass and route server issues. Burton, Chris (Apr 21)
- RE: tcp bgp vulnerability looking glass and route server issues. Smith, Donald (Apr 21)