nanog mailing list archives

RE: tcp bgp vulnerability looking glass and route server issues.


From: "Burton, Chris" <Chris.Burton () dig com>
Date: Wed, 21 Apr 2004 16:46:02 -0700


        Although the "show ip bgp nei" command is by far the easiest way to
get the BGP peer information, and should not be enabled on any production
BGP peering routers that allow non-trusted or public connectivity, it is
not the only way to get the information; anyone who does not do inbound
SNMP filtering on their border routers, or has a weak community string
and has SNMP enabled, could potentially give away their production BGP
peer information for both source/destination IP address and
source/destination ports. And since most Cisco devices I have seen
usually use the 11000 (others too I assume) range for source ports, it
just makes things easier.

        Although it is rare to come across networks that do not have
SNMP filtering at their edge, or at the very least strong community
strings, it does happen, even if it happens by accident.

Chris Burton
Network Engineer
Walt Disney Internet Group: Network Services

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above. If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited. If you have received this
e-mail in error, please contact Walt Disney Internet Group at
206-664-4000.



-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of
Lane Patterson
Sent: Wednesday, April 21, 2004 4:22 PM
To: Smith, Donald; nanog () merit edu
Subject: RE: tcp bgp vulnerability looking glass and route server
issues.
Sensitivity: Private


While I agree that publicly open route-views routers should not allow
display of "sho ip bgp nei" information, this is only giving away
4-tuple info regarding non-production BGP sessions, right?  So folks
could potentially flap the route-views sessions, but this will not
affect any production routing in the data path.

If any folks are allowing "sho ip bgp nei" via looking glass interface
to a production router, then yes, that is a problem.  I haven't seen
any.


-----Original Message-----
From: Smith, Donald [mailto:Donald.Smith () qwest com]
Sent: Tuesday, April 20, 2004 1:38 PM
To: nanog () merit edu
Subject: tcp bgp vulnerability looking glass and route server issues.
Sensitivity: Private



John Fraizer, author of MRLG (one of the looking glass implementations),
has updated his code to fix a flaw that provided too much information.

MRLG-4.3.0 is available here:
ftp://ftp.enterzone.net/looking-glass/CURRENT/

Some route servers also provide too much info.
This audit was performed yesterday, so if you have already
fixed this issue please ignore:-)
Part of this issue is the fact that some route servers
provide too much information.
Without knowing the source/destination ports and IPs this is
still a difficult vulnerability to exploit.

From this URL I did a quick audit:
http://www.traceroute.org/#Route%20Servers
I did NOT look at the looking glass URLs, just the route servers.

This is the list of open route servers I did a quick audit on.
No connection means I was unable to connect to it.
Not misconfigured means sho ip bgp nei did NOT work.
Sho ip bgp nei gives full ports/ips means what you think it means.
You may want to see if any of them are yours, or if you peer with /
are the upstream for any of them.

"Route Servers"

telnet://ner-routes.bbnplanet.net  BBN Planet NER route monitor
No connection

telnet://route-server.belwue.de  BelWue (AS553)
Sho ip bgp nei gives full ports/ips.

telnet://route-views.on.bb.telus.com  Telus - East Coast (AS852)
Sho ip bgp nei gives full ports/ips.

telnet://route-views.ab.bb.telus.com  Telus - West Coast (AS852)
Sho ip bgp nei gives full ports/ips.

telnet://route-server.cerf.net  CerfNet Route Server (AS1838)
Sho ip bgp nei gives full ports/ips.

telnet://route-server.ip.tiscali.net  Tiscali (AS3257)
Sho ip bgp nei gives full ports/ips.

telnet://route-server.gblx.net  Global Crossing (AS3549)
Not misconfigured:-)

telnet://route-server.savvis.net/  SAVVIS Communications (AS3561)
Sho ip bgp nei gives full ports/ips.

telnet://public-route-server.is.co.za  Internet Solutions (AS3741)
Sho ip bgp nei gives full ports/ips.

telnet://route-server-ap.exodus.net  Exodus Communications Asia (AS4197)
No connection

telnet://route-server.as5388.net  Planet Online (AS5388)
Sho ip bgp nei gives full ports/ips.

telnet://route-server.opentransit.net  Opentransit (AS5511)
Not misconfigured:-)

telnet://tpr-route-server.saix.net  South African Internet eXchange SAIX (AS5713)
Not misconfigured:-)

telnet://route-server.gt.ca  GT Group Telecom (AS6539)
Sho ip bgp nei gives full ports/ips.

telnet://route-server.as6667.net  EUNet Finland (AS6667)
Sho ip bgp nei gives full ports/ips.

telnet://route-server.he.net  Hurricane Electric (AS6939)
Sho ip bgp nei gives full ports/ips.

telnet://route-server.ip.att.net  AT&T (AS7018)
No connection

telnet://route-views.optus.net.au  Optus Route Server Australia (AS7474)
Sho ip bgp nei gives full ports/ips.

telnet://route-server.wcg.net  Wiltel (AS7911)
Sho ip bgp nei gives full ports/ips.

telnet://route-server.colt.net  Colt Internet (AS8220)
Sho ip bgp nei gives full ports/ips.

telnet://route-server-eu.exodus.net  Exodus Communications Europe (AS8709)
No connection

telnet://route-views.bmcag.net  Broadnet mediascape communications AG (AS9132)
Not misconfigured:-)

telnet://route-server-au.exodus.net  Exodus Communications Australia (AS9328)
No connection

telnet://route-server.manilaix.net.ph  Manila Internet Exchange, Philippines (AS9670)
Sho ip bgp nei gives full ports/ips.

telnet://route-server.east.attcanada.com  ATT Canada - East (AS15290)
Sho ip bgp nei gives full ports/ips.

telnet://route-server.west.attcanada.com  ATT Canada - West (AS15290)
Sho ip bgp nei gives full ports/ips.

telnet://route-server.ip.ndsoftware.net  NDSoftware (AS25358)
Sho ip bgp nei gives full ports/ips.

telnet://route-server.loudpacket.net  Loud Packet (AS27276)
No connection.

telnet://route-server.as28747.net/  RealROOT (AS28747)
No connection

telnet://route-views.oregon-ix.net  Oregon-ix.net Route Server
Sho ip bgp nei appears it WOULD provide full ports/ips if
they had any? The command executed but came back empty!!??
This one can be used as a proxy bounce (connect ip port) too:-(

telnet://route-server.utah.rep.net  Utah Regional Exchange Point Route Server
Sho ip bgp nei gives full ports/ips.

telnet://www.netlantis.org  The NetLantis Project Route Server
Not misconfigured.


http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC
Increased trust is received by not violating the trust you 
have received.
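The audit above sorts each route server by whether "sho ip bgp nei" hands back the full TCP 4-tuple of its sessions. The script below is an added example (not part of the thread, and not MRLG's code) that automates that classification over whatever text your own looking glass or route server returns, so an operator can confirm that the "Local host / Local port" and "Foreign host / Foreign port" lines are being filtered. The sample outputs are constructed in the shape of Cisco IOS "show ip bgp neighbors" text, with documentation addresses and private-use AS numbers; the function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of Cisco IOS "show ip bgp neighbors" output.
# Addresses and AS numbers are documentation/private-use values, not a real router.
SAMPLE_OUTPUT = """\
BGP neighbor is 192.0.2.2,  remote AS 64496, external link
  BGP version 4, remote router ID 192.0.2.2
  BGP state = Established, up for 02:10:33
  Last read 00:00:12, hold time is 180, keepalive interval is 60 seconds
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 192.0.2.1, Local port: 11015
Foreign host: 192.0.2.2, Foreign port: 179

BGP neighbor is 198.51.100.9,  remote AS 64497, external link
  BGP version 4, remote router ID 0.0.0.0
  BGP state = Idle
No active TCP connection
"""

# Constructed sample of the same command after a looking glass has stripped
# the TCP connection lines (the "Not misconfigured" outcome in the audit).
REDACTED_OUTPUT = """\
BGP neighbor is 192.0.2.2,  remote AS 64496, external link
  BGP version 4, remote router ID 192.0.2.2
  BGP state = Established, up for 02:10:33
"""

NEIGHBOR_RE = re.compile(r"^BGP neighbor is (\S+?),\s+remote AS (\d+)")
LOCAL_RE = re.compile(r"Local host: (\S+?), Local port: (\d+)")
FOREIGN_RE = re.compile(r"Foreign host: (\S+?), Foreign port: (\d+)")


@dataclass
class PeerSession:
    neighbor: str
    remote_as: int
    local_host: Optional[str] = None
    local_port: Optional[int] = None
    foreign_host: Optional[str] = None
    foreign_port: Optional[int] = None

    @property
    def discloses_tuple(self) -> bool:
        """True when the output reveals the full TCP 4-tuple of this session."""
        return None not in (self.local_host, self.local_port,
                            self.foreign_host, self.foreign_port)


def parse_show_ip_bgp_neighbors(text: str) -> List[PeerSession]:
    """Split the output into per-neighbor blocks and pull out the TCP endpoints."""
    sessions = []
    for block in re.split(r"(?m)^(?=BGP neighbor is )", text):
        head = NEIGHBOR_RE.match(block)
        if not head:
            continue  # leading text before the first neighbor block
        session = PeerSession(neighbor=head.group(1), remote_as=int(head.group(2)))
        local = LOCAL_RE.search(block)
        foreign = FOREIGN_RE.search(block)
        if local:
            session.local_host, session.local_port = local.group(1), int(local.group(2))
        if foreign:
            session.foreign_host, session.foreign_port = foreign.group(1), int(foreign.group(2))
        sessions.append(session)
    return sessions


def connection_initiator_port(session: PeerSession) -> Optional[int]:
    """Port of the side that opened the TCP connection (the non-179 end).

    This is the ephemeral port the thread talks about; if it is visible in
    looking-glass output, the full session identity has been disclosed."""
    if not session.discloses_tuple:
        return None
    return session.foreign_port if session.local_port == 179 else session.local_port


def verdict(text: str) -> str:
    """Classify the output the way the audit in the thread does."""
    sessions = parse_show_ip_bgp_neighbors(text)
    if not sessions:
        return "empty"  # command ran but showed no neighbors
    if any(s.discloses_tuple for s in sessions):
        return "gives full ports/ips"
    return "not misconfigured"


if __name__ == "__main__":
    for label, text in (("raw router output", SAMPLE_OUTPUT),
                        ("filtered looking glass", REDACTED_OUTPUT)):
        print(f"{label}: {verdict(text)}")
        for s in parse_show_ip_bgp_neighbors(text):
            if s.discloses_tuple:
                print(f"  AS{s.remote_as} {s.local_host}:{s.local_port} <-> "
                      f"{s.foreign_host}:{s.foreign_port} "
                      f"(initiator port {connection_initiator_port(s)})")
```

Paste the text your route server or looking glass returns in place of the constructed samples; a "gives full ports/ips" verdict means the connection lines are reaching anonymous users and the command should be filtered or removed from the public interface, which is what the MRLG fix does.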


