
Thread: Core Internet technology found vulnerable

  1. #21
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    ?? As soon as some application is running over a network, you know that at least one connection exists. If you can sniff the network, you should have everything you need to kill it - or maybe that's exactly what you're saying
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  2. #22
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    As soon as some application is running over a network, you know that at least one connection exists. If you can sniff the network, you should have everything you need to kill it - or maybe that's exactly what you're saying
    Yes but here's the trick: I can detect connections running on MY network but say a connection from Australia to a location in Germany? For example, TheRealAphex's tool requires both source and destination IP. I might have one for a remote location but both? I don't know if this could be as wide as they claim it.

    And yes, if I can sniff the network I can kill it (proven before elsewhere) which makes me wonder as to how "new" this is. Sounds more like FUD to me.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #23
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    Originally posted here by MsMittens


    Yes but here's the trick: I can detect connections running on MY network but say a connection from Australia to a location in Germany? For example, TheRealAphex's tool requires both source and destination IP. I might have one for a remote location but both?
    (snip)
    Isn't that the problem with all injection-based attacks?
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  4. #24
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Isn't that the problem with all injection-based attacks?
    Yes but the media is blowing it out of proportion. I had a colleague in a panic yesterday because he heard on the radio about the vulnerability and that "hackers could bring down the Internet". It's a FUD issue.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #25
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ms. M:

    I think the key to the "danger" here is that you only need to be able to guess the source and destination. You may be able to go further and determine whether the routers are using BGP by making BGP requests to them and seeing if they respond appropriately.

    For example a tracert to yahoo comes up with these hops.... These are going to be fairly important routers. I can see that hop 8 can talk to hop 9 directly. If I want I can spoof hop 8's address at hop 9's router and try to tear down the connection. If I'm lucky and succeed then I put that route down for the period it takes to bring the connection back up and rebuild the routing tables.

    8 30 ms 20 ms 50 ms p5-2-0-1.rar1.chicago-il.us.xo.net [65.106.6.173]
    9 30 ms 60 ms 40 ms p0-0.ir1.chicago2-il.us.xo.net [65.106.6.134]
    10 91 ms 60 ms 30 ms so-2-3-3.edge1.chicago1.level3.net [209.0.225.13]

    If I'm a bit fancier I'll send a BGP request to both routers, (I'm not familiar with BGP but they have to respond in a recognizable fashion). If I get a satisfactory response from either or both I can bring down one or the other or both.

    An automated app collecting tracert info and passing the middle router's information to a "scan" engine that looks for BGP and/or any other exploitable protocol/implementation that then passes the vulnerable routers' IPs to the attack engine would probably be fairly trivial for someone to come up with. If that were to happen then the impact would be noticeable along given routes. It's mitigable by the fact that the original source could be tracked in a fairly short time and blocked. But that's where the imagination and planning of the attacker comes in.

    Yes, I think this could be a fairly damaging attack were it to be properly executed.... But I think you'll find that many of the routers that are quite key to the backbones are being upgraded/patched/mitigated as we speak.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #26
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    So basically this amounts to: If ISPs implemented proper egress/ingress filtering, this would be a non-issue. Good to know.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  7. #27
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    csch: You said if...... Little word..... Big meaning....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #28
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Originally posted here by Tiger Shark
    csch: You said if...... Little word..... Big meaning....
    Tegir Shrak: Yes, I did say If, not all do. Some do however.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  9. #29
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Originally posted here by THEJRC
    Or I could be off base and the age old TCP protocol may be in desperate need of revamping, why IPV6 never rolled the way they planned is another question we may need to ask. Rates right up there with why people still don't update antivirus, why VPNs aren't in use more often, and why we've all become so reliant on vendors to patch things in "the nick of time".

    /end rant
    IPV6 has been talked about long before I even owned a computer...Which isn't long, but There is more to this than "Well just switch to IPv6 and all the problems go away right?" No, This from what I understand hasn't had the testing IPv4 has. Remember when the internet came together?

    IPv6 is not ready yet. They may have professional security guys working on it to see what could happen, but those security guys know what they are looking for, and can NOT create the same problems the average moron on the internet could. It takes an idiot to find/create REAL problems, security research guys can find most of the usual bugs in something, but like I said, let Alabama have a crack at it before it gets released to the public.

    And what the hell are we going to do with enough IPs to give every person on earth one?

  10. #30
    Junior Member
    Join Date
    Apr 2004
    Posts
    2
    @MsMittens

    yes my tool requires a bit of information but information that doesn't require you to actually know the full tcp header. in fact you only need 2 things that aren't obviously given to you. the client source ip and port.

    for someone connected to irc with a hostmask or a webserver serving pages to individuals, it wouldn't be that useful because you wouldn't know the ips of all the users and it would require disconnecting them each but for example 2 IRC servers that are linked, you would know both IPs and you would know the range of the ports on one side of the connection (6660-6669 for example or a port scan could reveal a non-standard port) and the other side could be detected using various probes.

    then armed with a few details that aren't that hard to obtain, you can cause a netsplit, and you could do it in under 8 minutes on a cable modem with one host.

    to say nothing of a distributed attack with some fat pipes.
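
Added example, not part of any post in this thread: a defender-side check for the traffic pattern the posts above describe, where the addresses of both peers are known and the source port has to be guessed. It flags a burst of RST segments that claim to come from one peer and arrive from many different source ports at the same destination port. The log format, the function names, the thresholds and the RFC 5737 documentation addresses are assumptions made for the example; port 179 is the standard BGP port.

```python
from collections import defaultdict, deque

# Constructed sample log: "epoch_seconds src_ip:port dst_ip:port FLAGS".
# 30 RSTs from consecutive source ports in 0.3 s, then one data segment
# and one ordinary RST on a single connection much later.
SAMPLE_LOG = "\n".join(
    [f"{100 + i * 0.01:.2f} 192.0.2.1:{40000 + i} 192.0.2.2:179 R"
     for i in range(30)]
    + ["200.00 192.0.2.1:41234 192.0.2.2:179 PA",
       "260.00 192.0.2.1:41234 192.0.2.2:179 R"]
)


def parse(line):
    """Split one log line into (ts, src_ip, src_port, dst_ip, dst_port, flags)."""
    ts, src, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(ts), sip, int(sport), dip, int(dport), flags


def find_rst_sweeps(log_text, window=5.0, min_ports=20):
    """Alert once per (src, dst, dport) when RSTs from at least `min_ports`
    distinct source ports are seen within `window` seconds."""
    recent = defaultdict(deque)  # (src, dst, dport) -> deque of (ts, sport)
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        ts, sip, sport, dip, dport, flags = parse(line)
        if "R" not in flags:
            continue  # only reset segments are of interest
        key = (sip, dip, dport)
        q = recent[key]
        q.append((ts, sport))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop entries that fell out of the time window
        ports = {p for _, p in q}
        if len(ports) >= min_ports and key not in alerted:
            alerted.add(key)
            alerts.append({"src": sip, "dst": dip, "dport": dport,
                           "first_seen": q[0][0],
                           "distinct_sports": len(ports)})
    return alerts


if __name__ == "__main__":
    for alert in find_rst_sweeps(SAMPLE_LOG):
        print(alert)
```

A single RST on an established connection, like the last line of the sample, stays below the threshold and raises no alert.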
