Year: 2007

NIST Draft SP 800-54, Border Gateway Protocol Security

NIST has just released draft SP 800-54 entitled Border Gateway Protocol Security (PDF). Few people comprehend the seriousness of an attack on a protocol such as BGP. The introduction section of the paper provides some insight:

Most of the risk to BGP comes from accidental failures, but there is also a significant risk that attackers could disable parts or all of the network, disrupting communications, commerce, and possibly putting lives and property in danger. This document discusses the structure and function of BGP, potential attacks, available countermeasures, and the costs and benefits related to countermeasures. The emphasis in this publication is on measures that may be applied either immediately or in a short time. A variety of proposals have been introduced in standards bodies for more comprehensive approaches to BGP security, but issues are not yet settled as to which, if any, of these proposals will be adopted by the producers and consumers of routing equipment. The aim of this document is to give decision makers a selection of measures that can be deployed rapidly, yet provide significant improvements to routing security.

A good explanation of BGP can be found on Wikipedia:

The Border Gateway Protocol (BGP) is the core routing protocol of the Internet. It works by maintaining a table of IP networks or ‘prefixes’ which designate network reachability among autonomous systems (AS). It is described as a path vector protocol. BGP does not use traditional IGP metrics, but makes routing decisions based on path, network policies and/or rulesets. From January 2006, the current version of BGP, version 4, is codified in RFC 4271.

The paper provides detailed explanations, with diagrams, of several potential attacks against the BGP protocol:

  • Peer Spoofing and TCP Resets
    The goal of the spoofing attack may be to insert false information into a BGP peer’s routing tables. Peer IP addresses can often be found using the ICMP traceroute function, so BGP implementations should include countermeasures against this attack.

  • TCP Resets Using ICMP
    TCP resets cause loss of BGP peering sessions, forcing a need to rebuild routing tables and possibly causing route flapping.

  • Session Hijacking
    Like the TCP reset attack, session hijacking involves intrusion into an ongoing BGP session, i.e., the attacker successfully masquerades as one of the peers in a BGP session, and requires the same information needed to accomplish the reset attack. The difference is that a session hijacking attack may be designed to achieve more than simply bringing down a session between BGP peers.

  • Route Flapping
    Route flapping refers to repetitive changes to the BGP routing table, often several times a minute. A “route flap” occurs when a route is withdrawn and then re-advertised. High-rate route flapping can cause a serious problem for routers, because every flap causes route changes or withdrawals that propagate through the network of ASes.

  • Route Deaggregation
    Route deaggregation occurs when more specific (i.e., longer prefix) routes are advertised by BGP peers. For example, if prefixes 129.0.0.0/8 and 129.0.0.0/16 are both advertised, BGP algorithms will select the second (for any addresses within 129.0.0.0/16) because it is more specific. In some cases this is normal and appropriate operation as a result of configuration changes, but it can occur as a result of error or malicious activity.

  • Malicious Route Injection
    BGP exists to spread routing information across the Internet. Routers tell each other what prefixes they can reach and provide data on how efficiently they can reach addresses within these prefixes. In a benign, cooperative environment this works well, but a malicious party could begin sending out updates with incorrect routing information.

  • Unallocated Route Injection
    A particular variety of malicious route injection involves the transmission of routes to unallocated prefixes. These prefixes specify sets of IP addresses that have not been assigned yet, i.e., no one should be using these addresses, so no traffic should be routed to them. Therefore, any route information for these prefixes is clearly faulty or malicious, and should be dropped.

  • Denial of Service via Resource Exhaustion
    Like all computers, routers have a finite amount of storage and processing cycles available. One of the most common attacks of this type is known as a “SYN flood”, in which a large number of TCP/IP communication sessions are started using the SYN (synchronization) packet, without follow-up by the appropriate next packet type. This causes the receiving host to reserve storage space for the session. With enough SYN packets, space is eventually exhausted on the host. Since BGP is implemented on TCP/IP, BGP processing can be affected by this attack.

  • Link Cutting Attack
    An inherent vulnerability in routing protocols is their potential for manipulation by cutting links in the network. By removing links, either through denial of service or physical attacks, an attacker can divert traffic to allow for eavesdropping, blackholing, or traffic analysis. Because routing protocols are designed to find paths around broken links, these attacks are particularly hard to defend against.
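As an added example (not from the NIST paper or this post), the following Python sketch shows the longest-prefix selection that makes route deaggregation effective, using the paper's 129.0.0.0/8 and 129.0.0.0/16 prefixes, alongside two inbound-policy checks a defender would want: dropping announcements for unallocated prefixes and flagging a more-specific route whose origin AS differs from the covering route's. The routing table, the AS numbers and the bogon list are constructed for illustration.

```python
import ipaddress

# Constructed sample routing table (prefix -> origin AS). The prefixes follow
# the paper's deaggregation example; the AS numbers are made up.
RIB = {
    ipaddress.ip_network("129.0.0.0/8"): 64500,
    ipaddress.ip_network("129.0.0.0/16"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
}

# Constructed "unallocated/unroutable" list: RFC 1918 private space and a
# documentation range. A production filter would use a maintained bogon list.
BOGONS = [ipaddress.ip_network(p) for p in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")]


def select_route(rib, address):
    """Longest-prefix match: among prefixes covering the address, the most
    specific (longest prefix length) wins, which is why a /16 beats a /8."""
    addr = ipaddress.ip_address(address)
    candidates = [p for p in rib if addr in p]
    if not candidates:
        return None
    best = max(candidates, key=lambda p: p.prefixlen)
    return str(best), rib[best]


def evaluate_update(rib, prefix, origin_as, bogons=BOGONS):
    """Classify an inbound announcement before installing it.

    Returns "drop-unallocated" when the prefix falls inside a bogon range,
    "alert-deaggregation" when it is a more specific of an existing route
    but announced by a different origin AS, and "accept" otherwise.
    """
    net = ipaddress.ip_network(prefix)
    if any(net.subnet_of(b) for b in bogons):
        return "drop-unallocated"
    for existing, asn in rib.items():
        if net != existing and net.subnet_of(existing) and asn != origin_as:
            return "alert-deaggregation"
    return "accept"


if __name__ == "__main__":
    print(select_route(RIB, "129.0.5.1"))                 # /16 wins over /8
    print(evaluate_update(RIB, "10.1.0.0/16", 64502))     # unallocated space
    print(evaluate_update(RIB, "129.0.1.0/24", 64502))    # foreign more-specific
```

A same-origin more-specific (AS 64500 announcing 129.0.1.0/24) is accepted, matching the paper's note that deaggregation is sometimes legitimate.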

I encourage everyone to give this paper a thorough read, especially if you’re responsible for the border routers in your organization and leverage the BGP protocol.

Suggested Blog Reading – Tuesday June 5th, 2007

Well my training session has completed and I head back home on the first thing smoking tomorrow morning. At the client site I was amazed to discover that the employees are mandated to take a ten minute break every hour. Not only are they told to take a break but their workstations actually lock them out after a specified period of time or after ‘x’ number of keystrokes. I’m fairly certain this would kill my productivity but it appears to work well for them. Very strange 🙂

Here’s the list:

2007 Security by the Numbers – Good set of statistics for use in your sales or technical presentations.

Phishing, spam, bot networks, trojans, adware, spyware, zero-day threats, data theft, identity theft, credit card fraud… cybercrime isn’t just becoming more prevalent, it’s getting more sophisticated and subtle every day. At least that’s the conclusion suggested by recent threat reports from major industry players and government organizations.

Iframe > malicious javascript > trojan, (Tue, Jun 5th) – Interesting analysis.

The server has since had the iframe removed. The owner was a little less than gracious when we spoke this morning. He was aware that it was compromised and infecting web users. If you are notified that a system you run or own is involved in an incident please take action as soon as you can.

My Presentation: Interop Moscow Keynote on Security Trends – Always a pleasure to read one of Dr. C’s presentations 🙂

Here is my recent keynote presentation on security trends from Interop Moscow (sorry, teaser version only – I plan to give it again some time)

SQLBrute – SQL Injection Brute Force Tool – New tool to check out.

SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploit on Oracle. It is written in Python, uses multi-threading, and doesn’t require non-standard libraries (there is some code in there for pycurl, but it is disabled because it isn’t finished).

How to find your websites (Road to Website Vulnerability Assessment part 1) – Refresher of steps to take in order to start assessing a website for vulnerabilities.

I spend a lot of time with companies, mostly large and medium sized, who are interested in finding the vulnerabilities in their websites. Obviously the first step in the VA process is to first FIND the websites. Now this may come as a surprise to many, but companies with more than 5 or 6 websites tend not to know what they are, what they do, or who’s responsible for them. And if they don’t know what websites they own, there is no hope of securing them.

Suggested Blog Reading – Monday June 4th, 2007

Man it’s hot in Houston…that is all.

Here’s the list:

NIST 800-44 Version 2 – Guidelines on Securing Public Web Servers – Perhaps it’s time to review your current policies on protecting your internet-facing web server?

The newest revision to NIST 800-44 was released on June 1st. While it’s not the complete answer, it’s certainly a useful document in the battle for web-application security.

How To Block Spam Before It Enters The Server (Postfix) – I like my idea of getting a sock full of doorknobs and going door-to-door to explain my hatred of spam…but this is good too…I guess.

The last few weeks have seen a dramatic increase in spam (once again). Estimates say that spam now makes up 80 – 90% of all emails, and many mail servers have difficulties in managing the additional load caused by the latest spam, and spam filters such as SpamAssassin do not recognize large parts of that spam as they did before. Fortunately, we can block a big amount of that spam at the MTA level, for example by using blacklists, running tests on the sender and recipient domains, etc. An additional benefit of doing this is that it lowers the load on the mail servers because the (resource-hungry) spam filters have to look at fewer emails.

Cisco IOS hints and tricks blog – Thanks for the link Mitchell!

I happened across a great blog by author and Cisco CCIE Ivan Pepelnjak covering hints, tips and tricks for Cisco IOS. Ivan is a well-published author with books about firewalls, MPLS, VPNs and EIGRP. He also has a blog on AJAX and XML.

Image Upload XSS – I agree with RSnake. If you’re going to accept uploads make sure you handle them properly.

I’ve talked about this before, but I thought I should actually make a tool to make this attack more practical. But one thing I have seen a number of times is places that upload images, and even check to make sure they are valid, but don’t rename them to make sure that the file names themselves aren’t malicious. Well I finally created a tool to help with this type of testing.

The value of 0-day… – I suspect that many governments pay for solutions such as this just like they do for discrete intelligence from foreign operatives. They’d be crazy not to.

Another interesting article regarding the value of 0-day vulnerabilities. Rob Lemos relates the stories of a few researchers who sold their 0-day vulnerability/exploit information for big dollars. The twist here, which is news to some, is who purchased it (the .gov) and for how much (as high as 80k). This is significantly more than vulnerability purchase shops iDefense and ZDI (3COM/Tipping Point) currently offer. The only catch? The big spenders aren’t advertising so you have to have contacts to make such a sale. The scary part? We all know how cheap the U.S. government can be… so how much are other governments paying?

OWASP Live CD – Burn it…live it…love it!

If you do a lot of application security you may have already heard of the OWASP Live CD. To quote the website, “The OWASP Live CD (LabRat) is a bootable CD akin to knoppix but dedicated to Application Security. It shall serve as a vehicle and distrubition (sic) medium for OWASP tools and guides.” Pretty cool idea, and I’ve used it before, but a few things came to mind as I was re-reading the documentation this morning.

AntiForensics Article – Another great article by Harlan Carvey.

I read an interesting article recently that talks about antiforensics. At first glance, the article is something of an interesting piece, but reading it a second time and thinking about what was actually being said really got me thinking. Not because the article addresses the use of antiforensics, but because it identifies an issue (or issues) that needs to be addressed within the forensics community. Yes, these tools are out there, and we should be thankful that they were made available by someone…otherwise, how could we address the issue? So, what do we need to do to update our methodologies accordingly? Perhaps more importantly, should we be trying to get ahead of the power curve, rather than playing catch up?

PKI Enhancements in Windows Vista and Windows Server 2008 – Good explanation of the 4 “investment pillars” in Windows Server 2008.

The PKI (Public Key Infrastructure) team in Microsoft is responsible for the different technologies related to digital certificates; these technologies and products include the CA (Certificate Authority), the client enrollment API and UI, OCSP (Online Certificate Status Protocol) Responder, SCEP (Simple Certificate Enrollment Protocol) and the smart card subsystem in Windows.

In Windows Vista and Windows Server 2008 the PKI team focused on 4 main investment pillars:

Vista Sudo utility: Run programs as administrator – “sudo”…what a novel idea! 😛

In Windows Vista, you have limited privileges on the machine, although you’re a power user. This means that programs you run have limited permissions, and you must elevate your privileges whenever you want to perform certain administrative tasks, such as changing system settings or installing programs.
