Hi, I'm Iljitsch van Beijnum. This page has all posts about all subjects.
On February 12th, CERT published "CERT® Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)".
Details haven't been published yet, but it seems it is possible to do all kinds of bad things by firing off non-spec SNMPv1 packets to boxes from many vendors.
Cisco has a security advisory about the problem. Cisco has a bad track record where SNMP security is concerned: in older IOS versions there were "hidden" SNMP communities that enabled pretty much anyone to manage the router. It seems this problem has resurfaced in another form: when you create a trap community, this automatically enables processing of incoming SNMP messages for this community, even though this community doesn't provide read or write access. However, this is enough to open the router to denial of service attacks. It is possible to apply an access list to the trap community, but this depends on the order in which the configuration is processed, so it will not survive a reboot.
The only way to be completely secure is to turn off SNMPv1 or filter incoming SNMP packets on the interfaces rather than at the time of SNMP processing. (Remember, this is UDP so the source addresses are easily spoofed.) Upgrading your IOS software image will also do the trick, as soon as fixed images are available. Consult a certified Cisco IOS version specialist to help you find the right one (more than half of the advisory consists of a list of IOS versions).
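As an added illustration (not from the original post or from Cisco's advisory), here is a Cisco IOS configuration contrasting the exposed setup with the interface-level filter the post recommends; the management station address 192.0.2.10, the interface name and the community strings are assumed values:

```text
! --- Exposed: the trap destination defines community "trapcomm" ---
! As described above, defining a trap community makes the router process
! incoming SNMP packets that carry it, even though it grants no read/write access.
snmp-server community monitoring RO 10
snmp-server host 192.0.2.10 traps trapcomm
! An access list bound to a community depends on configuration processing
! order and so is not a reliable fix on its own.
access-list 10 permit 192.0.2.10

! --- Hardened: drop SNMP at the interface, before SNMP processing runs ---
! Constructed values: 192.0.2.10 is the management station,
! FastEthernet0/0 is the interface facing untrusted networks.
access-list 101 permit udp host 192.0.2.10 any eq snmp
access-list 101 deny   udp any any eq snmp log
access-list 101 permit ip any any
interface FastEthernet0/0
 ip access-group 101 in
```

Because SNMP runs over UDP, a packet with a spoofed source of 192.0.2.10 would still match the permit line, so the filter narrows exposure rather than eliminating it; the `log` keyword on the deny line gives you a record of blocked SNMP traffic to watch.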
Permalink - posted 2002-03-30
The weeks from September 23 to October 7 saw two heated discussions on the NANOG list. The first one was on filtering BGP routes. It all started with some remarks about Verio's peering filter policy but the discussion became more general after some days, including related topics such as "sub-basement multihoming".
The second discussion was about (ab)use of the Domain Name System for failover (in combination with a NAT box) and load balancing. This discussion seems to be somewhat religious: some people think there is no problem, others nearly start to foam at the mouth just thinking about it.
Permalink - posted 2001-12-31
On December 17th, Yahoo News published an article about hackers attacking the router infrastructure of the Net. The story is pretty much completely without merit. First of all, no incidents or specific threats of hackers actually attacking routers, or realistic ways in which they might accomplish this, are given. The bit about using the default password sounds especially implausible, if only because Cisco routers don't come with a default password: if you don't set a password yourself, it is impossible to telnet to the router. I've never heard of a BGP-running router without adequate password protection.
The idea that routers might be vulnerable to denial of service attacks is not completely out in left field, but adequate access control filters and enough CPU power easily neutralize this threat.
The stuff about MD5 protection of BGP sessions is plain and simple wrong. Have a look at some remarks about BGP passwords and MD5 in the old news (Q3 2001) section for better information. (Or, better yet, read RFC 2385. It's just six pages.)
Secure BGP (S-BGP) might sound like a good idea, but I'm far from sure that making the routing system depend on something as complex and (at least potentially) fragile as a public key infrastructure is a good idea. "We're very sorry, but the root CA certificates expired, so there won't be any internet today." Besides, in the current situation each network can build all the filters it deems necessary. This way, routes are only used when they are announced by the neighboring network and if they're allowed through the manually created filters. The chances of both screwing up in exactly the same way are very small.
Also, a PKI system might open up additional ways in which a router could be the victim of a denial of service attack. The required RSA computations are extremely CPU intensive, so an attacker would only have to deliver a small number of falsified routing updates to keep a router very busy rejecting them.
Permalink - posted 2001-12-30
Jaap Akkerhuis from the .nl TLD registry made an analysis of the impact of the events of September 11th on the net which he presented at the ICANN general meeting mid-November.
Slides of the presentation (PDF)
Extensive archives of the ICANN meeting (but hard to find specific information)
Permalink - posted 2001-12-27
The Renesys Corporation has published a preliminary report indicating that the Code Red II and Nimda worms caused a somewhat alarming instability in global routing. Remarkably, this instability lasted much longer than those caused by (even quite large) outages. When important links go down, BGP converges within minutes and remains stable after that. The worms on the other hand made the interdomain routing system less stable for many hours.
Global Routing Instabilities during Code Red II and Nimda Worm Propagation (original link is broken, so through archive.org)
Permalink - posted 2001-12-25
Internet Still Growing Dramatically, says Lawrence Roberts, one of the pioneers of the ARPANET.
Permalink - posted 2001-12-24