Security Risk-Border Gateway Protocol
In the networking world, imagine a situation where attackers plug their cable into your network, establish a Border Gateway Protocol (BGP) session, and sniff all the data going over the wire. This is not limited to sniffing your own information; from that position they can also cause a lot of trouble for others.
For example:
- YouTube blockage by PTA:
  - Scenario: Pakistan Telecom was connected to the global internet via PCCW Telecom.
  - Problem: PCCW did not validate a prefix advertised by Pakistan Telecom, and the BGP protocol has no built-in mechanism to authenticate routing information.
  - Impact: DoS to customers, traffic redirection, prefix hijacking, and AS hijacking.
  - On 24 February 2008, the Pakistan Telecom Authority (PTA) began to advertise a specific prefix belonging to YouTube. PTA intended to block access to YouTube in Pakistan and advertised the more specific prefix 208.65.153.0/24, which is part of YouTube's 208.65.152.0/22 block (208.65.152.0-208.65.155.255). The intention was that traffic for YouTube would be forwarded to the Null0 interface and, consequently, YouTube would be blocked within Pakistan. However, the same route was also advertised to the upstream ISP (PCCW, AS number 3491), and PCCW passed it on to its other peers as well. YouTube then announced an even more specific prefix (208.65.153.128/25) to recover traffic.
- Man in the Middle (MITM): This is another example. Think about a situation in which someone from your organization does the sniffing inside your network by configuring a SPAN port on the switch to which all finance employees are connected. All username and password information can be extracted if they are not using a secure way to access the finance portal. This is the reason I say there should be HTTPS for everything. Hackers may still gain access to sniff data, but they cannot decode the encrypted data. All these types of hacking come under MITM, where attackers have access to the data wire or are able to divert traffic.
- Address Resolution Protocol (ARP) spoofing: This can be a similar kind of attack. On a local area network (LAN), ARP is the protocol used to learn a computer's hardware identity (its MAC address) from its IP address. Let's assume there is an internet gateway configured in your LAN and all internet traffic travels via that device. The attacker can perform ARP spoofing and advertise a new system as the internet gateway. Now all traffic for the internet goes through the attacker's system, and they can sniff your data. There are many tools available on the market for spoofing, which do nothing more than change the MAC address of your machine.
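Returning to the BGP incident above, the missing control was validation of who may originate a prefix. The following is an added example, not code from the book, that models what an upstream such as PCCW should have checked: it applies route origin validation (the semantics of an RPKI ROA: prefix, authorized origin AS, maximum prefix length) to the three announcements the text describes, and then shows with longest-prefix matching where traffic actually lands before and after filtering. The AS numbers for YouTube and Pakistan Telecom are placeholders, because the page only names PCCW's AS 3491.

```python
import ipaddress

# Placeholder origin AS numbers (the page does not give the real ones).
YOUTUBE_AS = 64501  # hypothetical stand-in for YouTube's origin AS
PTA_AS = 64502      # hypothetical stand-in for Pakistan Telecom's AS

# Constructed allowlist with ROA-style semantics: the holder may announce the
# prefix, or any sub-prefix no longer than max_len, only from the listed AS.
AUTHORIZED = [
    (ipaddress.ip_network("208.65.152.0/22"), YOUTUBE_AS, 25),
]


def validate_origin(prefix, origin_as):
    """Route origin validation: returns 'valid', 'invalid' or 'unknown'."""
    net = ipaddress.ip_network(prefix)
    covering = [(p, asn, max_len) for p, asn, max_len in AUTHORIZED
                if net.subnet_of(p)]
    if not covering:
        return "unknown"      # nobody has registered this address space
    for _, asn, max_len in covering:
        if asn == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid"          # wrong origin AS, or more specific than allowed


def best_origin(announcements, dst_ip):
    """Longest-prefix match: which origin AS receives traffic for dst_ip?"""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, origin_as in announcements:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin_as)
    return best[1] if best else None


def filter_invalid(announcements):
    """The check the upstream (PCCW, AS 3491) lacked: drop invalid routes."""
    return [a for a in announcements if validate_origin(*a) != "invalid"]


# Constructed timeline of the 2008 incident as the text describes it.
ANNOUNCEMENTS = [
    ("208.65.152.0/22", YOUTUBE_AS),    # YouTube's normal aggregate
    ("208.65.153.0/24", PTA_AS),        # PTA's blackhole route, leaked via AS 3491
    ("208.65.153.128/25", YOUTUBE_AS),  # YouTube's more-specific recovery route
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:20} from AS{asn}: {validate_origin(prefix, asn)}")
    print("unfiltered, 208.65.153.10  ->", best_origin(ANNOUNCEMENTS, "208.65.153.10"))
    print("unfiltered, 208.65.153.200 ->", best_origin(ANNOUNCEMENTS, "208.65.153.200"))
    print("filtered,   208.65.153.10  ->",
          best_origin(filter_invalid(ANNOUNCEMENTS), "208.65.153.10"))
```

Two things the run makes visible: the hijacked /24 is flagged invalid only because of its origin AS, not its length (YouTube itself could legitimately announce a /24), and the /25 recovery announcement only wins back the upper half of the /24, so hosts in 208.65.153.0-127 remain redirected until the invalid route is withdrawn or filtered.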
MITM attacks can be further divided into two categories: WAN and LAN.
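For the LAN category, the ARP spoofing described above leaves a recognisable trace: the gateway's IP address suddenly answers from a different MAC address, and one MAC answers for several IPs. The following is an added example, not code from the book, of a passive monitor applying those two checks to a constructed set of ARP replies; the addresses, MACs and timestamps are all made up for illustration.

```python
from collections import defaultdict

# Hypothetical LAN: the gateway IP and its known-good MAC address.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "aa:bb:cc:00:00:01"

# Constructed ARP-reply observations: (seconds, sender IP, sender MAC).
ARP_REPLIES = [
    (0,  "192.168.1.1",  "aa:bb:cc:00:00:01"),  # real gateway answers
    (2,  "192.168.1.66", "de:ad:be:ef:00:99"),  # a host answering for its own IP
    (5,  "192.168.1.20", "aa:bb:cc:00:00:20"),  # ordinary workstation
    (30, "192.168.1.1",  "de:ad:be:ef:00:99"),  # same host now claims the gateway IP
    (31, "192.168.1.1",  "de:ad:be:ef:00:99"),  # repeated to keep caches poisoned
    (60, "192.168.1.20", "aa:bb:cc:00:00:20"),
]


def detect_arp_spoofing(replies, static_bindings):
    """Flag replies that contradict a static IP->MAC binding or change a learned one.

    Returns a list of (time, ip, expected_mac, seen_mac, reason).
    """
    learned = {}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        expected = static_bindings.get(ip, learned.get(ip))
        if expected is not None and expected.lower() != mac:
            reason = ("contradicts static binding" if ip in static_bindings
                      else "learned binding changed")
            alerts.append((ts, ip, expected.lower(), mac, reason))
        learned.setdefault(ip, mac)  # keep the first binding; later changes are the signal
    return alerts


def macs_claiming_multiple_ips(replies):
    """A single MAC answering for several IPs is the other classic indicator."""
    ips_by_mac = defaultdict(set)
    for _, ip, mac in replies:
        ips_by_mac[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES, {GATEWAY_IP: GATEWAY_MAC}):
        print("ALERT", alert)
    print("MACs answering for more than one IP:", macs_claiming_multiple_ips(ARP_REPLIES))
```

Even without a static binding for the gateway, the first-seen binding is enough to catch the change at t=30; with the binding configured, the alert reason names the contradicted static entry. Managed switches enforce the same idea in hardware as Dynamic ARP Inspection against a DHCP snooping binding table, which stops the forged replies before they reach the finance VLAN instead of merely reporting them.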