BGP Just Got Fun For Me

Started by deanwebb, July 12, 2017, 08:55:00 AM


deanwebb

https://www.schneier.com/blog/archives/2017/07/more_on_the_nsa_2.html

Bruce Schneier on forcing traffic out and then back in on particular routes for data exfiltration purposes. As I read it, all of a sudden all of the other stuff I read about BGP started to make way more sense than ever before.

While the article links a leaked NSA document about exfiltration, the logic in the methods used could apply to any government or criminal agency with access to a particular line. If one can force data to use a particular route, then the data goes to the collector and gets harvested.

Very interesting stuff, with thanks to Mr. Schneier.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
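The post above frames the risk as traffic being steered onto a path that passes a collector. From the defender's side the observable is a change in how a monitored prefix is reached: a different origin AS, a more-specific prefix appearing inside one you own, or an AS you never transit through showing up in the path. The script below is an added example, not code from the thread or from the Schneier post; it compares constructed route observations (the shape of data a route collector or looking glass feed would give you) against a declared baseline and reports deviations. Every ASN, prefix and collector name in it is a constructed placeholder.

```python
"""Baseline-vs-observed BGP route check (added example; constructed data only).

The thread discusses traffic being forced onto a route that reaches a collector.
What a defender can watch for is the route change itself: a monitored prefix
suddenly originated elsewhere, a more-specific announcement covering part of it,
or an unexpected AS in the transit path. All values below are placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Baseline:
    """Expected state for a prefix we care about (constructed)."""
    prefix: str
    origin_as: int
    allowed_transit: FrozenSet[int]  # ASNs permitted between the origin and the collector


@dataclass(frozen=True)
class Observation:
    """One route as seen by a collector (constructed).

    as_path is ordered as BGP presents it: leftmost = the collector's peer,
    rightmost = the origin AS.
    """
    collector: str
    prefix: str
    as_path: Tuple[int, ...]


def check_route(baselines: Dict[str, Baseline], obs: Observation) -> List[str]:
    """Return findings for one observation; an empty list means it matched the baseline."""
    findings: List[str] = []
    seen = ip_network(obs.prefix)
    origin = obs.as_path[-1]
    for base in baselines.values():
        expected = ip_network(base.prefix)
        if seen.version != expected.version:
            continue
        if seen == expected:
            # Exact prefix: the origin must match, and every transit hop must be one
            # we expect (the origin may repeat itself via prepending, so skip it).
            if origin != base.origin_as:
                findings.append(
                    f"{obs.collector}: {obs.prefix} originated by AS{origin}, "
                    f"expected AS{base.origin_as}"
                )
            strangers = [
                a for a in obs.as_path[:-1]
                if a not in base.allowed_transit and a != base.origin_as
            ]
            if strangers:
                findings.append(
                    f"{obs.collector}: {obs.prefix} path {obs.as_path} carries "
                    f"unexpected transit AS {strangers}"
                )
        elif seen.subnet_of(expected):
            # A more-specific announcement wins longest-prefix match regardless of
            # who originates it, so it is reported even when the origin is ours.
            findings.append(
                f"{obs.collector}: more-specific {obs.prefix} seen inside "
                f"{base.prefix} (origin AS{origin})"
            )
    return findings


def run_checks(baselines: Dict[str, Baseline], observations: List[Observation]) -> List[str]:
    """Run check_route over a batch of observations and flatten the findings."""
    out: List[str] = []
    for obs in observations:
        out.extend(check_route(baselines, obs))
    return out


# Constructed baseline: one monitored prefix, its origin AS and its two expected upstreams.
BASELINES: Dict[str, Baseline] = {
    "198.51.100.0/24": Baseline("198.51.100.0/24", 64500, frozenset({64510, 64520})),
}

# Constructed observations covering the normal case and the three deviation types.
OBSERVATIONS: List[Observation] = [
    Observation("rc-a", "198.51.100.0/24", (64520, 64510, 64500)),   # normal
    Observation("rc-b", "198.51.100.0/24", (64520, 64666, 64500)),   # unexpected transit
    Observation("rc-c", "198.51.100.128/25", (64520, 64666)),        # more-specific inside ours
    Observation("rc-d", "198.51.100.0/24", (64520, 64510, 64666)),   # origin mismatch
    Observation("rc-e", "203.0.113.0/24", (64520, 64777)),           # not monitored, ignored
]

if __name__ == "__main__":
    for line in run_checks(BASELINES, OBSERVATIONS):
        print(line)
```

In practice the observations would come from a collector feed rather than a hard-coded list, and the baseline from your own routing records; the comparison logic stays the same. The more-specific check is the one most often forgotten, because the origin AS on that announcement can look perfectly legitimate while still pulling traffic off the expected path.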

that1guy15

Sounds similar to BGP FlowSpec for DDoS mitigation. Sure the same concept and technology could be used here
https://supportforums.cisco.com/document/12226726/asr9000xr-understanding-bgp-flowspec-bgp-fs
That1guy15
@that1guy_15
blog.movingonesandzeros.net

deanwebb

Quote from: that1guy15 on July 12, 2017, 09:23:39 AM
Sounds similar to BGP FlowSpec for DDoS mitigation. Sure the same concept and technology could be used here
https://supportforums.cisco.com/document/12226726/asr9000xr-understanding-bgp-flowspec-bgp-fs

Damn that was some tasty code in there! And now I'm getting PBR, as well. I never really understood the use cases for it until I see it in the context of security and, suddenly, I'm getting why one would want to do stuff like that.

icecream-guy

Quote from: deanwebb on July 12, 2017, 10:32:41 AM
Quote from: that1guy15 on July 12, 2017, 09:23:39 AM
Sounds similar to BGP FlowSpec for DDoS mitigation. Sure the same concept and technology could be used here
https://supportforums.cisco.com/document/12226726/asr9000xr-understanding-bgp-flowspec-bgp-fs

Damn that was some tasty code in there! And now I'm getting PBR, as well. I never really understood the use cases for it until I see it in the context of security and, suddenly, I'm getting why one would want to do stuff like that.

Wait until you have to perform SNAT and DNAT on packets to get them out of the way of other flows on the same network so you can policy route them, talk about a troubleshooting nightmare...
:zomgwtfbbq:  :ivan:
:professorcat:

My Moral Fibers have been cut.

deanwebb

SNAT or DNAT to do PBR?  :twitch:

OK, it's un-fun again.

that1guy15

PBR is never fun. Dumpster fire!

LynK

Quote from: ristau5741 on July 12, 2017, 11:53:06 AM
Wait until you have to perform SNAT and DNAT on packets to get them out of the way of other flows on the same network so you can policy route them, talk about a troubleshooting nightmare...

Or Load-balance them. Take solace in knowing you are not the only one :)

:badass: :haha2: :printer:
Sys Admin: "You have a stuck route"
Me: "You have an incorrect Default Gateway"