The reason I'm not worried about it is that exploiting this can't be done from just anywhere.
For one thing, you can't just fire up BGP on any Internet host and expect to get another host to peer with you. In fact, most BGP hosts are configured with their intended peers, and authenticate them to boot. Real routers tend to have extensive route filters configured, and the backbone more or less refuses to accept long prefixes. Furthermore, BGP packets are blocked on a lot of links.
Another issue is that it's pretty likely to be noticed, despite the researchers' claims to the contrary. What you're effectively doing is creating a backhaul of all the data for the network under attack. Most of the data will end up being hairpinned at the snooping point, and providers keep a careful eye out for that (because it costs them a lot of unnecessary money). In general, there is a lot of scrutiny of worldwide BGP activity; the data is public and can show a lot of useful (and, often, financially profitable) trends.
The danger in this kind of attack isn't so much from script kiddies as from governments and other deep-pockets organizations. They can afford the bandwidth requirements, as well as the many and widely connected links needed to avoid hairpinning. And, of course, they will be running BGP legitimately to connect up those big, complicated networks.
[Disclaimer: although I work on packet forwarding in large routers, I wouldn't consider myself a real expert in routing protocols. I do know a bit, though.]
(no subject)
Date: 2008-08-28 07:02 pm (UTC)
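The peer configuration, authentication and route filtering that the comment above describes, as an added example that is not the commenter's code or any router's configuration. It models, in Python, the inbound policy a provider router applies before accepting a BGP UPDATE: the session must come from a configured peer, the peer must authenticate (real routers do this with the TCP MD5 option, which is simplified here to a shared-secret check), prefixes longer than /24 are refused, and the announced prefix must fall inside the set the peer is registered to originate. It also shows the kind of monitoring the comment alludes to: flagging a more-specific announcement of a protected prefix from an unexpected origin AS. All peers, ASNs, prefixes, secrets and the sample updates are constructed for the example.

```python
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Peer:
    """A configured BGP neighbour (constructed; not a real router config)."""
    address: str
    asn: int
    md5_secret: str           # stands in for the TCP MD5 session password
    allowed_prefixes: list    # IRR-derived set the peer may originate
    max_prefix_len: int = 24  # the backbone refuses longer prefixes


@dataclass
class Update:
    """One received BGP announcement (constructed)."""
    peer_address: str
    md5_secret: str
    prefix: str
    origin_asn: int


# Assumed peer table. Unlisted source addresses never get a session at all.
PEERS = {
    "192.0.2.1": Peer("192.0.2.1", 64496, "s3cret-a",
                      ["198.51.100.0/24", "203.0.113.0/24"]),
    "192.0.2.2": Peer("192.0.2.2", 64497, "s3cret-b", ["192.0.2.0/24"]),
}

# Assumed prefixes we own, with the AS that legitimately originates each.
PROTECTED = {"198.51.100.0/24": 64496}


def filter_update(update: Update, peers=PEERS) -> Tuple[bool, str]:
    """Inbound policy: return (accepted, reason) for one announcement."""
    peer = peers.get(update.peer_address)
    if peer is None:
        return False, "unconfigured peer"
    # Constant-time compare so the check itself does not leak the secret.
    if not hmac.compare_digest(update.md5_secret, peer.md5_secret):
        return False, "authentication failed"
    net = ipaddress.ip_network(update.prefix, strict=False)
    if net.prefixlen > peer.max_prefix_len:
        return False, "prefix too long"
    if not any(net.subnet_of(ipaddress.ip_network(p))
               for p in peer.allowed_prefixes):
        return False, "prefix not in peer's registered set"
    return True, "accepted"


def detect_hijack(update: Update, protected=PROTECTED) -> Optional[str]:
    """Monitoring side: flag a covering or more-specific announcement of a
    protected prefix whose origin AS is not the registered one."""
    net = ipaddress.ip_network(update.prefix, strict=False)
    for prefix, legit_asn in protected.items():
        pnet = ipaddress.ip_network(prefix)
        if (net == pnet or net.subnet_of(pnet)) and update.origin_asn != legit_asn:
            return (f"{update.prefix} for {prefix} originated by "
                    f"AS{update.origin_asn}, expected AS{legit_asn}")
    return None


# Constructed batch of announcements exercising each check.
SAMPLE_UPDATES = [
    Update("203.0.113.9", "whatever", "198.51.100.0/25", 64499),  # stranger
    Update("192.0.2.1", "wrong", "198.51.100.0/24", 64496),      # bad password
    Update("192.0.2.1", "s3cret-a", "198.51.100.0/25", 64496),   # /25 refused
    Update("192.0.2.1", "s3cret-a", "192.0.2.0/24", 64496),      # not its prefix
    Update("192.0.2.1", "s3cret-a", "203.0.113.0/24", 64496),    # legitimate
    Update("192.0.2.2", "s3cret-b", "198.51.100.128/25", 64497), # hijack attempt
]


def run(updates=SAMPLE_UPDATES):
    """Apply the filter to each update and note anything the monitor flags."""
    return [(u.prefix, filter_update(u), detect_hijack(u)) for u in updates]


if __name__ == "__main__":
    for prefix, decision, alert in run():
        print(prefix, decision, alert or "")
```

The last sample update is the interesting one: even though the peer is configured and authenticates, the /25 is rejected by the length check, and the monitor independently flags it because the origin AS does not match the registered one for 198.51.100.0/24. A real deployment would take the allowed-prefix sets from IRR or RPKI data and the monitoring feed from public route collectors rather than from constants.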