My Awesome NetBIOS and Token Ring Beacon Attack Will Pwn the Internets!
I was blipping through my RSS reader this evening and noticed this new little doozy of a headline referencing a story that is now weeks old:
Revealed: The Internet’s Biggest Security Hole
Holy crap! That’s pretty scary looking, huh? Another Internet’s biggest security hole!? I can’t take another. I don’t have another poem in me. What sort of "fool" disclosure is this!?
Then again, there are plenty of big ‘holes on the Internet, so I thought I better make sure it wasn’t me this time 😉
Kapela’s and Pilosov’s cool performance at Defcon was sadly drowned out by Uncle Dan’s DNS flaw and the sheer weight of his grandma’s cookies (which I received zero samples of, by the way ;( )
The gist of this story is that by taking advantage of the trust built into BGP between peers, you can cause bad things™ to happen: redirect traffic, intercept it, and then send it back on its way, with a high likelihood of not being detected.
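The defender's side of this is route origin validation, which is the check that would have flagged a prefix announced by the wrong AS. The following is an added example, not code from the post or from Kapela and Pilosov: it implements RFC 6811-style origin validation against a constructed ROA table and runs it over a handful of constructed announcements. The prefixes are RFC 5737 documentation ranges and the AS numbers come from the documentation range, so none of the values are real.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorisation: which AS may originate a prefix and how
    specific the announcement may be. Constructed for this example; not real RPKI data."""
    prefix: str
    max_length: int
    origin_as: int


# Constructed sample ROA table (hypothetical values, documentation ranges only).
ROAS = [
    Roa("192.0.2.0/24", 24, 64500),
    Roa("198.51.100.0/22", 24, 64501),
]


def validate_origin(prefix: str, as_path: List[int], roas: Iterable[Roa] = ROAS) -> Tuple[str, str]:
    """RFC 6811-style route origin validation.

    Returns (state, reason) where state is 'valid', 'invalid' or 'not-found'.
    The origin AS is the last AS in the path, i.e. the one claiming to own the prefix.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    origin = as_path[-1]
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # subnet_of() only compares within one address family.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found", "no ROA covers this prefix"
    for roa in covering:
        if roa.origin_as == origin and net.prefixlen <= roa.max_length:
            return "valid", f"matches ROA {roa.prefix} maxlen {roa.max_length} AS{roa.origin_as}"
    # Covered by a ROA but nothing matched: either a foreign origin AS or an
    # announcement more specific than the holder authorised. Both are what a
    # hijack (or a fat-fingered leak) looks like from a collector's point of view.
    if all(roa.origin_as != origin for roa in covering):
        return "invalid", f"AS{origin} is not an authorised origin"
    return "invalid", f"/{net.prefixlen} is more specific than the authorised max length"


def audit(updates):
    """Run origin validation over a batch of (prefix, as_path) announcements."""
    return [(prefix, path[-1], *validate_origin(prefix, path)) for prefix, path in updates]


# Constructed sample announcements, as a route collector might see them.
SAMPLE_UPDATES = [
    ("192.0.2.0/24", [64496, 64500]),        # legitimate announcement
    ("192.0.2.0/24", [64496, 64499]),        # same prefix, foreign origin
    ("198.51.100.0/24", [64496, 64501]),     # allowed: within the max length
    ("198.51.100.0/25", [64496, 64501]),     # right origin, but too specific
    ("198.51.100.128/25", [64496, 64499]),   # more-specific from a foreign AS
    ("203.0.113.0/24", [64496, 64502]),      # nothing signed for this prefix
]

if __name__ == "__main__":
    for prefix, origin, state, reason in audit(SAMPLE_UPDATES):
        print(f"{prefix:<20} AS{origin:<6} {state:<10} {reason}")
```

The check is deliberately narrow: it says whether the origin AS and prefix length are authorised, and nothing about the rest of the path. That is the piece of "secure BGP" that has actually been deployed (RPKI plus route origin validation), and it is enough to drop the classic wrong-origin hijack and the more-specific leak. It does not validate the AS path itself, so it is a mitigation rather than a complete answer to the interception scenario the post describes.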
"We’re not doing anything out of the ordinary," Kapela told Wired.com. "There’s no vulnerabilities, no protocol errors, there are no software problems. The problem arises (from) the level of interconnectivity that’s needed to maintain this mess, to keep it all working."
It’s another case of "everyone knows this can (and probably does) happen, but we’re just hoping it doesn’t," and very smart people have been warning others about this for years. You shouldn’t drink the water overseas, either.
Even as recently as the YouTube/Pakistan incident, a BGP-related problem that caused a DoS, not-so-smart people such as your humble author suggested exactly this sort of thing was possible:
Yes, this is really a demonstration of unavailability, but what I’m getting at here is that fundamentally, the core routing protocol we depend upon for the backbone Internet transport is roughly governed by the same rules that we depend upon whilst driving down a road separated by nothing more than painted lines…you simply hope/trust that nobody crosses the line and crashes into you head-on.

There is very little preventing someone from re-routing traffic. This could result in either a denial of service (as the traffic would not reach its destination) or even something akin to an interception, "storage" and eventual forwarding for nefarious means.

So, here we have a case where again we depend upon a protocol that was designed to provide (A)vailability, yet C and I are left floundering in the wings. We’ll no doubt see another round of folks who will try and evangelize the need for secure BGP — just like secure DNS, secure SMTP, secure…

This will hit deaf ears until we see the same thing happen again…
Ooooh. I must be psychic.
Wait until I demonstrate how to redirect the NetBIOS traffic of every Win2K/XP box that has NBT bound to its NICs by a cleverly devious combination of ICMP source quench, token ring beacons and UPnP.
I’ll be FAMOUS!