My book: 'Running IPv6' by Iljitsch van Beijnum BGPexpert My book: 'BGP' by Iljitsch van Beijnum

Home · BGP Expert Test · What is BGP? · BGP Vendors · Links · Archives · Books · My BGP Book

BGP (advertisement)
Routers vulnerable to denial of service? and BGP MD5 (posted 2001-12-30)

On December 17th, Yahoo News published an article about hackers attacking the router infrastructure of the Net. The story is pretty much completely without merit. First of all, no incidents or specific threats of hackers actually attacking routers, or realistic ways in which they might accomplish this, are given. The bit about using the default password sounds especially implausible. If only because Cisco routers don't come with a default password: if you don't set a password yourself, it is impossible to telnet to the router. I've never heard of a BGP-running router without adequate password protection.

The idea that routers might be vulnerable to denial of service attacks is not completely out in left field, but adequate access control filters and enough CPU power easily neutralize this threat.

The stuff about MD5 protection of BGP sessions is plain and simple wrong. Have a look at some remarks about BGP passwords and MD5 in the old news (Q3 2001) section for better information. (Or, better yet, read RFC 2385. It's just six pages.)

Secure BGP (S-BGP) might sound like a good idea, but I'm far from sure that making the routing system depend on something as complex and (at least potentially) fragile as a public key infrastructure is a good idea. "We're very sorry, but the root CA certificates expired, so there won't be any internet today." Besides, in the current situation each network can build all the filters it deems necessary. This way, routes are only used when they are announced by the neighboring network and if they're allowed through the manually created filters. The chances of both screwing up in exactly the same way are very small.

Also, a PKI system might open up additional ways in which a router could be the victim of a denial of service attack. The required RSA computations are extremely CPU intensive, so an attacker would only have to deliver a small number of falsified routing updates to keep a router very busy rejecting them.