Vigil@nce: BGP, hijacking traffic
August 2008 by Vigil@nce
An attacker can change BGP routes in order to capture traffic.
– Gravity: 2/4
– Consequences: data reading
– Provenance: internet client
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 28/08/2008
– Identifier: VIGILANCE-VUL-8071
IMPACTED PRODUCTS
- BGP
DESCRIPTION
BGP (Border Gateway Protocol) is the main internet routing
protocol.
An attacker with a BGP router can send a message to change the
path in order to receive packets destined to an IP address.
However, if he wishes to transmit packets to the legitimate
recipient, these packets come back to him (because he is indicated
as path). This old attack type is not efficient and quickly
detected.
A variant was published. Indeed, if the attacker uses different
network masks (1.2.3.0/24, and 1.2.3.0/26 which is more
restrictive thus has a higher priority) and prepends Autonomous
System numbers (via the command "route-map ... set as-prepend" of
a Cisco router), the path is not propagated to some routers. The
attacker then receives packets via the route for 1.2.3.0/26 and
can transmit them to the legitimate recipient via the route for
1.2.3.0/24.
The attacker can thus capture data without being detected by the
legitimate recipient.
CHARACTERISTICS
– Identifiers: VIGILANCE-VUL-8071
– Url: https://vigilance.aql.fr/tree/1/8071