Is this really surprising? The complexities of BGP4 allow plenty of room for mistakes. BGP began its life in 1989... the current version (BGP-4) was not developed until 1994. Hardly the "age of innocence" of the Internet.

In any case launching an attack from "dark" address space requires either a) compromise of a providers routers, or b) collusion with a very irresponsible provider. Unlike some other routing protocols, BGP peers do not automatically form adjacencies. The session must be manually configured at the borders of *both* Autonomous Systems (AS). As such, the answer to this problem is more responsible inbound route filtering at the provider end (to ensure a peer is only advertising netblocks it owns), and of course, better security on border routers.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/282/8783#8783