Extreme Exploits: Advanced Defenses Against Hardcore Hacks
By Victor Oppleman, Oliver Friedrichs and Brett Watso
Published by McGraw-Hill/Osborne
ISBN: 0072259558 Buy Now!
Published:July 18, 2005
ISP Route Filter Policy
There are routers available on the Internet that provide information publicly regarding what is in the routing table for a
particular organization. These routers (or the service provided on them) are known as route servers. Route servers are made
available publicly by providers for one general purpose. When routing deficiencies are being experienced, these route servers
can be used by service providers to see what is happening across other service providers from alternative perspectives. The
route server is generally not a production system but a system connected into production that contains the same routing table
(obviously locked down and limited in its capabilities for security reasons). As security analysts, we can use route servers
to probe the public infrastructure further to determine whether other network blocks exist besides what we were provided or
have already found. In our Acme assessment, we have already identified additional address space that we must include in our
theatre of war; it is entirely possible other network space exists as well.
The first step is to telnet to a public route server. Route servers do not require any authentication (as they are in place for public use). When we check routes in the route server for Acme, we will use 22.214.171.124/20 since we know that definitely exists.
Search the Internet for public route servers. Several links to route server listings are available through Google or other search engines.
root@scanner:~# telnet route-server.gblx.net Trying 126.96.36.199... Connected to loop0.route-server.phx1.gblx.net. Escape character is ^]. CC ############################################## # Global Crossing International IP Network # # Route View Server # # # # TELNET to route-server.eu.gblx.net # # for European Route View Server # # # # All connections and keystrokes logged # # Contact: GBLX-IP NOC: firstname.lastname@example.org # # 800-404-7714 # ############################################## route-server.phx1>show ip bgp 188.8.131.52 BGP routing table entry for 184.108.40.206/20, version 10400836 Paths: (4 available, best #1) Not advertised to any peer 67234 62550, (received & used) 220.127.116.11 from 18.104.22.168 (22.214.171.124) Origin IGP, metric 50, localpref 200, valid, internal, best Community: 3549:2401 3549:30840 Originator: 126.96.36.199, Cluster list: 0.0.0.81 67234 62550, (received & used) 188.8.131.52 from 184.108.40.206 (220.127.116.11) Origin IGP, metric 50, localpref 200, valid, internal Community: 3549:2401 3549:30840 Originator: 18.104.22.168, Cluster list: 0.0.0.81 67234 62550, (received & used) 22.214.171.124 from 126.96.36.199 (188.8.131.52) Origin IGP, metric 50, localpref 200, valid, internal Community: 3549:2102 3549:30840 Originator: 184.108.40.206, Cluster list: 0.0.0.21 67234 62550, (received & used) 220.127.116.11 from 18.104.22.168 (22.214.171.124) Origin IGP, metric 50, localpref 200, valid, internal Community: 3549:2102 3549:30840 Originator: 126.96.36.199, Cluster list: 0.0.0.21
We show the same information we found in our looking glass checks earlier, confirming the additional address space we found earlier. An additional command we can run will check if any other networks exist under the AS number for Acme:
route-server.phx1>show ip bgp regexp _62550$ BGP table version is 10558572, local router ID is 188.8.131.52 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *>i184.108.40.206/20 220.127.116.11 50 200 0 67234 62550 i * i 18.104.22.168 50 200 0 67234 62550 i * i 22.214.171.124 50 200 0 67234 62550 i * i 126.96.36.199 50 200 0 67234 62550 i route-server.phx1>
Based on our findings with the regexp query, we did not find any additional address space for Acme. If there were any other network blocks for Acme's AS number, they would show up listed as additional networks. The 188.8.131.52/20 network appears to be all address space announced for Acme; however, there are some more checks we will conduct before we are convinced we have all address space.
A relatively new and alternative method of getting up-to-date routing-related information is a service called Prefix WhoIs (developed by the authors). By using Prefix WhoIs, a savvy administrator can retrieve current routing-related information (like the data available from route-view servers) directly from their command line using a standard whois client. (See http://www.pwhois.org for further details.) An example of a Prefix WhoIs query using any standard whois client may look like this:
> whois -h whois.pwhois.org 184.108.40.206 IP: 220.127.116.11 Origin-AS: 3356 Prefix: 18.104.22.168/8 AS-Path: 3356 Cache-Date: 1114682701
Prefix WhoIs also supplies its own advanced whois client named WhoB that is distributed with the Layer Four Traceroute tool discussed later in this chapter. WhoB makes it easy to query Prefix WhoIs and other whois data sources for only the most important information. An example query using WhoB may look like this:
> whob -tuo www.google.com 22.214.171.124 | origin-as 15169 (126.96.36.199/24) | 28-Apr-05 10:05:01 GMT | Google
About the author
Victor Oppleman is an accomplished author, speaker, and teacher in the field of network security and a specialized consultant to some of the world's most admired companies. Mr. Oppleman's open source software has been distributed to hundreds of thousands of computers worldwide and some is used in graduate-level college curricula to demonstrate advanced networking techniques. Early in his career as an engineer, Mr. Oppleman developed portions of the backbone systems infrastructure for Genuity, the first Internet data center company. Later, as a senior architect for BBN and GTE Internetworking, Mr. Oppleman developed security-related products and services centered on public key infrastructure (PKI). A great deal of Mr. Oppleman's professional career has been dedicated to tactical engineering and consulting for global telecom operators and critical infrastructure organizations in industries such as power and water, financial services, and defense. Some of the largest global companies frequently call upon Mr. Oppleman to perform advanced vulnerability assessments, provide expert counsel, and navigate complex regulatory issues concerning information security. An accomplished executive and engineer in network security, data hosting services, and software development, Mr. Oppleman also holds U.S. intellectual property patents in distributed adaptive routing and wireless consumer applications.
Oliver Friedrichs is a Senior Manager in Symantec Security Response, the organization responsible for the delivery of antivirus definitions, intrusion detection updates, and early warning technologies within Symantec. Mr. Friedrichs served as co-founder and Director of Engineering at SecurityFocus until the company's acquisition by Symantec in 2002. At SecurityFocus Mr. Friedrichs managed the development of the industry's first early warning technology for Internet attacks, the DeepSight Threat Management System. Mr. Friedrichs also created and grew the DeepSight Threat Analyst team, providing thorough analysis of emerging Internet threats. Prior to SecurityFocus, he served as co-founder and Vice President of Engineering at Secure Networks, Inc., which was acquired by Network Associates in 1998. At Secure Networks, Mr. Friedrichs architected and managed the development of Ballista network security auditing software, later rebranded CyberCop Scanner by Network Associates. At Network Associates Mr. Friedrichs also founded COVERT (Computer Vulnerability Exploitation Research Team) with the exclusive goal of researching and discovering new security vulnerabilities. Mr. Friedrichs also architected and developed a prototype of the industry's first commercial penetration testing product, CORE Impact, developed and sold by CORE Security Technologies. Mr. Friedrichs has over 13 years of expertise in security technologies, including network assessment, intrusion detection systems, firewalls, penetration testing, and honeypots. As a frequent speaker, he has shared his expertise with many of the world's most powerful organizations, including the Department of Homeland Security, U.S. Secret Service, the IRS, the DOD, NASA, AFOSI, and the Canadian DND.
Brett Watson has 17 years experience in network architecture and security, including large-scale IP networking, optical networking, and security and vulnerability assessments. Mr. Watson currently works for Internet Systems Consortium's DNS Operations, Analysis, and Research Center (DNS OARC) doing macroscopic analysis of global DNS behavior. Prior to joining ISC, Mr. Watson helped deploy and maintain the original MCI and Genuity IP backbones, and designed the first metropolitan IP-over-Gigibit Ethernet product for Metromedia Fiber Networks. Mr. Watson has spent the last several years performing custom network and vulnerability assessments, and consulting on information security issues for some of the largest healthcare, water, and power industries in the United States. In addition, Mr. Watson holds a patent for one of the first large-scale, content distribution platforms known as Hopscotch.