Extreme Exploits: Advanced Defenses Against Hardcore Hacks


By Victor Oppleman, Oliver Friedrichs and Brett Watson
Published by McGraw-Hill/Osborne
ISBN: 0072259558
Published: July 18, 2005
Pages: 544


ISP Route Filter Policy

There are routers available on the Internet that provide information publicly regarding what is in the routing table for a particular organization. These routers (or the service provided on them) are known as route servers. Route servers are made available publicly by providers for one general purpose. When routing deficiencies are being experienced, these route servers can be used by service providers to see what is happening across other service providers from alternative perspectives. The route server is generally not a production system but a system connected into production that contains the same routing table (obviously locked down and limited in its capabilities for security reasons). As security analysts, we can use route servers to probe the public infrastructure further to determine whether other network blocks exist besides what we were provided or have already found. In our Acme assessment, we have already identified additional address space that we must include in our theatre of war; it is entirely possible other network space exists as well.
The first step is to telnet to a public route server. Route servers do not require any authentication (as they are in place for public use). When we check routes in the route server for Acme, we will use 2.2.0.0/20 since we know that definitely exists.

NOTE
Search the Internet for public route servers. Several links to route server listings are available through Google or other search engines.

root@scanner:~# telnet route-server.gblx.net
Trying 67.17.81.28...
Connected to loop0.route-server.phx1.gblx.net.
Escape character is '^]'.
CC
##############################################
# Global Crossing International IP Network   #
# Route View Server                          #
#                                            #
# TELNET to route-server.eu.gblx.net         #
# for European Route View Server             #
#                                            #
# All connections and keystrokes logged      #
# Contact: GBLX-IP NOC: gc-noc@gblx.net      #
# 800-404-7714                               #
##############################################

route-server.phx1>show ip bgp 2.2.0.0
BGP routing table entry for 2.2.0.0/20, version 10400836
Paths: (4 available, best #1)
  Not advertised to any peer
  67234 62550, (received & used)
    67.17.77.193 from 67.17.81.117 (67.17.81.117)
      Origin IGP, metric 50, localpref 200, valid, internal, best
      Community: 3549:2401 3549:30840
      Originator: 67.17.80.182, Cluster list: 0.0.0.81
  67234 62550, (received & used)
    67.17.77.193 from 67.17.81.167 (67.17.81.167)
      Origin IGP, metric 50, localpref 200, valid, internal
      Community: 3549:2401 3549:30840
      Originator: 67.17.80.182, Cluster list: 0.0.0.81
  67234 62550, (received & used)
    67.17.77.193 from 67.17.80.232 (67.17.80.232)
      Origin IGP, metric 50, localpref 200, valid, internal
      Community: 3549:2102 3549:30840
      Originator: 67.17.80.219, Cluster list: 0.0.0.21
  67234 62550, (received & used)
    67.17.77.193 from 67.17.80.221 (67.17.80.221)
      Origin IGP, metric 50, localpref 200, valid, internal
      Community: 3549:2102 3549:30840
      Originator: 67.17.80.219, Cluster list: 0.0.0.21

We show the same information we found in our looking glass checks earlier, confirming the additional address space we found earlier. An additional command we can run will check if any other networks exist under the AS number for Acme:

route-server.phx1>show ip bgp regexp _62550$
BGP table version is 10558572, local router ID is 67.17.81.28
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i2.2.0.0/20       67.17.77.193            50    200      0 67234 62550 i
* i                 67.17.77.193            50    200      0 67234 62550 i
* i                 67.17.77.193            50    200      0 67234 62550 i
* i                 67.17.77.193            50    200      0 67234 62550 i
route-server.phx1>

Based on our findings with the regexp query, we did not find any additional address space for Acme. If there were any other network blocks for Acme's AS number, they would show up listed as additional networks. The 2.2.0.0/20 network appears to be all address space announced for Acme; however, there are some more checks we will conduct before we are convinced we have all address space.
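The regexp check above is easy to read by eye for one prefix, but an assessor usually wants a list to diff against the address space the client claims. The following parser is an added example, not code from the book or from Prefix WhoIs: it takes route-server output laid out the way Cisco IOS prints it (here a constructed sample for the broader "_62550_" form of the query, a standard IOS regexp that also matches paths merely passing through the AS, with fictional prefixes and AS numbers) and separates prefixes the target AS actually originates from ones it only transits, which is the distinction that matters when confirming the address inventory.

```python
import re

# Constructed sample of a route server's "show ip bgp regexp _62550_" output
# (the "_AS_" form also matches paths that merely transit the AS), laid out
# the way Cisco IOS prints it; prefixes and AS numbers are fictional. The
# last two rows are a prefix that only passes through AS 62550.
BGP_OUTPUT = """\
BGP table version is 10558572, local router ID is 67.17.81.28
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i2.2.0.0/20       67.17.77.193            50    200      0 67234 62550 i
* i                 67.17.77.193            50    200      0 67234 62550 i
*>i2.2.16.0/22      67.17.77.193            50    200      0 67234 62550 65010 i
* i                 67.17.77.193                  200      0 67234 62550 65010 i
"""

PREFIX_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+/\d+$")


def parse_bgp_table(text):
    """Return (prefix, as_path) pairs from 'show ip bgp' style output.

    The Network column is printed only on a prefix's first path; later rows
    inherit it. The Path column offset comes from the header, so a blank
    Metric cell does not shift the AS path.
    """
    rows, current, path_col = [], None, None
    for line in text.splitlines():
        if "Network" in line and "Path" in line:
            path_col = line.index("Path")          # header row
        elif path_col is not None and line[:1] in ("*", "s", "d", "h"):
            fields = line[3:].split()              # skip 3 status-code chars
            if fields and PREFIX_RE.match(fields[0]):
                current = fields[0]
            path = line[path_col:].split()         # e.g. ['67234', '62550', 'i']
            rows.append((current, [int(a) for a in path[:-1]]))  # drop origin code
    return rows


def classify_prefixes(text, asn):
    """Split prefixes into those originated by asn and those only transited."""
    originated, transited = set(), set()
    for prefix, as_path in parse_bgp_table(text):
        (originated if as_path[-1] == asn else transited).add(prefix)
    return sorted(originated), sorted(transited - originated)
```

Run against the page's own "_62550$" query the transited list is always empty, since that anchor only matches paths ending in 62550; the "_62550_" form is what surfaces downstream customers or a prefix someone else originates through the AS.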

A relatively new and alternative method of getting up-to-date routing-related information is a service called Prefix WhoIs (developed by the authors). By using Prefix WhoIs, a savvy administrator can retrieve current routing-related information (like the data available from route-view servers) directly from their command line using a standard whois client. (See http://www.pwhois.org for further details.) An example of a Prefix WhoIs query using any standard whois client may look like this:

> whois -h whois.pwhois.org 4.2.2.1
IP: 4.2.2.1
Origin-AS: 3356
Prefix: 4.0.0.0/8
AS-Path: 3356
Cache-Date: 1114682701

Prefix WhoIs also supplies its own advanced whois client named WhoB that is distributed with the Layer Four Traceroute tool discussed later in this chapter. WhoB makes it easy to query Prefix WhoIs and other whois data sources for only the most important information. An example query using WhoB may look like this:

> whob -tuo www.google.com
66.102.7.104 | origin-as 15169 (66.102.7.0/24) | 28-Apr-05 10:05:01 GMT | Google

Excerpt continued on Page 4 

About the author
Victor Oppleman is an accomplished author, speaker, and teacher in the field of network security and a specialized consultant to some of the world's most admired companies. Mr. Oppleman's open source software has been distributed to hundreds of thousands of computers worldwide and some is used in graduate-level college curricula to demonstrate advanced networking techniques. Early in his career as an engineer, Mr. Oppleman developed portions of the backbone systems infrastructure for Genuity, the first Internet data center company. Later, as a senior architect for BBN and GTE Internetworking, Mr. Oppleman developed security-related products and services centered on public key infrastructure (PKI). A great deal of Mr. Oppleman's professional career has been dedicated to tactical engineering and consulting for global telecom operators and critical infrastructure organizations in industries such as power and water, financial services, and defense. Some of the largest global companies frequently call upon Mr. Oppleman to perform advanced vulnerability assessments, provide expert counsel, and navigate complex regulatory issues concerning information security. An accomplished executive and engineer in network security, data hosting services, and software development, Mr. Oppleman also holds U.S. intellectual property patents in distributed adaptive routing and wireless consumer applications.
Oliver Friedrichs is a Senior Manager in Symantec Security Response, the organization responsible for the delivery of antivirus definitions, intrusion detection updates, and early warning technologies within Symantec. Mr. Friedrichs served as co-founder and Director of Engineering at SecurityFocus until the company's acquisition by Symantec in 2002. At SecurityFocus Mr. Friedrichs managed the development of the industry's first early warning technology for Internet attacks, the DeepSight Threat Management System. Mr. Friedrichs also created and grew the DeepSight Threat Analyst team, providing thorough analysis of emerging Internet threats. Prior to SecurityFocus, he served as co-founder and Vice President of Engineering at Secure Networks, Inc., which was acquired by Network Associates in 1998. At Secure Networks, Mr. Friedrichs architected and managed the development of Ballista network security auditing software, later rebranded CyberCop Scanner by Network Associates. At Network Associates Mr. Friedrichs also founded COVERT (Computer Vulnerability Exploitation Research Team) with the exclusive goal of researching and discovering new security vulnerabilities. Mr. Friedrichs also architected and developed a prototype of the industry's first commercial penetration testing product, CORE Impact, developed and sold by CORE Security Technologies. Mr. Friedrichs has over 13 years of expertise in security technologies, including network assessment, intrusion detection systems, firewalls, penetration testing, and honeypots. As a frequent speaker, he has shared his expertise with many of the world's most powerful organizations, including the Department of Homeland Security, U.S. Secret Service, the IRS, the DOD, NASA, AFOSI, and the Canadian DND.
Brett Watson has 17 years experience in network architecture and security, including large-scale IP networking, optical networking, and security and vulnerability assessments. Mr. Watson currently works for Internet Systems Consortium's DNS Operations, Analysis, and Research Center (DNS OARC) doing macroscopic analysis of global DNS behavior. Prior to joining ISC, Mr. Watson helped deploy and maintain the original MCI and Genuity IP backbones, and designed the first metropolitan IP-over-Gigabit Ethernet product for Metromedia Fiber Networks. Mr. Watson has spent the last several years performing custom network and vulnerability assessments, and consulting on information security issues for some of the largest healthcare, water, and power industries in the United States. In addition, Mr. Watson holds a patent for one of the first large-scale, content distribution platforms known as Hopscotch.
Copyright 2005, SecurityFocus