ietf-mxcomp

Re: Additional security consideration for marid-core

2004-08-11 23:45:41


On Wed, 11 Aug 2004, Jim Fenton wrote:

As promised at last week's meeting, I'd like to propose description of 
an additional attack for the Security Considerations section of marid-core:
-----
6.4 Address Space Hijacking

This mechanism assumes the integrity of IP address space for 
determining whether a given client is authorized to send messages from a 
given PRA.  In addition to the TCP attack given in section 6.2, a 
sufficiently resourceful attacker might be able to alter the IP routing 
structure to permit two-way communication using a specified IP address.  
It would then be possible to execute an SMTP session that appears to 
come from an authorized address, without the need to guess TCP sequence 
numbers or transmit in the blind.

Such an attack might occur if the attacker obtained access to a router 
which participates in external BGP routing.  Such a router could 
advertise a more specific route to a rogue SMTP client, temporarily 
overriding the legitimate owner of the address.
-----

Considering that I know quite a bit about IP hijacking (as maintainer of 
http://completewhois.com/hijacked), I don't particularly see it as a big 
threat just because of MARID. First of all, MARID is not a strong identity by 
any means and should not be relied on as a 100% guarantee that the client is who
he says he is - we're trying to build a system that "in mass" is capable
of answering this question with fairly good statistical accuracy, but this 
does not mean perfect accuracy for each individual case. In such a view, 
there should be no easy way for somebody to crack the system, and IP 
hijacking requires quite a bit of effort and carries strong consequences.

It is not an easy thing to achieve for somebody to try to use somebody else's
(otherwise already actively used) IP space; this will be quickly discovered 
and tracked to the source ASN doing the announcement. Just having hacked 
access to a BGP router is also not enough; you need to actually have prior 
authorization with the upstream, which in itself will usually require access 
to the email account of the ISP or organization the attacker is trying to appear as.
And if somebody does have hacked access to a large enough BGP router, they 
could actually do a lot worse things than just spam or phishing 
(routers are worth quite a bit on the black market, on the order of 
1:10,000 or more what a zombie is worth).

Now it is not exactly that I'm saying it's not a threat or that it cannot
happen (it probably will), but there are easier means to achieve a similar
result, like using zombies or, if access to a particular net is desired, hacking
a computer on that net. But if others do really feel like this should be 
included as a possible threat, my opinion is that the first paragraph is all 
that should be included and is enough (let's not give a spammer who has read
the document any ideas about hacking BGP routers; as you so elegantly put
at the end, this "is a place where none of us would like to see them go").
 
-- 
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
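
The message above says that a more specific announcement for address space already in use "will be quickly discovered and tracked to the source ASN doing the announcement". The following is an added example, not part of the original message or of marid-core, showing one way a monitor could make that check. The prefixes and AS numbers are constructed from the documentation ranges (RFC 5737, RFC 5398), and the names `MONITORED`, `ANNOUNCEMENTS`, `classify` and `alerts` are hypothetical.

```python
import ipaddress

# Constructed sample data: address space a domain authorizes for sending
# mail, mapped to the origin ASN its owner expects to announce it.
MONITORED = {
    ipaddress.ip_network("192.0.2.0/24"): 64496,
    ipaddress.ip_network("198.51.100.0/24"): 64497,
}

# Constructed (prefix, origin ASN) pairs as a route monitor might see them.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # expected prefix, expected origin
    ("192.0.2.128/25", 64511),    # more specific, foreign origin
    ("198.51.100.0/24", 64510),   # same prefix, different origin
    ("198.51.100.0/25", 64497),   # more specific, but from the owner
    ("203.0.113.0/24", 64500),    # unrelated address space
]

def classify(prefix, origin_asn, monitored=MONITORED):
    """Return (verdict, covering_prefix) for one announcement."""
    net = ipaddress.ip_network(prefix)
    for owned, expected_asn in monitored.items():
        # subnet_of() raises TypeError across IP versions, so check first.
        if net.version != owned.version or not net.subnet_of(owned):
            continue
        if origin_asn == expected_asn:
            return ("ok", owned)
        if net.prefixlen > owned.prefixlen:
            # Longest-prefix match would prefer this route over the owner's.
            return ("more-specific-foreign-origin", owned)
        return ("origin-mismatch", owned)
    return ("unrelated", None)

def alerts(announcements=ANNOUNCEMENTS):
    """List announcements that touch monitored space from an unexpected ASN."""
    out = []
    for prefix, asn in announcements:
        verdict, owned = classify(prefix, asn)
        if verdict not in ("ok", "unrelated"):
            out.append((prefix, asn, verdict, str(owned)))
    return out

if __name__ == "__main__":
    for alert in alerts():
        print(alert)
```

Each alert carries the announcing ASN, which is the starting point for tracing the announcement back to its source.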

