On Mon, Mar 10, 2014 at 3:43 PM, Owen DeLong <owen@delong.com> wrote:

Can you give me an example of what would be the scenario here?  Assuming I am the upstream ISP of the "hosts I control, willing to subject them to vast quantities of traffic".  Would I announce 1.2.3.0/24 upstream, and point it to my customer's link?

I'm not assuming that the upstream ISP would be the malefactor. That is, in fact, a rather odd assumption, is it not?

Very odd, but I was trying to think of ways to force someone to use my servers.
 
OTOH, if you are a malefactor that wants to turn your botnet into anycasted DNS servers to issue incorrect redirections to others, getting said botnet (or its upstream routers if you are able to control them somehow) to announce 1.2.3.0/24 really doesn't pose any problem to you as a result of the traffic it generates.

This is the part that I really do not understand.  Suppose I control a significant number of Windows 7 PCs, and a few Cisco routers, in your network, through a C&C botnet.  How would I get them (the PCs) to make announcements for 1.2.3.0/24?  I could install quagga (after porting it) quietly on them, but who would the Windows 7 PCs peer with?  Only the routers under my control?  In which case, what would be the point?

I could get the Ciscos to start up BGP, and start announcing 1.2.3.0/24, but to whom?  Again, I can only peer if I control both sides of the link, and if I control both sides, why do anycast anyway?  I have control of the RIB.

If I controlled the routers at the edge of your network, I could redirect traffic from your nodes to any address I wished.  This requires no new DNS, or 1.2.3.0/24 routing.

There is one other case I can think of.  Start DNS servers on the zombie PCs, assign them 1.2.3.4, and use them as a DNS server farm.  But who would come to them?  If this was a home network (or any kind of leaf network), assigning 8.8.8.8 to my interface does not make you next to me send your DNS query to me. 
 

Or would I announce 1.2.3.0/24 from another ISP's origin AS?  

Not sure how that would work or help other than in an attempt to cover your tracks.

Thank you, so we can close that scenario I postulated as invalid.
 
How would (evil me) be able to hurt hosts other than on _my_ network?

You are assuming that you are doing this with routers you own (in the commercial sense of the word). I am assuming someone doing this with routers that they control (in the enable access sense of the word) but do not own (in the commercial sense of the word).

Malefactors these days are rather well known for using other people's equipment to carry out their misdeeds, or are you unfamiliar with the term "botnet"?

I am aware of the concept, and some implementations.  And I appreciate your distinction between the "own" and "control" part, it helps bisect the problem.

Suppose I subvert a router in your network (might be your edge router, might be an internal).  Now what?  Where does 1.2.3.0/24 come into the picture?
 
I am not doubting that people would not want to misuse this, but how would this work in the case you have outlined?

I hope I have adequately clarified.

I can understand if I am being too slow in picking up something obvious.  I am still not seeing a _new_ attack vector _due_ to 1.2.3.0/24 being allowed to be used internally (and even leaking externally).


--
Sanjeev Gupta
+65 98551208   http://sg.linkedin.com/in/ghane