
12. Security Considerations


The introduction of routing protocols that support classless prefixes
and a move to a forwarding model that mandates that more-specific
(longest-match) routes be preferred when they overlap with routes to
less-specific prefixes introduces at least two security concerns:

  1. Traffic can be hijacked by advertising a prefix for a given
    destination that is more specific than the aggregate that is
    normally advertised for that destination. For example, assume
    that a popular end system with the address 192.168.17.100 is
    connected to a service provider that advertises 192.168.16.0/20.
    A malicious network operator interested in intercepting traffic
    for this site might advertise, or at least attempt to advertise,
    192.168.17.0/24 into the global routing system. Because this
    prefix is more specific than the "normal" prefix, traffic will be
    diverted away from the legitimate end system and to the network
    owned by the malicious operator. Prior to the advent of CIDR, it
    was possible to induce traffic from some parts of the network to
    follow a false advertisement that exactly matched a particular
    network number; CIDR makes this problem somewhat worse, since
    longest-match routing generally causes all traffic to prefer
    more-specific routes over less-specific routes. The remedy for
    the CIDR-based attack, though, is the same as for a pre-CIDR-based
    attack: establishment of trust relationships between providers,
    coupled with strong route policy filters at provider borders.
    Unfortunately, the implementation of such filters is difficult in
    the highly de-centralized Internet. As a workaround, many
    providers do implement generic filters that set upper bounds,
    derived from RIR guidelines for the sizes of blocks that they
    allocate, on the lengths of prefixes that are accepted from other
    providers. Note that such a bound only limits how specific a
    hijack can be: an announcement no longer than the bound (a /24 in
    the example above, where the bound is commonly /24) still passes.
    Note also that "spammers" have been observed using this sort of
    attack to hijack address space temporarily in order to hide the
    origin of the traffic ("spam" email messages) that they generate.

  2. Denial-of-service attacks can be launched against many parts of
    the Internet infrastructure by advertising a large number of
    routes into the system. Such an attack is intended to cause
    router failures by overflowing routing and forwarding tables. A
    good example of a non-malicious incident that caused this sort of
    failure was the infamous "AS 7007" event [7007], where a router
    misconfiguration by an operator caused a huge number of invalid
    routes to be propagated through the global routing system.
    Again, this sort of attack is not really new with CIDR; using
    legacy Class A/B/C routes, it was possible to advertise a maximum
    of 16843008 unique network numbers into the global routing
    system, a number that is sufficient to cause problems for even
    the most modern routing equipment made in 2005. What is
    different is that the moderate complexity of correctly
    configuring routers in the presence of CIDR tends to make
    accidental "attacks" of this sort more likely. Measures to
    prevent this sort of attack are much the same as those described
    above for the hijacking, with the addition that best common
    practice is also to configure a reasonable maximum number of
    prefixes that a border router will accept from its neighbors
    (commonly called a "max-prefix" limit, which typically shuts the
    session down when the neighbor exceeds it).
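The following is an added example, not part of this document, that models both concerns above: a longest-match forwarding table shows why the more-specific announcement wins, and a generic inbound border policy shows what a prefix-length bound and a max-prefix limit do and do not stop. The AS numbers (64512 to 64514, from the private range) and the 10.0.0.0/8 de-aggregation used to stand in for a leak like the AS 7007 event are constructed for illustration; all announcements are modelled as arriving over a single session so that one filter applies to them. The addresses are those of the document's own example.

```python
import ipaddress
import itertools

# Added example, not part of RFC 4632. AS numbers are constructed private
# ASNs; addresses follow the document's own 192.168.16.0/20 example.


class RoutingTable:
    """A forwarding table that applies CIDR longest-match selection."""

    def __init__(self):
        self.routes = {}  # IPv4Network -> origin AS

    def add(self, prefix, origin_as):
        self.routes[ipaddress.ip_network(prefix, strict=False)] = origin_as

    def lookup(self, address):
        """Return (prefix, origin AS) of the most specific route covering address."""
        addr = ipaddress.ip_address(address)
        matches = [(net, asn) for net, asn in self.routes.items() if addr in net]
        if not matches:
            return None
        net, asn = max(matches, key=lambda m: m[0].prefixlen)
        return str(net), asn


def border_filter(announcements, max_prefixlen=24, max_prefixes=100):
    """Generic inbound policy of the kind described in the text.

    - prefixes longer than max_prefixlen are dropped (RIR-derived bound);
    - once max_prefixes routes have been accepted from this neighbor, no
      more are taken and the session is flagged (a real router would
      normally tear the session down at this point).
    Returns (accepted, rejected, session_up).
    """
    accepted, rejected, session_up = [], [], True
    for prefix, origin in announcements:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.prefixlen > max_prefixlen:
            rejected.append((prefix, origin, "longer than /%d" % max_prefixlen))
            continue
        if len(accepted) >= max_prefixes:
            session_up = False
            rejected.append((prefix, origin, "max-prefix %d exceeded" % max_prefixes))
            continue
        accepted.append((prefix, origin))
    return accepted, rejected, session_up


def hijack_scenario(max_prefixlen=None):
    """Concern 1: who receives traffic for 192.168.17.100 under a given
    inbound filter?  max_prefixlen=None models a border with no filter."""
    announcements = [
        ("192.168.16.0/20", 64512),   # legitimate aggregate from the real provider
        ("192.168.17.0/24", 64513),   # attacker's more-specific announcement
        ("192.168.17.64/26", 64513),  # an even more specific one from the attacker
    ]
    if max_prefixlen is None:
        accepted = announcements
    else:
        accepted, _, _ = border_filter(announcements, max_prefixlen=max_prefixlen)
    table = RoutingTable()
    for prefix, origin in accepted:
        table.add(prefix, origin)
    return table.lookup("192.168.17.100")


def leak_scenario(n_routes, max_prefixes=100):
    """Concern 2: a neighbor de-aggregates 10.0.0.0/8 into n_routes /24s
    (a constructed stand-in for a misconfiguration like the AS 7007 event)."""
    subnets = ipaddress.ip_network("10.0.0.0/8").subnets(new_prefix=24)
    leaked = [(str(net), 64514) for net in itertools.islice(subnets, n_routes)]
    accepted, rejected, session_up = border_filter(leaked, max_prefixes=max_prefixes)
    return len(accepted), len(rejected), session_up


if __name__ == "__main__":
    print("no filter:      ", hijack_scenario())                  # /26 from AS 64513 wins
    print("/24 upper bound:", hijack_scenario(max_prefixlen=24))  # /24 from AS 64513 still wins
    print("/20 for peer:   ", hijack_scenario(max_prefixlen=20))  # legitimate /20 from AS 64512
    print("500-route leak: ", leak_scenario(500))                 # (100, 400, False)
```

The middle run is the practitioner's caveat: a generic /24 upper bound rejects the /26 but passes the /24, so the hijack in the document's example still succeeds. Only a tighter, per-neighbor bound grounded in what that neighbor is actually entitled to announce (the /20 here, i.e. the trust relationship the text calls for) restores the legitimate route. The last run shows the max-prefix limit bounding the damage from a de-aggregation leak to the first 100 routes.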

Note that this is not intended to be an exhaustive analysis of the
sorts of attacks that CIDR makes easier; a more comprehensive
analysis of security vulnerabilities in the global routing system is
beyond the scope of this document.