9 December 2013
Subject: document has credibility issues
Date: Sun, 8 Dec 2013 16:58:45 +0100
I'm reading the document at
and have an issue with it.
Notably, it only talks about RIP as a routing protocol, when most ISP networks
are based on ISIS, BGP, sometimes OSPF, and for large networks MLPS (a lot).
Also, DSL technologies are based on ATM in the last mile, and thus the thing
should be talking of VPI/VCI and not VLANs.
PS: I'm run a small ISP in France ;)
9 December 2013
Xxxxxx, as an ISP and independent security researcher, you know that ATM
is a link layer protocol on top of which TCP/IP operates (is encapsulated),
the ATM's VPI/VCI is irrelevant with regard to TCP/IP, for example, BT use
Ethernet frames over ATM (EoA), in which Ethernet frames are simply encapsulated
into the ATM Adaptation Layer 5 (AAL5) using RFC 1483. The encapsulation
supports both routing and bridged networks, IP address management is static
or dynamic with the use of DHCP session management.
The Linux open source router (originally known as Zebra, but now more commonly
known as Quagga http://www.nongnu.org/quagga/), is installed and running
inside these modems, this is not unusual, except the owner/user does not
any control or access to it in this case.
Zebra supports RIP, OSPF, ISIS, BGP and MPLS modules, however, in the BT
routers, only RIP daemon module is running, this allows the attacker to inject
routes remotely (publish routes for specific networks e.g. Google), causing
packets to be sent to the attackers gateway.
Presumably the only reason RIP module is installed is because its simple
and when combined with a VLAN allows multiple attacks to occur from the same
attacker network. Further, a RIP route or a simple static route is all that
is needed to redirect all or some (specific network) traffic.
There is a hidden SSH server daemon also running also listening on 0.0.0.0:*,
allowing the attacker to simply login and add static routes as he requires,
as you will note the version of busybox installed supports both "ip" and
"route" commands. This is actually documented in the Edward Snowden revelations
and detailed in Full-Disclosure.pdf.
I agree, that the use of a VLAN (i.e. a separate broadcast domain) is not
actually required by the attacker to route your traffic, but it does shield
the attackers activity at the ISP premises and allow isolation on his own
VLAN over ATM
You should note that the routing to the attackers network does not require
any assistance from the ISP, unless the victims modem device (end-point)
has no backdoor, in which case routing can still happen upstream, but this
is much more complicated and not scale-able.
If routed upstream, the attacker will _not_ have access to the users internal
LAN network, and in this case the ISP would be forced to use Lawful Interception
which would then require a legal warrant.
Lawful Interception -
Please see the FAQ portion of the document, it explains this is an architecture
that is not limited to fixed broadband/ATM links, but also works the same
one smart mobile phones.
I would also suggest (but have no proof at this point) that larger big brand
routers have this same architecture built-in too, this would explain how
larger (e.g. entire ISPs) can have their BGP traffic hi-jacked.