-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello.

krishna e bera wrote:
> Is the stated vulnerability an actively exploited problem or is this a DoS attack by scaremongering?

My guess is it is neither. I would bet that it's just some over-excited researchers who want to get the news out about just how awful BGP is. But, while it is "exploitable", there's not much that can be done with it. All an attacker could do is cause the connections destined for your relay to go to their servers instead. But crucially, they do not have your relay key, so all other relays and clients would refuse to connect to them. I suppose it could be used in combination with a guard discovery attack to deanonymize a small set of people if the attacker does not have any access between you and the targets (and cannot buy NetFlow logs, etc.). They could perform BGP hijacking then monitor which IPs are trying to connect to them to discover if they are users of your guard. Such an attack is very noisy and would not go unnoticed for long. Think of it like a remote denial of service attack where the attackers are also able to see who is getting denied.

> I have turned off the Guard capability for now.

You don't have to turn it off. It's still helpful to the network.

Regards,
forest
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----