Donate for the Cryptome archive of files from June 1996 to the present

9 December 2013

Full-Disclosure Comments

From: xxxxxx
Subject: document has credibility issues
Date: Sun, 8 Dec 2013 16:58:45 +0100
To: cryptome[at]

I'm reading the document at

and have an issue with it.

Notably, it only talks about RIP as a routing protocol, when most ISP networks are based on ISIS, BGP, sometimes OSPF, and for large networks MLPS (a lot).

Also, DSL technologies are based on ATM in the last mile, and thus the thing should be talking of VPI/VCI and not VLANs.

PS: I'm run a small ISP in France ;)

[Source responds:]

9 December 2013

Xxxxxx, as an ISP and independent security researcher, you know that ATM is a link layer protocol on top of which TCP/IP operates (is encapsulated), the ATM's VPI/VCI is irrelevant with regard to TCP/IP, for example, BT use Ethernet frames over ATM (EoA), in which Ethernet frames are simply encapsulated into the ATM Adaptation Layer 5 (AAL5) using RFC 1483. The encapsulation supports both routing and bridged networks, IP address management is static or dynamic with the use of DHCP session management.

The Linux open source router (originally known as Zebra, but now more commonly known as Quagga, is installed and running inside these modems, this is not unusual, except the owner/user does not any control or access to it in this case.

Zebra supports RIP, OSPF, ISIS, BGP and MPLS modules, however, in the BT routers, only RIP daemon module is running, this allows the attacker to inject routes remotely (publish routes for specific networks e.g. Google), causing packets to be sent to the attackers gateway.

Presumably the only reason RIP module is installed is because its simple and when combined with a VLAN allows multiple attacks to occur from the same attacker network. Further, a RIP route or a simple static route is all that is needed to redirect all or some (specific network) traffic.

There is a hidden SSH server daemon also running also listening on*, allowing the attacker to simply login and add static routes as he requires, as you will note the version of busybox installed supports both "ip" and "route" commands. This is actually documented in the Edward Snowden revelations and detailed in Full-Disclosure.pdf.

I agree, that the use of a VLAN (i.e. a separate broadcast domain) is not actually required by the attacker to route your traffic, but it does shield the attackers activity at the ISP premises and allow isolation on his own network.


You should note that the routing to the attackers network does not require any assistance from the ISP, unless the victims modem device (end-point) has no backdoor, in which case routing can still happen upstream, but this is much more complicated and not scale-able.

If routed upstream, the attacker will _not_ have access to the users internal LAN network, and in this case the ISP would be forced to use Lawful Interception which would then require a legal warrant.

Lawful Interception -

Please see the FAQ portion of the document, it explains this is an architecture that is not limited to fixed broadband/ATM links, but also works the same one smart mobile phones.

I would also suggest (but have no proof at this point) that larger big brand routers have this same architecture built-in too, this would explain how larger (e.g. entire ISPs) can have their BGP traffic hi-jacked.