Through The Looking-Glass, and What Eve Found There


Luca Bruno, Mariano Graziano, Davide Balzarotti, Aurélien Francillon


EURECOM
{firstname.lastname}@eurecom.fr

Abstract

Looking-glasses are web applications commonly deployed by Autonomous Systems to offer restricted web access to their routing infrastructure, in order to ease remote debugging of connectivity issues. In our study, we looked at existing deployments and open-source code to assess the security of this critical software. As a result, we found several flaws and misconfigurations that can be exploited to escalate from a web attack to a remote command execution on backbone routers.

This paper summarises the results of our study, and shows how even an attacker with very limited resources can exploit such flaws in operators’ networks and gain access to core Internet infrastructure. Depending on systems configuration, these attacks may result in traffic disruption and global BGP routes injection, with severe implications for the security of the Internet.

1 Introduction

The Internet is composed of a large number of Autonomous Systems (AS) which cooperate to exchange and carry data across their links. Several intra- and extra-AS routing protocols running on backbone routers are responsible for distributing routes in the control plane, across the world. Some of those protocols, however, have not been designed with security in mind and are not specifically resilient against malicious agents [1].

For example, the Border Gateway Protocol (BGP) [2] takes care of extra-AS routes distribution, but any malicious or wrongly configured AS can hijack and re-route prefixes owned by other ASes. Therefore, most of Internet routing relies on the assumption that no malicious BGP routers are ever allowed to announce bogus routes, and that the existing routers are benign and properly secured.

The aim of our study is to show how these assumptions do not hold true in the real world, by focusing on a series of software flaws and widespread misconfigurations in “looking-glass” software that offers limited web-access to backbone routers.

The paper is organized as follows. In Section 1 we introduce the concept of “looking-glass” software as a public-access network debug tool, and its typical code architecture. Then, in Section 3 we outline a possible threat model, along with some of the most severe menaces. Furthermore, in Section 4 and 5 we present the results of the software review we did, and we describe the indirect experiments we performed to confirm our findings. The most relevant statistics and results of our experiments are shown in Section 6, along with an empirical rough estimation of BGP injection feasibility, based on historical records. Finally, Section 8 summarises our findings and gives some insights on the current state of the Internet infrastructure.

2 Background

An AS infrastructure is composed of several network services, each handled by different systems and devices. For the purposes of this paper, we will limit our focus to just two categories of systems that are strictly related to Internet routing: backbone BGP routers and Linux-based route servers.

• Backbone routers
  The worldwide Internet backbone is run on top of dedicated network devices capable of accelerated packet routing in the data-plane, using custom ASICs and dedicated hardware.
  These devices run a custom OS and control-plane stack which is responsible for computing the routing topology, e.g., by participating in BGP sessions with neighbors. In addition, all these devices have one or more interfaces for remote and out-of-band (OOB) administration, like a telnet service, an SSH service, or a remote serial port. The access to these
  interfaces should be strictly restricted to Network Operations Center (NOC) operators and authorized AS personnel.

• Route servers
  Routing software exists for traditional Linux-based servers to establish BGP sessions with other routers and servers. Two prominent examples are Quagga [3] and Xorp [4], which are used by several operators and are under active development.
  The usages of route servers are multiple, from providing a read-only copy of the global BGP table to allowing scripting of BGP rules (e.g., by using traditional UNIX utilities). These servers can also be accessed out-of-band by AS personnel, via telnet or SSH.
  Some public services exist, like the Route Views project [5], which provide unrestricted telnet access to their route servers to expose a read-only copy of the BGP table to analysts and researchers. However, those services are purposefully meant for public access, and are therefore outside the scope of this paper.

When debugging BGP routing problems, NOC operators often face issues affecting only a few ASes. Such problems are harder to debug due to the lack of a view on the remote routing table.

For this reason, a new category of web-applications emerged in the ’90s to permit a restricted set of operations on AS routers and route servers by the public at large, over the web. This kind of software is usually referred to as “looking-glass”, as it offers a local observation point to remote network engineers.

Looking-glasses are web scripts, usually implemented in Perl or PHP and directly connected to routers’ admin interfaces (i.e., telnet or SSH). These scripts are designed to relay textual commands from the web to the router and print back the router’s replies. They run on top of common Linux/Apache stacks, and sometimes provide additional utilities for latency and traceroute measurements. Figure 1 briefly shows their typical architecture and deployment.

Figure 1: Looking glass architecture. (Diagram labels: AS64496, AS64497, AS64498, NOC, Internet, private net, public net; link types: public web (looking-glass), private admin (telnet/SSH), public IP (data+BGP).)

We decided to focus our attention on looking-glass software, as most of them are small and old web-applications that were last updated in the early 2000s. In this paper we analyse what we found to be the most commonly used open-source software looking-glasses, as listed in Table 1.

| Looking glass | Language | Release (date) |
|---|---|---|
| Cougar-LG [6] | Perl | 1.9 (2004-11-25) |
| Cistron-LG [7] | Perl | 1.01 (1997-10-21) |
| MRLG [8] | Perl | 5.4.1 (2007-08-30) |
| MRLG4PHP [9] | PHP | 1.0.7 (2007-10-11) |
| Telephone [10] | PHP | 1.2.0 (2012-10-01) |

Table 1: Open-source looking-glass software.

3 Threat model

A looking-glass is an often overlooked critical part of an operator infrastructure, as it sits at the border between the public web and restricted admin consoles. As such, the threat model encompasses both the typical web security scenario and some more custom networking threats.

We categorized some of the most relevant issues as follows:

• Reverse Cross-Channel Scripting (Reverse-XCS)
  Reverse-XCS are defined by Bojinov et al. [11] as “the use of web interface to eventually attack a non-web channel”.
  In our scenario, this translates to two relevant cases:

  – Malicious command injection
    Bypassing a weak or non-existent command
    sanitization, an attacker may trick the looking-glass into sending malformed commands to a router console, e.g., to trigger a DoS on the control-plane.

  – Routing Information Base (RIB) manipulation
    By exploiting flaws in the looking-glass, an attacker may inject arbitrary commands to manipulate the RIB on the router, e.g., by changing the BGP configuration. If the attacked router relays its topology to neighboring ASes, this may also affect remote networks.

• Web flaws
  Typical web threats apply here too. In particular, we highlight two of the most relevant cases:

  – Exposed routers credentials
    The configuration files of a looking glass contain IP addresses, usernames, and passwords in cleartext. If not properly secured, an attacker may be able to gather credentials by guessing the URLs of configuration files.

  – Cookie stealing via XSS
    Even though looking-glass applications are usually unauthenticated, an attacker may exploit XSS flaws in them to gather admin cookies for other administration web-applications served under the same-origin domain.

4 Threat Analysis

4.1 Misconfigurations

Misconfiguration or improper access control of resources are two of the most basic, yet important, issues for web security.

First of all, if server modules are not properly configured, it may be possible to get a listing of supposedly private files – including source code and configuration files. In this case, search engine bots are capable of crawling and inspecting the files’ content, thus making login credentials easy to gather by searching for ad-hoc Google-dorks [12].

Another possible issue comes from temporary files. In this case, source code and configurations could be recovered by looking for temporary editor files (e.g., ending in ~) on the web server. This can also help an attacker confirm which version of the software is run by a targeted operator, and may pose a bigger problem for proprietary/custom looking-glasses.

Moreover, configurations and login credentials for routers may be stored as plain text files in the same web server directory. By default, web-servers will serve them as plain-text to anyone querying the proper URL. By inspecting source code and looking at default file names, it is possible to guess the URL of configuration files and, if not properly protected, retrieve them.

Finally, some software allows advanced authentication methods, for example by using SSH public/private key-pairs instead of cleartext passwords. In this case, the path to the SSH key is stored in the configuration files, instead of the full passwords. However, the SSH keys themselves could be stored by mistake in the same path, openly readable to the entire world.

4.2 Poor network policies

Backbone routers are parts of a critical infrastructure and as such their admin interfaces have to be properly secured. Cisco’s own best practices [13], for example, recommend exposing consoles only over out-of-band loopback interfaces, unreachable from the public Internet (e.g., by using private addresses and placing them in dedicated admin VLANs).

However, some operators may decide to put loopback interfaces on publicly routable networks, or to expose administration services on all of the router’s interfaces. In such cases, a remote attacker may be able to directly log in to them, e.g., by using stolen credentials.

4.3 Web security

It is usually recommended that actionable web applications make use of captcha or other automation blockers to avoid scripted attacks [14]. While this may not look like a big issue for looking-glasses, the lack of this countermeasure can effectively help an attacker to automatically map resources in an AS infrastructure and scan them for information gathering. This may also result in automated bot attacks aimed at DoSing connected devices or other parts of the network.

Moreover, an attacker may be able to exploit insufficient input parameter sanitization to perform XSS and inject HTML/JS code in web responses. While looking-glasses are usually unauthenticated, this flaw can be used to steal admin cookies for other panels hosted under the same-origin domain.

Similarly, it could be possible to perform a Reverse-XCS against the network infrastructure. If web input is not properly sanitized, an attacker may forge input parameters to inject custom commands into the router console. This directly means an escalation from a web attack to an Internet routing attack if the attacker manages to modify the router configuration.

Finally, some software may come with additional tools to be deployed directly on the web-server to perform advanced measurements (e.g., high granularity latency
measurements). Such tools may also include vulnerabilities, leading to remote code execution on the looking-glass server itself.

4.4 Impact

Most of the threats described so far can result in an attacker getting unauthorised access to the administration interface of a router, under the same access level of the looking-glass software.

In a typical network topology designed as in Figure 1, this results in having an observation point into the private part of an AS infrastructure, and possibly manipulating portions of it. Moreover, an attacker with restricted console access to a router could easily elevate his privileges by cracking weakly-hashed secrets [15] (e.g., Cisco’s ciphers Type-0, Type-5 and Type-4 [16]) or by abusing known authorization bypass vulnerabilities that affected several top vendors [17, 18].

The impact of a malicious attacker with elevated privileges on a backbone router is manifold with respect to both the local AS infrastructure and the global Internet. For example, by altering internal or external routing configurations, an attacker may be able to blackhole or disrupt specific subnetworks, or set up traffic mirroring or re-routing scenarios for further attacks.

We consider the post-exploitation analysis of such a scenario to be complex and quite specific to single vendors, devices, and network setup. As a result, we will not cover post-exploitation details in the rest of this paper. However, we would like to stress the fact that backbone routers are usually capable of announcing routes both internally (e.g., into an OSPF domain) and to the whole Internet (i.e., to peering ASes via BGP). As such, in this threat analysis we have highlighted one possible path for a remote attacker with modest resources to escalate from a web attack, to a remote command injection into multiple backbone routers, to injecting malicious announces into the Internet BGP table.

5 Experiments

Given the theoretical attack surface presented in Section 3, we tried to assess how many ASes worldwide were actually vulnerable to remote attackers. Our goal was complicated by the fact that, due to ethical and legal considerations, we could not perform direct experiments, e.g., by injecting commands on remote routers or by just trying to log in to them.

5.1 Ethical concerns

Unauthorized access to computers and network devices is prosecuted by several national and international laws. Since in this paper we conducted a comprehensive study, encompassing 26 countries with different legislations, we took ethical considerations as a top priority. For this reason we avoided any direct connections to routers and other devices we found online, even when credentials were publicly exposed. We performed our analysis and code review of the looking-glass software in a local setting, performing the injection experiments in a controlled environment, as described further below.

During our research we found several vulnerabilities and misconfigurations. Unfortunately, in most of the cases these flaws were trivial to detect and to exploit, significantly increasing the relevance of our study. For this reason, we decided to responsibly disclose the vulnerabilities and misconfigurations by contacting the CERT/CC in order to coordinate all the entities involved. In addition, we contacted and reported our findings to the software developers, who acknowledged the problems and are working on fixes.

5.2 Methodology

Not all ASes provide public looking-glasses, and there is not a single central list containing all of them. As such, we compiled a list of known ones on a best-effort basis by collecting URLs from operators-related resources.

Such resources are not updated frequently and may contain unreachable or inactive services, while missing recent ones. We started filtering out the inactive entries by connecting to them and looking for network or web failures. For the remaining ones, we performed a simple HTTP request, matching the returned page with a set of HTML signatures we developed for each open-source looking glass we were able to download. At the end of this fingerprinting phase, we obtained the list of the most popular open-source software, and which ASes are using them.

We then proceeded to perform a security review of their codebase, especially looking for the kind of issues we described in Section 4. At the same time, we also collected a list of default paths for configuration files, sources, and keys. This knowledge base was subsequently used to scan web servers and search engine indexes for publicly exposed configurations and key files.

At this point, we focused our tests on the subset of ASes for which we identified an existing security problem. In our experiment, we first tried to enumerate at least one public IP for all routers connected to a looking-glass, by requesting an ICMP echo request to one public IP address under our control. We then looked for IP addresses publicly exposing an admin service (telnet or SSH). We performed this test by checking for publicly routable loopbacks or services listening on routing interfaces. These actions were easy to automate, as
none of the open-source looking-glass software employs CAPTCHAs.

At the end of our experiments, we identified a subset of vulnerable ASes, for which an attacker could be capable of directly injecting commands on the router or could be able to recover the credentials required to remotely log in to a publicly accessible interface.

We then correlated this list of ASes with historical records of BGP announces collected by RIPE RIS through several probes and peers, all over the world. The results suggest that by compromising some of these ASes it would probably be possible for an attacker to announce routes that would not be properly filtered by neighbouring ASes.

We acknowledge that this methodology may result in several false-negatives (URLs not in the original list, unavailable at the time of the experiment, or missed while fingerprinting) and few false-positives (updated and well-configured routers with proper ACL).

For the former, one could repeat the experiments in the future to compare the results. Unfortunately, it is impossible to remove the false positives without performing a real test on the routers – action that we could not perform for ethical reasons.

6 Results

After an initial fingerprinting phase, we collected 919 unique URLs of looking-glass applications, out of which 220 were running one of the open-source software packages listed in Table 1. The remaining ones were either unreachable (184 cases), or running custom code we were not able to identify with our signatures (515).

| Looking glass | Number of ASes |
|---|---|
| Custom/Unknown | 515 |
| Unreachable | 184 |
| Cougar-LG | 175 |
| Cistron-LG | 15 |
| MRLG4PHP | 12 |
| MRLG | 11 |
| Telephone | 7 |

Table 2: Looking-glass software deployments.

6.1 Impacted ASes

An initial lookup on web search engines already proved fruitful, with at least 4 configuration files crawled by indexing bots.

Looking for misconfigurations, we observed a large number of exposed credentials by just visiting the default configuration paths for each software, as gathered from the source code. At least 28 configuration files containing IPs and credentials can be directly downloaded by malicious attackers, and in two cases we also observed private SSH keys exposed on the web server.

Focusing on the source code, we observed a general lack of basic security practices. As already said, none of the above software makes use of anti-automation mechanisms. The most worrisome result of our review was one case of a missing input sanitization mechanism which allows injection of arbitrary commands to the router console (CVE-2014-3927 [19]). We also observed three cases of insecure default paths and permissions, mostly the cause of the exposed credentials mentioned above (CVE-2014-3928 [20], CVE-2014-3929 [21] and CVE-2014-3930 [22]). In one case, the result page was vulnerable to an XSS attack (CVE-2014-3926 [23]).

On the host side, an interesting finding was a remote memory corruption related to the parsing of ICMP-response fields in a bundled ping-like utility, meant to be run as SUID on the looking-glass web server (CVE-2014-3931 [24]).

To summarize, we detected a total of 46 vulnerable ASes, which could be targeted by attackers in order to gain access to the Internet infrastructure. A quick summary of the issues is shown in Table 3.

| Vulnerabilities | Affected ASes |
|---|---|
| Exposed configuration files | 28 |
| Remote command injection | 12 |
| Misconfigured CGI | 4 |
| Exposed SSH private keys | 2 |

Table 3: Number of vulnerable ASes.

Figure 2 plots the number of affected ASes by country. The most vulnerable nation is Russia with six ASes, followed by Poland with four. Then there are 16 countries with a vulnerable AS. However, none of these ASes is a known tier-1 provider.

Through the use of looking-glasses and network probes, we globally identified 53 routers across 20 ASes publicly exposing telnet or SSH services. This figure does not include known public route servers, typically accessed over telnet, which have been filtered out from this set.

Finally, by combining all this data, we were able to correlate two leaked configurations to ASes whose routers’ administration services were listening on routable IPs. In total, we observed six routers connected to looking-glass instances which are directly reachable over
telnet and for which credentials are publicly exposed.

As the final result of our experiments, we identified at least 14 ASes which are highly interesting for attackers targeting the Internet infrastructure: 12 of them run software that is vulnerable to arbitrary command injection, while the remaining 2 have a largely exposed infrastructure.

Figure 2: Geographical distribution of vulnerable ASes. (Bar chart; x-axis: Nations, y-axis: Vulnerable ASes, 0 to 6.)

6.2 BGP injection feasibility

A malicious attacker capable of manipulating BGP sessions may affect the network traffic across the world. Fortunately, several mechanisms exist to limit worldwide issues, most notably prefix filtering, in which upstreams and peers filter a neighbouring AS to only announce known routes, effectively preventing malicious injection.

However, several past hijacks [25] and academic studies [26] have shown how often BGP announces are not properly filtered, resulting in misconfigurations and hijacks being observed in the wild.

While BGP anomaly analysis is a complex subject outside of the scope of this paper, we tried to assess if it is possible for an attacker controlling any of the above vulnerable ASes to announce unfiltered routes. At this point, we are interested in knowing if some peers of those ASes were not applying proper filters, by looking into anomalies detected by the RIPE RIS.

By manually analysing historical data, we spotted at least three such cases where anomalous announces were recorded by BGP collectors over the low-visibility threshold (i.e., relayed by multiple peers).

In two cases, overlong prefixes (more specific than /24) were observed by multiple participating peers, while in the remaining case an event lasting 8h occurred where one AS briefly announced an unrelated prefix already in use (a short multi-origin AS event, possibly due to a temporary misconfiguration).

Such unfiltered prefixes hint at the possibility for a remote attacker to distribute bogus BGP routes, by compromising one of the above ASes.

7 Related Work

Backbone routers are the main players of the Internet core infrastructure, and they are considered key points for cyberspace security. For these reasons, these devices have been studied from several perspectives.

Remote exploitation of routers has been studied in the past, with Lindner showing the feasibility and the technical challenges for Cisco IOS [27, 28, 29] as well as for Huawei VRP [30]. Since then, other researchers focused their attention on the remote exploitation of Cisco routers [31, 32] and the firmware diversity problem [33]. Despite the importance of these devices, serious local flaws are still being found [34], allowing an attacker with console access to escalate his privileges. The impact of these local flaws could be exacerbated by network engineers not following security best-practices, as shown in this paper.

Researchers also focused their attention on the de-facto interdomain routing protocol, BGP. In this case, the threat model consists in taking control of a BGP device and announcing false routes or hijacking prefixes [35, 36, 26]. This is possible because BGP has been designed with the concept of trust, at a time in which security was not a real concern [1]. Several solutions have been proposed in the literature, ranging from the use of cryptography (e.g. PKI for a root of trust) [37, 38] to anomaly detection [39, 40]. Unfortunately, they are not widely used by network providers.

More specific to looking-glass applications, researchers have found some vulnerabilities in the past, but their focus was on the execution of code on the server running the looking-glass software [41]. Some concerns related to information leakage were also raised on public mailing lists [42, 43]. However, to the best of our knowledge, no comprehensive studies had been conducted so far on this class of applications.

8 Conclusions

We believe that our study shows how basic best-practices are not uniformly applied by operators across the world, and how an attacker can target several ASes to disrupt the Internet without much effort.

Just by looking at public information gathered on the web and applying simple heuristics, we have been able to detect a large number of attack surfaces in this critical infrastructure. In particular, we directly identified at least 45 exposed ASes, we found six routers across two ASes which could be remotely accessed by malicious attackers via exposed credentials, and at least 12 additional ASes vulnerable to arbitrary command injection through the web interface. Moreover, we have spotted unfiltered prefixes originating from at least three of these ASes in the
past.

Acknowledgements

We would like to thank Pierre-Antoine Vervier and Quentin Jacquemart for patiently discussing and advising us on the complex topic of BGP analysis. Moreover, we would like to thank Thijs Kinkhorst and ANSSI personnel for directing us in the initial disclosure steps.

References

[1] S. Murphy. BGP Security Vulnerabilities Analysis. RFC 4272 (Informational), January 2006.
[2] Y. Rekhter, T. Li, and S. Hares. A Border Gateway Protocol 4 (BGP-4). RFC 4271 (Draft Standard), January 2006. Updated by RFCs 6286, 6608, 6793.
[3] Quagga Routing Suite. http://www.nongnu.org/quagga/.
[4] Xorp - eXtensible Open Router Platform. http://www.xorp.org/.
[5] University of Oregon Route Views Project. http://www.routeviews.org/.
[6] Cougar LG. https://github.com/Cougar/lg.
[7] Cistron LG. http://www.tux.org/pub/people/miquel-van-smoorenburg/net/.
[8] MRLG. http://mrlg.op-sec.us/.
[9] MRLG4PHP. http://freecode.com/projects/mrlg4php.
[10] Telephone LG. https://github.com/telephone/LookingGlass.
[11] Hristo Bojinov, Elie Bursztein, and Dan Boneh. XCS: cross channel scripting and its impact on web applications. In ACM Conference on Computer and Communications Security, pages 420–431, 2009.
[12] Johnny Long. Google Hacking for Penetration Testers. Black Hat USA, 2005.
[13] Cisco on Cisco Best Practices – IP Addressing Policies. https://www.cisco.com/web/about/ciscoitatwork/downloads/ciscoitatwork/pdf/Cisco_IT_IP_Addressing_Best_Practices.pdf, 2010.
[14] Ahn, Luis Von and Blum, Manuel and Hopper, Nicholas J. and Langford, John. CAPTCHA: Using Hard AI Problems for Security. In Proceedings of the 22nd International Conference on Theory and Applications of Cryptographic Techniques, EUROCRYPT’03, 2003.
[15] Cisco IOS Password Encryption Facts. http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/107614-64.html.
[16] Cisco PSIRT. Cisco IOS and Cisco IOS XE Type 4 Passwords Issue. http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4.
[17] Cisco PSIRT. AAA Command Authorization by-pass. http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20060125-aaatcl.
[18] Juniper Networks SIRT. Unauthorized user can obtain root access using cli. http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10420&actp=search&viewlocale=en_US&searchid=1400663655904, 2010.
[19] mrlg4php: remote command injection to router’s console via "argument" parameter. http://www.s3.eurecom.fr/cve/CVE-2014-3927.txt, 2014.
[20] Cougar-LG: Unsafe configuration file path/ACL. http://www.s3.eurecom.fr/cve/CVE-2014-3928.txt, 2014.
[21] Cougar-LG: Unsafe SSH keypairs path in default config. http://www.s3.eurecom.fr/cve/CVE-2014-3929.txt, 2014.
[22] Cistron-LG: Unsafe configuration file path/ACL. http://www.s3.eurecom.fr/cve/CVE-2014-3930.txt, 2014.
[23] Cougar-LG: XSS in title via "addr" parameter. http://www.s3.eurecom.fr/cve/CVE-2014-3926.txt, 2014.
[24] MRLG: remote memory corruption in fastping (SUID binary). http://www.s3.eurecom.fr/cve/CVE-2014-3931.txt, 2014.
[25] Earl Zmijewski. Indonesia Hijacks the World. http://www.renesys.com/2014/04/indonesia-hijacks-world/.
[26] Ballani, Hitesh and Francis, Paul and Zhang, Xinyang. A Study of Prefix Hijacking and Interception in the Internet. In Proceedings of the 2007 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, SIGCOMM ’07, New York, NY, USA, 2007.
[27] FX, FtR and kim0. Attacking networked embedded systems. Black Hat USA, 2002.
[28] Felix "FX" Lindner. Cisco Vulnerabilities - Yesterday, Today and Tomorrow. Black Hat USA, 2003.
[29] Felix "FX" Lindner. Cisco IOS Router Exploitation. Black Hat USA, 2009.
[30] Felix "FX" Lindner. Hacking Huawei Routers. DEFCON XX, 2012.
[31] Michael Lynn. Cisco IOS Shellcode. Black Hat USA, 2005.
[32] Andy Davis. Remote Cisco IOS FTP exploit, 2007.
[33] Ang Cui and Jatin Kataria and Salvatore J. Stolfo. Killing the Myth of Cisco IOS Diversity: Recent Advances in Reliable Shellcode Design. In WOOT, pages 19–27, 2011.
[34] Juniper Networks SIRT. Multiple privilege escalation vulnerabilities in Junos CLI (CVE-2014-0615). http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10608&actp=search&viewlocale=en_US&searchid=1400663655904, 2014.
[35] Butler, Kevin R. B. and Farley, Toni R. and McDaniel, Patrick and Rexford, Jennifer. A Survey of BGP Security Issues and Solutions. Proceedings of the IEEE, 98:100–122, 2010.
[36] Ramachandran, Anirudh and Feamster, Nick. Understanding the Network-level Behavior of Spammers. In Proceedings of the 2006 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, SIGCOMM ’06, 2006.
[37] Public-key infrastructure for the Secure Border Gateway Protocol (S-BGP), 2001.
[38] RFC 2385 - Protection of BGP Sessions via the TCP MD5 Signature Option. http://www.ietf.org/rfc/rfc2385.txt, 1998.
[39] Caesar, M. and Rexford, J. BGP Routing Policies in ISP Networks. Netwrk. Mag. of Global Internetwkg., 2005.
[40] Nordström, Ola and Dovrolis, Constantinos. Beware of BGP Attacks. SIGCOMM Comput. Commun. Rev.
[41] rgod. Looking Glass v20040427 arbitrary commands execution / cross site scripting. http://retrogod.altervista.org/lookingglass.html, 2005.
[42] BGP vulnerability? http://www.gossamer-threads.com/lists/cisco/nsp/11323?do=post_view_threaded#11323, 2004.
[43] TCP BGP vulnerability looking glass and route server issues. http://www.nanog.org/mailinglist/mailarchives/old_archive/2004-04/msg00684.html, 2004.
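
Sections 3 and 4.3 describe Reverse-XCS, where an unsanitized web parameter reaches the router console. The gate below is an added example, not code from the paper or from any of the reviewed looking-glasses: it builds the console line from fixed templates and a strictly parsed argument. The query names, templates and function names are assumptions made for illustration.

```python
import ipaddress
import re

# Hypothetical query menu: name -> (console template, argument kind).
# Templates are illustrative; use the read-only commands of your platform.
QUERIES = {
    "bgp": ("show ip bgp {arg}", "prefix"),
    "ping": ("ping {arg}", "host"),
    "trace": ("traceroute {arg}", "host"),
    "as": ("show ip bgp regexp _{arg}$", "asn"),
}

LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")


class RejectedQuery(ValueError):
    """The request must not be relayed to the router console."""


def _parse_ip(raw, network):
    # Character allowlist before parsing: recent Python versions accept an
    # IPv6 zone id ("fe80::1%zone"), and a zone id may contain any text.
    if not re.fullmatch(r"[0-9A-Fa-f:./]{1,49}", raw):
        raise RejectedQuery("illegal character in address")
    try:
        if network:
            return str(ipaddress.ip_network(raw, strict=False))
        return str(ipaddress.ip_address(raw))
    except ValueError:
        raise RejectedQuery("not a valid address or prefix") from None


def _parse_host(raw):
    try:
        return _parse_ip(raw, network=False)
    except RejectedQuery:
        pass
    # Labels must start with a letter or digit, so "-x" cannot become an
    # option of the ping/traceroute command; all-numeric names are refused.
    if (len(raw) <= 253 and HOSTNAME_RE.fullmatch(raw)
            and not raw.replace(".", "").isdigit()):
        return raw.lower()
    raise RejectedQuery("not a valid address or hostname")


def _parse_asn(raw):
    if not re.fullmatch(r"[0-9]{1,10}", raw) or not 0 < int(raw) < 2**32:
        raise RejectedQuery("not a valid AS number")
    return str(int(raw))


PARSERS = {
    "prefix": lambda raw: _parse_ip(raw, network=True),
    "host": _parse_host,
    "asn": _parse_asn,
}


def build_console_line(query, arg):
    """Return the one console line to relay, or raise RejectedQuery."""
    if query not in QUERIES:
        raise RejectedQuery("unknown query")
    if not isinstance(arg, str):
        raise RejectedQuery("argument must be text")
    template, kind = QUERIES[query]
    # Only the normalised value produced by the parser is interpolated,
    # never the raw request parameter.
    return template.format(arg=PARSERS[kind](arg))


def decide(query, arg):
    """Return ("relay", line) or ("reject", reason); never raises."""
    try:
        return ("relay", build_console_line(query, arg))
    except RejectedQuery as exc:
        return ("reject", str(exc))


# Constructed requests: two legitimate, the rest must be refused.
SAMPLES = [
    ("bgp", "192.0.2.0/24"),
    ("ping", "lg.example.net"),
    ("bgp", "192.0.2.0/24\nSECOND LINE"),
    ("ping", "fe80::1%;x"),
    ("trace", "-x"),
    ("shell", "anything"),
]

if __name__ == "__main__":
    for query, arg in SAMPLES:
        print(repr((query, arg)), "->", decide(query, arg))
```

The account the looking-glass uses on the router should still be restricted to read-only commands, so that a validation mistake does not translate into configuration access.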
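
Section 4.1 lists how configuration files, editor backups and SSH keys end up readable under the web root. The audit below is an added example, not a tool from the paper: it walks a document root and reports those three classes of file. The detection patterns and the sample tree it builds are constructed for illustration; a deployment would add the file names its own looking-glass uses.

```python
import os
import re
import stat
import tempfile

# Assumed detection patterns; extend them with the file names that the
# looking-glass you deploy actually uses for its configuration and keys.
BACKUP_NAME = re.compile(r".*(~|\.bak|\.old|\.orig|\.swp)$", re.I)
KEY_MARKER = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )?PRIVATE KEY-----")
SECRET_LINE = re.compile(rb"(?im)^[^#\n]*\b(password|passwd|secret)\b\s*[=:]")


def classify(path):
    """Return the findings for one file; an empty list means no finding."""
    with open(path, "rb") as fh:
        head = fh.read(65536)  # credentials and key headers sit near the top
    findings = []
    if BACKUP_NAME.match(os.path.basename(path)):
        # Served as plain text even when the original is an executed script.
        findings.append("editor-backup")
    if SECRET_LINE.search(head):
        findings.append("credentials")
    if KEY_MARKER.search(head):
        findings.append("private-key")
    if findings and os.stat(path).st_mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


def audit(docroot):
    """Walk docroot and return {relative_path: findings} for risky files."""
    report = {}
    for dirpath, _dirs, names in os.walk(docroot):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            found = classify(full)
            if found:
                rel = os.path.relpath(full, docroot).replace(os.sep, "/")
                report[rel] = found
    return report


def build_sample_tree(root):
    """Create a constructed web root with typical mistakes (sample data)."""
    files = {
        "index.cgi": b"#!/usr/bin/perl\nprint 'ok';\n",
        "example-lg.conf": b"router=192.0.2.1\nusername=lg\npassword=EXAMPLE-ONLY\n",
        "index.cgi~": b"#!/usr/bin/perl\n# old copy\n",
        "keys/id_example": b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED\n",
        "style.css": b"body { margin: 0 }\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        os.chmod(full, 0o644)


def run_demo():
    """Audit the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit(root)


if __name__ == "__main__":
    for path, findings in sorted(run_demo().items()):
        print(path, findings)
```

Anything this reports belongs outside the document root, or behind an explicit deny rule in the web server configuration.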

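
Section 6.2 relies on prefix filtering and on spotting overlong prefixes and multi-origin events relayed by several collector peers. As an added example (not the authors' analysis code and not a RIPE RIS client), the functions below classify constructed collector records against a per-AS allowlist. The AS numbers and prefixes are documentation values; the record layout, the two-peer visibility threshold and the IPv6 length limit are assumptions.

```python
import ipaddress
from collections import defaultdict

# Longest prefix accepted per IP version. /24 is the paper's IPv4 threshold
# ("more specific than /24"); the IPv6 /48 limit is an assumed convention.
MAX_LEN = {4: 24, 6: 48}

# Constructed filter table: origin AS -> prefixes it is registered to announce.
ALLOWED = {
    64496: ["192.0.2.0/24"],
    64497: ["198.51.100.0/24"],
    64498: ["203.0.113.0/24"],
}

# Constructed collector records: (collector peer, prefix, origin AS).
RECORDS = [
    ("peer-a", "192.0.2.0/24", 64496),
    ("peer-b", "192.0.2.0/24", 64496),
    ("peer-a", "198.51.100.128/25", 64497),
    ("peer-b", "198.51.100.128/25", 64497),
    ("peer-c", "198.51.100.128/25", 64497),
    ("peer-a", "192.0.2.0/24", 64498),
    ("peer-c", "192.0.2.0/24", 64498),
    ("peer-a", "203.0.113.0/25", 64498),  # relayed by a single peer only
]


def classify(prefix, origin, allowed=ALLOWED):
    """Return "accept", "overlong" or "unregistered" for one announcement."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen > MAX_LEN[net.version]:
        return "overlong"
    for registered in allowed.get(origin, []):
        reg = ipaddress.ip_network(registered)
        # subnet_of() raises on mixed IP versions, so compare versions first
        if reg.version == net.version and net.subnet_of(reg):
            return "accept"
    return "unregistered"


def visible(records, min_peers=2):
    """Return the (prefix, origin) pairs relayed by at least min_peers peers."""
    peers = defaultdict(set)
    for peer, prefix, origin in records:
        key = (str(ipaddress.ip_network(prefix, strict=True)), origin)
        peers[key].add(peer)
    return {key for key, seen in peers.items() if len(seen) >= min_peers}


def anomalies(records, allowed=ALLOWED, min_peers=2):
    """List visible announcements that a correct prefix filter would drop."""
    out = []
    for prefix, origin in sorted(visible(records, min_peers)):
        verdict = classify(prefix, origin, allowed)
        if verdict != "accept":
            out.append((prefix, origin, verdict))
    return out


def multi_origin(records, min_peers=2):
    """Return {prefix: sorted origins} for visible multi-origin prefixes."""
    origins = defaultdict(set)
    for prefix, origin in visible(records, min_peers):
        origins[prefix].add(origin)
    return {p: sorted(o) for p, o in origins.items() if len(o) > 1}


if __name__ == "__main__":
    for row in anomalies(RECORDS):
        print("anomaly:", row)
    print("multi-origin:", multi_origin(RECORDS))
```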