Some interesting stuff I found on IX LANs
10 hours ago
- #Network Security
- #Internet Exchanges
- #BGP
- Internet exchanges (IXs) are one of the few places where a shared Ethernet broadcast domain still joins many unrelated networks, even though most of the internet has moved to point-to-point circuits.
- An IX LAN behaves much like a home Ethernet switch, except that it is shared by many participants and carries terabits of traffic, so anything one participant broadcasts reaches every other port.
- Default settings that are harmless on a home or SMB router become a liability on an IX LAN, because every other participant is an untrusted third party that sees those frames.
- bgp.tools monitors its IX ports for this kind of traffic and reports the misconfigurations it finds to the responsible networks via alerts.
- The most common leaks are discovery protocols such as LLDP, CDP and MikroTik Neighbor Discovery (MNDP), which announce the device's hostname, model, software version and port names to every participant.
- Rogue DHCP replies and IPv6 Router Advertisements on an IX can redirect other participants' traffic: a router that accepts them may install a default route via the advertiser, which amounts to traffic redirection or free transit abuse.
- Unauthenticated OSPF, IS-IS and RIP hellos on an IX can form adjacencies with other participants' routers, exchanging routes between networks that never intended to share an IGP.
- MPLS Label Distribution Protocol (LDP) hellos leaking onto the IX can let a stranger set up a session and manipulate MPLS labels.
- Proprietary loop detection protocols and STP BPDUs can cause local disruption, for example a port being blocked because a participant's switch believes it has found a loop.
- SONiC's poor software quality leads to unnecessary broadcast traffic on IXs.
- Stranger things also turn up: NTP broadcast, MikroTik RoMON, DECnet and SSDP/UPnP.
- NetBIOS and mDNS leaks usually indicate a misconfigured device, or a host accidentally connected to the IX port.
- VRRP and HSRP hellos on an IX can trigger unintended failovers on other participants' routers.
- Cisco IOS devices with `ip domain-lookup` enabled and no name server configured treat a mistyped CLI command as a hostname and broadcast the DNS query to 255.255.255.255, so operators' typos (and the internal hostnames in them) end up on the IX LAN; `no ip domain-lookup` stops this.
- IXs often do not enforce rules on what participants may send; port ACLs that permit only ARP, IPv4 and IPv6, and drop IPv4 broadcast/multicast and any IPv6 multicast other than Neighbor Discovery, would mitigate most of the issues above.
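The checks the list above describes can be expressed as a small frame classifier: flag the protocols that have no business on a peering LAN, and model the port filter an IX could apply. The following is an added example written for this page, not bgp.tools' monitoring code; it parses raw Ethernet/IPv4/IPv6 frames by hand (no extension-header walking on IPv6, which is a stated simplification), the "allowed" policy is an assumed typical IX filter rather than any specific IX's rules, and the sample frames, MAC addresses and IP addresses are constructed from documentation ranges.

```python
"""Classify Ethernet frames for protocols that should not appear on an IX LAN.
Added example, not bgp.tools' code. Sample frames below are constructed."""
import struct
import ipaddress
from typing import Dict, Optional, Tuple

CISCO_MCAST = bytes.fromhex("01000ccccccc")          # CDP/VTP/DTP/PAgP destination
STP_MCAST = bytes.fromhex("0180c2000000")            # STP BPDUs
ISIS_MCAST = {bytes.fromhex("0180c2000014"), bytes.fromhex("0180c2000015")}
ETHERTYPES = {0x88CC: "LLDP", 0x8847: "MPLS", 0x6003: "DECnet"}
CISCO_SNAP = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP", 0x0104: "PAgP"}
IP_PROTOS = {89: "OSPF", 112: "VRRP"}                # same numbers for OSPFv3/VRRPv3
UDP_PORTS = {67: "DHCP", 68: "DHCP", 520: "RIP", 521: "RIPng", 546: "DHCPv6",
             547: "DHCPv6", 646: "LDP hello", 1985: "HSRP", 5678: "MikroTik MNDP",
             1900: "SSDP", 137: "NetBIOS", 138: "NetBIOS", 5353: "mDNS"}
V4_BCAST = ipaddress.IPv4Address("255.255.255.255")


def classify(frame: bytes) -> Optional[str]:
    """Return the name of an unwanted protocol carried by the frame, else None."""
    dst, etype, pkt = frame[:6], struct.unpack("!H", frame[12:14])[0], frame[14:]
    if etype in ETHERTYPES:
        return ETHERTYPES[etype]
    if etype <= 1500:                                # 802.3 length field: LLC/SNAP frame
        if dst == STP_MCAST:
            return "STP"
        if dst in ISIS_MCAST:
            return "IS-IS"
        if dst == CISCO_MCAST and pkt[:3] == b"\xaa\xaa\x03" and len(pkt) >= 8:
            return CISCO_SNAP.get(struct.unpack("!H", pkt[6:8])[0], "Cisco SNAP")
        return "unexpected 802.3/LLC frame"
    if etype == 0x0800:
        return _classify_ipv4(pkt)
    if etype == 0x86DD:
        return _classify_ipv6(pkt)
    return None


def _classify_ipv4(pkt: bytes) -> Optional[str]:
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    dst = ipaddress.IPv4Address(pkt[16:20])
    if proto in IP_PROTOS:
        return IP_PROTOS[proto]
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4]) if proto in (6, 17) else (0, 0)
    if proto == 17:
        if dport in UDP_PORTS or sport in UDP_PORTS:
            return UDP_PORTS.get(dport, UDP_PORTS.get(sport))
        if dst.is_multicast or dst == V4_BCAST:      # e.g. IOS typo -> DNS to 255.255.255.255
            return {53: "broadcast DNS", 123: "broadcast NTP"}.get(dport)
    if proto == 6 and 646 in (sport, dport):
        return "LDP session"
    return None


def _classify_ipv6(pkt: bytes) -> Optional[str]:
    nh, l4 = pkt[6], pkt[40:]                        # assumes no extension headers
    if nh in IP_PROTOS:
        return IP_PROTOS[nh]
    if nh == 58 and l4:
        return {133: "IPv6 Router Solicitation", 134: "IPv6 Router Advertisement"}.get(l4[0])
    if nh == 17:
        sport, dport = struct.unpack("!HH", l4[:4])
        return UDP_PORTS.get(dport, UDP_PORTS.get(sport))
    return None


def allowed_on_ix(frame: bytes) -> bool:
    """Assumed typical IX port policy: ARP, unicast IPv4, IPv6 with multicast only for ND."""
    etype, pkt = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if etype == 0x0806:
        return True
    if etype == 0x0800:
        d = ipaddress.IPv4Address(pkt[16:20])
        return not (d.is_multicast or d == V4_BCAST)
    if etype == 0x86DD:
        if not ipaddress.IPv6Address(pkt[24:40]).is_multicast:
            return True
        return pkt[6] == 58 and len(pkt) > 40 and pkt[40] in (135, 136)   # NS/NA only
    return False


# --- constructed sample frames (documentation addresses, locally administered MACs) ---
def eth(dst, src, etype, payload):
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!H", etype) + payload

def ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

def ipv6(nh, src, dst, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nh, 255,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

CDP_LLC = b"\xaa\xaa\x03\x00\x00\x0c\x20\x00\x02\xb4"
SAMPLE_FRAMES = {
    "lldp": eth("01:80:c2:00:00:0e", "02:00:00:00:00:01", 0x88CC, b"\x02\x07\x04\x02\x00\x00\x00\x00\x01"),
    "cdp": eth("01:00:0c:cc:cc:cc", "02:00:00:00:00:02", len(CDP_LLC), CDP_LLC),
    "ospf_hello": eth("01:00:5e:00:00:05", "02:00:00:00:00:03", 0x0800,
                      ipv4(89, "192.0.2.3", "224.0.0.5", b"\x02\x01\x00\x2c" + b"\x00" * 40)),
    "ipv6_ra": eth("33:33:00:00:00:01", "02:00:00:00:00:04", 0x86DD,
                   ipv6(58, "fe80::4", "ff02::1", b"\x86\x00\x00\x00\x40\x00\x07\x08" + b"\x00" * 8)),
    "ios_typo_dns": eth("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:05", 0x0800,     # query for "conf"
                        ipv4(17, "192.0.2.5", "255.255.255.255",
                             udp(52100, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x04conf\x00\x00\x01\x00\x01"))),
    "bgp_syn": eth("02:00:00:00:00:07", "02:00:00:00:00:06", 0x0800,
                   ipv4(6, "192.0.2.6", "192.0.2.7", struct.pack("!HHIIBBHHH", 40000, 179, 0, 0, 0x50, 2, 8192, 0, 0))),
    "arp_request": eth("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:06", 0x0806,
                       b"\x00\x01\x08\x00\x06\x04\x00\x01" + bytes.fromhex("020000000006") + bytes([192, 0, 2, 6])
                       + b"\x00" * 6 + bytes([192, 0, 2, 7])),
    "ipv6_nd_ns": eth("33:33:ff:00:00:07", "02:00:00:00:00:06", 0x86DD,
                      ipv6(58, "2001:db8::6", "ff02::1:ff00:7", b"\x87" + b"\x00" * 7 + ipaddress.IPv6Address("2001:db8::7").packed)),
}


def audit(frames: Dict[str, bytes]) -> Dict[str, Tuple[Optional[str], bool]]:
    """For each frame: (unwanted protocol or None, would the assumed IX filter pass it)."""
    return {name: (classify(f), allowed_on_ix(f)) for name, f in frames.items()}


if __name__ == "__main__":
    for name, (proto, ok) in audit(SAMPLE_FRAMES).items():
        print(f"{name:14} {proto or '-':28} {'pass' if ok else 'DROP'}")
```

Run it as-is to see the table; in practice the same `classify` would be fed frames from a pcap or a raw socket on the IX-facing port. Note that the two functions answer different questions: `classify` reports what leaked (the alerting side), while `allowed_on_ix` shows that a coarse ethertype/multicast filter on the IX port would already have dropped every flagged sample while passing ARP, unicast BGP and IPv6 Neighbor Discovery.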