Friday, November 26, 2021

Lumen’s IRR was insecure

And maybe they knew it, but didn’t fix it for years “because many of its customers still relied on it due to legacy systems.”

I guess Krebs publishing a story — about a proof of concept that could have removed the ~23% of the IPv4 prefixes which Lumen announces to the global table by deleting all those prefixes from IRR and thus removing them from BGP filters automatically built from that IRR data — was motivation enough to finally disable MAIL-FROM “authentication”.

https://krebsonsecurity.com/2021/11/the-internet-is-held-together-with-spit-baling-wire/


