A pair of security researchers recently demonstrated that a theoretical attack possible against the internet’s most embedded infrastructure can, in fact, be very real.
The attack exploits normal behavior in the internet routing protocol BGP, which ISPs use to determine how best to route traffic destined for other parts of the internet. If an attacker is positioned correctly – which means, generally, that he either has control of an ISP’s routing equipment, has found a way to intercept and alter another ISP’s BGP traffic, or has found an ISP that doesn’t filter internal BGP traffic originating from someplace other than its routing equipment – he can use the protocol to trick the internet’s routers into diverting traffic to his network, making it available for snooping or man-in-the-middle alteration, all before it reaches its destination.
Detailed by Anton “Tony” Kapela, data center and network director at 5Nines Data, and Alex Pilosov, CEO of Pilosoft, the technique relies heavily on an inherent trust in the data that BGP routers have in each other, once the updates they receive are verified by an admittedly loose authentication scheme – a necessary evil that allows two points in a completely decentralized mesh network, where they are sometimes located across the world, to find the most optimal path between each other.
The weaknesses of that trust became especially clear earlier this year, when an identical phenomenon knocked video-sharing supersite YouTube offline for several hours last February: a Pakistani attempt to block the site inside the country inadvertently spilled out into the world when misconfigured Pakistani routers sent BGP updates to the world, claiming that the country's servers were the best available YouTube route. The resulting traffic quickly overwhelmed its internet capacity, before it was shut off entirely by an upstream provider in Hong Kong.
The duo demonstrated their technique publicly at the DEF CON Conference earlier this month, where they captured traffic bound for the convention and routed it through a data center in New York.
The technique is technically considered to be an IP hijack, and in the past had always resulted in a noticeable outage for the affected networks. The difference, according to Pilosov and Kapela, is that their version works without any outages, and potentially from anywhere in the world.
They are even able to route the traffic successfully in an environment where the Internet’s routers should have “boomeranged” snooped traffic straight back to the snoopers, by using a technique they call “AS path prepending”. When employed, it results in certain routers ignoring “poisoned” BGP updates.
“We're not doing anything out of the ordinary,” said Kapela in an interview with Wired’s Threat Level. “There's no vulnerabilities, no protocol errors, there are no software problems. The problem arises (from) the level of interconnectivity that's needed to maintain this mess, to keep it all working.”
Policing against malicious BGP updates is difficult, since the decentralized, mesh-style network of BGP routers updates constantly to reflect changes in global connectivity. Malicious updates can easily hide amongst a sea of legitimate ones, since links between ISPs go up and down all the time.
Kapela says BGP attacks are 100% preventable; however, the necessary security precautions can carry a very high price.
“Providers can prevent our attack absolutely 100 percent,” he said. “They simply don't because it takes work, and to do sufficient filtering to prevent these kinds of attacks on a global scale is cost prohibitive.”
To that end, the duo says they are devising a way for ISPs to authenticate their ownership of a given address, so that routers can prove their authority to advertise for a particular network. One such proposal, a variation of the BGP protocol called Secure BGP, would have routers digitally sign their updates in a fashion similar to the SSL certificates used in web sites. Such an approach is limited, however, by routers’ limited CPU and memory capacities – most of which is already taxed by a BGP-maintained routing table that current estimates put at over 245,000 entries.
An IETF Internet-Draft paper dated November 2002 hints at this kind of attack, although stops short of speculating on the possibility for eavesdropping. Peiter Zatko (a.k.a. Mudge), a respected security expert and former member of the late L0pht group, spoke to Congress in 1998 that he could have brought down the internet using a similar attack – in about half an hour.
“It's a huge issue. It's at least as big an issue as the DNS issue, if not bigger,” said Zatko. “I went around screaming my head about this about ten or twelve years ago.... We described this to intelligence agencies and to the National Security Council, in detail.”
quote: If an attacker is positioned correctly – which means, generally, that he either has control of an ISP’s routing equipment
quote: If an attacker is positioned correctly – which means, generally, that he either has control of an ISP’s routing equipment, has found a way to intercept and alter another ISP’s BGP traffic, or has found an ISP that doesn’t filter internal BGP traffic originating from someplace other than its routing equipment