
Two security researchers demonstrate 'Net vulnerability

A pair of security researchers recently demonstrated that a theoretical attack possible against the internet’s most embedded infrastructure can, in fact, be very real.

The attack exploits normal behavior in the internet routing protocol BGP, which ISPs use to determine how best to route traffic destined for other parts of the internet. If an attacker is positioned correctly – which means, generally, that he either has control of an ISP’s routing equipment, has found a way to intercept and alter another ISP’s BGP traffic, or has found an ISP that doesn’t filter internal BGP traffic originating from someplace other than its routing equipment – he can use the protocol to trick the internet’s routers into diverting traffic to his network, making it available for snooping or man-in-the-middle alteration, all before it reaches its destination.

Detailed by Anton “Tony” Kapela, data center and network director at 5Nines Data, and Alex Pilosov, CEO of Pilosoft, the technique relies heavily on the inherent trust BGP routers place in each other’s data once the updates they receive pass an admittedly loose authentication scheme – a necessary evil that lets two points in a completely decentralized mesh network, sometimes located on opposite sides of the world, find the optimal path between each other.

The weaknesses of that trust became especially clear in February of this year, when an identical phenomenon knocked video-sharing supersite YouTube offline for several hours: a Pakistani attempt to block the site inside the country inadvertently spilled out into the world when misconfigured Pakistani routers sent BGP updates claiming that the country's servers were the best available route to YouTube. The resulting traffic quickly overwhelmed the country's internet capacity before an upstream provider in Hong Kong shut it off entirely.

The duo demonstrated their technique publicly at the DEF CON Conference earlier this month, where they captured traffic bound for the convention and routed it through a data center in New York.

The technique is technically considered to be an IP hijack, and in the past had always resulted in a noticeable outage for the affected networks. The difference, according to Pilosov and Kapela, is that their version works without any outages, and potentially from anywhere in the world.

They are even able to route the traffic successfully in an environment where the Internet’s routers should have “boomeranged” snooped traffic straight back to the snoopers, by using a technique they call “AS path prepending”. When employed, it results in certain routers ignoring “poisoned” BGP updates.

“We're not doing anything out of the ordinary,” said Kapela in an interview with Wired’s Threat Level. “There's no vulnerabilities, no protocol errors, there are no software problems. The problem arises (from) the level of interconnectivity that's needed to maintain this mess, to keep it all working.”

Policing against malicious BGP updates is difficult, since the decentralized, mesh-style network of BGP routers updates constantly to reflect changes in global connectivity. Malicious updates can easily hide amongst a sea of legitimate ones, since links between ISPs go up and down all the time.

Kapela says BGP attacks are 100% preventable; however, the necessary security precautions can carry a very high price.

“Providers can prevent our attack absolutely 100 percent,” he said. “They simply don't because it takes work, and to do sufficient filtering to prevent these kinds of attacks on a global scale is cost prohibitive.”

To that end, the duo says they are devising a way for ISPs to authenticate their ownership of a given address, so that routers can prove their authority to advertise for a particular network. One such proposal, a variation of the BGP protocol called Secure BGP, would have routers digitally sign their updates in a fashion similar to the SSL certificates used in web sites. Such an approach is limited, however, by routers’ limited CPU and memory capacities – most of which is already taxed by a BGP-maintained routing table that current estimates put at over 245,000 entries.
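The two mechanisms the article describes, a more-specific or shorter-path announcement winning the router's best-path choice, and an origin-authorization check that lets a router decide whether the announcing AS is entitled to the prefix, can be shown in a few dozen lines. The following is an added example, not code from the article or from Kapela and Pilosov; the authorization record format is modelled on the ROA validation that RPKI later standardized, and all prefixes, AS numbers and announcements are constructed sample data (RFC 5737 documentation addresses and private-use ASNs). It does not implement Secure BGP's signatures, only the accept/reject decision a router would make once it trusted such a record.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    """A BGP announcement as a route monitor would see it (constructed sample type)."""
    prefix: str          # e.g. "203.0.113.0/24"
    as_path: tuple       # AS path as received; the last element is the origin AS

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


@dataclass(frozen=True)
class Authorization:
    """'AS origin_as may originate prefix down to /max_length' (assumed record format)."""
    prefix: str
    max_length: int
    origin_as: int


def validate_origin(ann: Announcement, authorizations) -> str:
    """Return 'valid', 'invalid' or 'not_found' for one announcement.

    'not_found': nobody has registered the covering address space, so the
    check says nothing. 'invalid': the space is registered, but this
    announcement comes from the wrong origin AS or is more specific than
    the holder allowed (the YouTube /24 -> /25 case).
    """
    net = ipaddress.ip_network(ann.prefix)
    covering = [a for a in authorizations
                if net.subnet_of(ipaddress.ip_network(a.prefix))]
    if not covering:
        return "not_found"
    for auth in covering:
        if auth.origin_as == ann.origin_as and net.prefixlen <= auth.max_length:
            return "valid"
    return "invalid"


def best_route(dest_ip: str, announcements):
    """The route a router would install: longest prefix first, then shortest
    AS path. Real BGP has more tie-breakers; these two are what matter here."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = [a for a in announcements
                  if ip in ipaddress.ip_network(a.prefix)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda a: (ipaddress.ip_network(a.prefix).prefixlen,
                              -len(a.as_path)))


def accept(announcements, authorizations):
    """Drop announcements that fail origin validation. 'not_found' is kept:
    an unregistered prefix is not evidence of a hijack."""
    return [a for a in announcements
            if validate_origin(a, authorizations) != "invalid"]


# Constructed sample data.
AUTHORIZATIONS = [Authorization("203.0.113.0/24", 24, 64496)]
LEGIT = Announcement("203.0.113.0/24", (64500, 64496))          # real holder, via a transit AS
MORE_SPECIFIC = Announcement("203.0.113.0/25", (64510, 64511))  # YouTube-style more-specific leak
SHORTER_PATH = Announcement("203.0.113.0/24", (64530,))         # same prefix, fewer AS hops
ANNOUNCEMENTS = [LEGIT, MORE_SPECIFIC, SHORTER_PATH]

if __name__ == "__main__":
    for ann in ANNOUNCEMENTS:
        print(ann.prefix, ann.as_path, validate_origin(ann, AUTHORIZATIONS))
    for ip in ("203.0.113.10", "203.0.113.200"):
        print(ip, "unfiltered ->", best_route(ip, ANNOUNCEMENTS).origin_as,
              "filtered ->", best_route(ip, accept(ANNOUNCEMENTS, AUTHORIZATIONS)).origin_as)
```

Run unfiltered, 203.0.113.10 goes to the /25 announcer and 203.0.113.200 (outside the /25) to the shorter-path announcer, so only part of the holder's traffic is diverted and nothing looks like an outage; with `accept()` applied, both go back to AS 64496. This is the case for origin checks over prefix length alone: a bare prefix filter cannot tell the holder's /24 from a stranger's /24 with a shorter path.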

An IETF Internet-Draft dated November 2002 hints at this kind of attack, although it stops short of speculating on the possibility of eavesdropping. Peiter Zatko (a.k.a. Mudge), a respected security expert and former member of the late L0pht group, told Congress in 1998 that he could have brought down the internet using a similar attack – in about half an hour.

“It's a huge issue. It's at least as big an issue as the DNS issue, if not bigger,” said Zatko. “I went around screaming my head about this about ten or twelve years ago.... We described this to intelligence agencies and to the National Security Council, in detail.”

Comments


Is it really that big of a deal?
By bhieb on 8/28/2008 9:48:59 AM , Rating: 2
If an attacker is positioned correctly – which means, generally, that he either has control of an ISP’s routing equipment

That is a pretty big "IF". I'm not a hacker, but I do assume that taking control of an ISP's router is pretty difficult and if you could I'm sure there would be a bunch of other bad things you could do.

RE: Is it really that big of a deal?
By bhieb on 8/28/2008 9:54:27 AM , Rating: 2
Sorry there were some other "IF's" embedded there, but they all seem pretty damn hard to accomplish.

If an attacker is positioned correctly – which means, generally, that he either has control of an ISP’s routing equipment, has found a way to intercept and alter another ISP’s BGP traffic, or has found an ISP that doesn’t filter internal BGP traffic originating from someplace other than its routing equipment

RE: Is it really that big of a deal?
By Jim28 on 8/28/2008 1:00:47 PM , Rating: 2
No those IFs are not. Any ISP or worker in an ISP can pull this off. Since it does not result in an outage nobody screams.

RE: Is it really that big of a deal?
By wvh on 8/28/2008 10:36:59 AM , Rating: 3
Imagine you are working at an ISP. Or that you're not a hacker, but a government or law enforcement agency. The problem is that it influences traffic beyond the ISP's scope, causing problems for people far away from the local network.

Case in point: Pakistan DoS'ing (or worse) Youtube.

RE: Is it really that big of a deal?
By bhieb on 8/28/2008 1:26:14 PM , Rating: 2
I understand that, but having an inside man at an ISP is not all that easy. Pakistan is an ISP (sort of) so again they were the inside man.

Not saying there is nothing to worry about, rather it is probably not as likely as the salesmen ...I mean ... developers of the solution would like you to believe.

RE: Is it really that big of a deal?
By m1ldslide1 on 8/28/2008 11:42:22 AM , Rating: 3
You don't really need to seize control of an ISP's router - if you're a foreign ISP and are actively peering with BGP, then you can simply advertise a network that doesn't belong to you, and you'll receive whichever portion of the traffic sees you as the best path. Conscientious and detailed filtering policies can prevent diversion of traffic in this way, but I'd imagine that most ISP's don't bother with this for their tier 1 peering sessions. Like the article mentioned, it would be very time intensive for a major ISP to determine which networks go which way and trying to filter accordingly. This would also have to be maintained, which could require almost daily monitoring and re-configuring depending on the level of granularity desired.

So yes, it could and does happen, but it usually won't affect everybody and it should be fairly easy to detect and filter. That's a cool idea about authenticating networks that you're permitted to advertise with SSL, but backwards compatibility would be a necessity as many internet routers aren't beefy enough to handle this additional CPU load.

RE: Is it really that big of a deal?
By Jim28 on 8/28/2008 1:06:12 PM , Rating: 2
Yes and no.

International links are fairly easy to filter as they have a set of defined boundaries for their IP space that do not change rapidly over time.
A simple sanity filter would be to have an inbound filter in the US routers that rejects any US IP prefixes that are injected from outside the US. True it is a fair amount of networks, but they can be supernetted fairly easily. This will not protect countries outside the US from this type of an attack but it would protect the US.
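The inbound filter Jim28 sketches, and the "conscientious and detailed filtering policies" m1ldslide1 mentions above it, amount to a per-session prefix list: collapse the domestic allocations into supernets, then reject any prefix inside them that arrives over an international session. The following is an added example and not code from either commenter or from any router vendor; the allocation list, session labels and AS numbers are constructed sample data.

```python
import ipaddress


def build_supernets(allocations):
    """Collapse a long list of registry allocations into the fewest covering
    supernets, so the filter stays short (the 'supernetted' list above)."""
    nets = [ipaddress.ip_network(p) for p in allocations]
    return list(ipaddress.collapse_addresses(nets))


def is_domestic(prefix, supernets) -> bool:
    """True if the prefix lies inside any of the domestic supernets."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(s) for s in supernets)


def inbound_accept(prefix, session_is_international, supernets) -> bool:
    """Policy for one prefix on one session: domestic space learned over an
    international session is rejected; everything else is accepted."""
    return not (session_is_international and is_domestic(prefix, supernets))


def apply_policy(updates, supernets):
    """updates: iterable of (prefix, session_is_international, origin_as).
    Returns (accepted, rejected) lists of the same tuples."""
    accepted, rejected = [], []
    for upd in updates:
        prefix, international, _origin = upd
        bucket = accepted if inbound_accept(prefix, international, supernets) else rejected
        bucket.append(upd)
    return accepted, rejected


# Constructed sample: two /25 halves and one /24 stand in for the registry's
# domestic allocations (RFC 5737 space); ASNs are private-use numbers.
DOMESTIC_ALLOCATIONS = ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.0/24"]
DOMESTIC = build_supernets(DOMESTIC_ALLOCATIONS)   # collapses to two /24s

SAMPLE_UPDATES = [
    ("203.0.113.0/24", False, 64496),   # domestic prefix, domestic session: accept
    ("203.0.113.0/25", True, 64511),    # domestic space over an international link: reject
    ("192.0.2.0/24", True, 64520),      # foreign prefix over an international link: accept
    ("198.51.100.0/24", True, 64530),   # domestic /24 announced from abroad: reject
]

if __name__ == "__main__":
    ok, dropped = apply_policy(SAMPLE_UPDATES, DOMESTIC)
    print("supernets:", [str(n) for n in DOMESTIC])
    print("accepted:", ok)
    print("rejected:", dropped)
```

The filter is cheap to evaluate and, as the thread says, protects only the side that deploys it: the first sample update shows that a domestic session announcing domestic space passes untouched, which is exactly the "inside man at an ISP" case bhieb raises, and which a geographic prefix list cannot see.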

i-patriot act
By NeoConned08 on 8/28/2008 9:53:18 AM , Rating: 2
The internet is the last form of mass media not expressly controlled by some form of power elite. It's a way the masses can communicate unfettered in disseminating information.

Because of this I'm thinking the odds are pretty high the next *terrorist* attack will by of a cyber kind and the DHS will then have to regulate and control the internet to *protect* us all.

They probably already have the legislation drawn up and just waiting for it to occur, just as they had the Patriot Act waiting to push through Congress years before 9/11.

Just remember, those that would give up a little liberty for security deserve neither and lose both. It's time to quit being scared of all the boogeymen and look the real criminals in the eye and tell them we the people of this planet aren't going to take it any more.

RE: i-patriot act
By bhieb on 8/28/2008 9:58:26 AM , Rating: 2
Wow loosen up the tin foil hat man. I am no big fan of "Big Brother" either, but this article really has nothing to do with your rant. I re-read it to be sure but there was not a single mention about the Patriot Act, terrorists, or government in anyway.

Time and place for such comments... this article is not it.

RE: i-patriot act
By Jim28 on 8/28/2008 1:29:40 PM , Rating: 2
troll go away.

RE: i-patriot act
By darkfoon on 8/30/2008 8:52:46 PM , Rating: 2
I'm glad to see somebody else was reading the same article I am.

But I disagree that the DHS is waiting for some event to occur to begin "protecting" us.

The article states that this allows a man-in-the-middle attack without any apparent internet outages. So, why wait for an event, when DHS or NSA or some alphabet soup can just have all the traffic routed through them and scan it for information.

An AT&T informant already came forward about NSA secret rooms in the switching facilities, this could have been happening there the whole time.

Call me crazy, call me paranoid. But it's because of security analysts and paranoiacs that this stuff gets noticed or fixed.

IPv6
By wvh on 8/28/2008 10:31:55 AM , Rating: 2
Wasn't IPv6 supposed to clean up some of the BGP complexity?

I've been running IPv6 since 1999, but sadly enough it doesn't seem to be going anywhere even after all this time. In some cases, the internet's lack of a central authority makes life very difficult, such as when major changes to popular protocols or important infrastructure are needed.

RE: IPv6
By m1ldslide1 on 8/28/2008 11:31:25 AM , Rating: 2
Nope - BGP functions the same whether it's IPv4 or v6.

PKI looks like the best solution...
By SeanMI on 8/28/2008 8:15:32 AM , Rating: 2
But how do you choose the trusted third party? Whoever that ends up being will have a huge target on their back...

I want my mommy....
By Tegrat on 8/28/2008 10:42:22 AM , Rating: 2
Shuts blinds, grabs blanky and sucks thumb in the fetal position...

By StoatWarbler on 8/28/2008 12:36:03 PM , Rating: 2
The world's phone routing systems use very similar protocols to BGP, with even less sanity checking - because "everyone involved is trusted"

This resulted in porn providers hijacking unassigned blocks of numbers belonging to places as diverse as Chile, Tuvalu and Niue earlier this decade. Calls would be routed to local call centres but charged at international rates == lucrative.

Those vulnerabilities could just as easily be used for man-in-the-middle attacks by governments for spying purposes.

Remember China and CNN
By Narcofis on 8/28/2008 2:51:20 PM , Rating: 2
This brings to mind when China attacked the CNN website and tried to shut their story down about Tibet.

I really think this could be a major problem for let's say National Security Reasons. Now we know that China or whomever can divert traffic and make it look like nothing happened. Also the reverse is possible. Maybe the Intelligence agency ignored his request back then because they're already spying on everybody that way.

Just my little conspiracy theory.

By vhx on 8/28/2008 3:39:40 PM , Rating: 2
You just KNOW the government is waiting for one of these e-attacks so they have an excuse to censor and control the internets as much as possible.


Copyright 2016 DailyTech LLC.