Slashdot Mirror

← Back to Stories (view on slashdot.org)

Confronting Address Space Hijackers

Posted by timothy on from the insert-sound-effects dept.

Tawn writes "There's a great story on SecurityFocus about hijackers taking over large allocations of IPv4 space with forged documents and false business fronts. Los Angeles County and some big multinationals have had /16's pulled out from under them in the last few months, and used to inject spam. ARIN and network operators are trying to get a handle on the problem. The owner of a webhosting company that wound up with L.A. County's /16 called it 'borrowed space,' and said he paid $500 for it to a guy he met online."

2 of 334 comments (clear)

  1. Re:Hijackers? by koh · · Score: 0, Troll

    Indeed. A nasty typo escaped the previewing. The beer is to blame ;)

    I guess I woudn't happen if I used MS beer, though.

    --
    Karma cannot be described by words alone.
  2. Re:Score; 2, Thoughtful by Jerk+City+Troll · · Score: 0, Troll

    If PKIs become relevant, we're going to see attacks on CAs (and not just the rather insecure SSL browser PKI).

    Then those attacks will have to be quite sophisticated. PKI security is mathematically provable. Forgery, in so far as immitating someone who authorized to take a particular action, is a social engineering feat. Of course, one can always con an misinformed individual out of passphrases.

    Furthermore, there is currently no large-scale PKI which tracks who is authorized to speak for which company (let alone IP address space!).

    As I understand it, it was not a question of authorization but merely forgery. Someone claiming to be a person who was authorized without provided proof. I never said that PKI would solve the who can, just the who is. This case in particular was the latter of the two. Or perhaps I need to RTFA again.

    All bulk data processing on the net is either done by machines

    Automated authentication of authorized persons is nothing new. In fact, it's very old. :-P

    And let me repeat the major problem: At some point, you have to check that a document dealing with address space allocation issues was sent by someone who is authorized to change the allocation.

    OKay, now I am really wondering what is going through your head. I do not see where the major difficulty is of keeping a secure list of authorized personnel and then authenticating their messages/commands/etc. with PKI (or any other login mechanism).

    Even if you have digital certificate which proves the identity of the sender (a questionable assumption)

    How is that questionable? I don't think you know what you're talking about. Want to try and forge a message coming from my key? It's infeasible unless you're the NSA. If two parties meet, each verifies the identity of the other, then sign each other's keys, then The Factoring Problem must be solved or the one of the symmetric keys compromised in order for the system to break down. If the first happens, it's the end of a lot of computer security as we know it. If the second happens, the parties will generate new keys and secrets and resume.

    still don't know if the sender is authorized for the transaction. Given that we deal with extremely critical infrastructure, I really don't care if I can sue someone afterwards. The goal has to be to avoid processing bogus transactions in the first place.

    Once again, I still don't see how difficult it is to maintain a list of authorized personnel. Every multiuser system in the world does this.

    I hope this makes it a little bit clearer why PKIs can't immediately solve such problems.

    This would have been accomplished if you demonstrated why a manifest of authorized personnel is a difficult to implement or insecurable mechanism.

    --
    Join Tor today!