The Internet's Biggest Security Hole Revealed
At DEFCON, Tony Kapela and Alex Pilosov demonstrated a drastic weakness in the Internet's infrastructure that had long been rumored, but wasn't believed practical. They showed how to hijack BGP (the border gateway protocol) in order to eavesdrop on Net traffic in a way that wouldn't be simple to detect. Quoting: "'It's at least as big an issue as the DNS issue, if not bigger,' said Peiter 'Mudge' Zatko, noted computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. 'I went around screaming my head about this about ten or twelve years ago... We described this to intelligence agencies and to the National Security Council, in detail.' The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper's network." Here's the PDF of Kapela and Pilosov's presentation.
Must have the world's largest collection of online porn.
Which would figure, actually.
Help stamp out iliturcy.
Depends on how much you value your privacy.
IMAGE VERIFICATION IS EVIL!
I hope that all of those people who thought that getting users to blindly accept self-signed certs was a good idea are starting to feel a bit stupid now...
An SSL cert signed by a trusted central authority isn't the absolute solution to all mitm attacks, but it's a whole lot closer to 'safer' than not.
Let's put it this way. Email right? It's delivered between hosts completely unencrypted. Imagine you could sniff all the email passing into, say, the white house.. would that be worth something?
Note, I've also given you the hint to prevent this bullshit from being a problem.
How we know is more important than what we know.
I find the thought of this genuinely scary. Correct me if I am wrong, but we would have to change the BGP protocol itself to fix this issue. That isn't going to happen anytime soon I reckon, so I guess there is nothing we can do but encrypt sensitive transmissions and hope for the best.
Find me an internet provider not using BGP, and I'll show you a European who favours ESES. Yes, this is a major problem, BGP is (almost) the only WAN protocol anyone takes seriously and is the only one meaningfully deployed. I've worried about the possibility of BGP poisoning attacks myself, but only because we have a virtual monoculture and monocultures are generally a Bad Idea. They are dangerous animals.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Depends on how much you value your privacy, Mr. Stephen P Wallagher of 4242 Green Leafy Forest Terrace, Springfield, Ohio 55538, Phone number 1-900-Hot Dude, alias "Lovestospooge."
fixed.
If you can read this, I forgot to post anonymously.
BGP is almost always set up manually, at least when first configured. Network admins: DO NOT PUT UNTRUSTED PEERS IN THE ACLs. Joe Smith running BGP on 123abcxxxhost.nl has no business being in your tables. If you're accepting adverts from any AS you deserve what you get.
The routing on the Internet has always been hierarchical: get updates from your upstreams. If they send you bad info you're SOL anyway, just like SSL certs and Verisign's root certs.
...that the good folks at the NSA (and/or the FBI, CIA, DHS, ATF, etc., as well as their counterparts in other nations) have been exploiting this for years.
With spending like this, exactly what are "conservatives" conserving?
So we need to destroy the White House?
Yes. Someone had managed to re-open the goatse.cx site again.
if you don't believe me, you know there is only one way to find out
A hacker marauding by the name "Goatse" exposed it quite effectively some years back.
I record my sleeptalking
It was really cool, opened a lot of people's eyes. Here is the archive, http://www.stits.org/fp/Defcon_16/. Please don't flood it and only download it if you will use the info. I also took a ton of photos: http://www.flickr.com/photos/stits/sets/72157606608859399/ Hope to see you all next year!
Wait, you're telling me that they taught US intelligence agencies and the National Security guys how to attack the internet with man-in-the-middle attacks and exploits to fool routers into re-directing data to an eavesdropper's network...
and they didn't do anything to end the interception and eavesdropping problem???
I am shocked.
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
The guy's been involved in many of security's moments in history.
Just disrupt the deflector shield with a tachyon burst.
There is a lot of harm you can do, at least for a short while. But I have to say, this seems like a lot of FUD to me.
It is not trivial to get BGP peering, or to keep it if you are doing bad things. You will need one or more peers, and they will have to do this for you manually, not automatically. And (as I can attest) the AS prepending this attack relies on is a very blunt instrument.
Here are the troubles I see
- You need to be able to offer a better path from Point A to Point B than the existing Internet topology
- Unless you are Dr. Evil and can afford infinite bandwidth, this better path had better not also apply to a large chunk of the Internet, or you will get hosed with a lot of bandwidth (and, also, instantly stick up on the screens of NOCs all over the place) and
- If you are relying on AS prepends, these affect the path from you, but not directly the path to you. They are notoriously tricky and may stop working (because of changes in other people's advertisements) at any time.
So, to me, this is a might work sometimes for some people in some places, but probably not that well on a general basis.
The DNS cache poisoning sounds a lot worse, frankly.
Anyone have any insight as to how serious this ACTUALLY is?
How serious? This could potentially render the entire Internet inoperable. For real. Anyone who knows anything about basic Internet protocols should be shitting themselves right about now.
What we have here is a basic weakness in one of the fundamental Internet protocols; an assumption of trust that is no longer valid. Think spam but a million times worse.
I'm not usually one to fall prey to 'Imminent Collapse Of The Internet' hyperbole, but this one has me really worried.
'I went around screaming my head about this about ten or twelve years ago... We described this to intelligence agencies and to the National Security Council, in detail.'
For a hacker he's pretty dumb. Everyone knows that the best way to get attention directed to an exploit is to publish the entire kiddie-porn-folder of the person who can fix it, using the exploit in question.
If you quote this signature there'll be 72 copies of Windows ME waiting for you in Heaven.
I looked at this problem back in the early 1980s, when I was doing some work on TCP. I was trying to come up with a routing protocol that didn't require passing the same information around repeatedly, because backbone networks had very low bandwidth back then, and the existing routing protocols had either O(N^2) traffic or the "hop count to infinity" problem.
I came up with something called "Gateway Database Protocol", which was a scheme for passing tuples of the form "X says Y=Z" around. The idea was that any node seeing inconsistencies in "X says ..." would propagate the tuple back to X, revealing the problem to X.
This is enough to detect hijacking, but not enough to stop it. I'd worked out a scheme good enough to automatically correct erroneous data, but not one good enough to deal with the insertion of hostile data. The design goal back then was to guarantee that if the hostile site was removed from the network (perhaps forcibly), the system would then stabilize into a valid state.
That's not enough any more. But it is worthwhile considering that a routing protocol should have the property that if X's info is being faked anywhere in the network, X hears about it. BGP doesn't do that.
Monoculture is bad? Good thing Internet Explorer offers a different take on W3C standards...
I kid, I kid.
DATABASE WOW WOW
I've seen implementations of ISIS, and have deployed it myself in both IP and ATM environments. I've never seen an actual deployment of ESES, and I've never heard of one either. I've encountered ISIS adjacencies which don't form correctly, and come up as ESIS, though.
What hardware supports ESES?
Need Geek Rock? Try The Franchise!
The whole MITM thing would raise a flag unless the attackers were close enough to the real routers for the ip address block it was hijacking. Several companies I know notice when BGP screws up and doubles their latency. They notice and complain loudly.
Well.. maybe. Or Maybe not. But Definitely not sort of.
Let's see. MPLS, SCTP, STP (Scheduled Transfer Protocol), UDP-over-v4, TCP-over-v4, MPLS, UDP-over-v6, TCP-over-V6, IP-over-ATM, IP-over-SCSI, IP-over-IB, IP-over-power, IP-over-carrier-pigeon, V6-over-V4, V4-over-V6, V6-over-V6, optional recognition of TOS, optional handling of ECN, scalable reliable multicast, anycast, optional recognition of source-based routing, optional recognition of TCP cookies, optional support for packet dropping (RED, GRED, WRED, BLUE, Stochastic Blue, GREEN, BLACK, PURPLE, WHITE), optional support for enhanced authentication packets, IPv6 extended headers, support for unidirectional links, optional support for transitory addressing schemes, optional support for Mobile IP, optional support within Mobile IP for routing realignment, optional support for NEMO, optional use of any of the experimental protocols defined under the names of TUBA, IPv5 and IPv7, anything-over-IPSEC (tunnel or host), anything-over-SKIP -- I've not bothered to keep count, but my Internet link hasn't fallen over yet from diversity. Pity to hear about yours.
Heh. Standards should be the starting point, not the end goal (or, in IE's case, the work of fiction based on the screenplay based on a True Story of one man and his chair).
No, it gets sent through Dick Cheney's hotmail account.
Not quite.
Prepends affect your outbound announcements, and this affects inbound traffic to you. Prepends are the most effective tool for BGP manipulation because they're transitive - announcing more specifics works too, but that's not quite the same thing.
Great, give the very people who want to abuse this the most the inside details, then show shock when it isn't fixed.
I'm an American. I love this country and the freedoms that we used to have.
What, you didn't get your secret decoder server?
that requires one teensy weensy detail to work (in other words, one huge wonking detail)
here, it is to be a bgp level peer
kind of like i can empty a bank of all of its money
all i need is the key to the safe
yeah, minor detail
so do i panic now?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
How serious? This could potentially render the entire Internet inoperable. For real. Anyone who knows anything about basic Internet protocols should be shitting themselves right about now.
You obviously don't know the basics of Internet protocols then. Anyone who knows BGP basics knows this problem is inherent in current interdomain routing.
This is not an attack that just anyone can pull off (unlike Dan's DNS vulnerability). You need to possess a BGP peering relationship with a provider who doesn't filter the prefixes listed in the NLRI of a BGP update message, as well as any further upstream providers. A _very high_ bar to say the least.
We've seen numerous accidental route leakages over the years and even some malicious hijacking of IP space for nefarious activity as noted in the presentation. Any significant hijacking for the purpose of MITM (hijacking for spam really isn't a priority for ISPs) would be tracked down instantly on the NANOG list and have severe peering repercussions for the offending ISP. Bumping the IP TTL isn't going to do squat for all the BGP anomaly detection systems continually monitoring the routing infrastructure (Renesys, PHAS, etc).
Sensitive government communications ride on networks that operate separately from the public Internet.
Yet another case for end-to-end encryption. Folks using the public Internet for sensitive communications without employing crypto, are already in a bad position.
I am familiar with l0phtcrack... I used it to reset a password or two back in the day. It came recommended (believe it or not) by one of the higher-ups in Microsoft network security.
Oh... but it did more than just sniffing cleartext passwords. It would also decipher encrypted passwords over the net, given plenty of time. And it could be used to crack encrypted Hosts passwords.
I always wondered why they did not follow it up.
On your list alone, how many of them are TCP, IP, and UDP? Doesn't matter if they run on top of another layer or are simply encapsulated by another protocol; if someone says there's a big hole in TCP... let's not cry about the TCP monoculture. It has nothing to do with monoculture.
Sometimes, a can-skinning standard is the best way to skin the cat. Sorry if that creates a cat-skinning monoculture.
The whole monoculture thing is a stupid argument. If a CSS rendering flaw shows up in the language standard, you could hear MS go "ha ha" cause their "make my own standard" sidestepped the monoculture.
And you left out Infinite Monkey Protocol Suite, which could be run over PPPoE.
THL phish sticks
Eh, I was trying to make a reference to the big email scandal of a while ago, where it turned out that important stuff was being sent (illegally) from email accounts at gwb32.com or georgewbush.com instead of whitehouse.gov. Slashdot coverage.
Repton.
They say that only an experienced wizard can do the tengu shuffle.
Why would someone in the White House use an insecure communications channel to send sensitive correspondence to a foreign official? End-to-end encryption is used in such situations.
Information transmitted from government installations is compartmentalized according to its classification level. Unclassified systems don't reside on the same networks as those intended for classified purposes.
I'm a Navy communications nerd; this is kinda what I do for a living.
You called? Sorry I'm late
The Internet's Biggest Hole Revealed at http://goatse.cz/
> So Firefox's solution has been make it hard to pick the unsafe choice.
Except they really haven't. They've made it hard to make the sorta-kinda-theoretically-less-safe choice, the one that might result in a MITM attack, but in doing so they discourage SSL use generally.
Do you think that hypothetical user you're talking about is going to notice whether the page is using SSL or not? I doubt it. And a lot of companies seem to agree, and use plain old HTTP for all sorts of stuff when they shouldn't (we just had an FPP on this a few days ago, in fact).
As script-kiddyable as MITM attacks may get, they're never going to be as easy as just sniffing unencrypted traffic, and any time you make encryption difficult or complicated, that's the alternative people use.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Not exactly weird. If cracking networks, etc., is your bag, and somebody offers you a high-paying, stable job where you can not only spend your time doing that, but doing it without fear of prosecution, that could be kind of hard to turn down.
Move to Japan. Nearly all the fiber to the home here is IPv6.
"Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
Oh great idea, let's go straight to the NSA, FBI, CIA, SS and any other agency out there and explain in full detail how to spy on the entire world. Wow, real shocker they didn't fix this one. Even bigger Internet Security Hole: Best Intentions.
I admit, I looked.
It's a picture of Bill O'Reilly for some reason.
I... think that's an improvement...?
Just stuff the AS numbers of the BGP anomaly detection systems into the path you're using to hijack and voila! They'll never see it.
The attack uses spoofed AS paths which include the AS numbers of the ASes in the -return path- of your hijacked traffic. It works because the default eBGP behaviour is to drop routes w/ an AS in the path that matches theirs (loop detection!)
It's not foolproof, but you -can- reasonably selectively remove ASes from receiving the announcements.
Furthermore, if you know the topology near the network you're hijacking, you could figure out all the exit (transit) ASes, spoof those so the announcement never makes it out to the general internet and hijack the traffic near them. Dense peering relationships at multiple places around the internet == your friend in this method.
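The mechanism in the reply above (forge the AS_PATH so the ASes on your return path discard the hijack through their own loop detection), worked through in a toy propagation model. This is an added example, not code from the talk or from anyone in the thread: the ASNs and topology are constructed, documentation ranges (198.51.100.0/24 and a /25 inside it) stand in for real address space, and the BGP decision process is reduced to shortest AS_PATH with a lowest-neighbour-ASN tie-break, which is the same path length that the prepends discussed further up inflate.

```python
"""Toy model of eBGP route propagation with loop detection, added to illustrate
the AS-path "poisoning" trick described in the post above. Example code, not
the tooling from the DEFCON talk; the topology and ASNs are constructed."""
import ipaddress

# Constructed topology: each entry is an eBGP session (undirected).
TOPOLOGY = {
    64500: {64501},                 # victim, originates 198.51.100.0/24
    64501: {64500, 64502, 64503},   # victim's transit provider
    64502: {64501, 64504},          # the path most of "the Internet" uses
    64503: {64501, 64505},          # the attacker's intended clean return path
    64504: {64502, 64666},          # attacker's transit A: the hijack goes out here
    64505: {64503, 64666},          # attacker's transit B: must stay un-hijacked
    64666: {64504, 64505},          # attacker, dual-homed
}
VICTIM_PREFIX, HIJACK_PREFIX = "198.51.100.0/24", "198.51.100.0/25"


def propagate(topology, announcements, max_rounds=100):
    """Flood announcements until nothing changes.

    announcements: (origin_asn, prefix, as_path) triples, where as_path is what
    the origin puts on the wire (leftmost AS = nearest). A legitimate origin
    sends (origin_asn,); a prepending origin repeats itself; an attacker may
    forge anything. Returns rib[asn][prefix] = (as_path, next_hop_asn), with
    next_hop_asn None for a locally originated route.
    """
    rib = {asn: {} for asn in topology}
    adj_in = {asn: {} for asn in topology}     # asn -> prefix -> neighbor -> path
    for origin, prefix, path in announcements:
        rib[origin][prefix] = (path, None)
    for _ in range(max_rounds):
        changed = False
        for asn, neighbors in topology.items():
            for prefix, (path, next_hop) in list(rib[asn].items()):
                wire = path if next_hop is None else (asn,) + path
                for nbr in neighbors:
                    # RFC 4271 loop detection: a router drops any UPDATE whose
                    # AS_PATH already contains its own ASN. This is the hook
                    # the poisoning trick abuses.
                    if nbr in wire or nbr == next_hop:
                        continue
                    received = adj_in[nbr].setdefault(prefix, {})
                    if received.get(asn) == wire:
                        continue
                    received[asn] = wire
                    if prefix in rib[nbr] and rib[nbr][prefix][1] is None:
                        continue                # nbr originates it; local wins
                    # Decision process reduced to: shortest AS_PATH, then
                    # lowest neighbor ASN. This is the length prepends inflate.
                    best_nbr, best_path = min(received.items(),
                                              key=lambda kv: (len(kv[1]), kv[0]))
                    if rib[nbr].get(prefix) != (best_path, best_nbr):
                        rib[nbr][prefix] = (best_path, best_nbr)
                        changed = True
        if not changed:
            break
    return rib


def forward(rib, start_asn, dst_ip, max_hops=16):
    """Hop-by-hop longest-prefix-match forwarding; returns the AS sequence."""
    ip = ipaddress.ip_address(dst_ip)
    asn, hops = start_asn, [start_asn]
    for _ in range(max_hops):
        candidates = [p for p in rib[asn] if ip in ipaddress.ip_network(p)]
        if not candidates:
            return hops + ["unreachable"]
        best = max(candidates, key=lambda p: ipaddress.ip_network(p).prefixlen)
        next_hop = rib[asn][best][1]
        if next_hop is None:
            return hops                 # delivered to whoever originates the route
        asn = next_hop
        hops.append(asn)
    return hops + ["loop"]


def scenario(forged_path):
    """Victim announces its /24; attacker announces a more-specific /25 with the
    given AS_PATH. Reports who accepted the /25 and where packets end up."""
    rib = propagate(TOPOLOGY, [(64500, VICTIM_PREFIX, (64500,)),
                               (64666, HIJACK_PREFIX, forged_path)])
    return {
        "accepted_hijack": sorted(a for a in TOPOLOGY
                                  if HIJACK_PREFIX in rib[a] and a != 64666),
        "from_64502": forward(rib, 64502, "198.51.100.10"),
        "attacker_return_via_64505": forward(rib, 64505, "198.51.100.10"),
    }


# Plain hijack: origin forged as the victim, nothing else. Everyone, including
# the attacker's own return-path provider, now hands the /25 to the attacker.
NAIVE = scenario((64666, 64500))
# Poisoned: the ASes on the return path (64505, 64503, 64501) are inserted into
# the forged AS_PATH, so their loop detection discards the hijack and the
# attacker keeps a clean route back to the real origin through 64505.
POISONED = scenario((64666, 64505, 64503, 64501, 64500))

if __name__ == "__main__":
    for name, result in (("naive", NAIVE), ("poisoned", POISONED)):
        print(name, result)
```

In the naive run 64505 forwards the victim's traffic straight back to the attacker, so the attacker can intercept but not deliver; in the poisoned run 64505, 64503 and 64501 never hold the /25, which is exactly the "selectively remove ASes from receiving the announcement" effect. Note that in both runs the victim AS itself never sees the bogus /25 in its RIB, because the forged path ends in its own ASN; the leak is only visible from outside.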
Hey! That's my private info!
I am now sending a federal law DMCA notice demanding you take my information down.
BTW, please don't run a Slashdot front page story on my DMCA takedown notice & info.
Whew! Good thing you clicked the "Anonymous Coward" box when you posted that!
So it's encrypted between the server and your box. What about the other side of the server?
God: An invisible friend for grown-ups.
A man-in-the-middle attack on BGP would require that you intercept and re-write BGP data. The only place to do that is if you can insert some hardware on the physical route between two BGP-speaking routers. That is, on the cable between two ISPs that are peering with each other or have a transit agreement. While the BGP protocol could, in theory, be routed across the internet, my understanding is that in practice it never is.
Add to that that to successfully perform such an attack, you would need appropriate (expensive) network interfaces and hardware capable of speaking fast enough, and this "attack" becomes something that needs a *lot* of resources to pull off. Sure, governments and big corporations can do it, maybe big organised crime could too, but yer average bedroom cracker couldn't.
And why would the big boys bother anyway, when they can just announce bogus routes?
Why can't I mod something "tragic"?
http://www.dieblinkenlights.com
Isn't this why PGP was integrated into many email clients years ago? Since when have people considered the Internet safe from eavesdropping? Since I started using the internet in 1995, I have been warned many times by countless posts and websites informing people of the potential for eavesdropping on the internet. Haven't you seen any of these warnings? This is nothing new.
Or so you would think, but they're probably monitoring traffic to /. as well, so now they have his IP. Probably he is now at work, but with his login, they will be able to link it to the times he logged in at home.
Then some more cross referencing and he is on his way to Gitmo.
Don't fight for your country, if your country does not fight for you.
Anyone who knows anything about basic Internet protocols should be shitting themselves right about now.
And those of us who actually do this stuff for a living (who already knew at least most of this) are neither surprised, nor any more paranoid about it. As a matter of fact, this might be the sauce needed to get more providers to properly filter announcements, and possibly more. So making this more public might actually be a good thing.
The ability to hijack space is already very well known to anyone in a position to do it, and most of us have accidentally done so at some point in our careers. I know I haxxored 192.168.0.0 by accident once by announcing it to an upstream. Yeah....it happens. And it never should. To this day, you'll more often than not see RFC1918 space being announced if you get a full routing table.
BGP routing table entry for 192.168.0.0/16, version 3564
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Advertised to non per-group peers:
202.10.0.201 202.10.0.202
Local
192.0.2.1 from 0.0.0.0 (192.189.54.221)
Origin incomplete, metric 0, localpref 101, weight 32768, valid, sourced, best
Community: 2764:20
Do not fold, spindle or mutilate.
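Several posts in this thread point at the same fix: each provider filters what its peers announce, rather than trusting the NLRI of any UPDATE ("DO NOT PUT UNTRUSTED PEERS IN THE ACLs", the observation that the hijack needs an upstream that doesn't filter prefixes, and the RFC1918 leak shown just above). What follows is an added example of such an inbound filter, not any vendor's prefix-list syntax or code from anyone in the thread: the martian list is illustrative rather than complete, the per-peer prefix-list and the sample UPDATEs are constructed, and documentation ranges stand in for real address space.

```python
"""Inbound eBGP prefix filter, added as an example of the "don't accept adverts
from any AS" advice in the thread. Example code, not any vendor's prefix-list
syntax; the peer data and sample UPDATEs are constructed."""
import ipaddress

# Special-use space that must never appear in an eBGP UPDATE's NLRI
# (RFC 1918 and friends). Illustrative, not a complete bogon list.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]
MAX_PREFIXLEN = 24   # longer prefixes are deaggregation noise or a hijack attempt

# Per-peer prefix-list: what each customer is entitled to announce (in practice
# generated from IRR route objects). Constructed data; documentation ranges are
# used as stand-ins for real address space.
PEER_ALLOWED = {
    64500: ["198.51.100.0/24"],
    64666: ["203.0.113.0/24"],
}


def check_update(my_asn, peer_asn, prefix, as_path):
    """Return (accepted, reason) for one NLRI received from peer_asn.
    as_path is a tuple with the peer's ASN leftmost, as on the wire."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen > MAX_PREFIXLEN:
        return False, f"prefix longer than /{MAX_PREFIXLEN}"
    for martian in MARTIANS:
        # reject the martian itself, anything inside it, and any supernet that
        # would cover it (e.g. a leaked 192.0.0.0/8 or a default route)
        if net.subnet_of(martian) or martian.subnet_of(net):
            return False, f"martian {martian}"
    if my_asn in as_path:
        return False, "own ASN in AS_PATH (loop)"
    if not as_path or as_path[0] != peer_asn:
        return False, "AS_PATH does not start with peer ASN"
    allowed = PEER_ALLOWED.get(peer_asn, [])
    # the peer may announce its registered blocks or more-specifics of them,
    # nothing else, regardless of what the AS_PATH claims about the origin
    if not any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed):
        return False, f"not in prefix-list for AS{peer_asn}"
    return True, "accepted"


def filter_updates(my_asn, peer_asn, updates):
    """Apply check_update to (prefix, as_path) pairs; returns (accepted, rejected)."""
    accepted, rejected = [], []
    for prefix, as_path in updates:
        ok, reason = check_update(my_asn, peer_asn, prefix, as_path)
        (accepted if ok else rejected).append((prefix, reason))
    return accepted, rejected


# Constructed sample session: transit AS 64504 hearing from customer AS 64666.
SAMPLE_FROM_64666 = [
    ("203.0.113.0/24", (64666,)),                              # its own block: fine
    ("198.51.100.0/25", (64666, 64505, 64503, 64501, 64500)),  # poisoned more-specific
    ("198.51.100.0/24", (64666, 64500)),                       # someone else's /24
    ("192.168.0.0/16", (64666,)),                              # the classic RFC 1918 leak
]

if __name__ == "__main__":
    ok, bad = filter_updates(64504, 64666, SAMPLE_FROM_64666)
    print("accepted:", ok)
    print("rejected:", bad)
```

The check has to run at the first hop: once a transit provider has accepted a customer's announcement, its own upstreams only see a path that begins with a provider they already trust, which is why the thread's "very high bar" is really "find one provider that doesn't do this".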
Yes. Definitely a good idea on my part.
Shit.
Attention deficit disorder is a complicated issue, spanning several major... HEY LET'S GO RIDE BIKES!