Slashdot Mirror

← Back to Stories (view on slashdot.org)

Route-Injection Attacks Detouring Internet Traffic

Posted by Unknown on from the blame-the-nsa dept.

msm1267 writes "Attackers are using route injection attacks against BGP-speaking routers to insert additional hops in the traffic stream, redirecting traffic to third-party locations where it can be inspected before it's sent to its destination. Internet intelligence company Renesys has detected close to 1,500 IP address blocks that have been hijacked on more than 60 days this year, a disturbing trend that indicates attackers could finally have an increased interest in weaknesses inherent in core Internet infrastructure."

85 comments

  1. Lost by Anonymous Coward · · Score: 1

    Oh no did this get re-routed? Damn them.

    1. Re:Lost by binarylarry · · Score: 3, Funny

      No, not at all.

      What that's over there?

      -Friendly NSA Spook

      --
      Mod me down, my New Earth Global Warmingist friends!
  2. another day by turkeydance · · Score: 2

    another weakness.

    1. Re:another day by khasim · · Score: 4, Interesting

      Maybe yes, but probably not.

      The thing with BGP is that there aren't that many sites using it and in order to pull off the attack as described you'd need a LOT of network resources. On the level of one of the backbone providers.

      In the past there have been problems where bad BGP info resulted in traffic going where it should not have gone. But that appears more like a black hole. Because there is no route back out.

      In order to exploit it the bad network would have to be able to stop the good networks from exchanging routing info. And in order to do that you'd have to be at their level and between them. At which point you already have the access.

    2. Re:another day by fisted · · Score: 1

      The thing with BGP is that there aren't that many sites using it

      Hahahaha. What?

      --
      CLI paste? paste.pr0.tips!
    3. Re:another day by Anonymous Coward · · Score: 5, Informative

      The thing with BGP is that there aren't that many sites using it

      Woosh. Do you even know what you're talking about? There are literally NO "sites" using BGP (except inasmuch as sites use routers to convey data back to users). BGP is used by ISPs and Telcos, on peering routers etc.

      On the level of one of the backbone providers.

      Yep that is exactly what they are talking about. Someone is compromising backbone providers. THAT'S WHY THIS IS NEWS.

    4. Re:another day by khasim · · Score: 5, Interesting

      There are literally NO "sites" using BGP (except inasmuch as sites use routers to convey data back to users). BGP is used by ISPs and Telcos, on peering routers etc.

      You are wrong. I've worked at sites that do use BGP because they have to manager multiple incoming lines from multiple ISP's. It's for failover.

      Yep that is exactly what they are talking about. Someone is compromising backbone providers. THAT'S WHY THIS IS NEWS.

      No. Because the ISP's and Telco's exchange BGP information between themselves. So if bad BGP info is uploaded then it will be shared and the packets will only go to the bad network. They will never get to their original destination. Because every time a packet hits a backbone router it will be routed back to the bad network.

      Unless their original destination is off of the bad network in which case why bother with this?

    5. Re:another day by philip.paradis · · Score: 1

      You've demonstrated you have no idea how these attacks work, why they're important, or even how BGP itself works.

      --
      Write failed: Broken pipe
    6. Re:another day by Anonymous Coward · · Score: 0

      Because you can intercept and reroute back to the valid network, granted there is still a valid path. Read the article, dumbo.

    7. Re:another day by Mashiki · · Score: 1

      You know, I'm pretty sure that the guy with the 4uid might have a better clue about what they're talking about...just maybe.

      --
      Om, nomnomnom...
    8. Re:another day by citizenr · · Score: 1

      what if target has few IPs? or ipv6?

      --
      Who logs in to gdm? Not I, said the duck.
    9. Re:another day by citizenr · · Score: 1

      or you hijack small portion of victims network and secure VPN beachhead in another part. You send return traffic over VPN and dump it inside victims network = no BGP involved

      --
      Who logs in to gdm? Not I, said the duck.
    10. Re:another day by philip.paradis · · Score: 1

      Your assumption would be incorrect. Someone existing for a set period of time on this planet is not a reliable indicator of knowledge. That's one of the hardest things I've had to learn in fifteen years of systems work.

      --
      Write failed: Broken pipe
    11. Re:another day by philip.paradis · · Score: 0

      I'll expand upon my last comment a bit: if I had a dollar for every time I've heard the expression "I'm an expert at [insert thing here]" from someone who has the benefits of age and allegedly tons of experience with [insert thing here], and I subsequently have to fix whatever busted server/network/software config was put in place by the "expert," I'd be a wealthy man. Instead, at 32 I've learned that assumptions about competence should never be made based on things like UIDs. You can hope someone who has been in a field for a while knows what he's doing, but you cannot assume it, as you'll simply see that assumption proven wrong too many times and with too many nasty consequences.

      --
      Write failed: Broken pipe
    12. Re:another day by pupsocket · · Score: 2

      You objective is to get traffic to cross boundaries so that it fits into your authority to monitor. Then the traffic is subject to one your existing keyword searches or is eligible to be stamped "authorized" by a Foreign Intelligence Court.

    13. Re:another day by davester666 · · Score: 1

      You would have got first post, but the NSA routed your connection through their server's in Afghanistan.

      --
      Sleep your way to a whiter smile...date a dentist!
    14. Re:another day by AK+Marc · · Score: 1

      Given that I work at the largest ISP in the country (no, not the US), and deal with BGP on a regular basis, I'd have to say that the 4-digit UID guy is wrong, and that the error isn't strictly technical (I'd guess he's not a native speaker).

      --
      Learn to love Alaska
    15. Re:another day by sjames · · Score: 1

      No, you just have to advertise a shorter and/or more specific route to the destination. The other routers will accept that. The tricky part is making sure you don't create a routing loop that would prevent you from getting the re-routed traffic to the original destination. Because of that, you are unlikely to ever be able to grab all of the traffic, but you can grab portions of it.

    16. Re:another day by philip.paradis · · Score: 1

      Roger that (pun intended, if my guess is correct). Thanks for the backup; it's a bit unsettling how many people are taken seriously on topics like these when they don't actually know what they're talking about. Oh well, I suppose we get what we get.

      --
      Write failed: Broken pipe
    17. Re:another day by Anonymous Coward · · Score: 0

      You might want to RTFA instead of assuming a low UID means he knows what he's talking about.

      Spoiler: he doesn't.

    18. Re:another day by jon3k · · Score: 3, Informative

      Khasim is profoundly wrong about several things, but a lot more than "ISPs and Telcos" run BGP. The entire concept of multihoming is based around announcing your netblock(s) to multiple carriers via BGP. This provides the broader internet with two AS_PATHs to you.

    19. Re:another day by BigLonn · · Score: 1

      You are correct, he doesn't know what he's talking about , but can you ditch the self absorbing vitriol already, it makes you look like a jerk!

    20. Re:another day by Anonymous Coward · · Score: 0

      No. Because the ISP's and Telco's exchange BGP information between themselves. So if bad BGP info is uploaded then it will be shared and the packets will only go to the bad network.

      No.
      If you want to setup BGP with your ISP you can pay them to do that. But they aren't going to just blindly accept any route you send them- they'll only accept routes which you officially notify them of ahead of time, then they'll put an entry in their whitelist allowing their equipment to accept the route for that IP scope from you.

      It's a relatively simple task to require a company to verify that they own a few IP scopes. But when they are accepting a route from a third party and re-announcing it, it gets more complex. If it's a relatively small operation with just a few dozens routes, it's something you can do pretty easily, but when you're talking about a large peer the logistics of relying on a whitelist can get out of control.

      The big problem is the top-tier transit peering providers. They don't really have (or want) the ability to do 3rd party verification. So often they just have their shit wide open and happily accept any and every route from their peers.

      The trick to pulling off an attack like is being described is finding a place where you can advertise your "phony" route to the destination network as being 'better' than the real route. Usually this also involves compromising at least one router along the normal path and changing the advertisement to make it appear 'worse' than your hijacking route. The fact that the examples given seem to all involve Level 3 networks, a known accomplice to the NSA, suggests to me that these were NOT outside attacks or the random hacker who got his mitts on a core router.
      The fake destination was simply too far away for this to be an "outside" job... most of the traffic would just stop trying to take the Level 3 path and route to the correct destination via a different network. They would have had to change the iBGP (internal BGP) within Level3 itself to prefer the 'false' route, while still allowing eBGP (external BGP) to show the cost of the real route.

    21. Re:another day by Anonymous Coward · · Score: 0

      Khasim is profoundly wrong about several things, but a lot more than "ISPs and Telcos" run BGP. The entire concept of multihoming is based around announcing your netblock(s) to multiple carriers via BGP. This provides the broader internet with two AS_PATHs to you.

      This is true, but most of the time if you're not an ISP or telco yourself, you're going to have to detail your IP scope ownership in your Contract agreement with them, and they'll only whitelist those routes. Anything else you attempt to announce simply won't be accepted into their own BGP tables.
      However, on your own side of things, you're probably going to just accept any and all routes the BGP neighbor with your ISP announces to you.

      The problem is when you're an actual ISP, especially if you're in the transit/peering business, the route tables get to hundreds of thousands of route entries. And while you can try to verify the ones being announced directly to you by the owner of the IP scopes, trying to verify the ones your peers are re-advertising can be impossible... or at least functionally unworkable.
      This is the largest and most fundamental weakness in "the Internet". You end up having to Trust your peers, who in turn trust theirs, who in turn trust theirs, etc. all the way back to the source (or within a hop or two anyhow). Because there's no system currently setup to determine if the route you're being presented is really valid or not. And nobody wants to spend the time and effort manually verifying each and every route entry, and in turn verifying that the next guy has properly verified them.

    22. Re:another day by KingMotley · · Score: 1

      And I would propose, that the length of time someone is in a field alone is not a good indicator of real expertise, however, length of time coupled with a remaining desire for the field usually DOES. Since he's on a "news for nerds" site, at least when it was still one, I would have to give him the benefit of the doubt even if I didn't understand the technology, which I do, and he is correct.

    23. Re:another day by KingMotley · · Score: 1

      Ugh, I wish I could take that back. His first answer was correct, but his second wasn't. I guess I should have read the whole thing. Now I have egg on my face, and while it is breakfast time, I prefer it on my plate.

  3. traceroute by rduke15 · · Score: 1

    Will the dark side be able to disturb the course of this story?

    traceroute -m 100 216.81.59.173

    1. Re:traceroute by Anonymous Coward · · Score: 0

      I don't see the big deal here, we hackers have been doing this(and similar things) since mudge made congress aware of it back in '98. Welcome to last millenium, NSA.

    2. Re:traceroute by fisted · · Score: 3, Informative

      All the 'evil party' has to do is not decrement the TTL. It won't show up in your traceroute then.

      --
      CLI paste? paste.pr0.tips!
    3. Re:traceroute by Anonymous Coward · · Score: 0

      As usual, someone on slashdot thinks they are brilliant and have found a humongous flaw in a plan, and as usual it only takes about 2 seconds of though to work around their "flaw"

    4. Re:traceroute by swalve · · Score: 1

      If they can get into backbone networks and compromise their BGP, they probably have the capability of returning a packet to the original network looking just like it did when it left. Their fuckery doesn't have to follow the rules of the internet. It just has to look like it does. Grab a packet, encapsulate it in something, do what they want with it, and then unwrap it at the other end. You could do that with a shell script. It will contain the same src, dest and ttl.

  4. Pointless by The+Cat · · Score: 1, Insightful

    Posting a worthwhile comment on this site is like reading Robert Frost to pigs. All you end up with is a book soaked in pigshit.

    1. Re:Pointless by Lotana · · Score: 4, Insightful

      You'll be surprised. There are diamonds in the shit. Many knowledgeable people frequent this site, but many are repulsed from making a new thread. They jump on a good ones though.

      So this is what stories are: Early threads of jokes by people that don't read the article or summary; Followed by people that read the summary then read relevant Wikipedia article; Finally by people that read the article. Somewhere in the last two categories, insightful or interesting thread will be made and the worthwhile comments will come.

      Of course that won't happen if the good posters take up your attitude and just give up. So if you know something about the subject in the article, don't be shy and make a thread explaining the matter in your own words or make examples. Worst case scenario is that you get joke/grammar nazi responses or get down modded. The former doesn't matter as time goes on you will get insightful resposes after a while. As for the latter: Don't get discouraged. There are lots of us that read at -1.

      As the case here :-)

    2. Re:Pointless by ttucker · · Score: 1

      This guy, The Cat, is an asshole. He makes contentious posts, then pretends to be offended when someone else takes the bait. The self comparison to Robert Frost, while amusing, should probably indicate the grade of turd we are dealing with here.

  5. If we know they are looking... by Ceriel+Nosforit · · Score: 2

    Who are they looking at? - That will tell us who is doing the looking.

    --
    All rites reversed 2010
  6. Encrypt all the things by Lennie · · Score: 3, Insightful

    Really, I think it's time for this.

    The IETF commited themselves to do so, here are the talks (among the speakers: Bruce Schneier) and discussions:
    http://www.youtube.com/watch?v=oV71hhEpQ20#t=23m02s

    Here is the voting part:
    http://www.youtube.com/watch?v=oV71hhEpQ20#t=2h28m20s

    Yes, I think we need some DNSSEC with that too. Not for encryption, but to verify the data (when you route hijack you can easily change some DNS-packets).

    The number of attackers that can get attack to the root and tld keys are limited. Yes, it might include NSA and CIA that can get access to the root*, but that probably means it won't be China or Russia.

    * Although I don't see a way they can get access to the root signing key and stay undetected, that should deter them. Maybe they can get access to the zone signing keys though, they are valid for a couple of months. As VeriSign and ICANN are both organisations in the US. So they would need get access to those keys at least periodically though.

    --
    New things are always on the horizon
    1. Re:Encrypt all the things by Anonymous Coward · · Score: 0

      Yes, it might include NSA and CIA that can get access to the root*, but that probably means it won't be China or Russia.

      The problem is, and has been since the start, the likes of Booz Allen and institutionalized reliance on polygraphs. TLA's don't operate as units. The US DoD's trillions of dollars worth of missing accounting is proof of this.

      The US taxpayers pay for security and what gets churned out is paydata on the black market.

    2. Re:Encrypt all the things by Anonymous Coward · · Score: 1

      One attacker which is part of the problem is too many.

      No. We're taking the root away, too. A Nation State Adversary cannot possibly hold the root namespace key, it's a fundamental conflict of interest. And we have the revocation keys. We made sure of that from the beginning.

      You didn't see that vote, because we still have to reach consensus on what replaces it. (And we'd better come up with something good, or as Schneier said in the talk, it'll be the ITU, and that's worse. A new IANA.INT, perhaps.)

    3. Re:Encrypt all the things by pupsocket · · Score: 1

      Let me paraphrase the original article for clarity:

      The NSA has been rerouting traffic at the backbone level in order to obtain traffic patterns that fit the agency's approved search criteria.

  7. It's only competition by Anonymous Coward · · Score: 1

    Looks like the NSA has competition

    1. Re:It's only competition by Anonymous Coward · · Score: 0

      This isn't about Google.

  8. Why wasn't this done before? by guanxi · · Score: 1

    Perhaps some network guru can explain: Why wasn't this exploited long ago?

    1. Re:Why wasn't this done before? by sabri · · Score: 1

      Perhaps some network guru can explain: Why wasn't this exploited long ago?

      This was exploited a decade ago already. The only difference with today is that it was done by one anti-spammer (MAPS) versus another anti-spammer (ORBS) to fight out a war.

      --
      I'm not a complete idiot... Some parts are missing.
    2. Re:Why wasn't this done before? by jd · · Score: 1

      Router poisoning is an old attack, used many times. Sometimes deliberately, sometimes when a router goes bad.

      BGP supports encryption, via certificates or shared secrets. People were supposed to have made the switch years ago, but I have posted time and again that this hasn't happened in practice.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  9. misleading & likely incorrect by jgaynor · · Score: 5, Interesting

    This whole article smacks of some CISSP pouring over BGP looking glass router logs and having a sophomore Eureka moment. BGP MITM is not practically possible because of the return path problem: the last router that dumped you the traffic believes you are the legitimate endpoint for that traffic and therefore is not going to forward it to the ACTUAL target once you're done doing nefarious things to it. The article tries to explain this away with the following:

    "The traffic was likely examined and then returned on a “clean path” to its destination—all of this happening in the blink of an eye."

    If the 'clean path' of the internet thinks Mallory is Bob, Mallory's theoretical egress 'Clean Path' will make the same assumption. Perhaps Alice's first hop AS was compromised? If so this is an isolated vendor network problem, not an 'internet at large' problem. Maybe Mallory's 'clean path' is a point to point to Bob? If so Bob's an idiot for signing a peering agreement with a known Hooligan.

    This was likely a misconfigured customer router connected to an irresponsible ISP that doesn't filter the routes it accepts, just like the Pakistan/Youtube Incident. The author either doesn't understand the technical impossibility of the attack they're dreaming about or does and is willing to lose credibility in exchange for ad traffic.

    1. Re:misleading & likely incorrect by Anonymous Coward · · Score: 0

      This was likely a misconfigured customer router connected to an irresponsible ISP that doesn't filter the routes it accepts, just like the Pakistan/Youtube Incident.

      Hanlon's Razor never gets dull.

    2. Re:misleading & likely incorrect by PPH · · Score: 3, Insightful

      If so Bob's an idiot for signing a peering agreement with a known Hooligan.

      Unless that hooligan delivers the agreement attached to a National Security letter.

      From TFA:

      Renesys provided two examples of redirection attacks. The first took place every day in February with a new set of victims in the U.S., South Korea, Germany, the Czech Republic, Lithuania, Libya and Iran, being redirected daily to an ISP in Belarus.

      Makes sense. This is exactly the sort of partner I'd expect the NSA to work with. If packets were diverted through Langley, VA or somewhere in Utah, we'd all figure out who was behind this pretty quickly.

      --
      Have gnu, will travel.
    3. Re:misleading & likely incorrect by Anonymous Coward · · Score: 0

      If the 'clean path' of the internet thinks Mallory is Bob, Mallory's theoretical egress 'Clean Path' will make the same assumption. Perhaps Alice's first hop AS was compromised? If so this is an isolated vendor network problem, not an 'internet at large' problem.

      Depends on how you define "large", especially when you speak of those "isolated" vendors that maintain backbones.

      All it takes is a tap in the right spot or spots to maximize traffic capture. You know the sort of thing the NSA builds maps for.

    4. Re:misleading & likely incorrect by Anonymous Coward · · Score: 0

      Who indeed has the power to do this on a large scale.

    5. Re:misleading & likely incorrect by pupsocket · · Score: 1

      Couldn't help noticing that Ashburn, Virginia is on the list of legitimate hops; it appears to be the last legitimate hop before detour.
      The original UUNET headquarters, now Verizon's Network Operations Center.
      Fortunately it is in a remote area far from the meddling hands of federal agencies and their contractors, the sleepy Dulles corridor.

    6. Re:misleading & likely incorrect by 0123456 · · Score: 1

      Makes sense. This is exactly the sort of partner I'd expect the NSA to work with. If packets were diverted through Langley, VA or somewhere in Utah, we'd all figure out who was behind this pretty quickly.

      Instead, everyone just assumes the NSA are behind it, even if it's actually... whatever the KGB mutated into after the Soviet Union collapsed. Or are they still the KGB these days?

    7. Re:misleading & likely incorrect by Anonymous Coward · · Score: 0

      FSB

    8. Re:misleading & likely incorrect by sjames · · Score: 2

      It;s hard but not impossible as long as you are well connected (in the network topology sense) and accept that you can only hijack a portion of the traffic at once.

      For example, lets say you are directly connected at MAE East and MAE West. Announce your bogus route to some site on the east coast at MAE West. Make sure your announced cost is just short enough to look like the best route to a router in the western half of the U.S. Then tunnel the traffic to your own location for logging and whatever nefarious tricks you care to pull. Then re-inject it into the public internet at MAE East where the legitimate destination's announcement looks like a better route.

      Lather, rinse, repeat for other regions.

    9. Re:misleading & likely incorrect by Anonymous Coward · · Score: 0

      "the last router that dumped you the traffic believes you are the legitimate endpoint for that traffic and therefore is not going to forward it to the ACTUAL target once you're done doing nefarious things to it."

      And the attacker can't learn where the original router was going to deliver the packet, and simply deliver the packet to that IP?

    10. Re:misleading & likely incorrect by Anonymous Coward · · Score: 0

      Hmm, no. Suppose target is a level3 customer: peer with level3, send Evil more specific hijack route there, marked NO_EXPORT. Send normal routes there as well. For the return path, have a different provider which is not going to send the return traffic to level-3 (i.e. which is also an upstream provider of the target).

      Just because you cannot do it to every target doesn't mean you cannot do it. It really just requires the target to be multihomed with two networks that you can also become a customer of.

      And the target doesn't have to be the Autonomous System that hosts the networks you're trying to divert, btw. You can target another AS in the path.

    11. Re:misleading & likely incorrect by PPH · · Score: 1

      I don't think Belarusians are that great allies of Russia thanks to the treatment they suffered under Stalin and later Soviet leaders.

      --
      Have gnu, will travel.
    12. Re:misleading & likely incorrect by Virtucon · · Score: 1

      College Kids, screwin around..

      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
    13. Re:misleading & likely incorrect by OdinOdin_ · · Score: 1

      Presumably someone intercepting has more than one route to the victim AS. one to perform the intercept and another to pass on the traffic with to it ends up delivered to the victims AS. so they shunt the traffic inside some MPLS tunnel across their own network (via their inspection device/system).

      Now if you are talking about asymmetric routing issues that is a different matter. Since the victim AS won't automatically send the other half of the data stream via your hijacking networking (unless of course you can perform a reciprocal intercept at the other side as well, if it is possible at one sure, then surely it maybe possible at the other).

    14. Re:misleading & likely incorrect by Anonymous Coward · · Score: 0

      Perhaps looking closer to the actual source would help your understanding? One of the instances was traffic from Denver, CO to Denver, CO ended up going through Iceland. While I can believe Denver might not have a peering point in the city, it seems rather unlikely the closest exchange would be in Iceland. This could possibly be explained being due to some network oddity, that still seems rather a bit odd.

    15. Re:misleading & likely incorrect by Eunuchswear · · Score: 1

      This was likely a misconfigured customer router connected to an irresponsible ISP that doesn't filter the routes it accepts,

      The "irresponsible ISP" is most (all?) of them.

      --
      Watch this Heartland Institute video
    16. Re:misleading & likely incorrect by Eunuchswear · · Score: 1

      And the attacker can't learn where the original router was going to deliver the packet, and simply deliver the packet to that IP?

      Only if the attacker is directy connected(*) to the netwok that has that IP. You can't "deliver a packet", you pass it to someone who passes it to someone who...

      (*) or as sjames says enough, more closely connected than the place you stole the packet..

      --
      Watch this Heartland Institute video
  10. Re:No problem here by MobSwatter · · Score: 1

    "Traitorhands"? Maybe he shares an opinion like much of the people about deficit spending to fund a shiny new police state, and was in a better position to do something about it, then again he may have been at odds about rendering computing security a lost cause. Maybe someone should have mentioned all this before the banks came out with pci security standards and bilked the end users for something that doesn't exist?

  11. Old story by Anonymous Coward · · Score: 0, Interesting

    We've been hearing about this one since the ISPF (ISP Forum) in Atlanta in 1998. A group of xtians took over a block of addresses to push their invisible guy in the sky theory, and several ISPs there talked about how they were fighting the xtians. It's sad to see that those xtianists have buried that story in the media for fifteen years.

  12. which 1500 blocks by rewindustry · · Score: 2

    specifically? is there a reason renesis does not appear to supply this information, or am i missing it?

  13. Weakness in core Internet infrastructure .. by codeusirae · · Score: 1

    "Attackers are using route injection attacks against BGP-speaking routers .. a disturbing trend that indicates attackers could finally have an increased interest in weaknesses inherent in core Internet infrastructure."

    Like how, if a router is hackable then the weakness resides in the router, not the core Internet infrastructure, the internet is doing what it was designed for, routing packets ...

  14. Really? Again? by fostware · · Score: 1

    *sigh*

    Another day, another announcement of an old hack which any serious network admin would have filtered by now. The fact this is happening at ISP/carrier level is extremely disheartening.

    --
    "We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
    1. Re:Really? Again? by Antique+Geekmeister · · Score: 4, Insightful

      As a "serious network admin", most groups have little control over the critically necessary BGP handling of their upstream nework provider. Ones is't left your building, it takes considerable extra steps to track and verify the packets to ascertain the packets are being routed outside your upstream venror, or their colleague's, control. By the time you can get the evidence passed along to any party in any of those companies that can actually do anything about the problem, the attack is often already over, if not simply better concealed.

      Unfortunately, BGP has been a necessary evil to _balance_ traffic in a dynamic network. It's also unfortunate that it is often deliberately manipulated, as a matter of corporate strategy, to avoid expensive but faster routes, or to manipulate competitor's traffic reports. The amount of business based manipulation of what was designed as a metric based feedback and tuning system means that it will not ever be used for "honest" routing. I'm afraid that any plan to sanitize the BGP tables will run afoul of business needs and wind up rejected.

    2. Re: Really? Again? by fostware · · Score: 1

      My point exactly.

      I filter the routes I accept from upstream and downstream. I have gone blue with a provider about the fact they were accepting private network advertisements from customers. Needless to say, we're not with that provider anymore. I do monitor odd advertisements from networks we're not directly peered with. Any ISP not monitoring routes is either overworked or slack

      --
      "We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
  15. Protecting Border Gateway Protocol by Anonymous Coward · · Score: 0

    "Administrators must understand many important aspects of BGP as a protocol to assess where it may be susceptible to various forms of attack and where it must be protected .. administrators must mitigate the risk and potential impact of associated exploit attempts link

    "This document introduces the Border Gateway Protocol (BGP), explains its importance to ... and provides a set of best practices that can help in protecting BGP." link

  16. MITM? by koan · · Score: 1

    The NSA does it, was this the NSA?

    --
    "If any question why we died, Tell them because our fathers lied."
  17. Better to use time by Anonymous Coward · · Score: 0

    The root key is still a single point of weakness.

    I really think *time* is the proper cipher to use. Ultimately if we exchange a key at time t0, then no cleverness on the part of the {NSA, GCHQ, Mossad, FSA, million other badguys} can man in the middle that key. They cannot time travel.

    So instead of trusting a certificate authority to say a key is the right one. We exchange keys regularly, keep track of the first one we got and then start flagging to the user ever attempt to change the key.

    So in practice if a sites DNS reported the key as blah1 at t0, and we use it for years and its blah1, and suddenly it's blah2, the user is warned and can determine if they're being attacked.

    The attack for this is obviously to swap blah1 at t0, but then can you see into the future and determine that you will need to do this on this connection? Nope. Time travel again, you can't skip into the future, determine that this person *will* be a politician, journalist, or any other target, and pop back in time to do the key exchange.

    Obviously you could key exchange 100% of the time from day 1, but that would be obvious and noticeable.

  18. Much prefer Invisible Internet (I2P) for that role by Burz · · Score: 3, Interesting

    Conventionally encrypted links naively tell listeners the who, where and when of the communications.

    Schneier makes good points in your first link: He asserts metadata=data, and makes special mention of the NSA's hatred for Tor. This is very apt, IMO... Tor is there early in his speech as an NSA bugaboo because anonymization networks are uniquely suited to hiding the metadata. Onion routing provides resistance to traffic analysis, and traffic analysis easily provides the who, where and when details of simplistic crypto links.

    To get past the metadata surveillance problem, our encrypted communications will have to become both decentralized and structured. And the structure that current information technology can provide essentially boils down to a marriage of P2P and onion routing.

    Now, if you want verification along with your onion routing, that is simpler than you may think because addresses on these networks also happen to be cryptographic keys that can be used to verify identity. If your systems remain secure, then no one else can reasonably impersonate you or the parties you're communicating with... as long as you stick to using .onion and .i2p addresses. This use of encrypted onion routing is known as 'darknet'.

    So... To get past the surveillance problem and facilitate mutual trust, our communications will have to shift toward darknets. Online privacy requires the tools of anonymity every bit as much as it needs the principles of open source.

    I'd actually recommend I2P - not Tor - as a model for a privacy- and trust-hardened Internet, because ubiquitous end-to-end encryption means no more need for "exit nodes", and also because I2P is intended to be general purpose, less centralized and more scalable... and the topology more closely mirrors a physical mesh network. They even have a server-less email system based on DHT running.

    I2P is almost as old as Tor, and has increased its rate of growth considerably over the past few years. To me, the only real question about how appropriate the I2P concept is for a hardened Internet is just how many nodes it can really scale.

  19. Schneier's bullet list: How I2P stacks up by Burz · · Score: 2

    BTW, you may recognize many of the qualities touted by the Diaspora project in the responses below:

    'Ubiquitous encryption' (on backbone, because that's where NSA taps are)
          I2P goal is ubiquitous encryption between all routers and clients (which are essentially the same thing to it). Also, its general purpose so its possible ubiquitous among applications.

    'Target dispersal'
          If each person or organization routes traffic and mints their own crypto-based addresses, then power over communications is far more evenly distributed over the net. In many of the ways that matter, each node is acting as their own ISP and the physical ISPs become far less relevant to the legal machinations of the spies.

    'Usable application layer encryption'
          Apps are written for / adapted to I2P for the purpose of providing encryption; they will not be able to communicate with other nodes unless the I2P router service is running.

    'More open source and standards'
          Check - I2P is open source and libre.

    'Better integrated anonymity tools'
          Anonymity is the initial default for anyone starting to use I2P. Identities and trust relationships can be firmed-up in much the same way as ssh.

    'Better assurance against system compromise'
          I2P doesn't address this specifically, as the changes here need to begin more at the hardware and OS levels. Qubes OS, for instance, shows the hypervisor-enforced security context of programs via the window frame color. It also has a scheme to verify system authenticity at boot time using TPM hardware (if present). (I'm typing this now on a Qubes system.) Thus I2P apps running on Qubes can be placed in separate trust domains that are verified by the user at a glance.

    Note: All of these points can be addressed on PCs; this may even be out of necessity. The surveillance problem is structural more than anything else-- the political and corporate classes are taking advantage of a reborn mainframe monoculture mainly "because we can". And if PCs are what made the Internet interesting and special in the first place, then probably PCs are where the change in the Internet needs to happen.

    1. Re:Schneier's bullet list: How I2P stacks up by Lennie · · Score: 1

      While I agree with you.

      The real problem is: how do we get all of the public to adopt something like this.

      --
      New things are always on the horizon
    2. Re:Schneier's bullet list: How I2P stacks up by Burz · · Score: 1

      While I agree with you.

      The real problem is: how do we get all of the public to adopt something like this.

      One way is to say, "You can reach me at this address using I2P...". If enough people started using it for their interpersonal communications, it could become a standard of sorts that eventually gets adopted by business. People use Facebook, Skype and Twitter for business communications these days and the latter two had scarcely any marketing to speak of and spread through informal, personal use.

  20. Is Schneier wrong to call for a "safe" Internet by Burz · · Score: 1

    ...which sounds like an oxymoron. I thought the Internet was to be considered a hostile environment, at all times. And if servers generally make this assumption, then everyone should.

    Its PCs that need to be made safer, more trustworthy. And the requirements on his list seem to suggest that. For instance, target dispersal. How do you disperse responsibility for net traffic? Create more ISPs? Break them up? No class of corporate aristocrats and their politicos will stand for that. Its laughable! The establishment will only perform legal CYA and face-saving measures in response to surveillance revelations. Even then, the response will be less and less sincere after a short time and then only the people who run these companies will have any measure of privacy while the rest of us get lovingly-crafted PR as comfort.

    I argue that the natural destination points for the dispersal are personal computers, in whichever shape they come. I2P is like a marriage of bittorrent and Tor-- THAT is the architecture which actually satisfies Bruce's suggestions. It is disingenuous for him to focus on backbones and ISPs given what he's asking for.

  21. Re:No problem here by Anonymous Coward · · Score: 0

    "i see nothing..."
    you could have stopped there and been most accurate...

    don't want to get all 'no true scotsman' on you, but there has barely been any pretense to make a real commie state, most all have been authoritarian states using window-dressing of 'communism', but not adhering to much of its form, either theoretical or practical...
    (much like there is no 'capitalist', 'free market' state, they are all perverted, corrupted versions of capitalism run by the elites for THEIR benefit...) ...and, while i suspect you are almost certainly a closet authoritarian (i HATE you bastards! left and right), you are definitely part of the ignorant propaganda victims who know nothing but the lies Empire tells them...

  22. attackers? by Tom · · Score: 3, Interesting

    Attackers have wised up? rotfl.

    We've known BGP is insecure for 15 years, pretty much since someone first thought of thinking "security" and "BGP" in the same sentence.

    But the Telco industry is horrible at security. I should know, I've been the IT security dude for a major ISP.

    I would be surprised if active attacks on BGP were younger than 5 years. It's more likely that someone has finally taken a look.

    --
    Assorted stuff I do sometimes: Lemuria.org
  23. Ahh slashdot by Anonymous Coward · · Score: 0

    Maybe slashdot should get one mod that understands networking. This site is developer heavy and it shows. There's nothing to see here and responsible network operators have been mitigating this for years.

  24. Back to RIP by Virtucon · · Score: 2

    Screw BGP! let's go back to RIP! RIP is good! Static routes better!

    DECNet Phase 3 here we come!

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  25. Unknown Attacker my ass - it's NSA by Anonymous Coward · · Score: 0

    Pretty obviously it's NSA, not some "unk\nown attacker"

  26. That was modded "informative?" Jesus wept. by Medievalist · · Score: 1

    Do you even know what you're talking about? There are literally NO "sites" using BGP (except inasmuch as sites use routers to convey data back to users). BGP is used by ISPs and Telcos, on peering routers etc.

    We use BGP internally here and we're connected to several other enterprises that have large BGP-routed internal networks. We're not a telco or an ISP.