Slashdot Mirror


Route-Injection Attacks Detouring Internet Traffic

msm1267 writes "Attackers are using route injection attacks against BGP-speaking routers to insert additional hops in the traffic stream, redirecting traffic to third-party locations where it can be inspected before it's sent to its destination. Internet intelligence company Renesys has detected close to 1,500 IP address blocks that have been hijacked on more than 60 days this year, a disturbing trend that indicates attackers could finally have an increased interest in weaknesses inherent in core Internet infrastructure."

5 of 85 comments

  1. Pointless by The Cat · Score: 1, Insightful

    Posting a worthwhile comment on this site is like reading Robert Frost to pigs. All you end up with is a book soaked in pigshit.

    1. Re:Pointless by Lotana · Score: 4, Insightful

      You'll be surprised. There are diamonds in the shit. Many knowledgeable people frequent this site, but many are repulsed from making a new thread. They jump on good ones though.

      So this is what stories are: Early threads of jokes by people that don't read the article or summary; Followed by people that read the summary then read the relevant Wikipedia article; Finally by people that read the article. Somewhere in the last two categories, an insightful or interesting thread will be made and the worthwhile comments will come.

      Of course that won't happen if the good posters take up your attitude and just give up. So if you know something about the subject in the article, don't be shy and make a thread explaining the matter in your own words or make examples. Worst case scenario is that you get joke/grammar nazi responses or get down-modded. The former doesn't matter: as time goes on you will get insightful responses after a while. As for the latter: Don't get discouraged. There are lots of us that read at -1.

      As is the case here :-)

  2. Encrypt all the things by Lennie · Score: 3, Insightful

    Really, I think it's time for this.

    The IETF committed themselves to do so; here are the talks (among the speakers: Bruce Schneier) and discussions:
    http://www.youtube.com/watch?v=oV71hhEpQ20#t=23m02s

    Here is the voting part:
    http://www.youtube.com/watch?v=oV71hhEpQ20#t=2h28m20s

    Yes, I think we need some DNSSEC with that too. Not for encryption, but to verify the data (when you route hijack you can easily change some DNS-packets).

    The number of attackers that can get access to the root and TLD keys is limited. Yes, it might include the NSA and CIA that can get access to the root*, but that probably means it won't be China or Russia.

    * Although I don't see a way they can get access to the root signing key and stay undetected, that should deter them. Maybe they can get access to the zone signing keys though; they are valid for a couple of months. As VeriSign and ICANN are both organisations in the US, they would need to get access to those keys at least periodically though.

    --
    New things are always on the horizon

  3. Re:misleading & likely incorrect by PPH · Score: 3, Insightful

    If so, Bob's an idiot for signing a peering agreement with a known hooligan.

    Unless that hooligan delivers the agreement attached to a National Security letter.

    From TFA:

    Renesys provided two examples of redirection attacks. The first took place every day in February with a new set of victims in the U.S., South Korea, Germany, the Czech Republic, Lithuania, Libya and Iran, being redirected daily to an ISP in Belarus.

    Makes sense. This is exactly the sort of partner I'd expect the NSA to work with. If packets were diverted through Langley, VA or somewhere in Utah, we'd all figure out who was behind this pretty quickly.

    --
    Have gnu, will travel.

  4. Re:Really? Again? by Antique Geekmeister · Score: 4, Insightful

    As a "serious network admin", most groups have little control over the critically necessary BGP handling of their upstream network provider. Once it's left your building, it takes considerable extra steps to track and verify the packets to ascertain whether the packets are being routed outside your upstream vendor's, or their colleagues', control. By the time you can get the evidence passed along to any party in any of those companies that can actually do anything about the problem, the attack is often already over, if not simply better concealed.

    Unfortunately, BGP has been a necessary evil to _balance_ traffic in a dynamic network. It's also unfortunate that it is often deliberately manipulated, as a matter of corporate strategy, to avoid expensive but faster routes, or to manipulate competitors' traffic reports. The amount of business-based manipulation of what was designed as a metric-based feedback and tuning system means that it will not ever be used for "honest" routing. I'm afraid that any plan to sanitize the BGP tables will run afoul of business needs and wind up rejected.
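The story's route-injection pattern (an extra hop inserted in front of the legitimate origin so traffic detours through a third party) and the point above that verifying where your prefixes are actually being routed takes deliberate work both come down to the same defensive check: compare what BGP route collectors announce for your prefixes against what you expect. The script below is an added example, not code from this thread, from Renesys, or from any project mentioned here. It performs an RPKI-ROA-style origin and max-length validation and adds an "expected upstream" check that flags a path whose AS adjacent to the origin is not one of the origin's known transit providers, which is the shape of the inserted-hop detour. All prefixes (documentation ranges), AS numbers (private-use range), origin records and sample updates are constructed for illustration.

```python
"""
Added example (not from the thread): flag BGP announcements that disagree with
expected-origin records, RPKI-ROA style, and additionally flag paths where the
AS directly in front of the origin is not one of that origin's known upstreams,
which is the shape of the inserted-hop detour described in the story.
All prefixes, AS numbers and records below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Set, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class OriginRecord:
    """ROA-like entry: which AS may originate a prefix and how specific it may be."""
    network: Network
    origin: int
    max_len: int


# Constructed expected-origin records (prefix, authorised origin ASN, max prefix length).
# Documentation prefixes and private-use ASNs only.
RECORDS: List[OriginRecord] = [
    OriginRecord(ipaddress.ip_network("192.0.2.0/24"), 64500, 24),
    OriginRecord(ipaddress.ip_network("198.51.100.0/24"), 64501, 25),
    OriginRecord(ipaddress.ip_network("203.0.113.0/24"), 64502, 24),
]

# Constructed: the transit ASNs each origin actually connects to. A route whose
# path shows any other AS adjacent to the origin deserves a look.
EXPECTED_UPSTREAMS: Dict[int, Set[int]] = {
    64500: {64510, 64511},
    64501: {64510},
    64502: {64512},
}

# Constructed updates as a route collector would see them: (prefix, AS_PATH),
# leftmost AS nearest the collector, rightmost AS the origin.
SAMPLE_UPDATES: List[Tuple[str, List[int]]] = [
    ("192.0.2.0/24", [64520, 64510, 64500]),           # normal path
    ("192.0.2.0/24", [64520, 64599, 64500]),           # detour: 64599 sits in front of the real origin
    ("198.51.100.0/25", [64520, 64510, 64501]),        # more specific, but within max_len
    ("198.51.100.0/26", [64520, 64510, 64501]),        # more specific than max_len allows
    ("203.0.113.0/24", [64520, 64512, 64599]),         # wrong origin AS
    ("203.0.113.0/24", [64520, 64512, 64502, 64502]),  # legitimate origin prepending
    ("100.64.0.0/10", [64520, 64599]),                 # no record at all: cannot judge
]


def collapse_prepends(as_path: Sequence[int]) -> List[int]:
    """Drop consecutive repeats so AS-path prepending does not hide the real neighbour."""
    out: List[int] = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def classify(prefix: str, as_path: Sequence[int],
             records: Iterable[OriginRecord],
             upstreams: Dict[int, Set[int]]) -> str:
    """Return one of: valid, unknown, origin-hijack, too-specific, unexpected-upstream."""
    net = ipaddress.ip_network(prefix)
    path = collapse_prepends(as_path)
    origin = path[-1]
    covering = [r for r in records
                if r.network.version == net.version and net.subnet_of(r.network)]
    if not covering:
        return "unknown"                      # nothing to compare against
    matching = [r for r in covering if r.origin == origin]
    if not matching:
        return "origin-hijack"                # covered prefix, origin not authorised
    if net.prefixlen > max(r.max_len for r in matching):
        return "too-specific"                 # more-specific announcement beyond max_len
    if len(path) >= 2 and path[-2] not in upstreams.get(origin, set()):
        return "unexpected-upstream"          # an inserted hop in front of the origin
    return "valid"


def audit(updates, records, upstreams):
    """Classify every update; returns (prefix, path, verdict) triples in input order."""
    return [(prefix, path, classify(prefix, path, records, upstreams))
            for prefix, path in updates]


if __name__ == "__main__":
    for prefix, path, verdict in audit(SAMPLE_UPDATES, RECORDS, EXPECTED_UPSTREAMS):
        print(f"{verdict:20} {prefix:18} {' '.join(map(str, path))}")
```

In practice the origin records would come from your own RPKI ROAs or IRR route objects and the updates from a public collector feed, so that you see the paths other networks see rather than only your upstream's view. The "unexpected-upstream" verdict is a review queue, not a drop decision: it fires legitimately whenever an origin adds a new transit provider, so the upstream table has to be maintained alongside the peering contracts.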