Route-Injection Attacks Detouring Internet Traffic
msm1267 writes "Attackers are using route injection attacks against BGP-speaking routers to insert additional hops in the traffic stream, redirecting traffic to third-party locations where it can be inspected before it's sent to its destination. Internet intelligence company Renesys has detected close to 1,500 IP address blocks that have been hijacked on more than 60 days this year, a disturbing trend that indicates attackers could finally have an increased interest in weaknesses inherent in core Internet infrastructure."
This whole article smacks of some CISSP poring over BGP looking-glass router logs and having a sophomore Eureka moment. BGP MITM is not practically possible because of the return path problem: the last router that dumped you the traffic believes you are the legitimate endpoint for that traffic and therefore is not going to forward it to the ACTUAL target once you're done doing nefarious things to it. The article tries to explain this away with the following:
"The traffic was likely examined and then returned on a “clean path” to its destination—all of this happening in the blink of an eye."
If the 'clean path' of the internet thinks Mallory is Bob, Mallory's theoretical egress 'clean path' will make the same assumption. Perhaps Alice's first-hop AS was compromised? If so, this is an isolated vendor network problem, not an 'internet at large' problem. Maybe Mallory's 'clean path' is a point-to-point link to Bob? If so, Bob's an idiot for signing a peering agreement with a known hooligan.
This was likely a misconfigured customer router connected to an irresponsible ISP that doesn't filter the routes it accepts, just like the Pakistan/YouTube incident. The author either doesn't understand the technical impossibility of the attack they're dreaming about, or does and is willing to lose credibility in exchange for ad traffic.
Maybe yes, but probably not.
The thing with BGP is that there aren't that many sites using it, and in order to pull off the attack as described you'd need a LOT of network resources, on the level of one of the backbone providers.
In the past there have been problems where bad BGP info resulted in traffic going where it should not have gone. But that appears more like a black hole, because there is no route back out.
In order to exploit it the bad network would have to be able to stop the good networks from exchanging routing info. And in order to do that you'd have to be at their level and between them. At which point you already have the access.
We've been hearing about this one since the ISPF (ISP Forum) in Atlanta in 1998. A group of xtians took over a block of addresses to push their invisible guy in the sky theory, and several ISPs there talked about how they were fighting the xtians. It's sad to see that those xtianists have buried that story in the media for fifteen years.
You are wrong. I've worked at sites that do use BGP because they have to manage multiple incoming lines from multiple ISPs. It's for failover.
No. Because the ISPs and telcos exchange BGP information between themselves. So if bad BGP info is uploaded, then it will be shared and the packets will only go to the bad network. They will never get to their original destination, because every time a packet hits a backbone router it will be routed back to the bad network.
Unless their original destination is off of the bad network in which case why bother with this?
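The thread above argues about whether a detour can work at all; the monitoring side is less contested, and is what Renesys-style detection boils down to: compare each announcement against the prefixes and origins you know are legitimate and against the AS paths you have seen before. The following Python script is an added example, not code from the article, from Renesys or from any poster. The prefixes (RFC 5737 documentation space), the AS numbers (private 64500-series), the baseline paths and the BGP UPDATE lines are all constructed; the one-line-per-update text format is an assumption chosen for the example, not a real collector format.

```python
"""Flag BGP announcements that look like prefix hijacks or path detours.

Added example.  All prefixes, AS numbers and update lines below are
constructed; the line format (timestamp, A/W, prefix, AS path with the
origin last) is assumed for the example, not taken from a real feed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Prefixes we are responsible for and the origin AS allowed to announce
# each one, as an operator would hold them from ROAs or IRR route objects.
EXPECTED_ORIGINS: Dict[str, Set[int]] = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/23": {64501},
}
# Transit ASes expected to sit directly to the left of each origin.
EXPECTED_UPSTREAMS: Dict[int, Set[int]] = {64500: {64510, 64511}, 64501: {64512}}
# AS paths observed for each prefix during a quiet period (constructed).
BASELINE_PATHS: Dict[str, List[List[int]]] = {
    "203.0.113.0/24": [[64520, 64510, 64500], [64520, 64511, 64500]],
    "198.51.100.0/23": [[64520, 64512, 64501]],
}

# Constructed feed: two normal announcements, a more-specific from a
# foreign origin, a path with an AS never seen for that prefix, a
# withdrawal, and a path where a foreign AS has inserted itself next
# to the genuine origin so the origin check alone would pass.
SAMPLE_UPDATES = """\
2013-11-05T10:00:01 A 203.0.113.0/24 64520 64510 64500
2013-11-05T10:00:02 A 198.51.100.0/23 64520 64512 64501
2013-11-05T10:02:15 A 203.0.113.0/25 64520 64530 64599
2013-11-05T10:03:40 A 203.0.113.0/24 64520 64530 64510 64500
2013-11-05T10:04:00 W 198.51.100.0/23
2013-11-05T10:05:00 A 198.51.100.0/23 64520 64530 64501
"""


@dataclass
class Update:
    ts: str
    kind: str          # "A" announce or "W" withdraw
    prefix: str
    path: List[int]    # AS path as seen at the collector, origin last


@dataclass
class Alert:
    ts: str
    prefix: str
    kind: str
    detail: str


def parse_updates(text: str) -> List[Update]:
    """Parse the constructed one-line-per-update format."""
    updates = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        ts, kind, prefix = fields[0], fields[1], fields[2]
        updates.append(Update(ts, kind, prefix, [int(a) for a in fields[3:]]))
    return updates


def covering_prefix(prefix: str) -> Optional[str]:
    """Return the monitored prefix that equals or covers `prefix`, if any."""
    net = ipaddress.ip_network(prefix)
    for known in EXPECTED_ORIGINS:
        if net.subnet_of(ipaddress.ip_network(known)):
            return known
    return None


def check_update(u: Update) -> List[Alert]:
    """Apply the origin, upstream-adjacency and path-baseline checks."""
    alerts: List[Alert] = []
    if u.kind != "A" or not u.path:
        return alerts                      # withdrawals are not checked here
    covering = covering_prefix(u.prefix)
    if covering is None:
        return alerts                      # not one of our prefixes
    origin = u.path[-1]
    if origin not in EXPECTED_ORIGINS[covering]:
        scope = "more-specific" if u.prefix != covering else "exact-prefix"
        alerts.append(Alert(u.ts, u.prefix, "origin-hijack",
                            f"{scope} announcement from AS{origin}; "
                            f"expected {sorted(EXPECTED_ORIGINS[covering])}"))
        return alerts                      # no point checking the rest of the path
    if len(u.path) >= 2 and u.path[-2] not in EXPECTED_UPSTREAMS.get(origin, set()):
        alerts.append(Alert(u.ts, u.prefix, "unexpected-upstream",
                            f"AS{u.path[-2]} adjacent to origin AS{origin}"))
    baseline = {asn for p in BASELINE_PATHS.get(covering, []) for asn in p}
    new_ases = [asn for asn in u.path if asn not in baseline]
    if new_ases:
        alerts.append(Alert(u.ts, u.prefix, "path-detour",
                            f"path {u.path} contains AS(es) never seen for this prefix: {new_ases}"))
    return alerts


def analyze(text: str) -> List[Alert]:
    alerts: List[Alert] = []
    for u in parse_updates(text):
        alerts.extend(check_update(u))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_UPDATES):
        print(f"{a.ts} {a.prefix:18} {a.kind:20} {a.detail}")
```

The origin check is the one a route filter or RPKI validation would enforce; the other two only work as monitoring, because a transit router has no authoritative way to know which upstream adjacency is genuine. The last sample line shows why both are needed: the genuine origin is still at the end of the path, so an origin-only check passes it, and only the adjacency and baseline comparison notice the inserted AS.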
Conventionally encrypted links naively tell listeners the who, where and when of the communications.
Schneier makes good points in your first link: He asserts metadata=data, and makes special mention of the NSA's hatred for Tor. This is very apt, IMO... Tor is there early in his speech as an NSA bugaboo because anonymization networks are uniquely suited to hiding the metadata. Onion routing provides resistance to traffic analysis, and traffic analysis easily provides the who, where and when details of simplistic crypto links.
To get past the metadata surveillance problem, our encrypted communications will have to become both decentralized and structured. And the structure that current information technology can provide essentially boils down to a marriage of P2P and onion routing.
Now, if you want verification along with your onion routing, that is simpler than you may think because addresses on these networks also happen to be cryptographic keys that can be used to verify identity. If your systems remain secure, then no one else can reasonably impersonate you or the parties you're communicating with... as long as you stick to using .onion and .i2p addresses. This use of encrypted onion routing is known as 'darknet'.
So... To get past the surveillance problem and facilitate mutual trust, our communications will have to shift toward darknets. Online privacy requires the tools of anonymity every bit as much as it needs the principles of open source.
I'd actually recommend I2P - not Tor - as a model for a privacy- and trust-hardened Internet, because ubiquitous end-to-end encryption means no more need for "exit nodes", and also because I2P is intended to be general purpose, less centralized and more scalable... and the topology more closely mirrors a physical mesh network. They even have a server-less email system based on DHT running.
I2P is almost as old as Tor, and has increased its rate of growth considerably over the past few years. To me, the only real question about how appropriate the I2P concept is for a hardened Internet is just how many nodes it can really scale.
Attackers have wised up? rotfl.
We've known BGP is insecure for 15 years, pretty much since someone first thought of thinking "security" and "BGP" in the same sentence.
But the telco industry is horrible at security. I should know; I've been the IT security dude for a major ISP.
I would be surprised if active attacks on BGP were younger than 5 years. It's more likely that someone has finally taken a look.
Assorted stuff I do sometimes: Lemuria.org