Slashdot Mirror
Route-Injection Attacks Detouring Internet Traffic
msm1267 writes "Attackers are using route injection attacks against BGP-speaking routers to insert additional hops in the traffic stream, redirecting traffic to third-party locations where it can be inspected before it's sent to its destination. Internet intelligence company Renesys has detected close to 1,500 IP address blocks that have been hijacked on more than 60 days this year, a disturbing trend that indicates attackers could finally have an increased interest in weaknesses inherent in core Internet infrastructure."
Oh no did this get re-routed? Damn them.
another weakness.
Will the dark side be able to disturb the course of this story?
traceroute -m 100 216.81.59.173
Posting a worthwhile comment on this site is like reading Robert Frost to pigs. All you end up with is a book soaked in pigshit.
Who are they looking at? - That will tell us who is doing the looking.
All rites reversed 2010
Really, I think it's time for this.
The IETF commited themselves to do so, here are the talks (among the speakers: Bruce Schneier) and discussions:
http://www.youtube.com/watch?v=oV71hhEpQ20#t=23m02s
Here is the voting part:
http://www.youtube.com/watch?v=oV71hhEpQ20#t=2h28m20s
Yes, I think we need some DNSSEC with that too. Not for encryption, but to verify the data (when you route hijack you can easily change some DNS-packets).
The number of attackers that can get attack to the root and tld keys are limited. Yes, it might include NSA and CIA that can get access to the root*, but that probably means it won't be China or Russia.
* Although I don't see a way they can get access to the root signing key and stay undetected, that should deter them. Maybe they can get access to the zone signing keys though, they are valid for a couple of months. As VeriSign and ICANN are both organisations in the US. So they would need get access to those keys at least periodically though.
New things are always on the horizon
Looks like the NSA has competition
Perhaps some network guru can explain: Why wasn't this exploited long ago?
This whole article smacks of some CISSP pouring over BGP looking glass router logs and having a sophomore Eureka moment. BGP MITM is not practically possible because of the return path problem: the last router that dumped you the traffic believes you are the legitimate endpoint for that traffic and therefore is not going to forward it to the ACTUAL target once you're done doing nefarious things to it. The article tries to explain this away with the following:
"The traffic was likely examined and then returned on a “clean path” to its destination—all of this happening in the blink of an eye."
If the 'clean path' of the internet thinks Mallory is Bob, Mallory's theoretical egress 'Clean Path' will make the same assumption. Perhaps Alice's first hop AS was compromised? If so this is an isolated vendor network problem, not an 'internet at large' problem. Maybe Mallory's 'clean path' is a point to point to Bob? If so Bob's an idiot for signing a peering agreement with a known Hooligan.
This was likely a misconfigured customer router connected to an irresponsible ISP that doesn't filter the routes it accepts, just like the Pakistan/Youtube Incident. The author either doesn't understand the technical impossibility of the attack they're dreaming about or does and is willing to lose credibility in exchange for ad traffic.
"Traitorhands"? Maybe he shares an opinion like much of the people about deficit spending to fund a shiny new police state, and was in a better position to do something about it, then again he may have been at odds about rendering computing security a lost cause. Maybe someone should have mentioned all this before the banks came out with pci security standards and bilked the end users for something that doesn't exist?
specifically? is there a reason renesis does not appear to supply this information, or am i missing it?
"Attackers are using route injection attacks against BGP-speaking routers .. a disturbing trend that indicates attackers could finally have an increased interest in weaknesses inherent in core Internet infrastructure."
...
Like how, if a router is hackable then the weakness resides in the router, not the core Internet infrastructure, the internet is doing what it was designed for, routing packets
*sigh*
Another day, another announcement of an old hack which any serious network admin would have filtered by now. The fact this is happening at ISP/carrier level is extremely disheartening.
"We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
The NSA does it, was this the NSA?
"If any question why we died, Tell them because our fathers lied."
Conventionally encrypted links naively tell listeners the who, where and when of the communications.
Schneier makes good points in your first link: He asserts metadata=data, and makes special mention of the NSA's hatred for Tor. This is very apt, IMO... Tor is there early in his speech as an NSA bugaboo because anonymization networks are uniquely suited to hiding the metadata. Onion routing provides resistance to traffic analysis, and traffic analysis easily provides the who, where and when details of simplistic crypto links.
To get past the metadata surveillance problem, our encrypted communications will have to become both decentralized and structured. And the structure that current information technology can provide essentially boils down to a marriage of P2P and onion routing.
Now, if you want verification along with your onion routing, that is simpler than you may think because addresses on these networks also happen to be cryptographic keys that can be used to verify identity. If your systems remain secure, then no one else can reasonably impersonate you or the parties you're communicating with... as long as you stick to using .onion and .i2p addresses. This use of encrypted onion routing is known as 'darknet'.
So... To get past the surveillance problem and facilitate mutual trust, our communications will have to shift toward darknets. Online privacy requires the tools of anonymity every bit as much as it needs the principles of open source.
I'd actually recommend I2P - not Tor - as a model for a privacy- and trust-hardened Internet, because ubiquitous end-to-end encryption means no more need for "exit nodes", and also because I2P is intended to be general purpose, less centralized and more scalable... and the topology more closely mirrors a physical mesh network. They even have a server-less email system based on DHT running.
I2P is almost as old as Tor, and has increased its rate of growth considerably over the past few years. To me, the only real question about how appropriate the I2P concept is for a hardened Internet is just how many nodes it can really scale.
BTW, you may recognize many of the qualities touted by the Diaspora project in the responses below:
'Ubiquitous encryption' (on backbone, because that's where NSA taps are)
I2P goal is ubiquitous encryption between all routers and clients (which are essentially the same thing to it). Also, its general purpose so its possible ubiquitous among applications.
'Target dispersal'
If each person or organization routes traffic and mints their own crypto-based addresses, then power over communications is far more evenly distributed over the net. In many of the ways that matter, each node is acting as their own ISP and the physical ISPs become far less relevant to the legal machinations of the spies.
'Usable application layer encryption'
Apps are written for / adapted to I2P for the purpose of providing encryption; they will not be able to communicate with other nodes unless the I2P router service is running.
'More open source and standards'
Check - I2P is open source and libre.
'Better integrated anonymity tools'
Anonymity is the initial default for anyone starting to use I2P. Identities and trust relationships can be firmed-up in much the same way as ssh.
'Better assurance against system compromise'
I2P doesn't address this specifically, as the changes here need to begin more at the hardware and OS levels. Qubes OS, for instance, shows the hypervisor-enforced security context of programs via the window frame color. It also has a scheme to verify system authenticity at boot time using TPM hardware (if present). (I'm typing this now on a Qubes system.) Thus I2P apps running on Qubes can be placed in separate trust domains that are verified by the user at a glance.
Note: All of these points can be addressed on PCs; this may even be out of necessity. The surveillance problem is structural more than anything else-- the political and corporate classes are taking advantage of a reborn mainframe monoculture mainly "because we can". And if PCs are what made the Internet interesting and special in the first place, then probably PCs are where the change in the Internet needs to happen.
...which sounds like an oxymoron. I thought the Internet was to be considered a hostile environment, at all times. And if servers generally make this assumption, then everyone should.
Its PCs that need to be made safer, more trustworthy. And the requirements on his list seem to suggest that. For instance, target dispersal. How do you disperse responsibility for net traffic? Create more ISPs? Break them up? No class of corporate aristocrats and their politicos will stand for that. Its laughable! The establishment will only perform legal CYA and face-saving measures in response to surveillance revelations. Even then, the response will be less and less sincere after a short time and then only the people who run these companies will have any measure of privacy while the rest of us get lovingly-crafted PR as comfort.
I argue that the natural destination points for the dispersal are personal computers, in whichever shape they come. I2P is like a marriage of bittorrent and Tor-- THAT is the architecture which actually satisfies Bruce's suggestions. It is disingenuous for him to focus on backbones and ISPs given what he's asking for.
Attackers have wised up? rotfl.
We've known BGP is insecure for 15 years, pretty much since someone first thought of thinking "security" and "BGP" in the same sentence.
But the Telco industry is horrible at security. I should know, I've been the IT security dude for a major ISP.
I would be surprised if active attacks on BGP were younger than 5 years. It's more likely that someone has finally taken a look.
Assorted stuff I do sometimes: Lemuria.org
Screw BGP! let's go back to RIP! RIP is good! Static routes better!
DECNet Phase 3 here we come!
Harrison's Postulate - "For every action there is an equal and opposite criticism"
We use BGP internally here and we're connected to several other enterprises that have large BGP-routed internal networks. We're not a telco or an ISP.