Slashdot Mirror


Route-Injection Attacks Detouring Internet Traffic

msm1267 writes "Attackers are using route injection attacks against BGP-speaking routers to insert additional hops in the traffic stream, redirecting traffic to third-party locations where it can be inspected before it's sent to its destination. Internet intelligence company Renesys has detected close to 1,500 IP address blocks that have been hijacked on more than 60 days this year, a disturbing trend that indicates attackers could finally have an increased interest in weaknesses inherent in core Internet infrastructure."

20 of 85 comments

  1. another day by turkeydance · · Score: 2

    another weakness.

    1. Re:another day by khasim · · Score: 4, Interesting

      Maybe yes, but probably not.

      The thing with BGP is that there aren't that many sites using it and in order to pull off the attack as described you'd need a LOT of network resources. On the level of one of the backbone providers.

      In the past there have been problems where bad BGP info resulted in traffic going where it should not have gone. But that appears more like a black hole. Because there is no route back out.

      In order to exploit it the bad network would have to be able to stop the good networks from exchanging routing info. And in order to do that you'd have to be at their level and between them. At which point you already have the access.

    2. Re:another day by Anonymous Coward · · Score: 5, Informative

      The thing with BGP is that there aren't that many sites using it

      Woosh. Do you even know what you're talking about? There are literally NO "sites" using BGP (except inasmuch as sites use routers to convey data back to users). BGP is used by ISPs and Telcos, on peering routers etc.

      On the level of one of the backbone providers.

      Yep that is exactly what they are talking about. Someone is compromising backbone providers. THAT'S WHY THIS IS NEWS.

    3. Re:another day by khasim · · Score: 5, Interesting

      There are literally NO "sites" using BGP (except inasmuch as sites use routers to convey data back to users). BGP is used by ISPs and Telcos, on peering routers etc.

      You are wrong. I've worked at sites that do use BGP because they have to manage multiple incoming lines from multiple ISPs. It's for failover.

      Yep that is exactly what they are talking about. Someone is compromising backbone providers. THAT'S WHY THIS IS NEWS.

      No. Because the ISPs and Telcos exchange BGP information between themselves. So if bad BGP info is uploaded then it will be shared and the packets will only go to the bad network. They will never get to their original destination, because every time a packet hits a backbone router it will be routed back to the bad network.

      Unless their original destination is off of the bad network in which case why bother with this?

    4. Re:another day by pupsocket · · Score: 2

      Your objective is to get traffic to cross boundaries so that it fits into your authority to monitor. Then the traffic is subject to one of your existing keyword searches or is eligible to be stamped "authorized" by a Foreign Intelligence Court.

    5. Re:another day by jon3k · · Score: 3, Informative

      Khasim is profoundly wrong about several things, but a lot more than "ISPs and Telcos" run BGP. The entire concept of multihoming is based around announcing your netblock(s) to multiple carriers via BGP. This provides the broader internet with two AS_PATHs to you.

  2. Re:Lost by binarylarry · · Score: 3, Funny

    No, not at all.

    What's that over there?

    -Friendly NSA Spook

    --
    Mod me down, my New Earth Global Warmingist friends!

  3. If we know they are looking... by Ceriel+Nosforit · · Score: 2

    Who are they looking at? - That will tell us who is doing the looking.

    --
    All rites reversed 2010

  4. Encrypt all the things by Lennie · · Score: 3, Insightful

    Really, I think it's time for this.

    The IETF committed themselves to do so; here are the talks (among the speakers: Bruce Schneier) and discussions:
    http://www.youtube.com/watch?v=oV71hhEpQ20#t=23m02s

    Here is the voting part:
    http://www.youtube.com/watch?v=oV71hhEpQ20#t=2h28m20s

    Yes, I think we need some DNSSEC with that too. Not for encryption, but to verify the data (when you route hijack you can easily change some DNS-packets).

    The number of attackers that can get access to the root and TLD keys is limited. Yes, it might include the NSA and CIA, who can get access to the root*, but that probably means it won't be China or Russia.

    * Although I don't see a way they can get access to the root signing key and stay undetected; that should deter them. Maybe they can get access to the zone signing keys though, as they are valid for a couple of months, and VeriSign and ICANN are both organisations in the US. So they would need to get access to those keys at least periodically, though.

    --
    New things are always on the horizon

  5. misleading & likely incorrect by jgaynor · · Score: 5, Interesting

    This whole article smacks of some CISSP poring over BGP looking glass router logs and having a sophomore Eureka moment. BGP MITM is not practically possible because of the return path problem: the last router that dumped you the traffic believes you are the legitimate endpoint for that traffic and therefore is not going to forward it to the ACTUAL target once you're done doing nefarious things to it. The article tries to explain this away with the following:

    "The traffic was likely examined and then returned on a “clean path” to its destination—all of this happening in the blink of an eye."

    If the 'clean path' of the internet thinks Mallory is Bob, Mallory's theoretical egress 'Clean Path' will make the same assumption. Perhaps Alice's first hop AS was compromised? If so this is an isolated vendor network problem, not an 'internet at large' problem. Maybe Mallory's 'clean path' is a point to point to Bob? If so Bob's an idiot for signing a peering agreement with a known Hooligan.

    This was likely a misconfigured customer router connected to an irresponsible ISP that doesn't filter the routes it accepts, just like the Pakistan/Youtube Incident. The author either doesn't understand the technical impossibility of the attack they're dreaming about or does and is willing to lose credibility in exchange for ad traffic.

    1. Re:misleading & likely incorrect by PPH · · Score: 3, Insightful

      If so Bob's an idiot for signing a peering agreement with a known Hooligan.

      Unless that hooligan delivers the agreement attached to a National Security letter.

      From TFA:

      Renesys provided two examples of redirection attacks. The first took place every day in February with a new set of victims in the U.S., South Korea, Germany, the Czech Republic, Lithuania, Libya and Iran, being redirected daily to an ISP in Belarus.

      Makes sense. This is exactly the sort of partner I'd expect the NSA to work with. If packets were diverted through Langley, VA or somewhere in Utah, we'd all figure out who was behind this pretty quickly.

      --
      Have gnu, will travel.

    2. Re:misleading & likely incorrect by sjames · · Score: 2

      It's hard but not impossible as long as you are well connected (in the network topology sense) and accept that you can only hijack a portion of the traffic at once.

      For example, let's say you are directly connected at MAE East and MAE West. Announce your bogus route to some site on the east coast at MAE West. Make sure your announced cost is just short enough to look like the best route to a router in the western half of the U.S. Then tunnel the traffic to your own location for logging and whatever nefarious tricks you care to pull. Then re-inject it into the public internet at MAE East where the legitimate destination's announcement looks like a better route.

      Lather, rinse, repeat for other regions.
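
Added illustration (editor's example, not code from the thread, from Renesys or from Threatpost) of the return-path problem jgaynor raises and the "re-inject where the legitimate announcement looks better" trick sjames describes. It models a five-AS topology with a simplified BGP decision process (longest prefix, then shortest AS_PATH) and standard AS_PATH loop detection. The AS numbers, links, and the 203.0.113.0/24 prefix (RFC 5737 documentation space) are constructed. A naive hijack with a more-specific prefix black-holes the traffic at the attacker, because the transit AS it hands packets to has also learned the hijack. If the attacker instead prepends the ASNs of its intended egress path onto the forged AS_PATH, those ASes discard the hijack through loop detection and keep a clean route to the real origin, which is the technique publicly demonstrated at DEFCON 16 in 2008; only the remote network still prefers the more-specific hijack.

```python
import ipaddress
from collections import deque

# Constructed topology (AS numbers are illustrative; 203.0.113.0/24 is RFC 5737
# documentation space). Each adjacency is a BGP session over which routes are flooded.
LINKS = {
    100: [200],            # victim: legitimately originates 203.0.113.0/24
    200: [100, 300],       # victim's upstream
    300: [200, 400, 500],  # transit AS the attacker wants to use as its clean egress path
    400: [300, 500],       # attacker
    500: [300, 400],       # remote network whose traffic to the victim gets detoured
}
VICTIM_PREFIX = ipaddress.ip_network("203.0.113.0/24")
HIJACK_PREFIX = ipaddress.ip_network("203.0.113.0/25")  # more specific: wins longest-prefix match
TARGET_IP = "203.0.113.10"


def build_ribs(links, originations):
    """Flood each origination hop by hop. `originations` is a list of
    (origin_as, prefix, as_path); the attacker may pass a forged AS_PATH.
    An AS drops any UPDATE whose AS_PATH already contains its own ASN (standard
    BGP loop prevention) and re-floods the first route it accepts per prefix with
    its own ASN prepended; later routes for the same prefix are kept as alternates."""
    ribs = {asn: [] for asn in links}
    queue = deque()
    for origin, prefix, as_path in originations:
        ribs[origin].append({"prefix": prefix, "as_path": as_path, "next_hop": None})
        for nbr in links[origin]:
            queue.append((nbr, origin, prefix, as_path))
    while queue:
        rcv, snd, prefix, as_path = queue.popleft()
        if rcv in as_path:
            continue  # loop detection: the UPDATE is silently discarded
        already_known = any(r["prefix"] == prefix for r in ribs[rcv])
        ribs[rcv].append({"prefix": prefix, "as_path": as_path, "next_hop": snd})
        if already_known:
            continue
        for nbr in links[rcv]:
            if nbr != snd:
                queue.append((nbr, rcv, prefix, [rcv] + as_path))
    return ribs


def best_route(rib, dst_ip):
    """Simplified BGP decision: longest matching prefix, then shortest AS_PATH."""
    dst = ipaddress.ip_address(dst_ip)
    cands = [r for r in rib if dst in r["prefix"]]
    if not cands:
        return None
    return min(cands, key=lambda r: (-r["prefix"].prefixlen, len(r["as_path"])))


def forwarding_path(ribs, start_as, dst_ip):
    """Follow each AS's best route until the AS that originated it (next_hop None),
    or until there is no route or a forwarding loop. Returns the ASes traversed."""
    path, cur = [], start_as
    while True:
        if cur in path:
            return path + ["loop"]
        path.append(cur)
        route = best_route(ribs[cur], dst_ip)
        if route is None:
            return path + ["no-route"]
        if route["next_hop"] is None:
            return path  # delivered to the AS that originated the route
        cur = route["next_hop"]


def simulate(forge_return_path):
    """forge_return_path=False: naive hijack, AS_PATH = [400].
    forge_return_path=True: the attacker prepends the ASNs of its intended egress path
    (300, 200, 100) so those ASes discard the hijack via loop detection and keep
    forwarding the real /24 toward the victim.
    Returns (path of AS500's traffic, path once the attacker hands packets to AS300, RIBs)."""
    attacker_path = [400, 300, 200, 100] if forge_return_path else [400]
    ribs = build_ribs(LINKS, [(100, VICTIM_PREFIX, [100]), (400, HIJACK_PREFIX, attacker_path)])
    detour = forwarding_path(ribs, 500, TARGET_IP)
    egress = forwarding_path(ribs, 300, TARGET_IP)  # attacker static-routes captured packets to AS300
    return detour, egress, ribs


if __name__ == "__main__":
    for forged in (False, True):
        detour, egress, ribs = simulate(forged)
        as300_has_hijack = any(r["prefix"] == HIJACK_PREFIX for r in ribs[300])
        print(f"forged AS_PATH={forged}: AS500 -> {detour}; from AS300 -> {egress}; "
              f"AS300 accepted /25: {as300_has_hijack}")
```

With the naive announcement the egress trace from AS300 comes straight back to the attacker, which is exactly the black hole khasim and jgaynor describe. With the prepended path, AS300 never installs the /25 and delivers the packets to AS100, while AS500 still sends everything for the /25 to the attacker. The cost of the trick is visible in the model too: the forged AS_PATH is longer than the real one, so a looking glass that compares paths for the /24 and the /25 sees an origin that claims to sit behind ASes it does not actually transit.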

  6. Re:traceroute by fisted · · Score: 3, Informative

    All the 'evil party' has to do is not decrement the TTL. It won't show up in your traceroute then.
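
Added illustration (editor's example, not from the thread) of why a non-decrementing interception box is invisible to traceroute. The hop names and the two constructed paths are made up; the model only tracks which hop drives the probe's TTL to zero and therefore answers with ICMP Time Exceeded.

```python
# Constructed paths for the example: (hop name, whether the hop decrements TTL).
# The "evil-tap" box forwards IP packets without touching the TTL, so it never
# generates an ICMP Time Exceeded reply and never shows up as a hop.
CLEAN_PATH = [("edge-rtr", True), ("isp-core", True), ("ix-peer", True), ("dst-host", True)]
DETOURED_PATH = [("edge-rtr", True), ("isp-core", True), ("evil-tap", False),
                 ("ix-peer", True), ("dst-host", True)]


def traceroute(hops, max_ttl=30):
    """Emulate traceroute: send probes with TTL 1, 2, 3, ... and record which hop
    answers each one. A TTL-decrementing hop that takes the TTL to zero replies
    with Time Exceeded; the final hop answers as the destination and the scan stops."""
    replies = []
    for ttl in range(1, max_ttl + 1):
        remaining = ttl
        responder = None
        for i, (name, decrements) in enumerate(hops):
            is_destination = i == len(hops) - 1
            if decrements:
                remaining -= 1
            if is_destination:
                responder = name   # reached the target (ICMP Port Unreachable in practice)
            elif remaining == 0:
                responder = name   # ICMP Time Exceeded from this router
            if responder is not None:
                break
        replies.append(responder)
        if responder == hops[-1][0]:
            break
    return replies


if __name__ == "__main__":
    print("clean:   ", traceroute(CLEAN_PATH))
    print("detoured:", traceroute(DETOURED_PATH))
```

Both runs print the same four hops, so hop lists alone cannot distinguish the detoured path from the clean one; the evidence has to come from elsewhere (routing data such as the looking-glass comparisons Renesys uses, or end-to-end latency), not from the hop count.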

  7. which 1500 blocks by rewindustry · · Score: 2

    Specifically? Is there a reason Renesys does not appear to supply this information, or am I missing it?

  8. Re:Really? Again? by Antique+Geekmeister · · Score: 4, Insightful

    As a "serious network admin", most groups have little control over the critically necessary BGP handling of their upstream network provider. Once it's left your building, it takes considerable extra steps to track and verify the packets to ascertain whether the packets are being routed outside your upstream vendor's, or their colleagues', control. By the time you can get the evidence passed along to any party in any of those companies that can actually do anything about the problem, the attack is often already over, if not simply better concealed.

    Unfortunately, BGP has been a necessary evil to _balance_ traffic in a dynamic network. It's also unfortunate that it is often deliberately manipulated, as a matter of corporate strategy, to avoid expensive but faster routes, or to manipulate competitors' traffic reports. The amount of business-based manipulation of what was designed as a metric-based feedback and tuning system means that it will not ever be used for "honest" routing. I'm afraid that any plan to sanitize the BGP tables will run afoul of business needs and wind up rejected.

  9. Much prefer Invisible Internet (I2P) for that role by Burz · · Score: 3, Interesting

    Conventionally encrypted links naively tell listeners the who, where and when of the communications.

    Schneier makes good points in your first link: He asserts metadata=data, and makes special mention of the NSA's hatred for Tor. This is very apt, IMO... Tor is there early in his speech as an NSA bugaboo because anonymization networks are uniquely suited to hiding the metadata. Onion routing provides resistance to traffic analysis, and traffic analysis easily provides the who, where and when details of simplistic crypto links.

    To get past the metadata surveillance problem, our encrypted communications will have to become both decentralized and structured. And the structure that current information technology can provide essentially boils down to a marriage of P2P and onion routing.

    Now, if you want verification along with your onion routing, that is simpler than you may think because addresses on these networks also happen to be cryptographic keys that can be used to verify identity. If your systems remain secure, then no one else can reasonably impersonate you or the parties you're communicating with... as long as you stick to using .onion and .i2p addresses. This use of encrypted onion routing is known as 'darknet'.

    So... To get past the surveillance problem and facilitate mutual trust, our communications will have to shift toward darknets. Online privacy requires the tools of anonymity every bit as much as it needs the principles of open source.

    I'd actually recommend I2P - not Tor - as a model for a privacy- and trust-hardened Internet, because ubiquitous end-to-end encryption means no more need for "exit nodes", and also because I2P is intended to be general purpose, less centralized and more scalable... and the topology more closely mirrors a physical mesh network. They even have a server-less email system based on DHT running.

    I2P is almost as old as Tor, and has increased its rate of growth considerably over the past few years. To me, the only real question about how appropriate the I2P concept is for a hardened Internet is just how many nodes it can really scale.

  10. Schneier's bullet list: How I2P stacks up by Burz · · Score: 2

    BTW, you may recognize many of the qualities touted by the Diaspora project in the responses below:

    'Ubiquitous encryption' (on backbone, because that's where NSA taps are)
          I2P's goal is ubiquitous encryption between all routers and clients (which are essentially the same thing to it). Also, it's general purpose, so it's possible to be ubiquitous among applications.

    'Target dispersal'
          If each person or organization routes traffic and mints their own crypto-based addresses, then power over communications is far more evenly distributed over the net. In many of the ways that matter, each node is acting as their own ISP and the physical ISPs become far less relevant to the legal machinations of the spies.

    'Usable application layer encryption'
          Apps are written for / adapted to I2P for the purpose of providing encryption; they will not be able to communicate with other nodes unless the I2P router service is running.

    'More open source and standards'
          Check - I2P is open source and libre.

    'Better integrated anonymity tools'
          Anonymity is the initial default for anyone starting to use I2P. Identities and trust relationships can be firmed-up in much the same way as ssh.

    'Better assurance against system compromise'
          I2P doesn't address this specifically, as the changes here need to begin more at the hardware and OS levels. Qubes OS, for instance, shows the hypervisor-enforced security context of programs via the window frame color. It also has a scheme to verify system authenticity at boot time using TPM hardware (if present). (I'm typing this now on a Qubes system.) Thus I2P apps running on Qubes can be placed in separate trust domains that are verified by the user at a glance.

    Note: All of these points can be addressed on PCs; this may even be out of necessity. The surveillance problem is structural more than anything else-- the political and corporate classes are taking advantage of a reborn mainframe monoculture mainly "because we can". And if PCs are what made the Internet interesting and special in the first place, then probably PCs are where the change in the Internet needs to happen.

  11. attackers? by Tom · · Score: 3, Interesting

    Attackers have wised up? rotfl.

    We've known BGP is insecure for 15 years, pretty much since someone first thought of thinking "security" and "BGP" in the same sentence.

    But the Telco industry is horrible at security. I should know, I've been the IT security dude for a major ISP.

    I would be surprised if active attacks on BGP were younger than 5 years. It's more likely that someone has finally taken a look.

    --
    Assorted stuff I do sometimes: Lemuria.org

  12. Back to RIP by Virtucon · · Score: 2

    Screw BGP! let's go back to RIP! RIP is good! Static routes better!

    DECNet Phase 3 here we come!

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"

  13. Re:Pointless by Lotana · · Score: 4, Insightful

    You'll be surprised. There are diamonds in the shit. Many knowledgeable people frequent this site, but many are repulsed from making a new thread. They jump on good ones, though.

    So this is what stories are: early threads of jokes by people that don't read the article or summary; followed by people that read the summary then read the relevant Wikipedia article; finally by people that read the article. Somewhere in the last two categories, an insightful or interesting thread will be made and the worthwhile comments will come.

    Of course that won't happen if the good posters take up your attitude and just give up. So if you know something about the subject in the article, don't be shy and make a thread explaining the matter in your own words or make examples. Worst case scenario is that you get joke/grammar nazi responses or get down-modded. The former doesn't matter; as time goes on you will get insightful responses after a while. As for the latter: don't get discouraged. There are lots of us that read at -1.

    As is the case here :-)