Slashdot Mirror
Route-Injection Attacks Detouring Internet Traffic
msm1267 writes "Attackers are using route injection attacks against BGP-speaking routers to insert additional hops in the traffic stream, redirecting traffic to third-party locations where it can be inspected before it's sent to its destination. Internet intelligence company Renesys has detected close to 1,500 IP address blocks that have been hijacked on more than 60 days this year, a disturbing trend that indicates attackers could finally have an increased interest in weaknesses inherent in core Internet infrastructure."
No, not at all.
What that's over there?
-Friendly NSA Spook
Mod me down, my New Earth Global Warmingist friends!
Really, I think it's time for this.
The IETF commited themselves to do so, here are the talks (among the speakers: Bruce Schneier) and discussions:
http://www.youtube.com/watch?v=oV71hhEpQ20#t=23m02s
Here is the voting part:
http://www.youtube.com/watch?v=oV71hhEpQ20#t=2h28m20s
Yes, I think we need some DNSSEC with that too. Not for encryption, but to verify the data (when you route hijack you can easily change some DNS-packets).
The number of attackers that can get attack to the root and tld keys are limited. Yes, it might include NSA and CIA that can get access to the root*, but that probably means it won't be China or Russia.
* Although I don't see a way they can get access to the root signing key and stay undetected, that should deter them. Maybe they can get access to the zone signing keys though, they are valid for a couple of months. As VeriSign and ICANN are both organisations in the US. So they would need get access to those keys at least periodically though.
New things are always on the horizon
This whole article smacks of some CISSP pouring over BGP looking glass router logs and having a sophomore Eureka moment. BGP MITM is not practically possible because of the return path problem: the last router that dumped you the traffic believes you are the legitimate endpoint for that traffic and therefore is not going to forward it to the ACTUAL target once you're done doing nefarious things to it. The article tries to explain this away with the following:
"The traffic was likely examined and then returned on a “clean path” to its destination—all of this happening in the blink of an eye."
If the 'clean path' of the internet thinks Mallory is Bob, Mallory's theoretical egress 'Clean Path' will make the same assumption. Perhaps Alice's first hop AS was compromised? If so this is an isolated vendor network problem, not an 'internet at large' problem. Maybe Mallory's 'clean path' is a point to point to Bob? If so Bob's an idiot for signing a peering agreement with a known Hooligan.
This was likely a misconfigured customer router connected to an irresponsible ISP that doesn't filter the routes it accepts, just like the Pakistan/Youtube Incident. The author either doesn't understand the technical impossibility of the attack they're dreaming about or does and is willing to lose credibility in exchange for ad traffic.
Maybe yes, but probably not.
The thing with BGP is that there aren't that many sites using it and in order to pull off the attack as described you'd need a LOT of network resources. On the level of one of the backbone providers.
In the past there have been problems where bad BGP info resulted in traffic going where it should not have gone. But that appears more like a black hole. Because there is no route back out.
In order to exploit it the bad network would have to be able to stop the good networks from exchanging routing info. And in order to do that you'd have to be at their level and between them. At which point you already have the access.
All the 'evil party' has to do is not decrement the TTL. It won't show up in your traceroute then.
CLI paste? paste.pr0.tips!
The thing with BGP is that there aren't that many sites using it
Woosh. Do you even know what you're talking about? There are literally NO "sites" using BGP (except inasmuch as sites use routers to convey data back to users). BGP is used by ISPs and Telcos, on peering routers etc.
On the level of one of the backbone providers.
Yep that is exactly what they are talking about. Someone is compromising backbone providers. THAT'S WHY THIS IS NEWS.
You are wrong. I've worked at sites that do use BGP because they have to manager multiple incoming lines from multiple ISP's. It's for failover.
No. Because the ISP's and Telco's exchange BGP information between themselves. So if bad BGP info is uploaded then it will be shared and the packets will only go to the bad network. They will never get to their original destination. Because every time a packet hits a backbone router it will be routed back to the bad network.
Unless their original destination is off of the bad network in which case why bother with this?
As a "serious network admin", most groups have little control over the critically necessary BGP handling of their upstream nework provider. Ones is't left your building, it takes considerable extra steps to track and verify the packets to ascertain the packets are being routed outside your upstream venror, or their colleague's, control. By the time you can get the evidence passed along to any party in any of those companies that can actually do anything about the problem, the attack is often already over, if not simply better concealed.
Unfortunately, BGP has been a necessary evil to _balance_ traffic in a dynamic network. It's also unfortunate that it is often deliberately manipulated, as a matter of corporate strategy, to avoid expensive but faster routes, or to manipulate competitor's traffic reports. The amount of business based manipulation of what was designed as a metric based feedback and tuning system means that it will not ever be used for "honest" routing. I'm afraid that any plan to sanitize the BGP tables will run afoul of business needs and wind up rejected.
Conventionally encrypted links naively tell listeners the who, where and when of the communications.
Schneier makes good points in your first link: He asserts metadata=data, and makes special mention of the NSA's hatred for Tor. This is very apt, IMO... Tor is there early in his speech as an NSA bugaboo because anonymization networks are uniquely suited to hiding the metadata. Onion routing provides resistance to traffic analysis, and traffic analysis easily provides the who, where and when details of simplistic crypto links.
To get past the metadata surveillance problem, our encrypted communications will have to become both decentralized and structured. And the structure that current information technology can provide essentially boils down to a marriage of P2P and onion routing.
Now, if you want verification along with your onion routing, that is simpler than you may think because addresses on these networks also happen to be cryptographic keys that can be used to verify identity. If your systems remain secure, then no one else can reasonably impersonate you or the parties you're communicating with... as long as you stick to using .onion and .i2p addresses. This use of encrypted onion routing is known as 'darknet'.
So... To get past the surveillance problem and facilitate mutual trust, our communications will have to shift toward darknets. Online privacy requires the tools of anonymity every bit as much as it needs the principles of open source.
I'd actually recommend I2P - not Tor - as a model for a privacy- and trust-hardened Internet, because ubiquitous end-to-end encryption means no more need for "exit nodes", and also because I2P is intended to be general purpose, less centralized and more scalable... and the topology more closely mirrors a physical mesh network. They even have a server-less email system based on DHT running.
I2P is almost as old as Tor, and has increased its rate of growth considerably over the past few years. To me, the only real question about how appropriate the I2P concept is for a hardened Internet is just how many nodes it can really scale.
Attackers have wised up? rotfl.
We've known BGP is insecure for 15 years, pretty much since someone first thought of thinking "security" and "BGP" in the same sentence.
But the Telco industry is horrible at security. I should know, I've been the IT security dude for a major ISP.
I would be surprised if active attacks on BGP were younger than 5 years. It's more likely that someone has finally taken a look.
Assorted stuff I do sometimes: Lemuria.org
Khasim is profoundly wrong about several things, but a lot more than "ISPs and Telcos" run BGP. The entire concept of multihoming is based around announcing your netblock(s) to multiple carriers via BGP. This provides the broader internet with two AS_PATHs to you.
You'll be surprised. There are diamonds in the shit. Many knowledgeable people frequent this site, but many are repulsed from making a new thread. They jump on a good ones though.
So this is what stories are: Early threads of jokes by people that don't read the article or summary; Followed by people that read the summary then read relevant Wikipedia article; Finally by people that read the article. Somewhere in the last two categories, insightful or interesting thread will be made and the worthwhile comments will come.
Of course that won't happen if the good posters take up your attitude and just give up. So if you know something about the subject in the article, don't be shy and make a thread explaining the matter in your own words or make examples. Worst case scenario is that you get joke/grammar nazi responses or get down modded. The former doesn't matter as time goes on you will get insightful resposes after a while. As for the latter: Don't get discouraged. There are lots of us that read at -1.
As the case here :-)