Slashdot Mirror


Route-Injection Attacks Detouring Internet Traffic

msm1267 writes "Attackers are using route injection attacks against BGP-speaking routers to insert additional hops in the traffic stream, redirecting traffic to third-party locations where it can be inspected before it's sent to its destination. Internet intelligence company Renesys has detected close to 1,500 IP address blocks that have been hijacked on more than 60 days this year, a disturbing trend that indicates attackers could finally have an increased interest in weaknesses inherent in core Internet infrastructure."

6 of 85 comments

  1. misleading & likely incorrect by jgaynor · Score: 5, Interesting

    This whole article smacks of some CISSP pouring over BGP looking glass router logs and having a sophomore Eureka moment. BGP MITM is not practically possible because of the return path problem: the last router that dumped you the traffic believes you are the legitimate endpoint for that traffic and therefore is not going to forward it to the ACTUAL target once you're done doing nefarious things to it. The article tries to explain this away with the following:

    "The traffic was likely examined and then returned on a “clean path” to its destination—all of this happening in the blink of an eye."

    If the 'clean path' of the internet thinks Mallory is Bob, Mallory's theoretical egress 'Clean Path' will make the same assumption. Perhaps Alice's first hop AS was compromised? If so this is an isolated vendor network problem, not an 'internet at large' problem. Maybe Mallory's 'clean path' is a point to point to Bob? If so Bob's an idiot for signing a peering agreement with a known Hooligan.

    This was likely a misconfigured customer router connected to an irresponsible ISP that doesn't filter the routes it accepts, just like the Pakistan/YouTube incident. The author either doesn't understand the technical impossibility of the attack they're dreaming about or does and is willing to lose credibility in exchange for ad traffic.

  2. Re:another day by khasim · Score: 4, Interesting

    Maybe yes, but probably not.

    The thing with BGP is that there aren't that many sites using it and in order to pull off the attack as described you'd need a LOT of network resources. On the level of one of the backbone providers.

    In the past there have been problems where bad BGP info resulted in traffic going where it should not have gone. But that appears more like a black hole. Because there is no route back out.

    In order to exploit it the bad network would have to be able to stop the good networks from exchanging routing info. And in order to do that you'd have to be at their level and between them. At which point you already have the access.

  3. Re:another day by Anonymous Coward · Score: 5, Informative

    The thing with BGP is that there aren't that many sites using it

    Woosh. Do you even know what you're talking about? There are literally NO "sites" using BGP (except inasmuch as sites use routers to convey data back to users). BGP is used by ISPs and Telcos, on peering routers etc.

    On the level of one of the backbone providers.

    Yep that is exactly what they are talking about. Someone is compromising backbone providers. THAT'S WHY THIS IS NEWS.

  4. Re:another day by khasim · Score: 5, Interesting

    There are literally NO "sites" using BGP (except inasmuch as sites use routers to convey data back to users). BGP is used by ISPs and Telcos, on peering routers etc.

    You are wrong. I've worked at sites that do use BGP because they have to manage multiple incoming lines from multiple ISPs. It's for failover.

    Yep that is exactly what they are talking about. Someone is compromising backbone providers. THAT'S WHY THIS IS NEWS.

    No. Because the ISPs and Telcos exchange BGP information between themselves. So if bad BGP info is uploaded then it will be shared and the packets will only go to the bad network. They will never get to their original destination. Because every time a packet hits a backbone router it will be routed back to the bad network.

    Unless their original destination is off of the bad network in which case why bother with this?
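The route-propagation argument in jgaynor's comment (the "return path problem" and the misconfigured-customer-plus-unfiltering-ISP case) and khasim's point that injected BGP information is shared so packets only ever reach the bad network can be made concrete with a small model. The following Python is an added example and is not part of the Slashdot thread or of the Renesys report; the ASNs (private range), prefixes (documentation blocks), the customer's registered-prefix list and the expected-origin table are all constructed values, and the router model is a deliberate simplification (longest prefix match, then shortest AS path).

```python
# Added example (not from the thread): a toy model of how a BGP router picks
# a route and why a more-specific injected prefix wins, plus the two defender
# controls the comments allude to: ingress prefix filtering on customer
# sessions and an origin-AS consistency check (ROA-style) over the table.
# All ASNs are from the private range and all prefixes are documentation
# blocks; they are constructed for this example.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: Tuple[int, ...]  # leftmost = neighbour it was learned from, rightmost = origin AS

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def best_route(table: Iterable[Route], dst: str) -> Optional[Route]:
    """Route a router holding this table would use for dst.

    Longest prefix match decides first; a shorter AS path breaks ties.
    Nothing here knows which origin is 'legitimate': a more-specific
    announcement simply wins wherever it has propagated."""
    ip = ipaddress.ip_address(dst)
    covering = [r for r in table if ip in r.prefix]
    if not covering:
        return None
    return max(covering, key=lambda r: (r.prefix.prefixlen, -len(r.as_path)))


def origin_for(table: Iterable[Route], dst: str) -> Optional[int]:
    """Origin AS a packet to dst would be delivered to under this table."""
    r = best_route(table, dst)
    return None if r is None else r.origin_as


def customer_ingress_filter(routes: Iterable[Route], registered: Iterable[str]) -> List[Route]:
    """Accept from a customer session only prefixes inside its registered blocks.

    This is the control the 'irresponsible ISP that doesn't filter the routes
    it accepts' lacks: a leak that never enters the ISP's table is never
    shared onward to its peers."""
    allowed = [ipaddress.ip_network(p) for p in registered]
    return [r for r in routes if any(r.prefix.subnet_of(a) for a in allowed)]


def detect_origin_conflicts(table: Iterable[Route], expected_origins: Dict[str, int]) -> List[Route]:
    """Flag routes whose origin AS disagrees with the registered origin of a
    covering prefix (the check a route monitor or RPKI validator performs)."""
    expected = [(ipaddress.ip_network(p), asn) for p, asn in expected_origins.items()]
    conflicts = []
    for r in table:
        for prefix, asn in expected:
            if r.prefix.subnet_of(prefix) and r.origin_as != asn:
                conflicts.append(r)
                break
    return conflicts


# Constructed scenario: AS 64500 legitimately originates 203.0.113.0/24, heard
# via transit AS 64600. AS 64666, a customer of AS 64700, injects the
# more-specific 203.0.113.0/25, for which it holds no registration.
LEGIT = Route(ipaddress.ip_network("203.0.113.0/24"), (64600, 64500))
INJECTED = Route(ipaddress.ip_network("203.0.113.0/25"), (64700, 64666))
REGISTERED_FOR_64666 = ["198.51.100.0/24"]  # the only block this customer may announce
EXPECTED_ORIGINS = {"203.0.113.0/24": 64500}


def unfiltered_view() -> List[Route]:
    """Table at any router that accepted the leak (AS 64700 passed it on)."""
    return [LEGIT, INJECTED]


def filtered_view() -> List[Route]:
    """Same table when AS 64700 filters its customer session."""
    return [LEGIT] + customer_ingress_filter([INJECTED], REGISTERED_FOR_64666)


if __name__ == "__main__":
    # With the leak in the table, every router that holds it (including any
    # 'clean path' the hijacker might try to hand the packet to) delivers
    # 203.0.113.10 to AS 64666: the return-path problem the comments describe.
    print("unfiltered:", origin_for(unfiltered_view(), "203.0.113.10"))   # 64666
    print("outside /25:", origin_for(unfiltered_view(), "203.0.113.200"))  # 64500
    print("filtered:", origin_for(filtered_view(), "203.0.113.10"))        # 64500
    print("conflicts:", [str(r.prefix) for r in detect_origin_conflicts(unfiltered_view(), EXPECTED_ORIGINS)])
```

Two things the model makes visible: hosts in the /25 are captured by the more-specific route at every router that accepted it, while hosts in the rest of the /24 are unaffected, and the single ingress filter at the hijacker's upstream removes the problem before it can propagate. The origin-conflict check is what a monitoring service runs over observed announcements to notice the event after the fact.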

  5. Re:Really? Again? by Antique+Geekmeister · Score: 4, Insightful

    As a "serious network admin", most groups have little control over the critically necessary BGP handling of their upstream network provider. Once it's left your building, it takes considerable extra steps to track and verify the packets to ascertain the packets are being routed outside your upstream vendor's, or their colleague's, control. By the time you can get the evidence passed along to any party in any of those companies that can actually do anything about the problem, the attack is often already over, if not simply better concealed.

    Unfortunately, BGP has been a necessary evil to _balance_ traffic in a dynamic network. It's also unfortunate that it is often deliberately manipulated, as a matter of corporate strategy, to avoid expensive but faster routes, or to manipulate competitors' traffic reports. The amount of business-based manipulation of what was designed as a metric-based feedback and tuning system means that it will not ever be used for "honest" routing. I'm afraid that any plan to sanitize the BGP tables will run afoul of business needs and wind up rejected.

  6. Re:Pointless by Lotana · Score: 4, Insightful

    You'll be surprised. There are diamonds in the shit. Many knowledgeable people frequent this site, but many are repulsed from making a new thread. They jump on a good one though.

    So this is what stories are: early threads of jokes by people that don't read the article or summary; followed by people that read the summary then read the relevant Wikipedia article; finally by people that read the article. Somewhere in the last two categories, an insightful or interesting thread will be made and the worthwhile comments will come.

    Of course that won't happen if the good posters take up your attitude and just give up. So if you know something about the subject in the article, don't be shy and make a thread explaining the matter in your own words or make examples. Worst case scenario is that you get joke/grammar nazi responses or get down-modded. The former doesn't matter; as time goes on you will get insightful responses after a while. As for the latter: don't get discouraged. There are lots of us that read at -1.

    As is the case here :-)