Slashdot Mirror

← Back to Stories (view on slashdot.org)

Route-Injection Attacks Detouring Internet Traffic

Posted by Unknown on from the blame-the-nsa dept.

msm1267 writes "Attackers are using route injection attacks against BGP-speaking routers to insert additional hops in the traffic stream, redirecting traffic to third-party locations where it can be inspected before it's sent to its destination. Internet intelligence company Renesys has detected close to 1,500 IP address blocks that have been hijacked on more than 60 days this year, a disturbing trend that indicates attackers could finally have an increased interest in weaknesses inherent in core Internet infrastructure."

3 of 85 comments (clear)

  1. misleading & likely incorrect by jgaynor · · Score: 5, Interesting

    This whole article smacks of some CISSP pouring over BGP looking glass router logs and having a sophomore Eureka moment. BGP MITM is not practically possible because of the return path problem: the last router that dumped you the traffic believes you are the legitimate endpoint for that traffic and therefore is not going to forward it to the ACTUAL target once you're done doing nefarious things to it. The article tries to explain this away with the following:

    "The traffic was likely examined and then returned on a “clean path” to its destination—all of this happening in the blink of an eye."

    If the 'clean path' of the internet thinks Mallory is Bob, Mallory's theoretical egress 'Clean Path' will make the same assumption. Perhaps Alice's first hop AS was compromised? If so this is an isolated vendor network problem, not an 'internet at large' problem. Maybe Mallory's 'clean path' is a point to point to Bob? If so Bob's an idiot for signing a peering agreement with a known Hooligan.

    This was likely a misconfigured customer router connected to an irresponsible ISP that doesn't filter the routes it accepts, just like the Pakistan/Youtube Incident. The author either doesn't understand the technical impossibility of the attack they're dreaming about or does and is willing to lose credibility in exchange for ad traffic.

  2. Re:another day by Anonymous Coward · · Score: 5, Informative

    The thing with BGP is that there aren't that many sites using it

    Woosh. Do you even know what you're talking about? There are literally NO "sites" using BGP (except inasmuch as sites use routers to convey data back to users). BGP is used by ISPs and Telcos, on peering routers etc.

    On the level of one of the backbone providers.

    Yep that is exactly what they are talking about. Someone is compromising backbone providers. THAT'S WHY THIS IS NEWS.

  3. Re:another day by khasim · · Score: 5, Interesting

    There are literally NO "sites" using BGP (except inasmuch as sites use routers to convey data back to users). BGP is used by ISPs and Telcos, on peering routers etc.

    You are wrong. I've worked at sites that do use BGP because they have to manager multiple incoming lines from multiple ISP's. It's for failover.

    Yep that is exactly what they are talking about. Someone is compromising backbone providers. THAT'S WHY THIS IS NEWS.

    No. Because the ISP's and Telco's exchange BGP information between themselves. So if bad BGP info is uploaded then it will be shared and the packets will only go to the bad network. They will never get to their original destination. Because every time a packet hits a backbone router it will be routed back to the bad network.

    Unless their original destination is off of the bad network in which case why bother with this?