Slashdot Mirror

← Back to Stories (view on slashdot.org)

BGP Hijacking Continues, Despite the Ability To Prevent It

Posted by Soulskill on from the won't-fix dept.

An anonymous reader writes: BGPMon reports on a recent route hijacking event by Syria. These events continue, despite the ability to detect and prevent improper route origination: Resource Public Key Infrastructure. RPKI is technology that allows an operator to validate the proper relationship between an IP prefix and an Autonomous System. That is, assuming you can collect the certificates. ARIN requires operators accept something called the Relying Party Agreement. But the provider community seems unhappy with the agreement, and is choosing not to implement it, just to avoid the RPA, leaving the the Internet as a whole less secure.

57 comments

  1. BGP? by danceswithtrees · · Score: 3, Informative

    What if we agree to spell out obscure acronyms the first time? Yes, I can google/bing it to find likely candidates, but what if you make life easier for all involved and actually use Border Gateway Protocol (BGP)? Mmmmkay?

    1. Re: BGP? by Anonymous Coward · · Score: 3, Funny

      this is a site for nerds...or at least used to be until your lazy ass showed up

    2. Re:BGP? by Anonymous Coward · · Score: 2, Funny

      This is slashdot you insensitive clod, a site for nerds. I knew what BGP meant without looking it up.

    3. Re:BGP? by Anonymous Coward · · Score: 2, Funny

      Guess it's "News for Plebians".

    4. Re:BGP? by behrooz0az · · Score: 1

      I don't think BGP is simple enough for a non-nerd like you to understand in less than an hour, If you don't know what it means just pass.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
    5. Re:BGP? by uCallHimDrJ0NES · · Score: 1

      I see Fry narrowing his eyes.

      --
      Cloudiot: A person who does not see offsite storage as a way to lose control over access to his or her own data.
    6. Re:BGP? by AaronLS · · Score: 1

      I think both sides of the argument are pretty mute anyhow. I don't think much is gained or lost either way you go.

      I know what BGP is but I never memorized what the letters stand for. Even if we spelled it out, that barely scratches the surface of what it is and doesn't make the article anymore informative for someone not versed in what BGP is.

      Yes, it is usually standard practice in any formal writing. Slashdot is hardly formal though, when Bennet gets to spout his half formed ramblings every week.

    7. Re:BGP? by wonkey_monkey · · Score: 2

      I don't think BGP is simple enough for a non-nerd...

      Since when did "nerd" only cover people who understand BGP? I don't remember that on the entrance exam...

      Heaven forbid anyone should be allowed to come away from reading a story on Slashdot more informed. Can't be having that!

      A simple, painless expansion of an acronym would at least give every reader a fighting chance at a rough guess of what it does, or at least what it relates to.

      --
      systemd is Roko's Basilisk.
    8. Re:BGP? by mythosaz · · Score: 1

      I think both sides of the argument are pretty mute anyhow.

      frysquint.jpg

    9. Re:BGP? by mythosaz · · Score: 1

      Concur. I happen to know what BGP is, but there's plenty of nerds for whom this site provides news that could have probably used a link - especially if they wanted to understand it better before reading the article. [...but after first posting.]

    10. Re:BGP? by nblender · · Score: 4, Insightful

      I guess I disagree. I don't want to have to see "Transmission Control Protocol / Internet Protocol" the first time in every article that mentions TCP/IP... I'm surprised you also didn't mention that "ARIN" wasn't expanded, or "IP"... Probably because you know what those mean. I've been in this industry for dozens of years and there are abbreviations that come up all the time that I don't know but I just google them... It's not a big deal.

    11. Re:BGP? by David_Hart · · Score: 5, Insightful

      I don't think BGP is simple enough for a non-nerd...

      Since when did "nerd" only cover people who understand BGP? I don't remember that on the entrance exam...

      Heaven forbid anyone should be allowed to come away from reading a story on Slashdot more informed. Can't be having that!

      A simple, painless expansion of an acronym would at least give every reader a fighting chance at a rough guess of what it does, or at least what it relates to.

      Um... given that BGP is THE core routing protocol for the Internet... Yeah... you should at least know what it is at a basic level. It fits into the same category as DNS, HTML, ISP, etc.

      It's a lot like the programmers talking on here about the Waterfall model. It's expected that if you don't know something that you will take 5 seconds to look it up. Just maybe you'll learn something new... oh horrors... (grin)

      For those who still don't know, BGP stands for Border Gateway Protocol. At a very basic level, it's a routing protocol used to advertise routes between ISPs and other Internet connected organizations. It's these routes that we use to get to Netflix, for example.

    12. Re:BGP? by maybridge · · Score: 2

      a) Its a headline b) " for all involved " maybe you're not involved. skip over it and let the adults carry on

    13. Re: BGP? by Bing+Tsher+E · · Score: 2

      This is a site for nerds, not IT types.

      Do you know what a LASCR is, and how and why you might use it to slave a photoflash? If not, GTFO.

    14. Re:BGP? by Anonymous Coward · · Score: 1

      If everything in nerdland should be obvious, that means nerds only know obvious things.

    15. Re:BGP? by fufufang · · Score: 2

      I think most people on this website knows what BGP is, hence the acronym.

    16. Re:BGP? by sconeu · · Score: 1

      Based on this thread, I doubt they're mute, given that people are expressing opinions on both sides...

      On the other hand, both sides might be moot....

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    17. Re: BGP? by Mashiki · · Score: 2

      This is a site for nerds, not IT types.

      Strange, I remember when it was a site for IT types, but that was back when CowboyNeal was still here, and the plebs hadn't really destroyed the internet.

      --
      Om, nomnomnom...
    18. Re: BGP? by dbIII · · Score: 3, Funny

      Do you know what a LASCR is

      An Indian sailor.

      and how and why you might use it to slave a photoflash

      Slavery is wrong.

    19. Re:BGP? by Gravis+Zero · · Score: 1

      What if we agree to spell out obscure acronyms the first time?

      I guess I disagree. I don't want to have to see "Transmission Control Protocol / Internet Protocol" the first time in every article that mentions TCP/IP

      good news everyone! using time travel, i have added a html tag specifically for abbreviations. go ahead and try it, it's the <abbr> tag.

      --
      Anons need not reply. Questions end with a question mark.
    20. Re: BGP? by Anonymous Coward · · Score: 0

      This is not only a site for IT types, but for sysadmin IT types.

      Do you even know what /. (Slashdot) means? If not, GTFO.

    21. Re: BGP? by Anonymous Coward · · Score: 0

      The SCR solution is out of date because there are too many false trips from other cameras. They are also incomparable with Red Eye Reduction as they trip on the first flash. I built and used them about 30 years ago, but had to add a dividing resistor and cap to it as most I could find at the time were only 200V and my flash was just over 300. Use one of the radio link versions for immunity from the jerk with the pocket camera at your event.

    22. Re:BGP? by epyT-R · · Score: 1

      if you don't know what some acronym means, look it up or go whine about it on your tumblr.

    23. Re:BGP? by epyT-R · · Score: 1

      or they could've spent two seconds typing 'bgp' into a search engine. I bet the wiki link would be on top.

    24. Re: BGP? by Anonymous Coward · · Score: 0

      I just googled it, now I do.

      What are you even doing here ;^) ?

    25. Re: BGP? by Anonymous Coward · · Score: 0

      Do you have any idea where slashdot name comes from?

    26. Re:BGP? by behrooz0az · · Score: 1

      Both Parent and GP are right in some sense.
      My point was you have to know the authentication algorithm, the path choosing algorithm, what a peer group or a router id is and which ones are relevant or irrelevant to a BGP hijacking to be able to actually understand what this is all about.
      BGP is not your everyday routing protocol, it's not RIP, that was my point.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  2. philosophical exemption or survival instinct? by Anonymous Coward · · Score: 0

    more grey area....? https://www.youtube.com/result...

  3. Required -- Except When It Isn't by rudy_wayne · · Score: 1

    ARIN requires operators accept something called the Relying Party Agreement.

    But the provider community . . . is choosing not to implement it

    So ARIN apparently has no ability to enforce the 'requirement', making the 'requirement' meaningless.

    1. Re:Required -- Except When It Isn't by suutar · · Score: 3, Informative

      It's required if you want to use ARIN's data. Those who choose not to agree are simply not using that data, with the consequence that they are less effective at validating route origin identity.

    2. Re:Required -- Except When It Isn't by Cramer · · Score: 1

      It's an ARIN requirement when using ARIN's RPKI services.

      The base issue with all this "route hijacking" has fuck all to do with RPKI. It's a simple matter of ISPs being a bunch of lazy asses who cannot be bothered to filter what gets announced to them. Sure, that becomes more work the larger you are, but that's the price of doing this kind of business!

    3. Re:Required -- Except When It Isn't by marka63 · · Score: 1

      And how do you know what to filter?

      RPKI is about providing a trustworthy database that can be used to decide what to filter and what to permit.

    4. Re:Required -- Except When It Isn't by silas_moeckel · · Score: 1

      RADB for one. RPKI is pretty ugly and untill everybody uses it it's not that useful. RADB is here now and you can require that everybody registers as a condition of peering/transit.

      --
      No sir I dont like it.
    5. Re:Required -- Except When It Isn't by Anonymous Coward · · Score: 0

      RADB for one. RPKI is pretty ugly and untill everybody uses it it's not that useful. RADB is here now and you can require that everybody registers as a condition of peering/transit.

      RADB has shortcomings of its own.
      The problem at its heart is that even ARIN doesn't have any way to know who should actually be announcing which scopes. All they can tell you is which AS has ownership, that AS sets up relationships with one or more other AS's. But anything which isn't coming directly from the originating AS can't be easily verified.

      You don't have to actually announce that you're the BGP source AS to hijack traffic, you just need to announce you have a better route than everyone else (or most everyone).

  4. More importantly by Anonymous Coward · · Score: 4, Interesting

    Why do we continue to allow peers that have proven to be problematic in the BGP backbone? simply do not share routes with these ASs any more and fuck their shit hole countries until they stop dicking with the core of the internet.

    its not like any old admin can be like "Ok i'm going to broadcast bad routes that will be observed and respected by all the core routers of the internet"

    no these people have special agreements with the neighbours they route with, its not like BGP packets just fly around the internet from some random workstation belonging to a hacker magically find their way onto the private vlans the cores use for bgp traffic.

    even if it wasnt technically preventable it should simply be resolved by refusing peering after an incident.

    1. Re:More importantly by Anonymous Coward · · Score: 0

      yeah when a carrier misbehaves you just say "I'm sorry no internet for you because your either malicious or way to inept to be part of the internet back bone good bye now"

    2. Re:More importantly by Anonymous Coward · · Score: 0

      Why do we continue to allow peers that have proven to be problematic in the BGP backbone

      1. Money.
      2. Bad BGP actors have been around since very very soon BGP came off Yakov Rekhter's napkins.

  5. Shoplifting occurs despite the ability to prevent by mysidia · · Score: 3, Informative

    These events continue, despite the ability to detect and prevent improper route origination

    Locked cases with hardened glass are a technology that allow a store to protect products for sale from surreptitious pilfering. That is, assuming you can fit the products in the case. Lock manufacturers for the cases require stores to accept something called a "key security agreement", but the shop owner community seems unhappy with the inconvenience posed to customers, and is choosing not to implement it, just to avoid the KSA, leaving the goods on store shelves worldwide as a whole less secure.

  6. Great in theory, better for tyrants in practice. by Anonymous Coward · · Score: 0

    "Internet as a whole less secure" ?

    Really? The flip side of RPKI is related to who owns the keys, because who owns the keys controls the Internet.

    Think "Internet Off Switch".

  7. Re:Shoplifting occurs despite the ability to preve by maybridge · · Score: 1

    So, we should never do anything to improve security because it isn't 100% effective. Got it.

  8. Re:Great in theory, better for tyrants in practice by 8-Track · · Score: 2

    That's a bit dramatic. It's a data set with statements about routing, it doesnt affect BGP directly, that's up to the operator who uses the data. The signatures are there so the user of the data can validate intergrity. If it turns out the system is being abused, operators will simply stop using RPKI data and fall back on whatever they use now (e.g. route objects in the IRR).

  9. Re:Shoplifting occurs despite the ability to preve by Wintermute__ · · Score: 1

    So, we should never do anything to improve security because it isn't 100% effective.

    Got it.

    And 100% as convenient, too, don't forget. Wouldn't want to incur any costs or have to lift a finger for that security.

  10. Prefix This by TheRealHocusLocus · · Score: 5, Funny

    Just flipped down the thread:

    AAAAASSSS????ASSSA?FFbFbb??bBM

    Key:
    A = messages complaining about use of acronym, explaining it
    S = messages questioning relevance of BGP to 'Nerd', answers
    ? = WTF responses (Fry, Bennet)
    F = political views (fuck ARIN, fuck legalese, fuck de Man)
    b = relevant but misinformed (filtering not quicky-solve, RPKI not Kill Switch)
    B = relevant, thoughtful response to a 'b'
    M = this, meta message about thread.

    If the rest of the Internet was like this, no actual routes would ever be advertised.

    My life is light, waiting for the death wind,
    Like a feather on the back of my hand.
    Dust in sunlight and memory in corners
    Wait for the wind that chills towards the dead land.
    ~T.S. Eliot

    --
    <blink>down the rabbit hole</blink>
    1. Re:Prefix This by Anonymous Coward · · Score: 0

      ...but the internet *is* like this...

    2. Re:Prefix This by TheRealHocusLocus · · Score: 1

      (feeling karma-guilty now) Some of my previous BGP bookmarks,

      The RFC6480 I'm sure you'll want to read this first, every bit of it. Others may wish to skip on to the next chapter which is a good bit and has Marvin the Robot in it.

      Introduction to BGP and How BGP best path (by default!)
      [2014] spammers squatting on unassigned IP address ranges
        [2014] Using BGP advertisements to gather Bitcoin mining traffic (doing digital money with unsecured protocols, kewl!)
      [2012] Packet Pushers #93: Lies and Routing in the Internet great interview with Geoff Huston. Look for the show notes links too.
      [2012] Packet Pushers #105: BGP Origin Validation with Resource Public Key Infrastructure (RPKI) with Alex Brand from RIPE. Discussion of attack profiles, resistance and real-world challenges to its implementation.
      [2012] Previous Slashdot: Engineers Ponder Easier Fix To Internet Problem
      [2013] Denver pings Denver --- via Iceland! Someone's Been Routing Internet Data Through The Great Chefs Of Europe

      Here's some confusing BGP routing diagrams to print out and tape to the walls to impress everybody.

      --
      <blink>down the rabbit hole</blink>
  11. Re:Shoplifting occurs despite the ability to preve by Anonymous Coward · · Score: 1

    And signing a mass of unenforceable rent-seeker written security theater legalese is actually better than what we have now, which amounts infrequent and temporary disruption of marginal, poorly run systems? PKI systems get compromised as well, you know.

    I'd rather risk the vulnerabilities than stop the rapid growth of the Internet, or have it bifurcate into the signatories and the non-signatories, which is the more likely outcome. The fact that a third-world civil war hellhole like Syria even has any Internet to be compromised is a f-ing miracle and a direct result of this libertine nature. Locking out operators in such places because the rest of the world can't get a legally enforceable signature out of someone is a bad idea.

    Operators don't want this. I don't know what your prerogatives are, but for me that trumps ARINs lawyers. The Internet is supposed to have an end-to-end model where one authenticates peers when necessary, so at worst a compromised router should amount to a DOS; quickly noticed and remedied.

  12. BGP by Anonymous Coward · · Score: 0

    Yes, probably BGP will be the reason the day the internet "goes down" one day. However its like saying the power gird will go down because there was no power. BGP has to exist. But all the outages caused by BGP so far have been mistakes, even when we sent all internet traffic in the world to China.

  13. Re:Shoplifting occurs despite the ability to preve by mysidia · · Score: 1

    That's not the message. The message is: that some security problems can be solved technically, but the solution is so problematic, that the solution can't reasonably be accepted.

    The major problem with RPKI is the legalese, and the fact that operators have some reasons not to trust the RIRs to administer it.

    We see some of the matters of policy as self-serving. We recognize that RIRs are not infallible, and we're concerned about giving a single organization too much power over the community-operated internet.

    Yes, ARIN and other RIRs are in control of WHOIS and the official record, which are only of value due to the consensus recognizing them, but us operators remain effective control of the operational internet.

    If ARIN craziness results in an IP address allocation being revoked for insane reasons, such as registrant forgot to pay a bill, well, their network just keeps working --- since the RIR has no power to stop a working network.

    RPKI changes this.

    Also, since IPv6 makes RIRs such as ARIN a lot less relevant, we are concerned about their "rent seeking" behavior from operators, not just today, but in the future, and possible exorbitant price increases to discourage IPv4 usage and promote "outreach programs" and conferences and parties and other excess spending of questionable relevance to resource holders.

    No ARIN-administered RPKI keeps the power more in balance --- today the network operators have a "check" on ARIN's power, by simply ignoring resource revokations and refusing to disrupt network(s) ARIN says to disrupt.

  14. Or people could, you know, do their damn jobs... by TaliesinWI · · Score: 2

    As the article points out, the only reason this was able to work was because one of the upstreams didn't filter announcements correctly. So instead of one provider doing something simple, the "fix" is for the rest of the world to do something complex?

    Back in the day if a provider dicked around with BGP enough (either through incompetence or malice) they would find that eventually no one would accept any prefixes originating from their network. Kind of hard to have customers when the rest of the internet won't accept your traffic, isn't it?

    BGP4 was new and exciting in 1994, and people are still doing it incorrectly. Film at 11.

  15. Re:Or people could, you know, do their damn jobs.. by silas_moeckel · · Score: 1

    Teirs of providers screwed up, Telecom Italia should have never accepted the routes. Considering that the whole AS has 84 ipv4 prefixes that could/should be summarized it's a pretty static list. They have one "client" bgp session to their own second AS. Telecom Italia is big enough where it looks like bigger fish dropped the ball filtering it's nearly 40k routes (possibly also hardware issues 40k long prefix lists can make routers unhappy).

    --
    No sir I dont like it.
  16. Re:Or people could, you know, do their damn jobs.. by TubeSteak · · Score: 1

    As the article points out, the only reason this was able to work was because one of the upstreams didn't filter announcements correctly. So instead of one provider doing something simple, the "fix" is for the rest of the world to do something complex?

    Yes.

    If the entire BGP system is reliant on any 1 participant to properly implement security, then you can be assured there will be at least 1 participant who does not properly implement security.

    We should assume the entire network is hostile and full of bad actors, then "fix" accordingly.
    That's how you build robust networks.

    For example: assuming everyone will play nicely is why the NSA got to tap datacenter-to-datacenter x-fers for the major internet companies. Once this came to light, each and every company did something complex, instead of the "simple" solution of the NSA not spying on them.

    --
    [Fuck Beta]
    o0t!
  17. Re:Shoplifting occurs despite the ability to preve by 8-Track · · Score: 1

    A revoked certificate or a mess up by the RIR will *not* result in an unreachable network. It's possibly the biggest misconception about RPKI. http://mailman.nanog.org/piper...

  18. Re:Or people could, you know, do their damn jobs.. by ledow · · Score: 1

    Agreed. It's like saying SSL is secure when it relies on every CA to operate in the same secure way. Oops.

    Or email is reliant on one particular server not relaying out spam to others and faking return addresses, etc.

    Lots of big tech relies on "honesty". The only way to fix it is to enforce a protocol that ensures compliance (or punsihes non-compliance with relegation).

    If you don't play ball in DNSSEC, for example, then people know you're not playing ball. You either participate properly or not at all.

    If we made all the protocols like this, and revoke trust / power / reputation from those who mess up, people might start to manage these system for the benefit of others instead of just themselves.

  19. Re:Good by Anonymous Coward · · Score: 0

    Just to clarify - We sign route in the RIPE region with RPKI. Its all covered in the fees we're paying anyway and just need to click the "Validate Route" button if you let them manage the PKI portion.

    This isnt the SSL monopoloy you're used to selling large primes. Little bit of understanding might be worth while before you go off ranting next time.

  20. Re:Shoplifting occurs despite the ability to preve by Anonymous Coward · · Score: 0

    These events continue, despite the ability to detect and prevent improper route origination

    Locked cases with hardened glass are a technology that allow a store to protect products for sale from surreptitious pilfering.
    That is, assuming you can fit the products in the case. Lock manufacturers for the cases require stores to accept something called a "key security agreement", but the shop owner community seems unhappy with the inconvenience posed to customers, and is choosing not to implement it, just to avoid the KSA, leaving the goods on store shelves worldwide as a whole less secure.

    It's like, slippy sloppy through analogy?