Slashdot Mirror


BGP Hijacking Continues, Despite the Ability To Prevent It

An anonymous reader writes: BGPMon reports on a recent route hijacking event by Syria. These events continue, despite the ability to detect and prevent improper route origination: Resource Public Key Infrastructure. RPKI is a technology that allows an operator to validate the proper relationship between an IP prefix and an Autonomous System. That is, assuming you can collect the certificates. ARIN requires operators accept something called the Relying Party Agreement. But the provider community seems unhappy with the agreement, and is choosing not to implement it, just to avoid the RPA, leaving the Internet as a whole less secure.
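
The origin check that RPKI enables, as an added example that is not part of the original post or the linked article: route origin validation in the style of RFC 6811, classifying an announcement as valid, invalid or not-found against a table of validated ROA payloads. The prefixes and AS numbers are constructed sample data from documentation ranges, and the function and variable names are assumptions.

```python
import ipaddress
from collections import namedtuple

# One validated ROA payload (VRP): covered prefix, longest allowed
# announcement length, and the AS authorized to originate it.
VRP = namedtuple("VRP", "prefix max_length asn")

# Constructed sample table (documentation prefixes and documentation ASNs).
VRPS = [
    VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 64500),
    VRP(ipaddress.ip_network("203.0.113.0/24"), 25, 64501),
    VRP(ipaddress.ip_network("2001:db8::/32"), 48, 64502),
]

def validate_origin(prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        # subnet_of() raises TypeError across IP versions, so check first.
        if vrp.prefix.version != route.version or not route.subnet_of(vrp.prefix):
            continue
        covered = True  # at least one ROA speaks for this address space
        # AS 0 in a ROA means "never originate", so it can never match.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered but no matching ROA: wrong origin or too specific a prefix.
    return "invalid" if covered else "not-found"

def classify(announcements, vrps=VRPS):
    """Validate a list of (prefix, origin_asn) pairs."""
    return [(p, a, validate_origin(p, a, vrps)) for p, a in announcements]

if __name__ == "__main__":
    # Constructed announcements: legitimate, wrong origin, more-specific, unknown.
    sample = [("192.0.2.0/24", 64500), ("192.0.2.0/24", 64511),
              ("192.0.2.128/25", 64500), ("198.51.100.0/24", 64500)]
    for prefix, asn, state in classify(sample):
        print(f"{prefix:<18} AS{asn:<6} {state}")
```

What happens to each state is the operator's import policy; rejecting invalid routes while still accepting not-found ones is the usual starting point.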


  1. BGP? by danceswithtrees · · Score: 3, Informative

    What if we agree to spell out obscure acronyms the first time? Yes, I can google/bing it to find likely candidates, but what if you make life easier for all involved and actually use Border Gateway Protocol (BGP)? Mmmmkay?

    1. Re: BGP? by Anonymous Coward · · Score: 3, Funny

      this is a site for nerds...or at least used to be until your lazy ass showed up

    2. Re:BGP? by Anonymous Coward · · Score: 2, Funny

      This is slashdot you insensitive clod, a site for nerds. I knew what BGP meant without looking it up.

    3. Re:BGP? by Anonymous Coward · · Score: 2, Funny

      Guess it's "News for Plebeians".

    4. Re:BGP? by wonkey_monkey · · Score: 2

      I don't think BGP is simple enough for a non-nerd...

      Since when did "nerd" only cover people who understand BGP? I don't remember that on the entrance exam...

      Heaven forbid anyone should be allowed to come away from reading a story on Slashdot more informed. Can't be having that!

      A simple, painless expansion of an acronym would at least give every reader a fighting chance at a rough guess of what it does, or at least what it relates to.

      --
      systemd is Roko's Basilisk.
    5. Re:BGP? by nblender · · Score: 4, Insightful

      I guess I disagree. I don't want to have to see "Transmission Control Protocol / Internet Protocol" the first time in every article that mentions TCP/IP... I'm surprised you also didn't mention that "ARIN" wasn't expanded, or "IP"... Probably because you know what those mean. I've been in this industry for dozens of years and there are abbreviations that come up all the time that I don't know but I just google them... It's not a big deal.

    6. Re:BGP? by David_Hart · · Score: 5, Insightful

      I don't think BGP is simple enough for a non-nerd...

      Since when did "nerd" only cover people who understand BGP? I don't remember that on the entrance exam...

      Heaven forbid anyone should be allowed to come away from reading a story on Slashdot more informed. Can't be having that!

      A simple, painless expansion of an acronym would at least give every reader a fighting chance at a rough guess of what it does, or at least what it relates to.

      Um... given that BGP is THE core routing protocol for the Internet... Yeah... you should at least know what it is at a basic level. It fits into the same category as DNS, HTML, ISP, etc.

      It's a lot like the programmers talking on here about the Waterfall model. It's expected that if you don't know something that you will take 5 seconds to look it up. Just maybe you'll learn something new... oh horrors... (grin)

      For those who still don't know, BGP stands for Border Gateway Protocol. At a very basic level, it's a routing protocol used to advertise routes between ISPs and other Internet connected organizations. It's these routes that we use to get to Netflix, for example.

    7. Re:BGP? by maybridge · · Score: 2

      a) It's a headline b) " for all involved " maybe you're not involved. Skip over it and let the adults carry on

    8. Re: BGP? by Bing Tsher E · · Score: 2

      This is a site for nerds, not IT types.

      Do you know what a LASCR is, and how and why you might use it to slave a photoflash? If not, GTFO.

    9. Re:BGP? by fufufang · · Score: 2

      I think most people on this website know what BGP is, hence the acronym.

    10. Re: BGP? by Mashiki · · Score: 2

      This is a site for nerds, not IT types.

      Strange, I remember when it was a site for IT types, but that was back when CowboyNeal was still here, and the plebs hadn't really destroyed the internet.

      --
      Om, nomnomnom...
    11. Re: BGP? by dbIII · · Score: 3, Funny

      Do you know what a LASCR is

      An Indian sailor.

      and how and why you might use it to slave a photoflash

      Slavery is wrong.

  2. More importantly by Anonymous Coward · · Score: 4, Interesting

    Why do we continue to allow peers that have proven to be problematic in the BGP backbone? Simply do not share routes with these ASs any more and fuck their shit hole countries until they stop dicking with the core of the internet.

    It's not like any old admin can be like "Ok I'm going to broadcast bad routes that will be observed and respected by all the core routers of the internet"

    No, these people have special agreements with the neighbours they route with; it's not like BGP packets just fly around the internet from some random workstation belonging to a hacker and magically find their way onto the private vlans the cores use for bgp traffic.

    Even if it wasn't technically preventable it should simply be resolved by refusing peering after an incident.

  3. Re:Required -- Except When It Isn't by suutar · · Score: 3, Informative

    It's required if you want to use ARIN's data. Those who choose not to agree are simply not using that data, with the consequence that they are less effective at validating route origin identity.

  4. Shoplifting occurs despite the ability to prevent by mysidia · · Score: 3, Informative

    These events continue, despite the ability to detect and prevent improper route origination

    Locked cases with hardened glass are a technology that allow a store to protect products for sale from surreptitious pilfering. That is, assuming you can fit the products in the case. Lock manufacturers for the cases require stores to accept something called a "key security agreement", but the shop owner community seems unhappy with the inconvenience posed to customers, and is choosing not to implement it, just to avoid the KSA, leaving the goods on store shelves worldwide as a whole less secure.

  5. Re:Great in theory, better for tyrants in practice by 8-Track · · Score: 2

    That's a bit dramatic. It's a data set with statements about routing, it doesn't affect BGP directly, that's up to the operator who uses the data. The signatures are there so the user of the data can validate integrity. If it turns out the system is being abused, operators will simply stop using RPKI data and fall back on whatever they use now (e.g. route objects in the IRR).

  6. Prefix This by TheRealHocusLocus · · Score: 5, Funny

    Just flipped down the thread:

    AAAAASSSS????ASSSA?FFbFbb??bBM

    Key:
    A = messages complaining about use of acronym, explaining it
    S = messages questioning relevance of BGP to 'Nerd', answers
    ? = WTF responses (Fry, Bennet)
    F = political views (fuck ARIN, fuck legalese, fuck de Man)
    b = relevant but misinformed (filtering not quicky-solve, RPKI not Kill Switch)
    B = relevant, thoughtful response to a 'b'
    M = this, meta message about thread.

    If the rest of the Internet was like this, no actual routes would ever be advertised.

    My life is light, waiting for the death wind,
    Like a feather on the back of my hand.
    Dust in sunlight and memory in corners
    Wait for the wind that chills towards the dead land.

    ~T.S. Eliot

    --
    <blink>down the rabbit hole</blink>
  7. Or people could, you know, do their damn jobs... by TaliesinWI · · Score: 2

    As the article points out, the only reason this was able to work was because one of the upstreams didn't filter announcements correctly. So instead of one provider doing something simple, the "fix" is for the rest of the world to do something complex?

    Back in the day if a provider dicked around with BGP enough (either through incompetence or malice) they would find that eventually no one would accept any prefixes originating from their network. Kind of hard to have customers when the rest of the internet won't accept your traffic, isn't it?

    BGP4 was new and exciting in 1994, and people are still doing it incorrectly. Film at 11.