Huge Internet Security Hole Demonstrated
Bigger than recent DNS fiasco?
08:15AM Wednesday Aug 27 2008 by Karl Bode
tags: security · networking
Wired News reports on a new vulnerability that could allow troublemakers to intercept traffic on a scale that would make even AT&T and the NSA proud. Two security researchers have demonstrated a new technique to stealthily intercept internet traffic using a vulnerability in the internet routing protocol BGP (Border Gateway Protocol). The tactic, which one hacker claims is bigger than the recent DNS exploit, lets an attacker monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.

Forums » Huge Internet Security Hole Demonstrated
wentlanc
You Can't Fix Dumb..

join:2003-07-30
Maineville, OH

Old news?

Hijacking routing tables is not really a new concept. Muck like ARP table poisoning, MAC spoofing, VTP, etc. Most protocols rely on some level of trust. What sets this apart is then re-forwarding the hijacked traffic back to the original destination. The best way not to get caught is to no make any noise, right? Perhaps monitoring routing tables for AS path changes would be key to picking up this kind of exploit?


TK Junk Mail
Go ahead, make my day
Premium
join:2002-03-03
Margate City, NJ
clubs:
·Comcast

Re: Old news?

said by wentlanc:

Perhaps monitoring routing tables for AS path changes would be key to picking up this kind of exploit?

That can be done, but it is labor intensive and even then likely to not work:
A handful of academic groups collect BGP routing information from cooperating ASes to monitor BGP updates that change traffic's path. But without context, it can be difficult to distinguish a legitimate change from a malicious hijacking. There are reasons traffic that ordinarily travels one path could suddenly switch to another -- say, if companies with separate ASes merged, or if a natural disaster put one network out of commission and another AS adopted its traffic. On good days, routing paths can remain fairly static. But "when the internet has a bad hair day," Kent said, "the rate of (BGP path) updates goes up by a factor of 200 to 400."

Kapela said eavesdropping could be thwarted if ISPs aggressively filtered to allow only authorized peers to draw traffic from their routers, and only for specific IP prefixes. But filtering is labor intensive, and if just one ISP declines to participate, it "breaks it for the rest of us," he said.

"Providers can prevent our attack absolutely 100 percent," Kapela said. "They simply don't because it takes work, and to do sufficient filtering to prevent these kinds of attacks on a global scale is cost prohibitive."

--
My BLOG .. .. Internet News .. .. My Web Page
Ask yourself one question: 'Do I feel lucky?' Well, do ya punk?
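The filtering Kapela describes in the quote above ("allow only authorized peers to draw traffic from their routers, and only for specific IP prefixes") is the ingress policy an upstream applies to each customer or peer session. The sketch below is an added illustration, not code from this thread or from the Wired article; the AS numbers, prefixes and the authorization table are constructed for the example. It accepts an announcement from a peer only if the path starts with that peer and the prefix falls inside one of the peer's authorized blocks without exceeding the agreed maximum length, which is what blocks a stray more-specific from a neighbour who is not entitled to it.

```python
import ipaddress
from dataclasses import dataclass

# Per-peer authorization: the prefixes each directly connected peer (by AS number)
# may announce to us, and the longest sub-prefix of each we will accept.
# Constructed for this example; an ISP would build this from customer paperwork
# or routing-registry data, not by hand.
AUTHORIZED = {
    64501: [("203.0.113.0/24", 24)],    # customer holding a single /24
    64502: [("198.51.100.0/22", 24)],   # customer holding a /22, may deaggregate to /24
}


@dataclass(frozen=True)
class Announcement:
    peer_as: int      # the session the update arrived on
    prefix: str       # e.g. "203.0.113.0/24"
    as_path: tuple    # nearest AS first, origin AS last


def ingress_filter(ann):
    """Return (accept, reason) for one announcement received from a direct peer."""
    try:
        net = ipaddress.ip_network(ann.prefix, strict=True)
    except ValueError as e:
        return False, f"malformed prefix: {e}"
    # The first AS in the path must be the peer the update came from.
    if not ann.as_path or ann.as_path[0] != ann.peer_as:
        return False, "first AS in path is not the sending peer"
    rules = AUTHORIZED.get(ann.peer_as)
    if not rules:
        return False, f"AS{ann.peer_as} has no authorized prefixes"
    for allowed, max_len in rules:
        allowed_net = ipaddress.ip_network(allowed)
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            if net.prefixlen <= max_len:
                return True, f"matches {allowed} le {max_len}"
            return False, f"within {allowed} but longer than /{max_len}"
    return False, "prefix not authorized for this peer"


# Constructed sample session: the same peers sending good and bad announcements.
SAMPLE = [
    Announcement(64501, "203.0.113.0/24", (64501,)),
    Announcement(64501, "203.0.113.0/25", (64501,)),        # too specific
    Announcement(64501, "192.0.2.0/24", (64501,)),          # not theirs
    Announcement(64502, "198.51.100.0/24", (64502,)),       # allowed deaggregation
    Announcement(64502, "198.51.100.0/24", (64503, 64502)), # path does not start with peer
    Announcement(64599, "203.0.113.0/24", (64599,)),        # unknown peer
]


def run_sample():
    """Apply the filter to SAMPLE and return [(prefix, accepted), ...]."""
    return [(a.prefix, ingress_filter(a)[0]) for a in SAMPLE]


if __name__ == "__main__":
    for a in SAMPLE:
        ok, why = ingress_filter(a)
        print(f"AS{a.peer_as} {a.prefix:<17} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

The labor Kapela complains about lives in the AUTHORIZED table: it has to be kept accurate for every customer, and a single upstream that skips it lets the bad announcement through for everyone downstream.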

Ignite
Premium,VIP
join:2004-03-18
UK
clubs:
Perhaps nothing more interesting than ensuring all your BGP peers are using MD5 authentication would mitigate this.
keyboard5684

join:2001-08-01
Youngsville, PA
·WestPAnet Inc.
·WestPAnet Inc. CA..
·Verizon Online DSL


edit:
August 27th, @03:28PM

Re: Old news?

This is true, MD5 which many carriers no longer seem to care about because you can just set 1 or 2 hop BGP.

MD5 should always be set up, but it is a longer call with the carrier and sometimes a pain. You usually have to email or send the password to them because you cannot read 7j8j$8e%wVG&6G6Ky6jI#8o!LMt over the phone. So it is a little pain, so carriers, or more their techs, just try not to encourage it. You have to specifically request it, so it is the ISP's fault as well.

But these little tricks are usually just bad configuration/setup. The ISPs and carriers can set up a very secure exchange. DNS exploits too, a lot of this just goes to security, do it right the first time.

Laziness and lack of caring, just people doing their job. Tell you what, pay techs what they deserve and get the right ones in there to do the job. It has to do with undercutting by the ISPs and by the carriers.

EDIT: What about we start using a newer version of BGP? We have been stuck on 4 for a long time. Maybe we all move up to BGP6 or something? Developed yet?

sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
·Optimum Online

said by Ignite:

Perhaps nothing more interesting than ensuring all your BGP peers are using MD5 authentication would mitigate this.
That would do nothing to solve this...

TK Junk Mail
Go ahead, make my day
Premium
join:2002-03-03
Margate City, NJ
clubs:
·Comcast

Hole can be closed; but it is costly and disruptive

Given the cost and effort required to close this hole, it may be some time before it is closed.

Kent and BBN colleagues developed Secure BGP (SBGP), which would require BGP routers to digitally sign with a private key any prefix advertisement they propagated. An ISP would give peer routers certificates authorizing them to route its traffic; each peer on a route would sign a route advertisement and forward it to the next authorized hop.

"That means that nobody could put themselves into the chain, into the path, unless they had been authorized to do so by the preceding AS router in the path," Kent said.

The drawback to this solution is that current routers lack the memory and processing power to generate and validate signatures. And router vendors have resisted upgrading them because their clients, ISPs, haven't demanded it, due to the cost and man hours involved in swapping out routers.

--
My BLOG .. .. Internet News .. .. My Web Page
Ask yourself one question: 'Do I feel lucky?' Well, do ya punk?
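To make the SBGP idea in the quote above concrete, here is an added example that is not code from this thread, from BBN or from any SBGP implementation. It models Kent's chain: each AS signs the prefix, the path up to itself and the single next hop it is handing the advertisement to, so an AS that was not named by the preceding hop cannot splice itself in. The AS numbers and keys are constructed, and HMAC-SHA256 with per-AS secrets held by the verifier stands in for the public-key signatures and certificates SBGP would actually use.

```python
import hashlib
import hmac

# Stand-in for SBGP's per-AS key pairs and certificates: the verifier holds one
# secret per AS and HMAC-SHA256 plays the role of the digital signature.
# AS numbers and keys are constructed for this example.
AS_KEYS = {
    64500: b"constructed-key-64500",
    64510: b"constructed-key-64510",
    64520: b"constructed-key-64520",
    64666: b"constructed-key-64666",  # a real AS in this toy world, but not on the authorized path
}


def _hop_message(prefix, path_so_far, next_as):
    # What hop path_so_far[-1] commits to: the prefix, the path up to and
    # including itself, and the one AS it is forwarding the advertisement to.
    return f"{prefix}|{'-'.join(map(str, path_so_far))}|{next_as}".encode()


def _sign(signer_as, message):
    return hmac.new(AS_KEYS[signer_as], message, hashlib.sha256).hexdigest()


def originate(prefix, origin_as, next_as):
    """The prefix owner starts the chain and names its first authorized hop."""
    path = [origin_as]
    return {"prefix": prefix, "path": path,
            "sigs": [_sign(origin_as, _hop_message(prefix, path, next_as))]}


def forward(adv, my_as, next_as):
    """my_as appends itself to the path and signs for the next hop it authorizes."""
    path = adv["path"] + [my_as]
    sig = _sign(my_as, _hop_message(adv["prefix"], path, next_as))
    return {"prefix": adv["prefix"], "path": path, "sigs": adv["sigs"] + [sig]}


def verify(adv, receiver_as):
    """True only if every hop's signature names the AS that actually follows it."""
    path, sigs = adv["path"], adv["sigs"]
    if not path or len(sigs) != len(path):
        return False
    for i, signer in enumerate(path):
        if signer not in AS_KEYS:
            return False  # no certificate for this AS
        # The last hop must have signed for us, the receiver.
        next_as = path[i + 1] if i + 1 < len(path) else receiver_as
        expected = _sign(signer, _hop_message(adv["prefix"], path[: i + 1], next_as))
        if not hmac.compare_digest(expected, sigs[i]):
            return False
    return True


def demo():
    prefix = "203.0.113.0/24"  # constructed documentation prefix
    # Authorized chain: AS64500 -> AS64510 -> AS64520.
    legit = forward(originate(prefix, 64500, 64510), 64510, 64520)
    # AS64666 obtains the advertisement AS64500 addressed to AS64510 and re-signs
    # it toward AS64520; AS64500 never named AS64666, so hop 0's signature no
    # longer matches the path that follows it.
    inserted = forward(originate(prefix, 64500, 64510), 64666, 64520)
    return {
        "legit": verify(legit, 64520),
        "inserted": verify(inserted, 64520),
        "wrong_receiver": verify(legit, 64530),  # AS64510 signed for 64520, not 64530
    }


if __name__ == "__main__":
    print(demo())
```

The cost Kent points to shows up even here: every hop does one signing operation per advertisement it propagates and the receiver does one verification per hop in the path, which is the per-update CPU and memory budget that 2008-era routers did not have.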

asdfdfdfdfdfdf

@Level3.net

Re: Hole can be closed; but it is costly and disruptive

I think you are right. What annoys me though, is when I read things like:
quote:
who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. "I went around screaming my head about this about ten or twelve years ago.... We described this to intelligence agencies and to the National Security Council, in detail."

quote:
Stephen Kent, chief scientist for information security at BBN Technologies, who has been working on solutions to fix the issue, said he demonstrated a similar BGP interception privately for the Departments of Defense and Homeland Security a few years ago.

Our government insists that they need backdoors and broad powers to monitor anyone's communications without fussy things like warrants, and they talk of dire scenarios like terrorists bringing down our communications infrastructure and plunging us into chaos, and yet this same government can't be bothered to light fires under some asses to make sure resources are devoted to getting this sort of thing fixed.
Should make us wonder whether they believe their own breathless rhetoric.

cork1958
Cork

join:2000-02-26
Fruitport, MI
·Charter Pipeline

Re: Hole can be closed; but it is costly and disruptive

said by asdfdfdfdfdfdf:

I think you are right. What annoys me though, is when I read things like:
quote:
who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. "I went around screaming my head about this about ten or twelve years ago.... We described this to intelligence agencies and to the National Security Council, in detail."

quote:
Stephen Kent, chief scientist for information security at BBN Technologies, who has been working on solutions to fix the issue, said he demonstrated a similar BGP interception privately for the Departments of Defense and Homeland Security a few years ago.

Our government insists that they need backdoors and broad powers to monitor anyone's communications without fussy things like warrants, and they talk of dire scenarios like terrorists bringing down our communications infrastructure and plunging us into chaos, and yet this same government can't be bothered to light fires under some asses to make sure resources are devoted to getting this sort of thing fixed.
Should make us wonder whether they believe their own breathless rhetoric.
Does ANYBODY believe their breathless rhetoric?
--
The Firefox alternative.
»www.mozilla.org/projects/seamonkey/

fcisler
Premium
join:2004-06-14
Riverhead, NY

Trusted Networks

Wouldn't you have to be somewhere INSIDE a DC? More specifically, within a trusted route/network? I'd find it an extremely bad practice to accept any BGP routes that I didn't trust....

Don't most ISPs filter BGP before it reaches a client's subnet? Unless they are accepting BGP routes from a client, why not block them? Seems rather simple....

This seems like it could be a bigger hole - but unlike DNS, I would venture to say that 75% of most hosts wouldn't have the connectivity to do this.

insomniac84

join:2002-01-03
Schererville, IN

Re: Trusted Networks

Of course governments will. Granted, in America it's easier just to ask.

MoeDumb
I already have a Messiah.
Premium
join:2002-09-23

All together now (1... 2... 3...

"So? If we're not doing anything wrong, what have we got to hide?"

/sarcasm

Morac

join:2001-08-30
Riverside, NJ
·Comcast


edit:
August 27th, @02:51PM

So encrypt your traffic

Isn't the assumption that if your traffic is not encrypted then pretty much anyone can read it?

Granted in this case, that someone can be anywhere in the world instead of locally to you, but still....

So today's lesson is if you don't want people to read your data, encrypt it.
--


The Comcast Disney Avatar has been retired.

TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Brooklyn NYC
·Verizon Online DSL

Re: So encrypt your traffic

said by Morac:

... you don't want people to read your data, encrypt it.
Indeed! Why is https NOT the standard for browsing? Why is encrypted email not the standard?

Powerful tools currently exist to protect our privacy, and are available to EVERYONE, why are they not used? Why are they NOT the default?

Bob
--
Motor Vessel - Tamara B.
43' Long-Range Trawler
Cape Elizebeth ME.
See her Here.
cornelius785

join:2006-10-26
Worcester, MA

Re: So encrypt your traffic

I'm guessing a couple of reasons may be server load, connection load (I think more packets have to be sent back and forth to establish an SSL connection), and maybe bandwidth. Encryption and decryption is a fairly computationally intense operation. I suppose for email, you'd need a client that everyone has that is capable of handling encryption and makes it SEAMLESS to the end user when operating (think of going to an https site). Maybe someone more knowledgeable in computer/network/internet security could comment on what I've stated.
deepblackmag

join:2004-12-27
00000

Re: So encrypt your traffic

These days with SSL offload and crypto accel cards, there's no excuse for claiming it's not done because of a performance issue. I run it everywhere on my equipment.
keyboard5684

join:2001-08-01
Youngsville, PA
·WestPAnet Inc.
·WestPAnet Inc. CA..
·Verizon Online DSL

Re: So encrypt your traffic

When you made this post, was it encrypted the whole way?

You cannot encrypt everything unless everyone else wants to and agrees with your method. DSLReports would have horrible server load trying to run SSL between them and the readers.

It is an excuse. Just because you can have a crypto card in a cisco router, or whatever, for maybe $500 doing it in a "real" server situation is different. You are the client, not the server.

Cost is the excuse, not that the technology does not exist.
keyboard5684

join:2001-08-01
Youngsville, PA
Well, re-routing traffic is the problem. The traffic needs to go through something like a transparent device somewhere meaning a long route. I like my traffic to go the quickest route.

Dryvlyne
Far Beyond Driven
Premium
join:2004-08-30
Newark, OH

I think you're missing an important point...

quote:
The tactic, which one hacker claims is bigger than the recent DNS exploit, lets an attacker monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.
This would undoubtedly inspire all sorts of new phishing scams and attempted malware "drive-bys".

The real problem with the Internet, in general, is that it was built upon the presumed trust between 2 or more machines. I just don't understand how the "fathers" of the Internet couldn't have predicted that it would somehow be abused and that proper precautions should have been instituted in the first place!

Morac

join:2001-08-30
Riverside, NJ
·Comcast


edit:
August 27th, @06:00PM

Re: So encrypt your traffic

said by Dryvlyne:

I think you're missing an important point...

quote:
The tactic, which one hacker claims is bigger than the recent DNS exploit, lets an attacker monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.
You emphasized the wrong part of that sentence. I fixed it for you.

said by Dryvlyne:
The real problem with the Internet, in general, is that it was built upon the presumed trust between 2 or more machines. I just don't understand how the "fathers" of the Internet couldn't have predicted that it would somehow be abused and that proper precautions should have been instituted in the first place!
You do realize that the Internet was invented before most people even had a home computer. Back then there was only a handful of computers connected and all were controlled by either Government entities or Colleges. Security wasn't really an issue back then.

--


The Comcast Disney Avatar has been retired.
keyboard5684

join:2001-08-01
Youngsville, PA
·WestPAnet Inc.
·WestPAnet Inc. CA..
·Verizon Online DSL

Re: So encrypt your traffic

Exactly, it was "turned over" and basically bloomed from that. The government turns over a lot of technology and it is up to those that use it to do what they wish with it.

In this case, the internet, there is not a central "advisor" on this, nor should there be. The fathers of the internet have nothing to do with this problem, people do. Stop using the internet, you're fu%$ing it up.

Really, the reason behind projects like Internet2 and others is to build a new "internet". A new set of standards everyone will agree to work with. Very hard to do since we cannot agree on anything (and we being everyone, every country, the world, cannot agree). BGP is easy to fix, that really is no concern.

The "fathers", if I remember correctly, did realize it would be abused. When they let the technology "go", basically made it public, it was not up to them to secure it. BGP was a protocol that came way after the "internet was invented", it was a dynamic protocol to allow efficient routing and link control. It works great. The people to "blame" if it must be are carriers and the people using BGP, they are not using it correctly. I do not even know who came up with BGP, I think Cisco but I may be wrong (at least BGP 3, 4 who ?)

espaeth
Misanthrope
Premium
join:2001-04-21
Minneapolis, MN
·voip.ms
·Callcentric
·VoiceStick
·ViaTalk
·Comcast
·Embarq

The DNS exploit is bigger...

in that any kid with a script can trigger it, and the investment cost to pull off the scam is essentially $0. To pull this off you need a lot of access, and you need a considerable investment in infrastructure to be in a position to pull it off. (you need the routing hardware, and to get a carrier circuit with BGP to start you need to prove you own a netblock ($$ to ARIN), you need to prove you own an ASN ($$ to ARIN), and you're going to need to sign contracts for connectivity with a hefty up-front install fee)

1) You need to be able to source a more specific route from a network you don't own through your upstream provider. Many backbone providers strictly enforce which routes you can originate, so you'd have to find one that will play ball.

2) Even if you get the traffic to successfully come to you, you need to overcome the blackhole effect that you create to forward the traffic on to the final destination. (ie, you can't just send it back upstream or the destination traffic will just come right back to you)

The limited exposure would be spoof a network on Carrier A by relaying a more specific route into Carrier C but setting community tags so that it would not be redistributed to its peers. You can then get the customers of Carrier C to forward the traffic to you, and you can dump the traffic out onto Carrier A where it will reach its final destination.
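wentlanc asked earlier whether watching routing tables for AS path changes would catch this, and cw's quote answers that raw path changes are too noisy to act on. espaeth's description above pins down what is actually worth alerting on: a more-specific prefix, inside a block you know the owner of, that is suddenly originated by someone else. The classifier below is an added example, not code from this thread, from the Wired article or from any of the academic BGP collectors mentioned; the baseline, AS numbers and update stream are constructed. It separates origin changes and foreign-origin more-specifics (worth a page) from plain path changes and the owner's own deaggregation (log only).

```python
import ipaddress

# Constructed baseline of prefix -> expected origin AS, the kind of table an
# operator would derive from registry data or a quiet period of observed routes.
BASELINE = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/22": 64510,
}


def _covering_prefix(net):
    """Longest baseline prefix that contains net, or None."""
    best = None
    for p in BASELINE:
        bn = ipaddress.ip_network(p)
        if net.version == bn.version and net.subnet_of(bn):
            if best is None or bn.prefixlen > best.prefixlen:
                best = bn
    return best


def classify(update, seen_paths):
    """Label one BGP update; seen_paths remembers the last AS path per prefix."""
    net = ipaddress.ip_network(update["prefix"])
    path = tuple(update["as_path"])        # nearest AS first, origin AS last
    origin = path[-1]
    key = str(net)
    if key in BASELINE:
        if BASELINE[key] != origin:
            return "ORIGIN_CHANGE"           # another AS claims to originate a known prefix
        previous = seen_paths.get(key)
        seen_paths[key] = path
        if previous is not None and previous != path:
            return "PATH_CHANGE"             # frequent on a 'bad hair day'; informational only
        return "OK"
    cover = _covering_prefix(net)
    if cover is None:
        return "UNKNOWN_PREFIX"              # nothing in the baseline covers it
    if BASELINE[str(cover)] != origin:
        return "MORE_SPECIFIC_FOREIGN_ORIGIN"  # sub-prefix of a known block, different origin
    return "MORE_SPECIFIC_SAME_ORIGIN"       # the owner deaggregating; usually traffic engineering


# Constructed update stream, in arrival order.
SAMPLE_UPDATES = [
    {"prefix": "203.0.113.0/24", "as_path": [64520, 64500]},
    {"prefix": "198.51.100.0/22", "as_path": [64520, 64510]},
    {"prefix": "203.0.113.0/24", "as_path": [64530, 64500]},  # same origin, new transit
    {"prefix": "203.0.113.0/25", "as_path": [64520, 64666]},  # more-specific, foreign origin
    {"prefix": "198.51.100.0/24", "as_path": [64520, 64510]}, # owner's own /24
    {"prefix": "198.51.100.0/22", "as_path": [64520, 64666]}, # origin swapped
    {"prefix": "192.0.2.0/24", "as_path": [64520, 64540]},    # not ours to judge
]


def run(updates=SAMPLE_UPDATES):
    """Classify every update in order; returns [(prefix, label), ...]."""
    seen = {}
    return [(u["prefix"], classify(u, seen)) for u in updates]


def alerts(updates=SAMPLE_UPDATES):
    """Only the labels worth waking someone for."""
    return [(p, label) for p, label in run(updates)
            if label in ("ORIGIN_CHANGE", "MORE_SPECIFIC_FOREIGN_ORIGIN")]


if __name__ == "__main__":
    for prefix, label in run():
        print(f"{prefix:<18} {label}")
```

Even the two alerting labels still need the context cw's quote asks for: a merger, a new transit deal or a customer multi-homing to a second provider can legitimately produce either one, so the output is a lead for a human, not an automatic verdict.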

sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ
·Optimum Online

Re: The DNS exploit is bigger...

said by espaeth:

To pull this off you need a lot of access
Define "access".
said by espaeth:

and you need a considerable investment in infrastructure
PC hardware and OpenBGP/Zebra/Quagga
said by espaeth:

and to get a carrier circuit with BGP
"carrier circuit"? No, when you place your order, note that you'll be running BGP. It's not even an extra charge.
said by espaeth:

to start you need to prove you own a netblock ($$ to ARIN)
Or that you want to announce your block from another ISP
said by espaeth:

you need to prove you own an ASN ($$ to ARIN)
I have never needed to prove this. Do you consider Level3 a "major" carrier?
said by espaeth:

and you're going to need to sign contracts for connectivity with a hefty up-front install fee
One-page MSA, $750 NRC, less if you "commit" to more than one year.

said by espaeth:

1) You need to be able to source a more specific route from a network you don't own through your upstream provider. Many backbone providers strictly enforce which routes you can originate, so you'd have to find one that will play ball.
The ones that take money from customers will "play ball".
said by espaeth:

2) Even if you get the traffic to successfully come to you, you need to overcome the blackhole effect that you create to forward the traffic on to the final destination. (ie, you can't just send it back upstream or the destination traffic will just come right back to you)
I can ask Alex "pretty please" to explain on the mailing list...

espaeth
Misanthrope
Premium
join:2001-04-21
Minneapolis, MN
·voip.ms
·Callcentric
·VoiceStick
·ViaTalk
·Comcast
·Embarq


edit:
August 28th, @02:15AM

Re: The DNS exploit is bigger...

My point about access is you're not going to pull this off at an office or residence without forking over a ridiculous amount of capital for a tail circuit.

If you do this in a colo space, you're still going to have a space commit if you're leasing a rack, plus up-front cross-connect fees to patch yourself over to another carrier. Most places don't let you bring in equipment and start requesting cross connects unless you are going to agree to some sort of term.

I work for a company that has grown through acquisition, and we've had Verizon, Level(3), Qwest, ATT, and Sprint all stop accepting one of our netblock advertisements at one point or another because we rolled an acquired company's netblock advertisement under one of our main AS advertisements and they got concerned that the netblock owner didn't match our company name. The company I work for isn't small, we control 3 /16s + a few scraps of public address space and have Internet points of presence in 16 countries.

In any case, my point is that the DNS exploit is essentially free and has high payout potential. This requires a fair amount of start-up capital, some reasonable fake identities if you want to get out of your contract obligations, and your window of success is still limited. The risk:reward ratio is substantially lower here.

isp eh

@comcast.net

Re: The DNS exploit is bigger...

totally agree.

anyway, a company can easily re-route your data by advertising itself (typically a typo) as the owner of a more specific ip block than you are advertising.