The Internet's Biggest Security Hole Revealed 330
At DEFCON, Tony Kapela and Alex Pilosov demonstrated a drastic weakness in the Internet's infrastructure that had long been rumored, but wasn't believed practical. They showed how to hijack BGP (the border gateway protocol) in order to eavesdrop on Net traffic in a way that wouldn't be simple to detect. Quoting: "'It's at least as big an issue as the DNS issue, if not bigger,' said Peiter 'Mudge' Zatko, noted computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. 'I went around screaming my head about this about ten or twelve years ago... We described this to intelligence agencies and to the National Security Council, in detail.' The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper's network." Here's the PDF of Kapela and Pilosov's presentation.
Scary Much? (Score:5, Informative)
Re:SSL (Score:5, Informative)
Re:Scary Much? (Score:3, Informative)
BGP is supposed to be authenticated between peers, but clearly not nearly enough. If IPSEC was enabled (it's likely to already be present) on all routers, then BGP traffic between routers would be guaranteed both encrypted AND authenticated. Or, if you prefer, there are a very very few other routing protocols for WANS - ESES probably being the one most taken seriously. (ESES is the exterior gateway version of ISIS. Both are mature protocols with a lot of hardware out there that can support them.)
Re:SSL (Score:5, Informative)
I archive the talk (Score:5, Informative)
Re:You can bet good money... (Score:5, Informative)
Yeah, but they don't need to poison BGP to read our data, since they have access by the Tier 1 providers and telcos to the actual photons on the backbone fibers. And of course legal immunity now that they passed that bill.
Nay, this would best be used against other countries, where the NSA actually works.
Latency jump (Score:4, Informative)
Re:Fun fun fud (Score:1, Informative)
wooosh!
Correction (Score:5, Informative)
Not quite.
Prepends affect your outbound announcements, and this affects inbound traffic to you. Prepends are the most effective tool for BGP manipulation because they're transitive - announcing more specifics works too, but that's not quite the same thing.
Re:SSL (Score:5, Informative)
Here's a link to information about the incident you mentioned:
http://www.microsoft.com/technet/security/Bulletin/MS01-017.mspx
Re:Scary Much? (Score:5, Informative)
BGP is authenticated, and using IPSec will not solve anything. BGP peers must configured the IPs of their neighbors, and in many cases an MD5 secret as well. This is pretty strong authentication. The point here, is that anyone can get a high-speed link from an ISP, and that ISP will talk BGP to you. Then you simply tell you ISP about your network through BGP, and also tell it about some additional network routes and the ISP passes it along.
The way to prevent this today, would be for the ISP that peers with you to know which IP blocks you own, any filter out any other routes your send over. But, this is a lot of work for the ISP so very few of them do it.
Re:Fun fun fud (Score:5, Informative)
How serious? This could potentially render the entire Internet inoperable. For real. Anyone who knows anything about basic Internet protocols should be shitting themselves right about now.
You obviously don't know the basics of Internet protocols then. Anyone who knows BGP basics knows this problem is inherent in current interdomain routing.
This is not an attack that just anyone can pull off (unlike Dan's DNS vulnerability). You need possess a BGP peering relationship with a provider who doesn't filter the prefixes listed in the NLRI of a BGP update message, as well as any further upstream providers. A _very high_ bar to say the least.
We're seen numerous accidental route leakages over the years and even some malicious hijacking of IP space for nefarious activity as noted in the presentation. Any significant hijacking for the purpose of MITM (hijacking for spam really isn't a priority for ISPs) would be tracked down instantly on the NANOG list and have severe peering repercussions for the offending ISP. Bumping the IP TTL isn't going to do squat for all the BGP anomaly detection systems continually monitoring the routing infrastructure (Renesys, PHAS, etc).
Re:Fun fun fud (Score:5, Informative)
Re:Oh, just great! (Score:4, Informative)
Oh... but it did more than just sniffing cleartext passwords. It would also decipher encrypted passwords over the net, given plenty of time. And it could be used to crack encrypted Hosts passwords.
I always wondered why they did not follow it up.
Re:Fun fun fud (Score:5, Informative)
Eh, I was trying to make a reference to the big email scandal of a while ago, where it turned out that important stuff was being sent (illegally) from email accounts at gwb32.com or georgewbush.com instead of whitehouse.gov. Slashdot coverage [slashdot.org].
Re:Fun fun fud (Score:5, Informative)
Information transmitted from government installations is compartmentalized according to its classification level. Unclassified systems don't reside on the same networks as those intended for classified purposes.
I'm a Navy communications nerd; this is kinda what I do for a living.
Re:If you have BGP peering... (Score:3, Informative)
I haven't come across a good technical description of the attack, but I expect that the AS path prepending is just to stop the transit AS that you are using to reinject the traffic from sending the traffic straight back at you.
ie. if you know AS666 is a transit for AS69 (that you are hijacking the traffic from), then you prepend AS666 in the path you advertise to the rest of the internet and bgp loop detection on the routers in AS666 will drop the bogus path and send your traffic to the real target AS69 instead.
Re:Fun fun fud (Score:4, Informative)
redirection attacks (Score:1, Informative)
Re:SSL (Score:5, Informative)
They gave away Microsoft's private keys to someone who called them
Not quite. Microsoft's private key wasn't compromised; their identity was stolen. The attacker convinced VeriSign to sign his certificate claiming to be "Microsoft Corporation." The whole point of PKI is to never transmit your private key, even to an authority like VeriSign. As usual, the technology is secure; it's the people running it who aren't.
Re:Fun fun fud (Score:5, Informative)
It's a picture of Bill O'Reilly [goatse.cx] for some reason.
I... think that's an improvement...?
Re:Fun fun fud (Score:4, Informative)
Just stuff the AS numbers of the BGP anomaly detection systems into the path you're using to hijack and voila! They'll never see it.
The attack uses spoofed AS paths which include the AS numbers of the ASes in the -return path- of your hijacked traffic. It works because the default eBGP behaviour is to drop routes w/ an AS in the path that matches theirs (loop detection!)
Its not fool-proof, but you -can- reasonably selectively remove ASes from receiving the announcements.
Furthermore, if you know the topology near the network you're hijacking, you could figure out all the exit (transit) ASes, spoof those so the announcement never makes it out to the general internet and hijack the traffic near them. Dense peering relationships at multiple places around the internet == your friend in this method.
Re:Fun fun fud (Score:3, Informative)
No such network exists, white house email all travels through the regular Internet. The pentagon has some network capability of its own but that is mostly leased lines. Very few parts are actually pentagon controlled fiber. I have been in countless meetings where the pentagon has proposed building its own independent network.
Some White house email is encrypted. The pentagon has a massive email security project. But that only handles a portion of the traffic.
And the Bush administration have in any case been routing their communications through gwbush43.com which is run by an outside contractor and which must have been penetrated by the Russians, Iranians, Israelis and every other self respecting intel service.
Re:The man in the middle (Score:1, Informative)
Slashdot, the only site in internet where a post titled The Internet Biggest Security Hole can result on a vagina talk.
Correcting myself is the site with the fastest convergence rate to that topic.
Re:Fun fun fud (Score:5, Informative)
Anyone who knows anything about basic Internet protocols should be shitting themselves right about now.
And those of us who actually do this stuff for a living (who already knew at least most of this) are neither surprised, nor any more paranoid about it. As a matter of fact, this might be the sauce needed to get more providers to properly filter announcements, and possibly more. So making this more public might actually be a good thing.
The ability to hijack space is already very well known to anyone in a position to do it, and most of us have accidentally done so at some point in our careers. I know I haxxored 192.168.0.0 by accident once by announcing it to an upstream. Yeah....it happens. And it never should. TO this day, you'll more often than not see RFC1918 space being announced if you get a full routing table.
BGP routing table entry for 192.168.0.0/16, version 3564
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Advertised to non per-group peers:
202.10.0.201 202.10.0.202
Local
192.0.2.1 from 0.0.0.0 (192.189.54.221)
Origin incomplete, metric 0, localpref 101, weight 32768, valid, sourced, best
Community: 2764:20