The Internet's Biggest Security Hole Revealed

At DEFCON, Tony Kapela and Alex Pilosov demonstrated a drastic weakness in the Internet's infrastructure that had long been rumored but wasn't believed practical. They showed how to hijack BGP (the Border Gateway Protocol) in order to eavesdrop on Net traffic in a way that wouldn't be simple to detect. Quoting: "'It's at least as big an issue as the DNS issue, if not bigger,' said Peiter 'Mudge' Zatko, noted computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. 'I went around screaming my head about this about ten or twelve years ago... We described this to intelligence agencies and to the National Security Council, in detail.' The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper's network." Here's the PDF of Kapela and Pilosov's presentation.
  • Fun fun fud (Score:2, Interesting)

    by Anonymous Coward on Tuesday August 26, 2008 @11:19PM (#24760129)

    Everyone loves sensationalist news headlines. *sigh*
    Anyone have any insight as to how serious this ACTUALLY is?

  • Re:Fun fun fud (Score:5, Interesting)

    by QuantumG ( 50515 ) * <qg@biodome.org> on Tuesday August 26, 2008 @11:26PM (#24760191) Homepage Journal

    Let's put it this way. Email, right? It's delivered between hosts completely unencrypted. Imagine you could sniff all the email passing into, say, the White House. Would that be worth something?

    Note, I've also given you the hint to prevent this bullshit from being a problem.

  • Re:SSL (Score:5, Interesting)

    by Free the Cowards ( 1280296 ) on Tuesday August 26, 2008 @11:30PM (#24760229)

    I don't think anyone thinks that self-signed certs should be blindly accepted.

    What should be done is that self-signed certs should be acceptable, with the right handling. The way ssh does this is a good one; it alerts you when you initially connect, and throws up an extremely loud and nasty warning if the host's cert has changed from the last time you connect. This gives you the opportunity to verify the cert out of band if you should care to, and forces an attacker to hit you on your very first access to a given site.

    Properly signed certs should be given higher priority, but a self-signed cert is still vastly better than nothing. The problem is that current browsers treat self-signed certs as being the worst of the three, when in reality they're much better than a naked HTTP connection.
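
The ssh-style handling described in the comment above, as an added example that is not code from the page or from any browser: pin the SHA-256 fingerprint of the server's DER certificate on first contact, report a match on later visits, and treat a different certificate as a loud failure that is never silently accepted. The host name, store path and certificate bytes are constructed stand-ins; a real client would take the DER bytes from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
"""SSH-style trust-on-first-use (TOFU) for TLS server certificates.

Added example, not code from the page. Certificates are identified by the
SHA-256 of their DER encoding; in a real client those bytes come from
ssl.SSLSocket.getpeercert(binary_form=True).
"""
import hashlib
import json
import os
import tempfile


def fingerprint(cert_der: bytes) -> str:
    return "SHA256:" + hashlib.sha256(cert_der).hexdigest()


class KnownHosts:
    """Persistent host -> certificate fingerprint store (like ~/.ssh/known_hosts)."""

    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def _save(self) -> None:
        with open(self.path, "w") as f:
            json.dump(self.pins, f)

    def check(self, host: str, cert_der: bytes) -> str:
        """Return 'new' (pinned now), 'known' (matches the pin) or 'changed'.

        'changed' is the loud warning: the pin is NOT updated, so a
        man-in-the-middle presenting a fresh self-signed certificate gets no
        trust until the user verifies it out of band and calls trust().
        """
        fp = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp
            self._save()
            return "new"
        return "known" if pinned == fp else "changed"

    def trust(self, host: str, cert_der: bytes) -> None:
        """Replace the pin after the new fingerprint was verified out of band."""
        self.pins[host] = fingerprint(cert_der)
        self._save()


def demo() -> list:
    """First contact, a repeat visit, a swapped certificate, the original
    certificate again, then an explicit out-of-band acceptance of the new one.
    The DER bytes are constructed stand-ins, not real certificates."""
    legit_cert = b"constructed DER bytes of the site's own self-signed cert"
    mitm_cert = b"constructed DER bytes of an interceptor's cert"
    results = []
    with tempfile.TemporaryDirectory() as d:
        store = KnownHosts(os.path.join(d, "known_hosts.json"))
        results.append(store.check("mail.example", legit_cert))  # new
        results.append(store.check("mail.example", legit_cert))  # known
        results.append(store.check("mail.example", mitm_cert))   # changed
        results.append(store.check("mail.example", legit_cert))  # still known
        store.trust("mail.example", mitm_cert)                   # verified OOB
        results.append(store.check("mail.example", mitm_cert))   # known
    return results


if __name__ == "__main__":
    print(demo())
```

The weak point of this scheme is exactly the one the comment names: an attacker who is already in the path on the very first connection gets pinned as the legitimate host, which is why the "new" result should still be shown to the user with the fingerprint so it can be compared out of band.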

  • by kwabbles ( 259554 ) on Tuesday August 26, 2008 @11:40PM (#24760369)

    The guy's been involved in many of security's moments in history.

  • by mbone ( 558574 ) on Tuesday August 26, 2008 @11:43PM (#24760405)

    There is a lot of harm you can do, at least for a short while. But I have to say, this seems like a lot of FUD to me.

    It is not trivial to get BGP peering, or to keep it if you are doing bad things. You will need one or more peers, and they will have to do this for you manually, not automatically. And (as I can attest) the AS prepending this attack relies on is a very blunt instrument.

    Here are the troubles I see:

    - You need to be able to offer a better path from Point A to Point B than the existing Internet topology

    - Unless you are Dr. Evil and can afford infinite bandwidth, this better path had better not also apply to a large chunk of the Internet, or you will get hosed with a lot of bandwidth (and, also, instantly show up on the screens of NOCs all over the place) and

    - If you are relying on AS prepends, these affect the path from you, but not directly the path to you. They are notoriously tricky and may stop working (because of changes in other people's advertisements) at any time.

    So, to me, this might work sometimes for some people in some places, but probably not that well on a general basis.

    The DNS cache poisoning sounds a lot worse, frankly.
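
The mechanics that mbone's objections and the talk both turn on, as an added toy model that is not code or data from the presentation: a more-specific prefix wins longest-prefix match regardless of AS_PATH length, and the AS-path prepending mbone refers to is what keeps the attacker's return path clean. The attacker pads its AS_PATH with the ASNs on its own route back to the victim, so those networks reject the hijack through ordinary loop detection and keep forwarding to the real origin. Everything here is constructed: the topology, the ASNs (100 victim, 666 attacker, 200 observed network, the rest transit) and the prefixes. Withdrawals, policy and MED are not modelled.

```python
"""Toy model of BGP route propagation showing why the demonstrated hijack needs
AS_PATH poisoning. Added example with a constructed topology and made-up ASNs;
not code or data from the talk."""
import ipaddress
from collections import defaultdict

# Constructed topology: undirected links between ASNs. 100 originates the
# victim prefix, 666 is the attacker (multi-homed to 30 and 50), 200 is a
# network whose traffic towards 100 the attacker wants to read.
LINKS = [(100, 10), (10, 20), (20, 30), (20, 50), (30, 666), (50, 666), (50, 200)]
VICTIM, ATTACKER, OBSERVED = 100, 666, 200


def adjacency(links):
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def propagate(links, originations, announce_to=None, max_rounds=50):
    """Flood announcements until no RIB changes (no withdrawals modelled).

    originations: {asn: [(prefix, extra_path)]}; extra_path is whatever the
    originator puts in AS_PATH after its own ASN (empty for honest origins;
    AS_PATH is not authenticated, so a forger can put anything there).
    announce_to: {(asn, prefix): set(neighbors)} limits where an originator
    advertises a prefix; default is every neighbor.
    Returns {asn: {prefix: (as_path, next_hop)}}, next_hop None when local.
    """
    adj = adjacency(links)
    announce_to = announce_to or {}
    rib = defaultdict(dict)
    for asn, routes in originations.items():
        for prefix, extra in routes:
            rib[asn][ipaddress.ip_network(prefix)] = (tuple(extra), None)

    for _ in range(max_rounds):
        changed = False
        for sender in list(adj):
            for prefix, (path, next_hop) in list(rib[sender].items()):
                advertised = (sender,) + path       # prepend own ASN
                targets = adj[sender]
                if next_hop is None:
                    targets = announce_to.get((sender, prefix), targets)
                for rcv in targets:
                    if rcv in advertised:           # loop detection drops it
                        continue
                    cur = rib[rcv].get(prefix)
                    if cur is not None and cur[1] is None:
                        continue                    # never replace own prefix
                    if cur is None or len(advertised) < len(cur[0]) or (
                            len(advertised) == len(cur[0]) and sender < cur[1]):
                        rib[rcv][prefix] = (advertised, sender)
                        changed = True
        if not changed:
            break
    return rib


def forwarding_path(rib, start, ip, relays=frozenset()):
    """Follow longest-prefix-match next hops from `start` towards `ip`.

    ASNs in `relays` (the attacker) forward intercepted traffic onward using
    their best *learned* route. Ends in 'delivered', 'no-route' or 'LOOP'.
    """
    ip = ipaddress.ip_address(ip)
    hops, asn = [], start
    while asn not in hops:
        hops.append(asn)
        routes = [(p, r) for p, r in rib[asn].items() if ip in p]
        if asn in relays:
            routes = [(p, r) for p, r in routes if r[1] is not None]
        if not routes:
            return hops + ["no-route"]
        _, (_, next_hop) = max(routes, key=lambda pr: pr[0].prefixlen)
        if next_hop is None:
            return hops + ["delivered"]
        asn = next_hop
    return hops + ["LOOP"]


def run(poison):
    """100 announces 10.0.0.0/16; 666 announces the more-specific 10.0.0.0/24
    towards AS 50 only. With poison=True it pads AS_PATH with 30, 20 and 10,
    the ASes on its return path to 100, so their loop detection rejects the
    hijack and they keep forwarding towards the real origin."""
    hijack = ipaddress.ip_network("10.0.0.0/24")
    originations = {
        VICTIM: [("10.0.0.0/16", ())],
        ATTACKER: [(str(hijack), (30, 20, 10) if poison else ())],
    }
    rib = propagate(LINKS, originations, {(ATTACKER, hijack): {50}})
    return forwarding_path(rib, OBSERVED, "10.0.0.5", relays={ATTACKER})


if __name__ == "__main__":
    print("poisoned:  ", run(True))    # traffic reaches 100 via 666
    print("unpoisoned:", run(False))   # the more-specific loops back to 666
```

Without the poisoned path the more-specific spreads to every transit network, including the ones the attacker needs for the return trip, and the intercepted packets loop straight back to AS 666; with it, 30, 20 and 10 never install the hijack and the traffic from 200 reaches the victim through the attacker. This also illustrates mbone's point that the trick depends on other networks' announcements staying as they are: any change to the return path means re-guessing which ASNs to pad.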

  • Re:Fun fun fud (Score:3, Interesting)

    by kjots ( 64798 ) * on Tuesday August 26, 2008 @11:45PM (#24760423)

    Anyone have any insight as to how serious this ACTUALLY is?

    How serious? This could potentially render the entire Internet inoperable. For real. Anyone who knows anything about basic Internet protocols should be shitting themselves right about now.

    What we have here is a basic weakness in one of the fundamental Internet protocols; an assumption of trust that is no longer valid. Think spam but a million times worse.

    I'm not usually one to fall prey to 'Imminent Collapse Of The Internet' hyperbole, but this one has me really worried.

    by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Tuesday August 26, 2008 @11:48PM (#24760451) Homepage Journal

    If that's the British DHS, the American counterpart is Home Depot, and it should be obvious why they'd want to spy on people. This isn't really a security issue in the same sense broken encryption or the loss of unencrypted data is a security issue, though, so can someone change the icon and section to "mindless stupidity in protocol design" and/or add "Stone De Croze" to the tags?
  • by Animats ( 122034 ) on Tuesday August 26, 2008 @11:49PM (#24760459) Homepage

    I looked at this problem back in the early 1980s, when I was doing some work on TCP. I was trying to come up with a routing protocol that didn't require passing the same information around repeatedly, because backbone networks had very low bandwidth back then, and the existing routing protocols had either O(N^2) traffic or the "hop count to infinity" problem.

    I came up with something called "Gateway Database Protocol", which was a scheme for passing tuples of the form "X says Y=Z" around. The idea was that any node seeing inconsistencies in "X says ..." would propagate the tuple back to X, revealing the problem to X.

    This is enough to detect hijacking, but not enough to stop it. I'd worked out a scheme good enough to automatically correct erroneous data, but not one good enough to deal with the insertion of hostile data. The design goal back then was to guarantee that if the hostile site was removed from the network (perhaps forcibly), the system would then stabilize into a valid state.

    That's not enough any more. But it is worthwhile considering that a routing protocol should have the property that if X's info is being faked anywhere in the network, X hears about it. BGP doesn't do that.

  • Re:Fun fun fud (Score:5, Interesting)

    by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Wednesday August 27, 2008 @12:08AM (#24760635) Homepage Journal

    Let's see. MPLS, SCTP, STP (Scheduled Transfer Protocol), UDP-over-v4, TCP-over-v4, MPLS, UDP-over-v6, TCP-over-v6, IP-over-ATM, IP-over-SCSI, IP-over-IB, IP-over-power, IP-over-carrier-pigeon, v6-over-v4, v4-over-v6, v6-over-v6, optional recognition of TOS, optional handling of ECN, scalable reliable multicast, anycast, optional recognition of source-based routing, optional recognition of TCP cookies, optional support for packet dropping (RED, GRED, WRED, BLUE, Stochastic Blue, GREEN, BLACK, PURPLE, WHITE), optional support for enhanced authentication packets, IPv6 extended headers, support for unidirectional links, optional support for transitory addressing schemes, optional support for Mobile IP, optional support within Mobile IP for routing realignment, optional support for NEMO, optional use of any of the experimental protocols defined under the names of TUBA, IPv5 and IPv7, anything-over-IPSEC (tunnel or host), anything-over-SKIP -- I've not bothered to keep count, but my Internet link hasn't fallen over yet from diversity. Pity to hear about yours.
  • by CodeBuster ( 516420 ) on Wednesday August 27, 2008 @12:09AM (#24760643)

    You need to be able to offer a better path from Point A to Point B than the existing Internet topology.

    It has been done before. In fact, for many decades during and after the Cold War the United States offered some of the best quality data services at the highest speeds for cheap prices (subsidized by your tax dollars) merely to ensure that the majority of the international telephone and non-satellite data traffic passed through the United States somewhere along the way from Point A to Point B.

    Unless you are Dr. Evil and can afford infinite bandwidth, this better path had better not also apply to a large chunk of the Internet, or you will get hosed with a lot of bandwidth.

    As I mentioned above, the US Government can afford a lot of bandwidth when they want to, and they want to ensure that as many ISPs around the world as possible choose our fast subsidized fiber backbones (I say backbones because last-mile service for consumers in the US still sucks hard core compared to Korea, Japan, and even Europe) to route their traffic across the globe (i.e. they lease bandwidth from US companies and the data passes through US borders). If some people don't think that US companies are complicit in this, *cough* AT&T *cough*, then the whole telecom immunity debate just went over their heads.

    So, to me, this might work sometimes for some people in some places, but probably not that well on a general basis.

    Better than none of the time so why not try and make the best of it if you can (NSA's point of view).

  • by inKubus ( 199753 ) on Wednesday August 27, 2008 @12:35AM (#24760819) Homepage Journal

    BGP is what Internet routers use to tell each other what incoming traffic should be routed where. It isn't used for actual user data transmission.

    Yeah, probably it's best to avoid the internet for sensitive traffic. And they do. They have their own copper, fiber, microwave, and satellite telcom system. Yes, some of it is leased from the telcos but I doubt if the packets come anywhere near the internet routers.

    But not all governments have the luxury of that sort of system and I'm sure a lot of them use the internet to communicate globally. That's why we generously helped them put in all those undersea cables...

    Oh, by the way, there are "private" companies with undersea fiber that are not peered to the internet, and no one knows about them. Some things you can't trust the telco with.

    The last thing you should trust is the Internet. Even with encryption, the way it works is on implied trust relationships. So does DNS, and so does the public key infrastructure. As other posters mentioned, you are relying on your upstream provider to give you clean routing tables. The advertised routes need to be the real best route to a closer hop. And somewhere there are the root servers which have the master tables.

    An interesting way to maybe catch them would be to analyze the BGP tables (archive them somewhere and actually get a real list of good hosts). I know there are projects such as Route Views [routeviews.org] which attempt to archive the routing tables. This might be a start. You would need to whitelist people though, or blacklist certain subnets, and it sort of defeats the point of the Internet being open.
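
The archive-and-compare idea in the comment above, as an added example that is not code from the page or from Route Views: the operator of an AS keeps the exact set of prefixes it announces and scans a collector's routing-table snapshot for anything inside that address space it did not announce itself. The snapshot format (`prefix|AS_PATH`, one line per collector peer), the ASNs (documentation and private ranges) and the prefixes are all constructed.

```python
"""Flag hijack candidates by comparing a routing-table snapshot against the
prefixes we know we announce. Added example with constructed data; the
snapshot is a flattened stand-in for an archived Route Views table."""
import ipaddress
from collections import defaultdict

OUR_AS = 64496                                  # constructed: the ASN we run
ANNOUNCED = {"10.0.0.0/16", "192.0.2.0/24"}     # constructed: exactly what we announce

# Constructed snapshot: prefix|AS_PATH per collector peer. 64500-64503 are
# collector peers and transits, 65001/65002 the unexpected origins.
SNAPSHOT = """\
# prefix|as_path (constructed data)
10.0.0.0/16|64500 64497 64496
10.0.0.0/16|64501 64498 64497 64496
192.0.2.0/24|64500 64497 64496
10.0.0.0/24|64501 64499 65001
10.0.1.0/24|64500 64499 65001 64498 64497 64496
192.0.2.0/24|64501 64502 65002
203.0.113.0/24|64500 64503
"""


def parse_snapshot(text):
    """Yield (network, as_path tuple); blank and '#' lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, path = line.split("|", 1)
        yield ipaddress.ip_network(prefix), tuple(int(a) for a in path.split())


def find_hijack_candidates(our_as, announced, snapshot_text):
    """Return {prefix: {'kind', 'origins', 'paths'}} for every route inside our
    address space that is not one we announced.

    kinds:
      origin-mismatch        exact prefix, but the origin AS is not ours
      foreign-more-specific  sub-prefix we never announced, foreign origin
      spoofed-more-specific  sub-prefix we never announced whose AS_PATH ends
                             in our own ASN: a leak or a forged path. Origin
                             checks alone would pass it; the fact that we
                             never announced it is what gives it away.
    """
    ours = {ipaddress.ip_network(p) for p in announced}
    found = defaultdict(lambda: {"kind": None, "origins": set(), "paths": []})
    for prefix, path in parse_snapshot(snapshot_text):
        if not any(prefix.subnet_of(p) for p in ours):
            continue                            # not our space: ignore
        origin = path[-1]
        if prefix in ours:
            if origin == our_as:
                continue                        # the route we expect to see
            kind = "origin-mismatch"
        elif origin == our_as:
            kind = "spoofed-more-specific"
        else:
            kind = "foreign-more-specific"
        entry = found[str(prefix)]
        entry["kind"] = kind
        entry["origins"].add(origin)
        entry["paths"].append(path)
    return {p: {**e, "origins": sorted(e["origins"])} for p, e in found.items()}


if __name__ == "__main__":
    for prefix, info in find_hijack_candidates(OUR_AS, ANNOUNCED, SNAPSHOT).items():
        print(prefix, info["kind"], "origins", info["origins"], "seen", len(info["paths"]), "times")
```

The caveat a practitioner should keep in mind: this only finds routes an operator can recognise as not its own. An exact-prefix announcement whose forged AS_PATH ends in the real origin looks like a legitimate route to any origin-based check, which is also the limit of ROA-style origin validation; what remains observable in that case is the new AS adjacency in the path, which needs a baseline of expected paths rather than expected origins.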

  • Re:Oh, just great! (Score:3, Interesting)

    by inKubus ( 199753 ) on Wednesday August 27, 2008 @12:51AM (#24760959) Homepage Journal

    Dude, l0pht aka @stake sold out in the early 2000s. Their only claim to fame was their work on the cDc "Back Orifice" and of course "l0phtcrack", which just tricked out LM passwords from cleartext, big deal. Everyone knows about BGP!

    He (Mudge) turned it into a deal, and now he works for BBN [wikipedia.org]. That's where the money is (or has been). Just because someone was at Defcon once doesn't mean he's not working for the Feds. There are some benefits to working for the government.

    It's nice how they've packaged this presentation but this is not news really.

  • Re:Fun fun fud (Score:3, Interesting)

    by gandhi_2 ( 1108023 ) on Wednesday August 27, 2008 @01:01AM (#24761009) Homepage

    So, we can just list any protocol-over-protocol and call that...what?

    On your list alone, how many of them are TCP, IP, and UDP? Doesn't matter if they run on top of another layer or simply encapsulated by another protocol; if someone says there's a big hole in TCP, let's not cry about the TCP monoculture. It has nothing to do with monoculture.

    Sometimes, a can-skinning standard is the best way to skin the cat. Sorry if that creates a cat-skinning monoculture.

    The whole monoculture thing is a stupid argument. If a CSS rendering flaw shows up in the language standard, you could hear MS go "ha ha" cause their "make my own standard" sidestepped the monoculture.

    And you left out Infinite Monkey Protocol Suite, which could be run over PPPoE.

  • Re:Oh, just great! (Score:3, Interesting)

    by inKubus ( 199753 ) on Wednesday August 27, 2008 @01:14AM (#24761121) Homepage Journal

    Yeah, I was exaggerating. Mudge was pretty good. But to say that he sold out the Internet to the Feds is pretty false. I mean, they built it, and the dudes at the NSA have long known about the intrinsic properties of BGP. BBN built a lot of it, actually, which is sort of ironic.

    It is weird though that you saw them drop off the map (along with a lot of other high profile people) after 2001 and now a lot of them work for the Feds. But like I said, that's where the money is (or was).

  • by gujo-odori ( 473191 ) on Wednesday August 27, 2008 @01:44AM (#24761309)

    s/The US Government is/governments are/

    There, fixed that for ya.

    Do you really think government anywhere is trustworthy, or that only the US government would use this technique?

    This technique isn't even hard. I used to work at an ISP in Japan that once spent the best part of the day off the Internet because an incompetent router admin in the ROK was announcing our IP space. We finally managed to get the guy on the phone, only to find that his ability to either speak or comprehend English was negligible and that he spoke no Japanese at all. By then, he seemed to have some clue that he'd screwed up and said he was working on it (I wouldn't be surprised if he announced routes for other ASes than ours). When my jaw really hit the floor was when he managed to explain that he had done this before. He obviously didn't get reamed by his boss enough the first time he screwed up like that.

    As soon as I started reading TFA, I thought "I bet I know how they did it" - and I'm no CCIE level network engineer - and it turned out I was spot on. The technique is simple enough that I'm sure L0pht Heavy Industries 10 years ago were nowhere near the first group to come up with an attack like this. Heck, they probably didn't tell the NSA anything they didn't already know. Any CCIE could devise an attack like that, and so could quite a few people who aren't CCIEs.

    Spying on a large group of Internet users would require tremendous bandwidth and hardware, however - what you might call a rather conspicuous amount of both. It's also not something that would go unnoticed for a really long time by the network engineers at large networks. It might start with a customer complaint of long ping times into their network, or it might start with a neteng looking over the BGP table for something unrelated and thinking, "That's funny" - but it would certainly be noticed. Routing all the traffic for a large AS in, say, the UK through, say, New York, would not go unnoticed for very long.

    The best way to conceal an attack like this would be very near the target network. For example, if you were trying to pick off all traffic bound for a regional ISP, you put your sniffing setup in the same colo facility where they are located.

    If the target is a national ISP in a large country - the kind that is likely to have multiple ingress points to their network - the attack becomes more complicated. You have to either be in all their colo locations if you want optimum concealment (and if they are large, they probably own the colo, making it trickier to hide what you're doing), or you need to pull all their traffic through your single location, which is more likely to be noticed.

    Another good technique for concealing this kind of attack is to not use it all the time. For example, if you know that there are users on Network A on whom you'd like to spy, and that they are communicating with users on Network B, on whom you'd also like to spy, you have a couple of options. One is to randomly announce routes for Network A (and maybe network B at the same time) for some fairly short period of time and at random intervals long enough to let the BGP state go back to normal, and hope you catch something. Another approach is to use some other intelligence sources to figure out the time of day when the communication usually happens and do your intercepts at that time, then turn them off.

    If I can think this up - and I've even been out of the neteng business for over 5 years now - the people who do things like that for a living have not only known about it for many years, they were probably thinking "It took L0pht until *1998* to come up with that, and anyone else another 10 years to come up with a usable exploit?!"

  • Re:Fun fun fud (Score:3, Interesting)

    by thegameiam ( 671961 ) <thegameiam@noSPam.yahoo.com> on Wednesday August 27, 2008 @08:58AM (#24763733) Homepage

    Do they do autoconf or dhcpv6, or is it dual-stack? I'm curious how you get DNS resolver addresses...

  • Re:Fun fun fud (Score:2, Interesting)

    by corbettw ( 214229 ) on Wednesday August 27, 2008 @10:21AM (#24765009) Journal

    End-to-end encryption would only solve one part of the problem, keeping a third party from reading your traffic. But it would do nothing to prevent your traffic from simply disappearing, which could be even more disastrous. What if someone targeted Amazon's networks and dumped all traffic in or out into /dev/null? How much would Amazon lose before the problem got fixed (and what would that be worth to Barnes and Noble)? What if someone targeted Wall Street, and cut off the thousands of broker-dealers who submit their orders electronically? It could spell doom for our entire financial system.

    There's a lot more at stake here than your emails to your college buddies about the next fishing trip.
