Route-Injection Attacks Detouring Internet Traffic 85
msm1267 writes "Attackers are using route injection attacks against BGP-speaking routers to insert additional hops in the traffic stream, redirecting traffic to third-party locations where it can be inspected before it's sent to its destination. Internet intelligence company Renesys has detected close to 1,500 IP address blocks that have been hijacked on more than 60 days this year, a disturbing trend that indicates attackers could finally have an increased interest in weaknesses inherent in core Internet infrastructure."
Lost (Score:1)
Oh no did this get re-routed? Damn them.
Re:Lost (Score:4, Funny)
No, not at all.
What that's over there?
-Friendly NSA Spook
another day (Score:3)
Re:another day (Score:5, Interesting)
Maybe yes, but probably not.
The thing with BGP is that there aren't that many sites using it and in order to pull off the attack as described you'd need a LOT of network resources. On the level of one of the backbone providers.
In the past there have been problems where bad BGP info resulted in traffic going where it should not have gone. But that appears more like a black hole. Because there is no route back out.
In order to exploit it the bad network would have to be able to stop the good networks from exchanging routing info. And in order to do that you'd have to be at their level and between them. At which point you already have the access.
Re: (Score:2)
The thing with BGP is that there aren't that many sites using it
Hahahaha. What?
Re:another day (Score:5, Informative)
The thing with BGP is that there aren't that many sites using it
Woosh. Do you even know what you're talking about? There are literally NO "sites" using BGP (except inasmuch as sites use routers to convey data back to users). BGP is used by ISPs and Telcos, on peering routers etc.
On the level of one of the backbone providers.
Yep that is exactly what they are talking about. Someone is compromising backbone providers. THAT'S WHY THIS IS NEWS.
Re:another day (Score:5, Interesting)
You are wrong. I've worked at sites that do use BGP because they have to manager multiple incoming lines from multiple ISP's. It's for failover.
No. Because the ISP's and Telco's exchange BGP information between themselves. So if bad BGP info is uploaded then it will be shared and the packets will only go to the bad network. They will never get to their original destination. Because every time a packet hits a backbone router it will be routed back to the bad network.
Unless their original destination is off of the bad network in which case why bother with this?
Re: (Score:2)
You've demonstrated you have no idea how these attacks work, why they're important, or even how BGP [wikipedia.org] itself works.
Re: (Score:2)
You know, I'm pretty sure that the guy with the 4uid might have a better clue about what they're talking about...just maybe.
Re: (Score:2)
Your assumption would be incorrect. Someone existing for a set period of time on this planet is not a reliable indicator of knowledge. That's one of the hardest things I've had to learn in fifteen years of systems work.
Re: (Score:1)
I'll expand upon my last comment a bit: if I had a dollar for every time I've heard the expression "I'm an expert at [insert thing here]" from someone who has the benefits of age and allegedly tons of experience with [insert thing here], and I subsequently have to fix whatever busted server/network/software config was put in place by the "expert," I'd be a wealthy man. Instead, at 32 I've learned that assumptions about competence should never be made based on things like UIDs. You can hope someone who has b
Re: (Score:2)
And I would propose, that the length of time someone is in a field alone is not a good indicator of real expertise, however, length of time coupled with a remaining desire for the field usually DOES. Since he's on a "news for nerds" site, at least when it was still one, I would have to give him the benefit of the doubt even if I didn't understand the technology, which I do, and he is correct.
Re: (Score:2)
Ugh, I wish I could take that back. His first answer was correct, but his second wasn't. I guess I should have read the whole thing. Now I have egg on my face, and while it is breakfast time, I prefer it on my plate.
Re: (Score:2)
Re: (Score:2)
Roger that (pun intended, if my guess is correct). Thanks for the backup; it's a bit unsettling how many people are taken seriously on topics like these when they don't actually know what they're talking about. Oh well, I suppose we get what we get.
Re: (Score:2)
what if target has few IPs? or ipv6?
Re: (Score:2)
or you hijack small portion of victims network and secure VPN beachhead in another part. You send return traffic over VPN and dump it inside victims network = no BGP involved
Re:another day (Score:4, Informative)
Re: (Score:1)
That was modded "informative?" Jesus wept. (Score:1)
We use BGP internally here and we're connected to several other enterprises that have large BGP-routed internal networks. We're not a telco or an ISP.
Re: (Score:2)
You objective is to get traffic to cross boundaries so that it fits into your authority to monitor. Then the traffic is subject to one your existing keyword searches or is eligible to be stamped "authorized" by a Foreign Intelligence Court.
Re: (Score:2)
No, you just have to advertise a shorter and/or more specific route to the destination. The other routers will accept that. The tricky part is making sure you don't create a routing loop that would prevent you from getting the re-routed traffic to the original destination. Because of that, you are unlikely to ever be able to grab all of the traffic, but you can grab portions of it.
Re: (Score:1)
You would have got first post, but the NSA routed your connection through their server's in Afghanistan.
traceroute (Score:2)
Will the dark side be able to disturb the course of this story?
traceroute -m 100 216.81.59.173
Re:traceroute (Score:4, Informative)
Re: (Score:2)
Pointless (Score:1, Insightful)
Posting a worthwhile comment on this site is like reading Robert Frost to pigs. All you end up with is a book soaked in pigshit.
Re:Pointless (Score:5, Insightful)
You'll be surprised. There are diamonds in the shit. Many knowledgeable people frequent this site, but many are repulsed from making a new thread. They jump on a good ones though.
So this is what stories are: Early threads of jokes by people that don't read the article or summary; Followed by people that read the summary then read relevant Wikipedia article; Finally by people that read the article. Somewhere in the last two categories, insightful or interesting thread will be made and the worthwhile comments will come.
Of course that won't happen if the good posters take up your attitude and just give up. So if you know something about the subject in the article, don't be shy and make a thread explaining the matter in your own words or make examples. Worst case scenario is that you get joke/grammar nazi responses or get down modded. The former doesn't matter as time goes on you will get insightful resposes after a while. As for the latter: Don't get discouraged. There are lots of us that read at -1.
As the case here :-)
Re: (Score:2)
If we know they are looking... (Score:3)
Who are they looking at? - That will tell us who is doing the looking.
Encrypt all the things (Score:4, Insightful)
Really, I think it's time for this.
The IETF commited themselves to do so, here are the talks (among the speakers: Bruce Schneier) and discussions:
http://www.youtube.com/watch?v=oV71hhEpQ20#t=23m02s [youtube.com]
Here is the voting part:
http://www.youtube.com/watch?v=oV71hhEpQ20#t=2h28m20s [youtube.com]
Yes, I think we need some DNSSEC with that too. Not for encryption, but to verify the data (when you route hijack you can easily change some DNS-packets).
The number of attackers that can get attack to the root and tld keys are limited. Yes, it might include NSA and CIA that can get access to the root*, but that probably means it won't be China or Russia.
* Although I don't see a way they can get access to the root signing key and stay undetected, that should deter them. Maybe they can get access to the zone signing keys though, they are valid for a couple of months. As VeriSign and ICANN are both organisations in the US. So they would need get access to those keys at least periodically though.
Re: (Score:1)
One attacker which is part of the problem is too many.
No. We're taking the root away, too. A Nation State Adversary cannot possibly hold the root namespace key, it's a fundamental conflict of interest. And we have the revocation keys. We made sure of that from the beginning.
You didn't see that vote, because we still have to reach consensus on what replaces it. (And we'd better come up with something good, or as Schneier said in the talk, it'll be the ITU, and that's worse. A new IANA.INT, perhaps.)
Re: (Score:1)
Let me paraphrase the original article for clarity:
The NSA has been rerouting traffic at the backbone level in order to obtain traffic patterns that fit the agency's approved search criteria.
Much prefer Invisible Internet (I2P) for that role (Score:4, Interesting)
Conventionally encrypted links naively tell listeners the who, where and when of the communications.
Schneier makes good points in your first link: He asserts metadata=data, and makes special mention of the NSA's hatred for Tor. This is very apt, IMO... Tor is there early in his speech as an NSA bugaboo because anonymization networks are uniquely suited to hiding the metadata. Onion routing provides resistance to traffic analysis, and traffic analysis easily provides the who, where and when details of simplistic crypto links.
To get past the metadata surveillance problem, our encrypted communications will have to become both decentralized and structured. And the structure that current information technology can provide essentially boils down to a marriage of P2P and onion routing.
Now, if you want verification along with your onion routing, that is simpler than you may think because addresses on these networks also happen to be cryptographic keys that can be used to verify identity. If your systems remain secure, then no one else can reasonably impersonate you or the parties you're communicating with... as long as you stick to using .onion and .i2p addresses. This use of encrypted onion routing is known as 'darknet'.
So... To get past the surveillance problem and facilitate mutual trust, our communications will have to shift toward darknets. Online privacy requires the tools of anonymity every bit as much as it needs the principles of open source.
I'd actually recommend I2P - not Tor - as a model for a privacy- and trust-hardened Internet, because ubiquitous end-to-end encryption means no more need for "exit nodes", and also because I2P is intended to be general purpose, less centralized and more scalable... and the topology more closely mirrors a physical mesh network. They even have a server-less email system based on DHT running.
I2P is almost as old as Tor, and has increased its rate of growth considerably over the past few years. To me, the only real question about how appropriate the I2P concept is for a hardened Internet is just how many nodes it can really scale.
Schneier's bullet list: How I2P stacks up (Score:3)
BTW, you may recognize many of the qualities touted by the Diaspora project in the responses below:
'Ubiquitous encryption' (on backbone, because that's where NSA taps are)
I2P goal is ubiquitous encryption between all routers and clients (which are essentially the same thing to it). Also, its general purpose so its possible ubiquitous among applications.
'Target dispersal'
If each person or organization routes traffic and mints their own crypto-based addresses, then
Re: (Score:2)
While I agree with you.
The real problem is: how do we get all of the public to adopt something like this.
Re: (Score:2)
While I agree with you.
The real problem is: how do we get all of the public to adopt something like this.
One way is to say, "You can reach me at this address using I2P...". If enough people started using it for their interpersonal communications, it could become a standard of sorts that eventually gets adopted by business. People use Facebook, Skype and Twitter for business communications these days and the latter two had scarcely any marketing to speak of and spread through informal, personal use.
It's only competition (Score:1)
Looks like the NSA has competition
Re: (Score:1)
Why wasn't this done before? (Score:2)
Perhaps some network guru can explain: Why wasn't this exploited long ago?
Re: (Score:2)
Perhaps some network guru can explain: Why wasn't this exploited long ago?
This was exploited a decade ago already. The only difference with today is that it was done by one anti-spammer (MAPS) versus another anti-spammer (ORBS) to fight out a war.
Re: (Score:2)
Router poisoning is an old attack, used many times. Sometimes deliberately, sometimes when a router goes bad.
BGP supports encryption, via certificates or shared secrets. People were supposed to have made the switch years ago, but I have posted time and again that this hasn't happened in practice.
misleading & likely incorrect (Score:5, Interesting)
This whole article smacks of some CISSP pouring over BGP looking glass router logs and having a sophomore Eureka moment. BGP MITM is not practically possible because of the return path problem: the last router that dumped you the traffic believes you are the legitimate endpoint for that traffic and therefore is not going to forward it to the ACTUAL target once you're done doing nefarious things to it. The article tries to explain this away with the following:
"The traffic was likely examined and then returned on a “clean path” to its destination—all of this happening in the blink of an eye."
If the 'clean path' of the internet thinks Mallory is Bob, Mallory's theoretical egress 'Clean Path' will make the same assumption. Perhaps Alice's first hop AS was compromised? If so this is an isolated vendor network problem, not an 'internet at large' problem. Maybe Mallory's 'clean path' is a point to point to Bob? If so Bob's an idiot for signing a peering agreement with a known Hooligan.
This was likely a misconfigured customer router connected to an irresponsible ISP that doesn't filter the routes it accepts, just like the Pakistan/Youtube Incident. The author either doesn't understand the technical impossibility of the attack they're dreaming about or does and is willing to lose credibility in exchange for ad traffic.
Re:misleading & likely incorrect (Score:4, Insightful)
If so Bob's an idiot for signing a peering agreement with a known Hooligan.
Unless that hooligan delivers the agreement attached to a National Security letter.
From TFA:
Renesys provided two examples of redirection attacks. The first took place every day in February with a new set of victims in the U.S., South Korea, Germany, the Czech Republic, Lithuania, Libya and Iran, being redirected daily to an ISP in Belarus.
Makes sense. This is exactly the sort of partner I'd expect the NSA to work with. If packets were diverted through Langley, VA or somewhere in Utah, we'd all figure out who was behind this pretty quickly.
Re: (Score:1)
Couldn't help noticing that Ashburn, Virginia is on the list of legitimate hops; it appears to be the last legitimate hop before detour.
The original UUNET headquarters, now Verizon's Network Operations Center.
Fortunately it is in a remote area far from the meddling hands of federal agencies and their contractors, the sleepy Dulles corridor.
Re: (Score:2)
Makes sense. This is exactly the sort of partner I'd expect the NSA to work with. If packets were diverted through Langley, VA or somewhere in Utah, we'd all figure out who was behind this pretty quickly.
Instead, everyone just assumes the NSA are behind it, even if it's actually... whatever the KGB mutated into after the Soviet Union collapsed. Or are they still the KGB these days?
Re: (Score:2)
I don't think Belarusians are that great allies of Russia thanks to the treatment they suffered under Stalin and later Soviet leaders.
Re: (Score:2)
College Kids, screwin around.. [southparkstudios.com]
Re: (Score:3)
It;s hard but not impossible as long as you are well connected (in the network topology sense) and accept that you can only hijack a portion of the traffic at once.
For example, lets say you are directly connected at MAE East and MAE West. Announce your bogus route to some site on the east coast at MAE West. Make sure your announced cost is just short enough to look like the best route to a router in the western half of the U.S. Then tunnel the traffic to your own location for logging and whatever nefarious
Re: (Score:1)
And the attacker can't learn where the original router was going to deliver the packet, and simply deliver the packet to that IP?
Only if the attacker is directy connected(*) to the netwok that has that IP. You can't "deliver a packet", you pass it to someone who passes it to someone who...
(*) or as sjames says enough, more closely connected than the place you stole the packet..
Re: (Score:1)
Presumably someone intercepting has more than one route to the victim AS. one to perform the intercept and another to pass on the traffic with to it ends up delivered to the victims AS. so they shunt the traffic inside some MPLS tunnel across their own network (via their inspection device/system).
Now if you are talking about asymmetric routing issues that is a different matter. Since the victim AS won't automatically send the other half of the data stream via your hijacking networking (unless of course y
Re: (Score:1)
This was likely a misconfigured customer router connected to an irresponsible ISP that doesn't filter the routes it accepts,
The "irresponsible ISP" is most (all?) of them.
which 1500 blocks (Score:2)
specifically? is there a reason renesis does not appear to supply this information, or am i missing it?
Weakness in core Internet infrastructure .. (Score:2)
Like how, if a router is hackable then the weakness resides in the router, not the core Internet infrastructure, the internet is doing what it was designed for, routing packets
Really? Again? (Score:2)
*sigh*
Another day, another announcement of an old hack which any serious network admin would have filtered by now. The fact this is happening at ISP/carrier level is extremely disheartening.
Re:Really? Again? (Score:5, Insightful)
As a "serious network admin", most groups have little control over the critically necessary BGP handling of their upstream nework provider. Ones is't left your building, it takes considerable extra steps to track and verify the packets to ascertain the packets are being routed outside your upstream venror, or their colleague's, control. By the time you can get the evidence passed along to any party in any of those companies that can actually do anything about the problem, the attack is often already over, if not simply better concealed.
Unfortunately, BGP has been a necessary evil to _balance_ traffic in a dynamic network. It's also unfortunate that it is often deliberately manipulated, as a matter of corporate strategy, to avoid expensive but faster routes, or to manipulate competitor's traffic reports. The amount of business based manipulation of what was designed as a metric based feedback and tuning system means that it will not ever be used for "honest" routing. I'm afraid that any plan to sanitize the BGP tables will run afoul of business needs and wind up rejected.
Re: Really? Again? (Score:2)
My point exactly.
I filter the routes I accept from upstream and downstream. I have gone blue with a provider about the fact they were accepting private network advertisements from customers. Needless to say, we're not with that provider anymore. I do monitor odd advertisements from networks we're not directly peered with. Any ISP not monitoring routes is either overworked or slack
MITM? (Score:1)
The NSA does it, was this the NSA?
Is Schneier wrong to call for a "safe" Internet (Score:2)
...which sounds like an oxymoron. I thought the Internet was to be considered a hostile environment, at all times. And if servers generally make this assumption, then everyone should.
Its PCs that need to be made safer, more trustworthy. And the requirements on his list [youtube.com] seem to suggest that. For instance, target dispersal. How do you disperse responsibility for net traffic? Create more ISPs? Break them up? No class of corporate aristocrats and their politicos will stand for that. Its laughable! The establish
attackers? (Score:4, Interesting)
Attackers have wised up? rotfl.
We've known BGP is insecure for 15 years, pretty much since someone first thought of thinking "security" and "BGP" in the same sentence.
But the Telco industry is horrible at security. I should know, I've been the IT security dude for a major ISP.
I would be surprised if active attacks on BGP were younger than 5 years. It's more likely that someone has finally taken a look.
Back to RIP (Score:3)
Screw BGP! let's go back to RIP! RIP is good! Static routes better!
DECNet Phase 3 here we come!