
(Wired)   Someone has been siphoning data through a massive security hole in the internet. Well that sucks   (wired.com)
    More: Interesting, black holes, network monitoring, China Telecom, BGP, credit card numbers, Renesys, VoIP, hacker conference  

5049 clicks; posted to Geek on 05 Dec 2013 at 2:42 PM



50 Comments
 
2013-12-05 01:28:06 PM
The traffic hijack, they showed, could be done in such a way that no one would notice because the attackers could simply re-route the traffic to a router they controlled, then forward it to its intended destination once they were done with it, leaving no one the wiser about what had occurred.

Lag.  LAG!  Damnit, fragged again!
 
2013-12-05 01:48:13 PM
Interesting

I can see any nation responsible for doing that. Hell, I wouldn't put it past them Icelanders to be responsible, those farking Vikings.
 
2013-12-05 01:53:57 PM
You should assume any network connection is being monitored and encrypt accordingly.
 
2013-12-05 02:36:32 PM
The traffic hijack, they showed, could be done in such a way that no one would notice because the attackers could simply re-route the traffic to a router they controlled, then forward it to its intended destination once they were done with it, leaving no one the wiser about what had occurred.

Except for these people, who apparently noticed it ...
 
2013-12-05 02:49:44 PM
Why in God's name would you color the LAND blue on a map?
 
2013-12-05 02:50:24 PM
[image: i44.tinypic.com]

How could they have missed that? The Elders of the internet are going to be pissed.
 
2013-12-05 02:53:31 PM

DammitIForgotMyLogin: The traffic hijack, they showed, could be done in such a way that no one would notice because the attackers could simply re-route the traffic to a router they controlled, then forward it to its intended destination once they were done with it, leaving no one the wiser about what had occurred.

Except for these people, who apparently noticed it ...


Well you know technically this happens every day on billions or trillions of connections, because that's how BGP works.   Dunno if it's really a "security" hole in that if a cable is cut somewhere there in the middle the path taken MAY one day be the best path.    The only problem would be if you aren't encrypting traffic that should be encrypted using proper encryption levels.

The data you send out over networks you don't control should ALWAYS be encrypted in a way you want it to be.   And yes, "none" is perfectly acceptable for a lot of that traffic.
 
2013-12-05 02:55:46 PM

haemaker: The traffic hijack, they showed, could be done in such a way that no one would notice because the attackers could simply re-route the traffic to a router they controlled, then forward it to its intended destination once they were done with it, leaving no one the wiser about what had occurred.

Lag.  LAG!  Damnit, fragged again!


Friggin' HPW's, get off my server, this is LPB Rail-only!
 
2013-12-05 02:57:23 PM
Can we blame it on the Welsh?
 
2013-12-05 03:08:18 PM

This Looks Fun: Why in God's name would you color the LAND blue on a map?


[cdn.uproxx.com image 648x359]
 
2013-12-05 03:17:09 PM

tricycleracer: This Looks Fun: Why in God's name would you color the LAND blue on a map?

[cdn.uproxx.com image 648x359]


It might not have been clear, but my question was rhetorical. I merely posted it as an attention seeking measure to point out how smart and observant I am.

/Real talk.
 
2013-12-05 03:20:26 PM

This Looks Fun: tricycleracer: This Looks Fun: Why in God's name would you color the LAND blue on a map?

[cdn.uproxx.com image 648x359]

It might not have been clear, but my question was rhetorical. I merely posted it as an attention seeking measure to point out how smart and observant I am.

/Real talk.


And I used your comment as an opportunity to post an Arrested Development reference.  Everybody wins!
 
2013-12-05 03:23:13 PM
BGP has always been vulnerable, and it's been seriously outdated for at least a decade.  It's long past time we came up with something better.

We should have tossed it after CIDR was implemented; CIDR gave us the breathing room necessary to spend a couple of years devising & testing a replacement.  But we've been limping along ever since.
 
2013-12-05 03:28:04 PM
generic "your mom" reference
 
2013-12-05 03:40:42 PM

tricycleracer: And I used your comment as an opportunity to post an Arrested Development reference.  Everybody wins!


Ah. Never seen it. I thought you were posting that to say something along the lines of "that is not the only map where land is blue ergo that is not a silly thing to do."
 
2013-12-05 04:08:33 PM
Aren't BGP advertisements authenticated, as are all interior routing protocols (if done properly)? Unless I missed it, the article didn't mention why the false advertisements were ever accepted by the legitimate routers, as the fake ones wouldn't have the password (I assume). Did these ISPs just leave their BGP traffic unauthenticated and unencrypted? /confused

The technique doesn't attack a bug or flaw in BGP, but simply takes advantage of the fact that BGP's architecture is based on trust.

A protocol architecture based on trust? Gee, that's helpful. For a second there I thought that  every security model in the world was based on trust.

If anyone can provide actual details about how this exploit actually works, I'm genuinely curious. Only looked for a minute on google, but it sounds like BGP traffic might be unauthenticated?
 
2013-12-05 04:22:06 PM

aelat: Aren't BGP advertisements authenticated, as are all interior routing protocols (if done properly)? Unless I missed it, the article didn't mention why the false advertisements were ever accepted by the legitimate routers, as the fake ones wouldn't have the password (I assume). Did these ISPs just leave their BGP traffic unauthenticated and unencrypted? /confused

The technique doesn't attack a bug or flaw in BGP, but simply takes advantage of the fact that BGP's architecture is based on trust.

A protocol architecture based on trust? Gee, that's helpful. For a second there I thought that every security model in the world was based on trust.

If anyone can provide actual details about how this exploit actually works, I'm genuinely curious. Only looked for a minute on google, but it sounds like BGP traffic might be unauthenticated?


It's a matter of propagation, improper implementation of the trust mechanism, and a fundamental flaw in the trust mechanism.

BGP ports can be open - ie, automatic trust.  This is useful for purely internal networks, since it cuts down on overhead.

Out in the wild, wild, Internet, good ISPs and backbone providers should configure their exterior routers to only trust routers from other good people.

But if there's a weak spot in the trust chain, or someone goofs when installing a new machine (or more likely, doing an upgrade), then you can inject bad routing information into one router and it will propagate willy-nilly through the whole Internet.

Someone who's smarter than me has to figure out a way to efficiently propagate routing info, across a global network with multiple operators, with an enormous number of addresses, while simultaneously sanitizing or double-checking those routing table entries.
 
2013-12-05 04:28:36 PM

aelat: Aren't BGP advertisements authenticated, as are all interior routing protocols (if done properly)? Unless I missed it, the article didn't mention why the false advertisements were ever accepted by the legitimate routers, as the fake ones wouldn't have the password (I assume). Did these ISPs just leave their BGP traffic unauthenticated and unencrypted? /confused

The technique doesn't attack a bug or flaw in BGP, but simply takes advantage of the fact that BGP's architecture is based on trust.

A protocol architecture based on trust? Gee, that's helpful. For a second there I thought that  every security model in the world was based on trust.

If anyone can provide actual details about how this exploit actually works, I'm genuinely curious. Only looked for a minute on google, but it sounds like BGP traffic might be unauthenticated?


Some more details in one of the articles linked to from this one.

The attack is called an IP hijack and, on its face, isn't new. But in the past, known IP hijacks have created outages, which, because they were so obvious, were quickly noticed and fixed.
...
Pilosov's innovation is to forward the intercepted data silently to the actual destination, so that no outage occurs. Ordinarily, this shouldn't work - the data would boomerang back to the eavesdropper. But Pilosov and Kapela use a method called AS path prepending that causes a select number of BGP routers to reject their deceptive advertisement. They then use these ASes to forward the stolen data to its rightful recipients.
"Everyone ... has assumed until now that you have to break something for a hijack to be useful," Kapela said. "But what we showed here is that you don't have to break anything. And if nothing breaks, who notices?"


Makes sense that if you think the worst case scenario is a temporary service outage, you're not going to worry much.
On the other hand, even without eavesdropping and forwarding, somebody could just hijack Facebook's IP addresses and put up a fake login page that throws an error on submit.  It'll take a while before the right people get notified that it's going on, and you'll have phished a lot of passwords during that time.
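The point of the quoted passage is that a forwarding hijack produces no outage, so the data plane gives a defender nothing to notice; what does show it is the control plane, i.e. the BGP announcements themselves. The following is an added example, not code from the thread, the Wired article or Renesys: a small checker that reads a constructed feed of BGP UPDATE observations (the kind a route collector exports) and raises an alert when a prefix the operator owns, or a more-specific inside it, is announced with an unexpected origin AS. Prefixes, timestamps and AS numbers are constructed (AS numbers from the documentation range); the record format `timestamp|prefix|AS path` is an assumption of this example, not a real collector format.

```python
import ipaddress

# Constructed: allocations this operator holds and the AS expected to originate them.
OWNED = {"10.1.0.0/16": 64500}

# Constructed observations: "timestamp|announced prefix|AS path" (origin is the last ASN).
# Lines 3 and 4 are the hijack: a more-specific /24 and the /16 itself from AS 64511.
# Line 5 is the owner announcing its own more-specific, which is not a hijack.
FEED = """\
2013-12-05T01:00:00|10.1.0.0/16|64496 64500
2013-12-05T01:00:05|192.0.2.0/24|64496 64510
2013-12-05T01:02:10|10.1.0.0/24|64496 64499 64511
2013-12-05T01:02:11|10.1.0.0/16|64496 64511
2013-12-05T01:03:00|10.1.9.0/24|64496 64500
"""


def parse_feed(text):
    """Turn the feed text into (timestamp, ip_network, [asn, ...]) records."""
    records = []
    for line in text.strip().splitlines():
        ts, prefix, path = line.split("|")
        records.append((ts, ipaddress.ip_network(prefix), [int(a) for a in path.split()]))
    return records


def check_record(ts, net, as_path, owned):
    """Return an alert dict if this announcement covers one of our allocations
    with the wrong origin, else None."""
    origin = as_path[-1]
    for owned_prefix, expected in owned.items():
        alloc = ipaddress.ip_network(owned_prefix)
        if net.version != alloc.version or not net.subnet_of(alloc):
            continue
        if origin == expected:
            return None  # our own announcement, more specific or not
        kind = "more_specific_hijack" if net.prefixlen > alloc.prefixlen else "origin_hijack"
        return {"time": ts, "kind": kind, "prefix": str(net),
                "origin": origin, "expected": expected, "path": as_path}
    return None  # not our address space


def find_hijacks(feed_text, owned=OWNED):
    """Run every record in the feed through check_record and collect the alerts."""
    alerts = []
    for ts, net, path in parse_feed(feed_text):
        alert = check_record(ts, net, path, owned)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_hijacks(FEED):
        print(f"{a['time']} {a['kind']}: {a['prefix']} origin AS{a['origin']} "
              f"(expected AS{a['expected']}), path {a['path']}")
```

Because the hijacker forwards the traffic onward, this is the only kind of signal available; in practice the feed would come from public route collectors or a commercial monitoring service, and the alert would also be worth raising when the AS path to your prefix changes unexpectedly, not only the origin.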
 
2013-12-05 04:48:37 PM
Google?

DNRTFA
 
2013-12-05 05:22:30 PM

aelat: Aren't BGP advertisements authenticated, as are all interior routing protocols (if done properly)? Unless I missed it, the article didn't mention why the false advertisements were ever accepted by the legitimate routers, as the fake ones wouldn't have the password (I assume). Did these ISPs just leave their BGP traffic unauthenticated and unencrypted? /confused

The technique doesn't attack a bug or flaw in BGP, but simply takes advantage of the fact that BGP's architecture is based on trust.

A protocol architecture based on trust? Gee, that's helpful. For a second there I thought that  every security model in the world was based on trust.

If anyone can provide actual details about how this exploit actually works, I'm genuinely curious. Only looked for a minute on google, but it sounds like BGP traffic might be unauthenticated?


Yes, generally BGP peering relationships with ISPs are authenticated, but that's not the problem.

Say you are the head network guy for the Way Cool Corporation.  Your corporation owns network address 10.1.0.0/16 (so all the IPs from 10.1.0.1 to 10.1.255.254) (yes, I know that's a private address, it's just an example), and you advertise a route for 10.1.0.0/16 out to the Internet via your ISP.  All well and good.

Now let's say I'm the Nefarious Network Hacker in Iceland or whatever.  I have my own ISP connection (which is properly authenticated).  I start advertising 10.1.0.0/24 (10.1.0.1 to 10.1.0.254), 10.1.1.0/24, and so on.  Because those are more specific routes, they will take priority, and I'll get all that tasty traffic.  Authentication doesn't enter into it.

Now in theory an ISP shouldn't just let someone advertise anything willy-nilly.  I'm fairly certain most major ISPs will check to make sure you're the registered holder of an IP before you advertise it, but that's a labor-intensive process and it would not surprise me to find out there are shady ISPs out there that don't really nail that down.
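To make the comment's mechanism concrete, here is an added example (not code from the thread or the article) of a toy best-route selection. It shows that once two announcements for overlapping space are in the table, longest-prefix match picks the /24 over the /16 no matter how well the sessions were authenticated, and that the registered-holder check described above, applied before an announcement enters the table, is what removes the bogus route. The AS numbers, the registry and the announcements are constructed; 10.1.0.0/16 follows the comment.

```python
import ipaddress

# Constructed announcements: the Way Cool Corporation (here AS 64500) announces its
# /16, and a second AS (64511) announces two of the /24s inside it.
LEGIT_ASN = 64500
OTHER_ASN = 64511
ANNOUNCEMENTS = [
    ("10.1.0.0/16", LEGIT_ASN),
    ("10.1.0.0/24", OTHER_ASN),
    ("10.1.1.0/24", OTHER_ASN),
]

# Constructed registry: the registered holder of each allocation.
REGISTRY = {ipaddress.ip_network("10.1.0.0/16"): LEGIT_ASN}


def registered_holder(net, asn):
    """True if asn is the registered holder of net or of an allocation covering it."""
    return any(holder == asn and alloc.version == net.version and net.subnet_of(alloc)
               for alloc, holder in REGISTRY.items())


def build_table(announcements, filter_origin=False):
    """Accept announcements into a routing table. With filter_origin=True the
    ISP edge applies the registered-holder check before accepting a prefix."""
    table = []
    for prefix, asn in announcements:
        net = ipaddress.ip_network(prefix)
        if filter_origin and not registered_holder(net, asn):
            continue  # dropped at the edge; never reaches the table
        table.append((net, asn))
    return table


def best_route(table, dst):
    """Longest-prefix match: among the prefixes covering dst, the most specific wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, asn in table:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, asn)
    return best


def origin_for(dst, filter_origin=False):
    """Which AS receives traffic for dst, with or without edge filtering."""
    route = best_route(build_table(ANNOUNCEMENTS, filter_origin), dst)
    return route[1] if route else None


if __name__ == "__main__":
    for dst in ("10.1.0.5", "10.1.1.77", "10.1.200.9"):
        print(dst, "-> AS", origin_for(dst), "| with edge filter -> AS", origin_for(dst, True))
```

Traffic for 10.1.200.9 is unaffected because no more-specific covers it; an attacker announcing every /24 of the /16 would take all of it, which is why the filter has to be applied where the announcement enters, not at the victim.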
 
2013-12-05 05:28:46 PM
This is perfectly acceptable because America.

Unless America's not doing it in which case it's a travesty and we should put a stop to it.

Because America.
 
2013-12-05 05:37:17 PM

[image: 3.bp.blogspot.com]


ALL YOUR DATA ARE BELONG TO ME

 
2013-12-05 05:39:10 PM

cheer: Now in theory an ISP shouldn't just let someone advertise anything willy-nilly. I'm fairly certain most major ISPs will check to make sure you're the registered holder of an IP before you advertise it, but that's a labor-intensive process and it would not surprise me to find out there are shady ISPs out there that don't really nail that down.


If that's the case, would it only hijack traffic coming from users in those shady ISPs?  This article's making it sound like these things affect everybody.  I'm not saying Comcast isn't shady, but if things worked the way you said, Average Joe Internet User isn't going to have to worry because he uses a competent name brand ISP.
 
2013-12-05 05:51:11 PM

serial_crusher: cheer: Now in theory an ISP shouldn't just let someone advertise anything willy-nilly. I'm fairly certain most major ISPs will check to make sure you're the registered holder of an IP before you advertise it, but that's a labor-intensive process and it would not surprise me to find out there are shady ISPs out there that don't really nail that down.

If that's the case, would it only hijack traffic coming from users in those shady ISPs?  This article's making it sound like these things affect everybody.  I'm not saying Comcast isn't shady, but if things worked the way you said, Average Joe Internet User isn't going to have to worry because he uses a competent name brand ISP.


Or, is it some kind of thing where the legit ISPs mistakenly trust the shady one?  i.e. the traffic normally looks like
me: "Hello, Comcast.  I'm the legitimate owner of 10.0.0.1 and here's proof."
Comcast: "Hello, Verizon.  One of my users is the legitimate owner of 10.0.0.1"
Verizon: "Thanks, old buddy"
or
me: "Hello, Shady ISP.  I'm the legitimate owner of 123.4.5.6.  No proof needed wink wink nudge nudge"
Shady ISP: "Hello, Verizon.  One of my users is the legitimate owner of 123.4.5.6"
Verizon: "Thanks, old buddy"

If that's the case, they should rewrite the protocol to pass the proof at every step and verify it.
me: "Hello, Comcast.  I own 127.0.0.1 and here's proof."
Comcast: "Hello, Verizon.  serial_crusher said the following: 'I own 127.0.0.1 and here's proof'"
Verizon: "Yup, proof checks out.  Thanks old buddy."

Shady ISP: "Hello, Verizon.  serial_crusher said the following: 'I own 123.4.5.6.  No proof needed wink wink nudge nudge'"
Verizon: "WTF Shady ISP?  Go home, you're drunk"
 
2013-12-05 05:59:11 PM
I assume the NSA lobbied to keep this security hole from being fixed.
 
2013-12-05 05:59:37 PM

serial_crusher: cheer: Now in theory an ISP shouldn't just let someone advertise anything willy-nilly. I'm fairly certain most major ISPs will check to make sure you're the registered holder of an IP before you advertise it, but that's a labor-intensive process and it would not surprise me to find out there are shady ISPs out there that don't really nail that down.

If that's the case, would it only hijack traffic coming from users in those shady ISPs?  This article's making it sound like these things affect everybody.  I'm not saying Comcast isn't shady, but if things worked the way you said, Average Joe Internet User isn't going to have to worry because he uses a competent name brand ISP.


No, because the next "tier" of ISP has no way of gating all the routes coming from all of their customers' customers.  So it accepts the routes and passes them on until they're everywhere.
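The two exchanges serial_crusher wrote out, and cheer's point that the next tier cannot gate its customers' customers, can be run as a small propagation model. This is an added example, not code from the thread: a constructed AS-level topology in which each AS has a policy ("trust" everything a neighbour says, "filter_customers", i.e. check only routes a direct customer originates, or "verify", i.e. check the proof at every hop). A registry lookup stands in for the "proof"; a real scheme would carry a signed attestation, which is the overhead cheer is concerned about. AS names and the registry are constructed and loosely follow the dialogue ("me", a shady ISP, a good ISP, two tiers above them).

```python
import ipaddress
from collections import deque

# Constructed AS-level topology: who peers with whom.
TOPOLOGY = {
    "waycool": {"good_isp"},
    "me": {"shady_isp"},
    "good_isp": {"waycool", "tier2"},
    "shady_isp": {"me", "tier2"},
    "tier2": {"good_isp", "shady_isp", "tier1"},
    "tier1": {"tier2", "far_isp"},
    "far_isp": {"tier1"},
}

# Constructed registry of who legitimately holds which allocation; this lookup
# plays the role of "here's proof" in the dialogue.
REGISTRY = {"10.1.0.0/16": "waycool"}


def holds(prefix, asn):
    """True if asn is the registered holder of prefix or of a covering allocation."""
    net = ipaddress.ip_network(prefix)
    for alloc, holder in REGISTRY.items():
        alloc_net = ipaddress.ip_network(alloc)
        if holder == asn and alloc_net.version == net.version and net.subnet_of(alloc_net):
            return True
    return False


def accepts(policy, prefix, path):
    """path[0] is the neighbour that sent the route, path[-1] is the origin."""
    if policy == "trust":              # "Thanks, old buddy"
        return True
    if policy == "filter_customers":   # only a direct customer's own origination can be checked
        return holds(prefix, path[0]) if len(path) == 1 else True
    if policy == "verify":             # the proof travels with the route and is checked at every hop
        return holds(prefix, path[-1])
    raise ValueError(f"unknown policy {policy!r}")


def reach(prefix, origin, policies):
    """Flood the announcement from origin and return the set of ASes that accept it.
    ASes missing from policies default to 'trust'."""
    accepted = {origin}
    queue = deque((nb, [origin]) for nb in TOPOLOGY[origin])
    while queue:
        asn, path = queue.popleft()
        if asn in accepted or not accepts(policies.get(asn, "trust"), prefix, path):
            continue
        accepted.add(asn)
        for nb in TOPOLOGY[asn] - {path[0]}:
            if nb not in accepted:
                queue.append((nb, [asn] + path))
    return accepted


# Today-ish: the good ISP and the next tier filter direct customers, everyone else trusts.
TODAY = {"good_isp": "filter_customers", "tier2": "filter_customers"}
# serial_crusher's proposal: everyone verifies, except the shady ISP, which still doesn't.
WITH_PROOF = {asn: "verify" for asn in TOPOLOGY}
WITH_PROOF["shady_isp"] = "trust"

if __name__ == "__main__":
    print("bogus /24 from 'me', today:     ", sorted(reach("10.1.0.0/24", "me", TODAY)))
    print("bogus /24 from 'me', with proof:", sorted(reach("10.1.0.0/24", "me", WITH_PROOF)))
    print("legit /16 from waycool, with proof:", sorted(reach("10.1.0.0/16", "waycool", WITH_PROOF)))
```

With only edge filtering, the bogus /24 gets past the shady ISP and, because tier2 sees it arrive via a peer rather than from the originating customer, it goes everywhere, including back to the victim's own provider. With per-hop verification it stops at the first AS that checks, while the legitimate /16 still propagates to all of them.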
 
2013-12-05 06:08:04 PM
serial_crusher:
me: "Hello, Shady ISP.  I'm the legitimate owner of 123.4.5.6.  No proof needed wink wink nudge nudge"
Shady ISP: "Hello, Verizon.  One of my users is the legitimate owner of 123.4.5.6"
Verizon: "Thanks, old buddy"


That's more or less how it works, yeah.

If that's the case, they should rewrite the protocol to pass the proof at every step and verify it.
me: "Hello, Comcast.  I own 127.0.0.1 and here's proof."
Comcast: "Hello, Verizon.  serial_crusher said the following: 'I own 127.0.0.1 and here's proof'"
Verizon: "Yup, proof checks out.  Thanks old buddy."

Shady ISP: "Hello, Verizon.  serial_crusher said the following: 'I own 123.4.5.6.  No proof needed wink wink nudge nudge'"
Verizon: "WTF Shady ISP?  Go home, you're drunk"


Thing is, that means that every route advertisement would have to somehow embed this proof.  And while I think that someday we really will have to get to this point, it would be a massive undertaking.  Plus, the proof itself would have to be sorted out.  I guess you could do it with certs and encrypted signatures, but now you're passing massive certs and what have you with every routing advertisement.  Since advertisements can have thousands and thousands of prefixes, the size of these advertisements would become enormous.

So you'd need to work out a bandwidth-lite way to do this.  It's got to happen, but it will take a long time.
 
2013-12-05 06:19:48 PM

cheer: I guess you could do it with certs and encrypted signatures, but now you're passing massive certs and what have you with every routing advertisement.


yeah, if you check the renesys site, you can see they're recommending a PKI-based solution for BGP.  It'd still leave you with every problem we currently have with PKI (plus the overhead you mentioned) but it's better than what we have now
 
2013-12-05 06:33:40 PM

asdfbeau: cheer: I guess you could do it with certs and encrypted signatures, but now you're passing massive certs and what have you with every routing advertisement.

yeah, if you check the renesys site, you can see they're recommending a PKI-based solution for BGP.  It'd still leave you with every problem we currently have with PKI (plus the overhead you mentioned) but it's better than what we have now


Yeah, I don't fully grok the issues with PKI (security isn't my main thing), but I agree it'd be better.
 
2013-12-05 06:44:29 PM
whoops, sorry about that

let me do a rollback...
 
2013-12-05 06:45:41 PM
I swear this whole country is just going down the tubes.
 
2013-12-05 06:47:31 PM
Why the fark was anything designed to be based on trust? I thought the internet was designed so that the US government could maintain communications after a nuclear war.
 
2013-12-05 06:52:02 PM

serial_crusher: cheer: Now in theory an ISP shouldn't just let someone advertise anything willy-nilly. I'm fairly certain most major ISPs will check to make sure you're the registered holder of an IP before you advertise it, but that's a labor-intensive process and it would not surprise me to find out there are shady ISPs out there that don't really nail that down.

If that's the case, would it only hijack traffic coming from users in those shady ISPs?  This article's making it sound like these things affect everybody.  I'm not saying Comcast isn't shady, but if things worked the way you said, Average Joe Internet User isn't going to have to worry because he uses a competent name brand ISP.


NSA: "Dear Comcast, please make sure that all inbound traffic to your network, including, just incidentally and by sheer coincidence, all US-originated inbound traffic, gets re-routed through at least one non-US country. No, you can't talk about it, no, you don't need to know why, and no, we might not even care which nodes you choose, but if you do, here are a few that should be fast enough for your needs..."
 
2013-12-05 07:06:31 PM
Low-tech solutions to high tech problems.

/seriously, the more you try to secure something, the simpler it seems to actually get to it
//ball-point pen in the bike lock-style
///can't wait until we go back to paper for "security" reasons. . . lulz
 
2013-12-05 07:06:46 PM

omnibus_necanda_sunt: Why the fark was anything designed to be based on trust? I thought the internet was designed so that the US government could maintain communications after a nuclear war.


Yes.  And all the routers would have been owned & operated by said US government.

After we let more universities & corporations play with it in the early/mid 1980s, we realized it would be a good thing to let mostly everyone have it.  And we let it free.

But never fret.  The DoD operates a secure version of the Internet that only Army, Navy, AF, etc can connect to.
 
2013-12-05 07:10:29 PM

omnibus_necanda_sunt: Why the fark was anything designed to be based on trust? I thought the internet was designed so that the US government could maintain communications after a nuclear war.


Which has nothing whatsoever to do with the topic at hand.  The Internet is designed to be redundant, and it absolutely is.  You can take out multiple links and traffic will re-route quite nicely.

It was designed to be based on trust because it wasn't built in the last five years.  Version 4 of BGP (the current one) has been in use on the Internet for almost 20 years.  Adding a PKI layer to routing would be a CPU/memory/bandwidth issue NOW, let alone in 1994.
 
2013-12-05 07:27:11 PM

Peki: ///can't wait until we go back to paper for "security" reasons. . . lulz


Like the Russians?

http://slashdot.org/story/13/07/11/1337236/russian-federal-guard-service-upgrades-to-electric-typewriters
 
2013-12-05 07:50:25 PM
'Bout time we got a bigger bag... err, bad... guy.
 
2013-12-05 08:45:02 PM

gfid: Peki: ///can't wait until we go back to paper for "security" reasons. . . lulz

Like the Russians?

http://slashdot.org/story/13/07/11/1337236/russian-federal-guard-service-upgrades-to-electric-typewriters


Yup. I'd heard about that.

/and then we'll be back to WW2-style crypto. . .
//hey at least the Navajos will have work again. . .
 
2013-12-05 08:50:05 PM

rolladuck: I swear this whole country is just going down the tubes.


A series of tubes or a collection of individual tubes?
 
2013-12-05 09:31:45 PM
A whole series of tubes, ... and our only hope is that if someone sends us an internet, it might get stuck by all the other stuff in those series of tubes
 
2013-12-05 10:31:38 PM

This Looks Fun: Why in God's name would you color the LAND blue on a map?


[image: images.amcnetworks.com]
 
2013-12-05 10:33:59 PM
I see I already missed the opportunity for AD references. Damn! If my internet weren't so laggy I'd have seen it!
 
2013-12-06 02:42:00 AM

cman: Interesting

I can see any nation responsible for doing that. Hell, I wouldn't put it past them Icelanders to be responsible, those farking Vikings.


I could do it with the routers I manage at work.  BGP is pretty broken from a security standpoint.  Of course it wasn't designed with any security in mind.
 
2013-12-06 02:47:07 AM

aelat: Aren't BGP advertisements authenticated, as are all interior routing protocols (if done properly)? Unless I missed it, the article didn't mention why the false advertisements were ever accepted by the legitimate routers, as the fake ones wouldn't have the password (I assume). Did these ISPs just leave their BGP traffic unauthenticated and unencrypted? /confused

The technique doesn't attack a bug or flaw in BGP, but simply takes advantage of the fact that BGP's architecture is based on trust.

A protocol architecture based on trust? Gee, that's helpful. For a second there I thought that  every security model in the world was based on trust.

If anyone can provide actual details about how this exploit actually works, I'm genuinely curious. Only looked for a minute on google, but it sounds like BGP traffic might be unauthenticated?


I manage around 6 BGP links to different ISPs.  Only one of those ISPs by default uses MD5 authentication on the BGP neighbor configuration.  Besides, that only protects the routers from a BGP neighbor attack.  I could still tell the BGP router I'm attached to at ISP A that I announce this subnet.  While some ISPs do prefix list filters and routing databases, not all of them do, and the trust relationships for that are pretty flimsy.
 
2013-12-06 03:24:25 AM

The Beatings Will Continue Until Morale Improves: I assume the NSA lobbied

blackmailed Congressmen and regulator with their porn-surfing histories to keep this security hole from being fixed.

FTFY
 
2013-12-06 08:48:29 AM

rolladuck: I swear this whole country is just going down the tubes.


[image: doblelol.com]
 
2013-12-06 09:23:29 AM

Abe Vigoda's Ghost: [i44.tinypic.com image 500x375]

How could they have missed that? The Elders of the internet are going to be pissed.


It's been known for years.  Bolting on security to global routing is a huge political issue, not just technical.
 
2013-12-06 09:58:17 AM
Iceland, eh? I knew you couldn't trust those EVE players.
 
2013-12-06 02:27:28 PM

Tyrone Slothrop: Iceland, eh? I knew you couldn't trust those EVE players.


I lol'd.

/haven't played in years
 
Displayed 50 of 50 comments
