arstechnica.com — Dan Kaminsky revealed his discovery of a DNS flaw that could be exploited to direct unwitting users to malicious web addresses. Now, practically on the heels of that announcement, a hacker team that presented at DEFCON has demonstrated how a fundamental design error in the Internet's border gateway protocol can be used to invisibly eavesdrop.
Aug 28, 2008
Closed Account, Aug 29, 2008
This is not really a new flaw. Internal gateway protocols like RIP, IGRP and OSPF have already added security to combat this threat years ago. But since their usage lies on a much smaller scale than any border gateway protocol it's been much easier to overcome. Like the article points out, solutions are already available -- and have been for some time -- but implementation could take years, maybe even a decade, due to the sheer amount of ground there's left to cover. This is one of those "we saw it coming" scenarios.
hoopy22, Aug 29, 2008
Yes, BGP peers, if managed correctly, perform authentication verification between each other. I really don't see this as a "gaping hole" at all. All the major ISPs and backbone providers are using BGP in a very secure fashion. The Internet sky.... is not falling.
ssuk, Aug 29, 2008
46 75 63 6b 20 42 69 6e 61 72 79 2e
Closed Account, Aug 29, 2008
But even SSL with a free tool and a MITM attack in place can be compromised quite easily. But this BGP attack is very unlikely; there are security measures in place (read the wall of text below).
amanoj, Aug 29, 2008
Lame choice for an image.... Let's use something a little bit more relevant. Hackers = Horrible movie, Fun to Poke with a Stick!!!.... Oh yeah, and Angelina Jolie's knockers!
amanoj, Aug 29, 2008
Props for the Spinal Tap reference!
2oonhed, Aug 29, 2008
So, if I am on the west coast, and when I do a trace route, no matter what page I call up it always hops through .gov servers in Quantico VA, does that mean something?
drewbles, Sep 2, 2008
Two words for you. "Filter Lists". I used to work for AT&T managing their IP network. We never had this issue. If you use RADB's and proper router filters, this simply does not happen. Bung in MD5 auth, and you really have a non-event. This is not so much a flaw in design, it's a flaw in the way people may deploy it. Like any security, it's multi-layered.