53 Comments
- judicar, on 08/28/2008, -4/+41: You had me at "gaping hole".
- omenmedia, on 08/29/2008, -2/+12: GOATSE protocol?
- redisant, on 08/29/2008, -1/+10: BGP protocol
NIC card
Department of Redundancy Department.
- mantzdapantz, on 08/29/2008, -0/+8: if only New Orleans had IPv6
- cavitator, on 08/29/2008, -0/+7: This has been known about for a long time, and should be fixed. But the only way to exploit this would be to be a BGP peer. If that's the case, the kind of people who can take advantage of this are large companies, ISPs, countries, etc. It's not like script kiddies are going to be exploiting this on their DSL connection.
- ElbertF, on 08/29/2008, -0/+7: goatse://
- ebob9, on 08/29/2008, -0/+6: Almost every ISP out there who provides BGP connections to downstream customers filters routes received from their peers. This is a lot harder to do than the article makes it seem.
- inactive, on 08/29/2008, -0/+5: I feel that should be added as an ISO standard immediately.
- pandaro, on 08/29/2008, -0/+5: I'm not sure the title is accurate - the hole wasn't just "opened", it was always there.
- ciphex, on 08/29/2008, -1/+4: 01110011 01101000 01101001 01110100
- fhernand, on 08/29/2008, -3/+6: I would guess he discovered goatse
- inactive, on 08/29/2008, -0/+3: Come on dude, really?
- jjmckay, on 08/29/2008, -1/+4: With regards to security issues like this... it just gets solved. I'll refer to the great wise Spinal Tap script on this issue:
Ian: ...you start screaming like a bunch of pansy hairdressers.
I mean it's just a problem you know. It gets solved...
Jeanine: It doesn't.
Ian: ...you can't...you can't live in a bubble.
Jeanine: If it got solved, that would be alright, but it doesn't get
solved. I mean what do you think happened out there? What got
solved tonight?
Ian: For one thing that goes wrong...one...one single thing that
goes wrong, a hundred things go right. Do you know what I spend
my time doing? I sleep two or three hours a night. There's no sex
and drugs for Ian, David. Do you know what I do? I find lost
luggage. I locate mandolin strings in the middle of Austin!
- tweedius, on 08/29/2008, -1/+4: It's very interesting that two huge holes in internet security have been found recently. There's what, 5 potential hurricanes coming right now too? When it rains it pours. IPv6 is the answer.
- MikeFromAmerica, on 08/29/2008, -0/+3: Does IPv6 not use BGP too?
- AnubisAscended, on 08/29/2008, -1/+4: Design error, or "undocumented feature"? (for the NSA to exploit, that is)
- Drizzit, on 08/29/2008, -0/+3: Actually this is a huge problem. I work for a large ISP with over 80 million customers and we've had several cases where "misconfigurations" would blackhole a few hundred thousand IPs. One small ISP was once advertising an entire /16 prefix of ours and began blaming everyone but himself about the problem; it took several calls to sort it out and eventually it took threats from our legal team to get his tier 2s to shut him out completely.
The only way to "invisibly" look at traffic is to either hijack a /32 or even a /24 for a short period so things get tied up in the support channels. Nobody is going to hijack something bigger unless they have the bandwidth to spare.
- inactive, on 08/29/2008, -0/+3: This is not really a new flaw. Internal gateway protocols like RIP, IGRP and OSPF have already added security to combat this threat years ago. But since their usage lies on a much smaller scale than any border gateway protocol it's been much easier to overcome. Like the article points out, solutions are already available -- and have been for some time -- but implementation could take years, maybe even a decade, due to the sheer amount of ground there's left to cover.
This is one of those "we saw it coming" scenarios.
- hoopy22, on 08/29/2008, -0/+3: Yes, BGP peers, if managed correctly, perform authentication verification between each other. I really don't see this as a "gaping hole" at all. All the major ISPs and backbone providers are using BGP in a very secure fashion. The Internet sky.... is not falling.
- graemee, on 08/29/2008, -0/+2: The size of a hallway.
- psytek, on 08/29/2008, -1/+3: The Internet is broken. Please fix it.
- ciscogeek, on 08/29/2008, -0/+2: Finding a router or system vulnerable to this type of attack is highly unlikely. Furthermore, due to the hierarchy implicit in the Internet, routing policy is easily and tightly controlled. It is highly unlikely that anyone is going to accept a prefix from you which you do not actually own. Any properly built routing policy is going to filter spoofed packets at its edges and have MD5 PSK authentication running between its BGP speakers.
So to even attempt this attack you would have to be inside the target AS and know the MD5 key required for authentication.
All of this requires inside information and direct physical access; if you had such information and access it would be quite a bit easier/less obvious to just capture the traffic using port mirroring into a box running packet capture. In addition, if I had physical access to the DCs, I would be attacking the servers where the data is stored, most likely unencrypted. I would not be looking at the network where the data traversing is likely encrypted or so fragmented it would not be useful.
This attack is impractical from a throughput standpoint as well. You would need enough bandwidth to actually service the traffic you intend to consume transparently. For example, if you were able to somehow announce a financial Internet property's IP prefixes (you would not be able to announce a prefix smaller than a /24) into your local AS from your broadband, the amount of traffic being shoved down your broadband connection would result in so many dropped packets that you would essentially only have a few seconds of valuable, yet likely encrypted (SSL), packets before the flow turned into nothing but TCP SYNs due to dropped sessions and exponential pent-up demand.
So is it possible that this is a valid vulnerability in some rare cases? Yes. Is it a practical hack? Absolutely not.
- amanoj, on 08/29/2008, -0/+2: Props for the Spinal Tap reference!
- analogkid01, on 08/29/2008, -0/+2: I think the problem with the article is that it equates the BGP "vulnerability" with spyware and viruses. This vulnerability isn't one that a home-based hacker would employ for personal gain or the thrill of doing it - it's more a matter of, as you say, misconfigurations. The problem here is that MD5-based neighbor configurations won't protect an ISP against an authorized network engineer making an ill-advised change on a router. I've read over the s-BGP proposals, and it looks like it'll go a long way in preventing this problem.
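Several commenters above lean on "MD5 auth" between BGP speakers, and analogkid01 points out what it does not cover. The following is an added example (not code from the article or from any commenter) of the RFC 2385 TCP MD5 signature option as the mechanism actually works on the wire: the digest covers the IP pseudo-header, the options-less TCP header with a zero checksum, the segment data and the shared key. The addresses, ports, sequence numbers and key below are constructed; the payload is a BGP KEEPALIVE as defined in RFC 4271.

```python
"""RFC 2385 TCP MD5 signature option between two BGP speakers (constructed example).

Added illustration, not code from the article or any commenter. Addresses, ports,
sequence numbers and the key are made up. The option authenticates the session
between two configured neighbours; nothing in it says whether a neighbour is
entitled to announce a given prefix, which is why prefix filters are still needed.
"""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MD5SIG = 0, 1, 19
TCPOLEN_MD5SIG = 18          # kind(1) + length(1) + digest(16)
TCP_FLAG_PSH_ACK = 0x18


def bgp_keepalive() -> bytes:
    """RFC 4271 KEEPALIVE: 16-byte all-ones marker, 2-byte length (19), 1-byte type (4)."""
    return b"\xff" * 16 + struct.pack("!HB", 19, 4)


def tcp_md5_digest(src_ip: str, dst_ip: str, header20: bytes, seg_len: int,
                   payload: bytes, key: bytes) -> bytes:
    """RFC 2385 section 2.0: MD5 over (1) the TCP pseudo-header, (2) the TCP header
    without options and with the checksum field zeroed, (3) the segment data, (4) the key."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    header_zero_cksum = header20[:16] + b"\x00\x00" + header20[18:]   # checksum lives at bytes 16-17
    return hashlib.md5(pseudo + header_zero_cksum + payload + key).digest()


def build_segment(src_ip: str, dst_ip: str, key: bytes, payload: bytes,
                  sport: int = 179, dport: int = 52013, seq: int = 0x1000, ack: int = 0x2000) -> bytes:
    """Sender side: PSH/ACK segment whose option list carries the signature, padded with two NOPs."""
    opt_len = TCPOLEN_MD5SIG + 2                      # 18 + 2 NOP = 20 bytes, a multiple of 4
    data_offset_words = (20 + opt_len) // 4
    header20 = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                           data_offset_words << 4, TCP_FLAG_PSH_ACK, 65535, 0, 0)
    seg_len = 20 + opt_len + len(payload)
    digest = tcp_md5_digest(src_ip, dst_ip, header20, seg_len, payload, key)
    options = struct.pack("!BB", TCPOPT_MD5SIG, TCPOLEN_MD5SIG) + digest + bytes([TCPOPT_NOP, TCPOPT_NOP])
    return header20 + options + payload               # TCP checksum left at zero; it is not part of the MAC


def find_md5_option(options: bytes):
    """Walk the TCP option list and return the 16-byte digest, or None if absent/malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            return None
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2:
            return None
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            return options[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bool:
    """Receiver side: recompute the digest over the received segment and compare in constant time."""
    if len(segment) < 20:
        return False
    header20 = segment[:20]
    data_offset = (header20[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    received = find_md5_option(segment[20:data_offset])
    if received is None:
        return False
    payload = segment[data_offset:]
    expected = tcp_md5_digest(src_ip, dst_ip, header20, len(segment), payload, key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    seg = build_segment("192.0.2.1", "192.0.2.2", b"s3cret-peer-key", bgp_keepalive())
    print(verify_segment("192.0.2.1", "192.0.2.2", seg, b"s3cret-peer-key"))   # True
    print(verify_segment("192.0.2.1", "192.0.2.2", seg, b"wrong-key"))         # False
```

Because the pseudo-header is inside the digest, a segment replayed from a different source address fails verification, and because the key is a shared secret, a peer who holds it can still announce whatever it likes: the option binds the transport session, not the routes.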
- turk24, on 08/29/2008, -0/+1: But even SSL with a free tool and a MITM attack in place can be compromised quite easily. But this BGP attack is very unlikely; there are security measures in place (read the wall of text below).
- inactive, on 08/29/2008, -0/+1: Exactly. ISPs aren't going to let customers feed BGP packets into their network. In fact it's one of the surest ways to get your account revoked.
- inactive, on 08/29/2008, -1/+2: It would've been much easier to identify the dead.
- judicar, on 08/30/2008, -0/+1: 163 150 151 164
- NOD32user, on 08/29/2008, -0/+1: Yep, it stinks but I don't know if it will gain support as an alternative to the alphabet..
- SSUK, on 08/29/2008, -0/+1: 46 75 63 6b 20 42 69 6e 61 72 79 2e
- drewbles, on 09/02/2008, -0/+1: Two words for you: "Filter Lists". I used to work for AT&T managing their IP network. We never had this issue. If you use RADBs and proper router filters, this simply does not happen. Bung in MD5 auth, and you really have a non-event.
This is not so much a flaw in design, it's a flaw in the way people may deploy it. Like any security, it's multi-layered.
- mysticalone, on 08/29/2008, -0/+1: Seriously, "gaping hole"? You want to remind us of goatse?
- uu2b, on 08/29/2008, -0/+1: ::1
- 2oonhed, on 08/29/2008, -0/+1: So, if I am on the west coast, and when I do a traceroute, no matter what page I call up it always hops through .gov servers in Quantico VA, does that mean something?
- ciscogeek, on 08/29/2008, -0/+1: Yes, v6 is almost exclusively routed between ISPs/NAPs using multiprotocol BGP. Of course, I am painting with a broad brush and there are probably a few instances where this is not the case, but this is definitely the direction for routing v6 on the Internet.
- inactive, on 08/29/2008, -0/+1: This is not a security hole, but rather a design and trust issue. If your BGP peer injects something bad, then ya, there will be problems. This isn't a problem however, as these peering relationships are not set up on a whim. These are business relationships that would be destroyed, and a company would go out of business quickly if it became a problem. Just as one of many examples, UUNet back in 2001 fat-fingered a BGP command and took out half the internet in the U.S. because at the time, they were indeed half of the internet in the United States. They were under heavy scrutiny after that moment and since then there have been very few related incidents. There are many more ISPs on the internet now and as such, the impact of a BGP mistake (or attack) would be much smaller. As for injecting more specific routes, it is noticed right away and there are several sites that will publish this information quickly. The biggest pain in the butt is when a company goes out of business but doesn't give back the address space it was allocated. It is then easier for attackers to take over those networks. Some of them are listed at Spamhaus, for example. If someone were to take over a network that was still in use, it would be noticed quickly and companies would fail their traffic over to another location or shut down via DNS to protect themselves. Bigger companies wouldn't even be impacted if using GSLB, as their standby sites would take over.
Recently I have been seeing a lot more articles attempting to find "gaping holes" in the design of the internet. I can only assume this is a social engineering or political posturing attack in an attempt to justify to businesses that the internet needs to be redesigned. I know that some are climaxing at the idea of rebuilding in order to gain more control and improve monitoring of internet usage. Perhaps this string of articles is related, or not... Either way, it won't happen. Knock it off. Businesses will not be willing to take the hit to their revenue. BGP is fine the way it is and will not be a big problem.
- ElectricKetchup, on 08/29/2008, -0/+1: Both the DNS and BGP issues have been known about for several years.... possibly decades. There are also other ways to do MITM attacks, and that's why we should always use secure protocols such as SSL/TLS transports and certificate- or Kerberos-based authentication methods (HMAC is good too, but I like to have mutual authentication, so X.509 certs signed by trusted CAs for the servers).
- amanoj, on 08/29/2008, -0/+1: Lame choice for an image.... Let's use something a little bit more relevant.
Hackers = Horrible movie, Fun to Poke with a Stick!!!
.... Oh yeah, and Angelina Jolie's knockers!
- flarn2006, on 08/29/2008, -0/+1: Here's a picture of it: http://www.goatse.cz/
- kebinusan, on 08/29/2008, -0/+0: Exactly, most ISPs manually configure the IP addresses of BGP peers; how many hops away those peers are is normally controlled as well for sending updates, and what interface the peer is located on. What routes you accept from your peers is also typically configured. So this issue is really a nonstarter for me.
- ciscogeek, on 08/29/2008, -0/+0: It should be impossible for any ISP to announce networks to his upstream provider, even his free peers, which he does not own. So while I will concede that the moron should have never announced the /16, I would also have called his upstream ISPs/NAPs and inquired as to why their peering policy ever accepted the prefix.
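The disagreement running through this thread (Drizzit's rogue /16, ciscogeek's "why did the upstream accept it", drewbles's "filter lists") comes down to two mechanisms: forwarding always follows the longest matching prefix, whoever announced it, and an upstream that filters each neighbour's announcements against what that neighbour has registered never installs the bogus route in the first place. The block below is an added example, not code from the article or any commenter. The ASNs (64496 and 64500 are documentation ASNs), the RFC 1918 prefixes, and the per-neighbour allow list are all constructed; the allow list stands in for what an operator would generate from IRR data, and the best-path selection is deliberately reduced to shortest AS path with a neighbour-ASN tie-break rather than the full BGP decision process.

```python
"""More-specific hijack vs. an inbound prefix filter on the upstream (constructed example).

Added illustration, not code from the article or any commenter. ASNs, prefixes and
the allow list are made up. Two upstreams are modelled: one that installs anything a
neighbour announces, and one that checks each announcement against the neighbour's
registered prefixes and maximum prefix length before installing it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    as_path: Tuple[int, ...]   # leftmost = neighbour we learned it from, rightmost = origin

    @property
    def neighbor_as(self) -> int:
        return self.as_path[0]

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


# neighbour ASN -> list of (covering prefix, longest prefix length accepted under it)
AllowList = Dict[int, List[Tuple[Net, int]]]


def passes_filter(route: Route, allow: Optional[AllowList]) -> bool:
    """Inbound policy for one neighbour. None models 'accept everything'."""
    if allow is None:
        return True
    return any(route.prefix.subnet_of(cover) and route.prefix.prefixlen <= max_len
               for cover, max_len in allow.get(route.neighbor_as, []))


class Rib:
    def __init__(self, allow: Optional[AllowList] = None) -> None:
        self.allow = allow
        self.routes: Dict[Net, List[Route]] = {}

    def install(self, route: Route) -> bool:
        """Returns False when the inbound filter rejects the announcement."""
        if not passes_filter(route, self.allow):
            return False
        self.routes.setdefault(route.prefix, []).append(route)
        return True

    def best(self, prefix: Net) -> Route:
        # Reduced decision process: shortest AS path, then lowest neighbour ASN as tie-break.
        return min(self.routes[prefix], key=lambda r: (len(r.as_path), r.neighbor_as))

    def lookup(self, ip: str) -> Optional[Route]:
        """Forwarding lookup: the longest matching prefix wins, whoever announced it."""
        addr = ipaddress.IPv4Address(ip)
        matches = [p for p in self.routes if addr in p]
        if not matches:
            return None
        return self.best(max(matches, key=lambda p: p.prefixlen))


VICTIM, ATTACKER = 64496, 64500
VICTIM_ROUTE = Route(Net("10.10.0.0/16"), (VICTIM,))      # legitimate aggregate
HIJACK_ROUTE = Route(Net("10.10.20.0/24"), (ATTACKER,))   # more-specific carved out of it
ATTACKER_OWN = Route(Net("10.99.0.0/16"), (ATTACKER,))    # what the attacker may actually announce

IRR_ALLOW: AllowList = {                                   # constructed stand-in for IRR-derived filters
    VICTIM: [(Net("10.10.0.0/16"), 24)],
    ATTACKER: [(Net("10.99.0.0/16"), 24)],
}


def origin_for(rib: Rib, ip: str) -> Optional[int]:
    r = rib.lookup(ip)
    return r.origin_as if r else None


def demo() -> Dict[str, object]:
    unfiltered = Rib(allow=None)
    for r in (VICTIM_ROUTE, HIJACK_ROUTE, ATTACKER_OWN):
        unfiltered.install(r)
    filtered = Rib(allow=IRR_ALLOW)
    accepted = {r.prefix.with_prefixlen: filtered.install(r)
                for r in (VICTIM_ROUTE, HIJACK_ROUTE, ATTACKER_OWN)}
    return {
        "unfiltered_10.10.20.5": origin_for(unfiltered, "10.10.20.5"),   # attacker wins: /24 beats /16
        "unfiltered_10.10.1.1": origin_for(unfiltered, "10.10.1.1"),     # rest of the /16 still reaches the victim
        "filtered_accepted": accepted,                                   # hijack rejected at the edge
        "filtered_10.10.20.5": origin_for(filtered, "10.10.20.5"),       # victim keeps the traffic
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The unfiltered upstream shows the outcome Drizzit describes: only the hijacked /24 moves, the rest of the /16 is untouched, which is exactly why a narrow hijack is hard to notice from the victim's side. The filtered upstream rejects the /24 because AS 64500 has nothing registered under 10.10.0.0/16, and it would equally reject a /25 from the victim itself because the allow list caps the accepted length at /24.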
- brianpass, on 08/29/2008, -1/+1: this news is old hat
- Luv5, on 08/29/2008, -2/+2: Do you think that this is a patchable hole or will it take time based on the vendor's capabilities?
- frositay, on 08/29/2008, -3/+3: Dugg for gaping hole.
- MichaelKthx, on 08/29/2008, -0/+0: I like where Pakistan pisses the world off by censoring a web site (YouTube) for everyone. I hope they got their asses DDoS'd good. I just wish they blacklisted moar sites to guarantee a crash. Fags.
Back on topic:
I don't get why requests for devices go around the world to go... down the street?
- gbates31, on 08/29/2008, -5/+1: If this hole can be used to redirect and eavesdrop, is it also possible to find out who is eavesdropping when it's happening? Considering how hostile the Bush administration is towards privacy, this question is more than relevant, especially when the article explains how the internet was the brainchild of DARPA! They probably knew the flaw existed and wanted to use it to their advantage!