Risk
8/27/2008
02:51 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

The 'Poor Man's Traffic Intercept'

A weakness in the Border Gateway Protocol makes the Internet's core infrastructure look about as watertight as a screen door.

So you want to intercept Internet traffic? If the National Security Agency is too busy to help out, you could always exploit a weakness in the Border Gateway Protocol that was demonstrated at the DEFCON security conference earlier this month.

As explained by Wired's Kim Zetter, it's possible to conduct a man-in-the-middle attack that exploits the shortcomings of BGP to cause a router to redirect network traffic.

To understand the impact of such redirection, rewind to February, when Pakistan's attempt to censor YouTube caused collateral damage to Internet traffic routing that spread to PCCW, an ISP based in Hong Kong, and from there to other servers across the globe. The result was that YouTube was inaccessible around the world.

However, this kind of traffic redirection can be done without breaking anything. The technique demonstrated by Anton Kapela, data center and network director at 5Nines Data, and Alex Pilosov, CEO of Pilosoft, could be done discreetly, without creating a major outage that everyone would notice.

As Kapela explained in a message sent to the North American Network Operators Group mailing list, "In a nutshell, we demonstrated that current lack of secure filtering infrastructure not only permits [denial of service]-like attacks, but also full 'traffic monitoring' of arbitrary prefixes from essentially anywhere in the world."

In a blog post, Danny McPherson, chief research officer at Arbor Networks, wrote, "[Y]ou could liken this to a poor man's traffic intercept." Most governments and intelligence agencies, he suggested, don't need to do this because they can intercept network traffic at a lower-level network layer.

Viewed in conjunction with the DNS vulnerability that security researcher Dan Kaminsky disclosed at the Black Hat conference earlier this month, the Internet's core infrastructure looks about as watertight as a screen door.

This isn't a new problem. Government and academic networking researchers have known about this and related issues for years. Sites like the Internet Alert Registry and the Prefix Hijack Alert System represent an attempt to identify potential attempts to hijack Internet traffic. And projects like Secure Inter-Domain Routing and Resource PKI offer potential fixes.

In February, when Pakistan brought renewed attention to the issue, Steve Bellovin, a Columbia University computer science professor, posted a message to the NANOG list in which he observed that the Internet technical community has been warning about routing problems like this. He called for deployment of S-BGP, a more secure version of the routing protocol, despite deployment and operational issues that still need to be resolved.

"The question is this: when is the pain from routing incidents great enough that we're forced to act?" Bellovin wrote. "It would have been nice to have done something before this, since now all the world's script kiddies have seen what can be done."

McPherson sees information presented by Kapela and Pilosoft more as the novel expansion of a longstanding vulnerability rather than the revelation of a major hole in the Internet. But he said that renewed attention to BGP's problems "should serve as a reminder for folks that if you have any expectations of transaction privacy on the Internet, you should be employing end-end encryption (e.g., IPSEC)."

Managing risk is the top security issue facing IT professionals, according to the 2008 InformationWeek Strategic Security Survey. The survey of 2,000 IT professionals also found that IT is years behind other disciplines in adopting systematic risk management processes. You can learn more about the InformationWeek Strategic Security Survey by downloading an InformationWeek Analytics report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: nice one good
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Join Dark Reading community editor Marilyn Cohodas in a thought-provoking discussion about the evolving role of the CISO.