Risk
8/27/2008
02:51 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

The 'Poor Man's Traffic Intercept'

A weakness in the Border Gateway Protocol makes the Internet's core infrastructure look about as watertight as a screen door.

So you want to intercept Internet traffic? If the National Security Agency is too busy to help out, you could always exploit a weakness in the Border Gateway Protocol that was demonstrated at the DEFCON security conference earlier this month.

As explained by Wired's Kim Zetter, it's possible to conduct a man-in-the-middle attack that exploits the shortcomings of BGP to cause a router to redirect network traffic.

To understand the impact of such redirection, rewind to February, when Pakistan's attempt to censor YouTube caused collateral damage to Internet traffic routing that spread to PCCW, an ISP based in Hong Kong, and from there to other servers across the globe. The result was that YouTube was inaccessible around the world.

However, this kind of traffic redirection can be done without breaking anything. The technique demonstrated by Anton Kapela, data center and network director at 5Nines Data, and Alex Pilosov, CEO of Pilosoft, could be done discreetly, without creating a major outage that everyone would notice.

As Kapela explained in a message sent to the North American Network Operators Group mailing list, "In a nutshell, we demonstrated that current lack of secure filtering infrastructure not only permits [denial of service]-like attacks, but also full 'traffic monitoring' of arbitrary prefixes from essentially anywhere in the world."

In a blog post, Danny McPherson, chief research officer at Arbor Networks, wrote, "[Y]ou could liken this to a poor man's traffic intercept." Most governments and intelligence agencies, he suggested, don't need to do this because they can intercept network traffic at a lower-level network layer.

Viewed in conjunction with the DNS vulnerability that security researcher Dan Kaminsky disclosed at the Black Hat conference earlier this month, the Internet's core infrastructure looks about as watertight as a screen door.

This isn't a new problem. Government and academic networking researchers have known about this and related issues for years. Sites like the Internet Alert Registry and the Prefix Hijack Alert System represent an attempt to identify potential attempts to hijack Internet traffic. And projects like Secure Inter-Domain Routing and Resource PKI offer potential fixes.

In February, when Pakistan brought renewed attention to the issue, Steve Bellovin, a Columbia University computer science professor, posted a message to the NANOG list in which he observed that the Internet technical community has been warning about routing problems like this. He called for deployment of S-BGP, a more secure version of the routing protocol, despite deployment and operational issues that still need to be resolved.

"The question is this: when is the pain from routing incidents great enough that we're forced to act?" Bellovin wrote. "It would have been nice to have done something before this, since now all the world's script kiddies have seen what can be done."

McPherson sees information presented by Kapela and Pilosoft more as the novel expansion of a longstanding vulnerability rather than the revelation of a major hole in the Internet. But he said that renewed attention to BGP's problems "should serve as a reminder for folks that if you have any expectations of transaction privacy on the Internet, you should be employing end-end encryption (e.g., IPSEC)."

Managing risk is the top security issue facing IT professionals, according to the 2008 InformationWeek Strategic Security Survey. The survey of 2,000 IT professionals also found that IT is years behind other disciplines in adopting systematic risk management processes. You can learn more about the InformationWeek Strategic Security Survey by downloading an InformationWeek Analytics report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-1637
Published: 2015-03-06
Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict TLS state transitions, which makes it easier for r...

CVE-2014-2130
Published: 2015-03-05
Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka B...

CVE-2014-9688
Published: 2015-03-05
Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.

CVE-2015-0598
Published: 2015-03-05
The RADIUS implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (device reload) via crafted IPv6 Attributes in Access-Accept packets, aka Bug IDs CSCur84322 and CSCur27693.

CVE-2015-0607
Published: 2015-03-05
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connecti...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.