Risk
8/27/2008
02:51 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

The 'Poor Man's Traffic Intercept'

A weakness in the Border Gateway Protocol makes the Internet's core infrastructure look about as watertight as a screen door.

So you want to intercept Internet traffic? If the National Security Agency is too busy to help out, you could always exploit a weakness in the Border Gateway Protocol that was demonstrated at the DEFCON security conference earlier this month.

As explained by Wired's Kim Zetter, it's possible to conduct a man-in-the-middle attack that exploits the shortcomings of BGP to cause a router to redirect network traffic.

To understand the impact of such redirection, rewind to February, when Pakistan's attempt to censor YouTube caused collateral damage to Internet traffic routing that spread to PCCW, an ISP based in Hong Kong, and from there to other servers across the globe. The result was that YouTube was inaccessible around the world.

However, this kind of traffic redirection can be done without breaking anything. The technique demonstrated by Anton Kapela, data center and network director at 5Nines Data, and Alex Pilosov, CEO of Pilosoft, could be done discreetly, without creating a major outage that everyone would notice.

As Kapela explained in a message sent to the North American Network Operators Group mailing list, "In a nutshell, we demonstrated that current lack of secure filtering infrastructure not only permits [denial of service]-like attacks, but also full 'traffic monitoring' of arbitrary prefixes from essentially anywhere in the world."

In a blog post, Danny McPherson, chief research officer at Arbor Networks, wrote, "[Y]ou could liken this to a poor man's traffic intercept." Most governments and intelligence agencies, he suggested, don't need to do this because they can intercept network traffic at a lower-level network layer.

Viewed in conjunction with the DNS vulnerability that security researcher Dan Kaminsky disclosed at the Black Hat conference earlier this month, the Internet's core infrastructure looks about as watertight as a screen door.

This isn't a new problem. Government and academic networking researchers have known about this and related issues for years. Sites like the Internet Alert Registry and the Prefix Hijack Alert System represent an attempt to identify potential attempts to hijack Internet traffic. And projects like Secure Inter-Domain Routing and Resource PKI offer potential fixes.

In February, when Pakistan brought renewed attention to the issue, Steve Bellovin, a Columbia University computer science professor, posted a message to the NANOG list in which he observed that the Internet technical community has been warning about routing problems like this. He called for deployment of S-BGP, a more secure version of the routing protocol, despite deployment and operational issues that still need to be resolved.

"The question is this: when is the pain from routing incidents great enough that we're forced to act?" Bellovin wrote. "It would have been nice to have done something before this, since now all the world's script kiddies have seen what can be done."

McPherson sees information presented by Kapela and Pilosoft more as the novel expansion of a longstanding vulnerability rather than the revelation of a major hole in the Internet. But he said that renewed attention to BGP's problems "should serve as a reminder for folks that if you have any expectations of transaction privacy on the Internet, you should be employing end-end encryption (e.g., IPSEC)."

Managing risk is the top security issue facing IT professionals, according to the 2008 InformationWeek Strategic Security Survey. The survey of 2,000 IT professionals also found that IT is years behind other disciplines in adopting systematic risk management processes. You can learn more about the InformationWeek Strategic Security Survey by downloading an InformationWeek Analytics report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7830
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse cap...

CVE-2014-7831
Published: 2014-11-24
lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service.

CVE-2014-7832
Published: 2014-11-24
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by vi...

CVE-2014-7833
Published: 2014-11-24
mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher.

CVE-2014-7834
Published: 2014-11-24
mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?