Risk
8/27/2008
02:51 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

The 'Poor Man's Traffic Intercept'

A weakness in the Border Gateway Protocol makes the Internet's core infrastructure look about as watertight as a screen door.

So you want to intercept Internet traffic? If the National Security Agency is too busy to help out, you could always exploit a weakness in the Border Gateway Protocol that was demonstrated at the DEFCON security conference earlier this month.

As explained by Wired's Kim Zetter, it's possible to conduct a man-in-the-middle attack that exploits the shortcomings of BGP to cause a router to redirect network traffic.

To understand the impact of such redirection, rewind to February, when Pakistan's attempt to censor YouTube caused collateral damage to Internet traffic routing that spread to PCCW, an ISP based in Hong Kong, and from there to other servers across the globe. The result was that YouTube was inaccessible around the world.

However, this kind of traffic redirection can be done without breaking anything. The technique demonstrated by Anton Kapela, data center and network director at 5Nines Data, and Alex Pilosov, CEO of Pilosoft, could be done discreetly, without creating a major outage that everyone would notice.

As Kapela explained in a message sent to the North American Network Operators Group mailing list, "In a nutshell, we demonstrated that current lack of secure filtering infrastructure not only permits [denial of service]-like attacks, but also full 'traffic monitoring' of arbitrary prefixes from essentially anywhere in the world."

In a blog post, Danny McPherson, chief research officer at Arbor Networks, wrote, "[Y]ou could liken this to a poor man's traffic intercept." Most governments and intelligence agencies, he suggested, don't need to do this because they can intercept network traffic at a lower-level network layer.

Viewed in conjunction with the DNS vulnerability that security researcher Dan Kaminsky disclosed at the Black Hat conference earlier this month, the Internet's core infrastructure looks about as watertight as a screen door.

This isn't a new problem. Government and academic networking researchers have known about this and related issues for years. Sites like the Internet Alert Registry and the Prefix Hijack Alert System represent an attempt to identify potential attempts to hijack Internet traffic. And projects like Secure Inter-Domain Routing and Resource PKI offer potential fixes.

In February, when Pakistan brought renewed attention to the issue, Steve Bellovin, a Columbia University computer science professor, posted a message to the NANOG list in which he observed that the Internet technical community has been warning about routing problems like this. He called for deployment of S-BGP, a more secure version of the routing protocol, despite deployment and operational issues that still need to be resolved.

"The question is this: when is the pain from routing incidents great enough that we're forced to act?" Bellovin wrote. "It would have been nice to have done something before this, since now all the world's script kiddies have seen what can be done."

McPherson sees information presented by Kapela and Pilosoft more as the novel expansion of a longstanding vulnerability rather than the revelation of a major hole in the Internet. But he said that renewed attention to BGP's problems "should serve as a reminder for folks that if you have any expectations of transaction privacy on the Internet, you should be employing end-end encryption (e.g., IPSEC)."

Managing risk is the top security issue facing IT professionals, according to the 2008 InformationWeek Strategic Security Survey. The survey of 2,000 IT professionals also found that IT is years behind other disciplines in adopting systematic risk management processes. You can learn more about the InformationWeek Strategic Security Survey by downloading an InformationWeek Analytics report here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio