Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

7/15/2015
03:40 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Researchers To Offer Free BGP Security Alert Tool Via Twitter

New tool to be unveiled at Black Hat USA next month will tweet out route hijacking attacks on the Net.

Cybercriminals as well as nation-states increasingly have abused the Internet's underlying Border Gateway Protocol (BGP) traffic-routing fabric to hijack or disrupt networks for profit or political reasons. But sifting through the millions of normal and nefarious routing changes each day on the Internet is not something that most organizations have the know-how or tools to do.

BGP experts from OpenDNS at Black Hat USA next month will launch a new free BGP security alert feed via Twitter. The so-called BGP Stream tool will tweet out alerts on suspicious BGP/Autonomous System Number (ASN) updates and changes so network owners, ISPs, and hosting providers can keep abreast of malicious network changes that could hijack or otherwise disrupt their traffic.

"[There have been] three or four huge BGP attacks" in the past couple of years, says Dan Hubbard, CTO at OpenDNS. "BGP is the new black on the attacker side of things."

The latest BGP attack came to light courtesy of the data dump of the Hacking Team hack:  the controversial security firm assisted the Italian military's Special Operations Group in regaining access to a remote access tool (RAT)-infected client machine via BGP hijacking.

OpenDNS's BGPMon service this week confirmed that BGP attack, information from which was dumped by Wikileaks: "This finding further confirms the use of BGP for nefarious purposes," including other incidents by spammers, said Andree Toonk, manager of network engineering at OpenDNS and founder and lead developer of BGPMon.net, in a post. "BGP hijacks can do serious harm and rapid notification of such an event is essential," says Toonk, who with Hubbard will present BGP Stream at a Black Hat talk in Las Vegas.

OpenDNS earlier this year acquired the BGPMon service, which runs a network of probes on the Net that spot BGP routing changes and issues alerts on attacks or suspicious activity. And Cisco Systems announced late last month that it plans to purchase OpenDNS for $635 million. 

Hubbard says BGP Stream will issue alerts within minutes any routing attack takeovers and "instability" on the Net spotted by BGPMon's network of sensors. Aside from following the Twitter feed, organizations can also write to the Twitter API to pull that information internally. BGP Stream will publish information on which systems are affected by their ASN and name, for example, he says.

In a typical BGP attack, the attacker basically says, "I own that block of IP addresses" and waits to see which networks accept the phony BGP route information, according to Hubbard. Networks that accept the malicious routing update as legit then could send traffic to the hijacked IP addresses, he says."You announce an address space that's not actually yours, and make the router believe you're the best path" for data, thus hijacking it, he says.

Hubbard and Toonk also plan to announce some DNS Stream monitoring feed as part of the BGP Stream tool, according to Hubbard.

[Register now for Black Hat USA.]

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...
CVE-2019-4409
PUBLISHED: 2019-10-18
HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entere...