7/15/2015 03:40 PM
Researchers To Offer Free BGP Security Alert Tool Via Twitter

New tool to be unveiled at Black Hat USA next month will tweet out route hijacking attacks on the Net.

Cybercriminals as well as nation-states increasingly have abused the Internet's underlying Border Gateway Protocol (BGP) traffic-routing fabric to hijack or disrupt networks for profit or political reasons. But sifting through the millions of normal and nefarious routing changes each day on the Internet is not something that most organizations have the know-how or tools to do.

BGP experts from OpenDNS at Black Hat USA next month will launch a new free BGP security alert feed via Twitter. The so-called BGP Stream tool will tweet out alerts on suspicious BGP/Autonomous System Number (ASN) updates and changes so network owners, ISPs, and hosting providers can keep abreast of malicious network changes that could hijack or otherwise disrupt their traffic.

"[There have been] three or four huge BGP attacks" in the past couple of years, says Dan Hubbard, CTO at OpenDNS. "BGP is the new black on the attacker side of things."

The latest BGP attack came to light courtesy of the data dump from the Hacking Team hack: the controversial security firm assisted the Italian military's Special Operations Group in regaining access to a remote access tool (RAT)-infected client machine via BGP hijacking.

OpenDNS's BGPMon service this week confirmed that BGP attack, details of which were among the Hacking Team data published by Wikileaks: "This finding further confirms the use of BGP for nefarious purposes," including other incidents by spammers, said Andree Toonk, manager of network engineering at OpenDNS and founder and lead developer of BGPMon.net, in a post. "BGP hijacks can do serious harm and rapid notification of such an event is essential," says Toonk, who with Hubbard will present BGP Stream at a Black Hat talk in Las Vegas.

OpenDNS earlier this year acquired the BGPMon service, which runs a network of probes on the Net that spot BGP routing changes and issues alerts on attacks or suspicious activity. And Cisco Systems announced late last month that it plans to purchase OpenDNS for $635 million. 

Hubbard says BGP Stream will issue alerts within minutes of any routing takeover or "instability" on the Net spotted by BGPMon's network of sensors. Aside from following the Twitter feed, organizations can also query the Twitter API to pull that information into their own systems. BGP Stream will publish information on which networks are affected, by ASN and name, for example, he says.

In a typical BGP attack, the attacker basically says, "I own that block of IP addresses" and waits to see which networks accept the phony BGP route information, according to Hubbard. Networks that accept the malicious routing update as legitimate could then send traffic to the hijacked IP addresses, he says. "You announce an address space that's not actually yours, and make the router believe you're the best path" for data, thus hijacking it, he says.
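The two mechanics Hubbard describes, an announcement for address space the attacker does not own, and a router preferring it because it looks like the best path, are easy to see in a small model. The example below is added here and is not code from OpenDNS, BGPMon, or BGP Stream; it uses constructed updates with documentation prefixes (203.0.113.0/24, 198.51.100.0/23, 192.0.2.0/24) and private-range ASNs, and a hypothetical baseline of expected origin ASNs. It classifies each announcement against that baseline the way a monitoring service would (origin change on a known prefix, or a more-specific sub-prefix from an unexpected origin) and shows, via longest-prefix match, why an accepted /25 steals traffic from the legitimate /24.

```python
import ipaddress
from dataclasses import dataclass

# Constructed baseline (hypothetical): prefix -> origin ASN expected to announce it.
BASELINE = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/23": 64501,
}


@dataclass(frozen=True)
class Update:
    """One BGP announcement: the prefix and its AS path (rightmost ASN is the origin)."""
    prefix: str
    as_path: tuple


def origin(update):
    return update.as_path[-1]


def classify(update, baseline=BASELINE):
    """Compare an announcement with the baseline.

    Returns (verdict, matching_baseline_prefix, expected_origin)."""
    net = ipaddress.ip_network(update.prefix)
    expected = baseline.get(update.prefix)
    if expected is not None:
        # Exact prefix we know: only the baseline origin may announce it.
        if origin(update) == expected:
            return ("ok", update.prefix, expected)
        return ("origin-hijack", update.prefix, expected)
    # No exact match: is this a sub-prefix of something in the baseline?
    for pfx, asn in baseline.items():
        if net.subnet_of(ipaddress.ip_network(pfx)):
            if origin(update) == asn:
                return ("ok-more-specific", pfx, asn)
            # A more-specific from a foreign origin wins longest-prefix match
            # everywhere it is accepted, so this is the classic hijack shape.
            return ("more-specific-hijack", pfx, asn)
    return ("unknown", None, None)


def scan(updates, baseline=BASELINE):
    """Return alert tuples for every update that looks like a hijack."""
    alerts = []
    for u in updates:
        verdict, pfx, expected = classify(u, baseline)
        if verdict.endswith("hijack"):
            alerts.append((verdict, u.prefix, pfx, expected, origin(u)))
    return alerts


def best_route(rib, dst):
    """Longest-prefix match over accepted routes: the most specific prefix wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for pfx, asn in rib.items():
        net = ipaddress.ip_network(pfx)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


# Constructed sample stream (hypothetical ASNs from the private range).
SAMPLE_UPDATES = [
    Update("203.0.113.0/24", (64510, 64500)),   # legitimate, expected origin
    Update("203.0.113.0/24", (64510, 64666)),   # same prefix, foreign origin
    Update("203.0.113.0/25", (64666,)),         # more-specific from foreign origin
    Update("192.0.2.0/24", (64502,)),           # not in baseline; nothing to compare
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_UPDATES):
        print("ALERT", alert)
    # Once a router has accepted the /25 alongside the real /24, traffic for
    # hosts inside the /25 follows the attacker's route; the rest still reaches AS64500.
    rib = {"203.0.113.0/24": 64500, "203.0.113.0/25": 64666}
    print("203.0.113.10  ->", best_route(rib, "203.0.113.10"))
    print("203.0.113.200 ->", best_route(rib, "203.0.113.200"))
```

The baseline is the part a real service has to build and maintain: BGPMon's probes observe announcements over time and from many vantage points, whereas this model trusts a hand-written table, so an "unknown" verdict here means only that there is nothing to compare against, not that the announcement is safe.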

Hubbard and Toonk also plan to announce a DNS Stream monitoring feed as part of the BGP Stream tool, according to Hubbard.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
