Dark Reading is part of the Informa Tech Division of Informa PLC

6/20/2019
12:30 PM
Larry Loeb

Defense Discovered for Defending Against BGP Hijacking & Off-Path DNS Attacks

Certificate Authorities (CAs) are continually getting requests from threat actors who want certificates they aren't entitled to, so that their criminal schemes may be furthered.

Researchers from Princeton outlined last year how one specific kind of attack on a CA, using Border Gateway Protocol (BGP) route hijacking, can be performed. They found that such an attack would fool the Let's Encrypt, Comodo, Symantec, GoDaddy and GlobalSign CAs.

When a CA is asked to sign a certificate, it must establish that the client requesting the certificate is the legitimate owner of the domain name in question. The domain control validation (DCV) process is how it makes that call.

The usual DCV process may involve publishing a specific DNS resource record, uploading a specifically tagged document to the server linked to the domain, or proving ownership of the domain's administrative email account.

The Princeton research showed that by rerouting the DCV traffic with a BGP hijack, threat actors could fool the CA into issuing a certificate that never should have been granted.

Cloudflare thinks it has a solution. The company announced: "We're excited to announce that Cloudflare provides CAs a free API to leverage our global network to perform DCV from multiple vantage points around the world. This API bolsters the DCV process against BGP hijacking and off-path DNS attacks."

They went on to say, "Given that Cloudflare runs 175+ datacenters around the world, we are in a unique position to perform DCV from multiple vantage points. Each datacenter has a unique path to DNS nameservers or HTTP endpoints, which means that successful hijacking of a BGP route can only affect a subset of DCV requests, further hampering BGP hijacks. And since we use RPKI, we actually sign and verify BGP routes."

The multipath DCV checker consists of two services: DCV agents, each responsible for performing DCV out of a specific datacenter, and a DCV orchestrator that handles multipath DCV requests from CAs and dispatches them to a subset of DCV agents. Prateek Mittal, coauthor of the "Bamboozling Certificate Authorities with BGP" paper, wrote to Cloudflare that:

"Our analysis shows that domain validation from multiple vantage points significantly mitigates the impact of localized BGP attacks. We recommend that all certificate authorities adopt this approach to enhance web security."
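As an added illustration (not Cloudflare's code; the approval policy, agent names and scenario are assumptions), a Python sketch of the orchestrator-and-agents design described above, run against a constructed scenario in which a route hijack is visible from only one vantage point:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A DCV agent looks up the challenge token (DNS TXT record or HTTP well-known file)
# for a domain over its own datacenter's network path; None means no token was seen.
Agent = Callable[[str], Optional[str]]

@dataclass
class DcvOutcome:
    approved: bool
    agreeing: List[str] = field(default_factory=list)        # saw the expected token
    mismatched: Dict[str, str] = field(default_factory=dict) # agent -> conflicting token
    unreachable: List[str] = field(default_factory=list)     # lookup failed or empty

def single_vantage_dcv(domain: str, expected: str, agent: Agent) -> bool:
    """Classic DCV: one lookup from one network location."""
    return agent(domain) == expected

def multipath_dcv(domain: str, expected: str, agents: Dict[str, Agent], quorum: int) -> DcvOutcome:
    """Hypothetical orchestrator policy: approve only if at least `quorum` agents saw the
    expected token and none saw a conflicting one; a conflicting answer from any
    vantage point is kept in the outcome so a diverted route can be investigated."""
    out = DcvOutcome(approved=False)
    for name, agent in agents.items():
        try:
            seen = agent(domain)
        except OSError:          # timeout or connection failure from that datacenter
            seen = None
        if seen is None:
            out.unreachable.append(name)
        elif seen == expected:
            out.agreeing.append(name)
        else:
            out.mismatched[name] = seen
    out.approved = len(out.agreeing) >= quorum and not out.mismatched
    return out

TOKEN = "ch-constructed-request-token"   # constructed: the challenge the CA issued for a request

def make_agent(answer: Optional[str]) -> Agent:
    return lambda domain: answer

def attack_scenario() -> Dict[str, Agent]:
    """An attacker requested the cert and hijacked the route only as seen from "ams":
    that path reaches the attacker's server, which serves the token; the other four
    paths reach the real origin, which never published it."""
    return {"ams": make_agent(TOKEN), **{n: make_agent(None) for n in ("sfo", "fra", "sin", "gru")}}

def legit_scenario() -> Dict[str, Agent]:
    """The real domain owner published the token; every path sees the same answer."""
    return {n: make_agent(TOKEN) for n in ("ams", "sfo", "fra", "sin", "gru")}
```

A single-vantage check run from the hijacked datacenter approves the attacker's request, while the multipath check denies it because only one of five paths agrees; a legitimate request with one tampered path is also denied and the conflicting answer is recorded.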

Probably the best recommendation Cloudflare can make for this approach is that it eats its own dog food: the company is using the DCV agents for its own internal activities. Cloudflare has set up an address for DCV queries from those who may want to use the API, and those interested are urged to email [email protected]

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
