Re: Revealed: The Internet's well known BGP behavior

2008-08-30 Thread Joe Greco
 On 30/08/2008, at 9:58 AM, Florian Weimer wrote:
 
  * Alex Pilosov:
 
  We've demonstrated ability to monitor traffic to arbitrary
  prefixes. Slides for presentation can be found here:
  http://eng.5ninesdata.com/~tkapela/iphd-2.ppt
 
  The interesting question is whether it's acceptable to use this trick
  for non-malicious day-to-day traffic engineering.
 
 The technique of path stuffing ASes who you do not want to receive an  
 announcement is called AS PATH poisoning. It's a fairly well known  
 trick.

Not exactly specifically in reply to your note, but more generally:

In the old days, Usenet spammers would sometimes preload the Path: line
with names of NNTP transits that they might want to avoid for various
reasons (usually the home sites of Usenet spam cancellers).

In most ways, avoiding offering an article back to a server because it
was already listed in the Path: was merely an optimization, to avoid
extra traffic on a futile offer.  However, simply removing the exclusion
allowed the sending site to attempt the transmission, which would then
succeed if the receiving site had not seen the article (etc).

For purposes of detection, then, it seems reasonable to consider that
there could be some way to leverage BGP to monitor for this sort of 
thing.  There would seem to be at least two very interesting things
that you could monitor for, which would be irregularities in the
ASPATH, and irregularities in your announced prefixes.  

Since major networks would need to be involved for significant traffic
redirection events, I'm wondering if it would be reasonable to have a
looking glass/route server type service that would peer with a bunch
of them, based on random 32-bit ASN's assigned from a preallocated
range for the purpose, one per network (think: reducing effectiveness
of AS PATH stuffing).  You could then provide a configurable notification
service, or for sites with the technical capabilities, a realtime BGP 
feed of all events involving their AS or prefixes (again over a randomly
assigned 32-bit ASN, and obviously to some off-net IP where they run a
monitoring box, so that a prefix hijack is ineffective).

Such a service would seem like it would be generally useful for other
purposes as well.  There's almost certainly some fatal flaw in this
idea, or maybe better yet, some obvious improvements that could be made,
so for the BGP gurus out there, what are they?

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
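
An added example, not part of Joe Greco's post or of any project's code: the two checks his message describes (irregularities in the AS path, irregularities in your announced prefixes) as a small Python monitor run over a constructed announcement feed. The ASNs, prefixes and record format are assumptions; a real feed would come from the route server or looking glass he proposes.

```python
# Added example, not from the original post: a minimal route monitor of the
# kind Joe Greco sketches.  It consumes announcements as a looking glass or
# collector feed might deliver them and reports two irregularities: a route
# covering one of our prefixes (exact or more-specific) from an origin that
# is not ours, and our ASN showing up inside a path we did not originate.
# ASNs, prefixes and the feed format are all constructed for illustration.
import ipaddress

OUR_ASN = 64500                                    # constructed (private-use range)
OUR_PREFIXES = {"203.0.113.0/24": 64500,           # constructed: prefix -> expected origin
                "198.51.100.0/24": 64500}

def covers(ours, seen):
    """True when `seen` equals or is a more-specific of `ours`."""
    o, s = ipaddress.ip_network(ours), ipaddress.ip_network(seen)
    return s.version == o.version and s.subnet_of(o)

def check_update(update):
    """Return alert strings for one announcement.
    update = {"prefix": str, "as_path": [int, ...]} with the origin AS as the
    rightmost element, as in an AS_PATH attribute."""
    alerts = []
    prefix, path = update["prefix"], update["as_path"]
    origin = path[-1]
    for ours, expected in OUR_PREFIXES.items():
        if not covers(ours, prefix):
            continue
        if origin != expected:
            kind = "more-specific" if prefix != ours else "exact"
            alerts.append(f"{kind} route {prefix} originated by AS{origin}, expected AS{expected}")
        elif prefix != ours:
            alerts.append(f"more-specific {prefix} carries our origin but is not one we announce")
    # For a stub AS, our ASN anywhere but the origin slot means someone put it
    # there: a prepend aimed at making us drop the route, or a leak through us.
    if OUR_ASN in path[:-1]:
        alerts.append(f"AS{OUR_ASN} appears as transit in {path} for {prefix}")
    return alerts

def run_monitor(feed):
    """Return {prefix: [alerts]} for every announcement that raised something."""
    findings = {}
    for update in feed:
        alerts = check_update(update)
        if alerts:
            findings.setdefault(update["prefix"], []).extend(alerts)
    return findings

# Constructed feed: two normal routes, one more-specific from a foreign origin,
# one path that borrows our ASN, and one unrelated IPv6 route.
SAMPLE_FEED = [
    {"prefix": "203.0.113.0/24", "as_path": [64496, 64500]},
    {"prefix": "198.51.100.0/24", "as_path": [64496, 64500]},
    {"prefix": "203.0.113.0/25", "as_path": [64496, 64511, 64497]},
    {"prefix": "192.0.2.0/24", "as_path": [64511, 64500, 64497]},
    {"prefix": "2001:db8::/32", "as_path": [64496, 64499]},
]

if __name__ == "__main__":
    for prefix, alerts in run_monitor(SAMPLE_FEED).items():
        for a in alerts:
            print(f"{prefix}: {a}")
```

The second check is the one that catches a path stuffed with your ASN: the network whose number was inserted never sees the route itself (loop detection drops it), so the monitor has to receive the feed under an ASN that is not in anyone's path, which is exactly why the post suggests a randomly assigned 32-bit ASN for the peering.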



Re: Revealed: The Internet's well known BGP behavior

2008-08-30 Thread jim deleskie
True, but I can still believe in a warm and fuzzy internet if I try
really hard. Then my cell phone rings and it's back to the real world.

-jim

On Sat, Aug 30, 2008 at 12:01 AM, Patrick W. Gilmore [EMAIL PROTECTED] wrote:
 On Aug 29, 2008, at 22:41, jim deleskie [EMAIL PROTECTED] wrote:

 I'm afraid of the answer to that question

 No you are not, since you already know the answer.

 -- TTFN,
 patrick


 On Fri, Aug 29, 2008 at 11:25 PM, Adrian Chadd [EMAIL PROTECTED]
 wrote:

 On Fri, Aug 29, 2008, jim deleskie wrote:

 Announcing a smaller bit of one of your blocks is fine; more than that,
 most everyone I know does it or has done it, and it is commonly accepted.
 Breaking up someone else's block and making that announcement, even if
 it's to modify traffic between 2 peered networks, is typically not
 looked on as proper.  Modify your traffic: good. Do it to anyone else's
 traffic = bad.

 The question shouldn't really be would people do this to others'
 traffic;
 the question should be has it already happened and no one noticed.

 Adrian

Re: Revealed: The Internet's well known BGP behavior

2008-08-30 Thread jim deleskie
The biggest issue with using a heavy hammer to affect traffic is that
you don't always know why the other side is routing the way they are.
Could be simple cost (peer vs transit) or a larger issue like
congestion.  Either way think before you route.

I'm thinking Pandora's box hasn't just been opened but blown apart.


-jim

On Sat, Aug 30, 2008 at 2:55 AM, Florian Weimer [EMAIL PROTECTED] wrote:
 * jim deleskie:

 Announcing a smaller bit of one of your blocks is fine; more than that,
 most everyone I know does it or has done it, and it is commonly accepted.
 Breaking up someone else's block and making that announcement, even if
 it's to modify traffic between 2 peered networks, is typically not
 looked on as proper.  Modify your traffic: good. Do it to anyone else's
 traffic = bad.

 No, the idea would be to do this to your own prefixes/traffic.


     +--/AS 2/----/AS 3/--+
     |                    |
  /AS 1/               /AS 4/
     |                    |
     +-------/AS 5/-------+

 I'm AS 1, and the link to AS 2 has a bad metric from my POV.  AS 4 uses
 local preference (or something else I can't override by prepending my
 own AS) to route traffic to me through AS 3 and AS 2.  Now I prepend
 AS 4 to my announcement to AS 2, and voilà, the traffic flows through
 AS 5, as desired.

 No prefix hijacking has occurred (I would have received the traffic
 anyway, just over a different path), it's just traffic engineering.
 (But probably a variant that is generally frowned upon.)
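
As an added illustration (not part of the quoted message or of jim's reply), a small Python model of the five-AS topology quoted above. It implements only the rule that makes the example work, RFC 4271 loop detection (a router discards an UPDATE whose AS_PATH already contains its own ASN), plus a neighbour-preference order standing in for AS 4's local preference, and shows which paths AS 4 can still consider once AS 4 appears in the path that AS 1 sends to AS 2. Topology, preference order and the announced paths are constructed.

```python
# Added example, not from the original message: a toy BGP propagation model
# over the five-AS topology quoted above.  It implements RFC 4271 loop
# detection and a neighbour-preference stand-in for local preference, and
# nothing else (no link metrics, no MED), so it shows only which AS_PATHs
# each AS can accept and which of those it would pick.
from collections import deque

# Constructed topology: AS 1 - AS 2 - AS 3 - AS 4 on top, AS 1 - AS 5 - AS 4 below.
LINKS = {1: [2, 5], 2: [1, 3], 3: [2, 4], 4: [3, 5], 5: [1, 4]}
# Constructed stand-in for local preference: AS 4 prefers routes learned from
# AS 3 over routes learned from AS 5, regardless of path length.
NEIGHBOR_PREF = {4: [3, 5]}

def propagate(announcements):
    """announcements: {neighbor_asn: as_path} -- the AS_PATH the originator
    (AS 1 here) sends to each of its neighbours.  Returns {asn: [as_path, ...]}
    listing every path each AS accepted.  Paths keep the origin on the right."""
    accepted = {asn: [] for asn in LINKS}
    queue = deque((nb, list(path)) for nb, path in announcements.items())
    while queue:
        asn, path = queue.popleft()
        if asn in path:                       # RFC 4271 loop detection: own ASN -> discard
            continue
        if path in accepted[asn]:
            continue
        accepted[asn].append(path)
        for nb in LINKS[asn]:
            queue.append((nb, [asn] + path))  # prepend own ASN when re-advertising
    return accepted

def best_path(asn, candidates):
    """Neighbour preference first (the local-pref stand-in), then shortest path."""
    pref = NEIGHBOR_PREF.get(asn, [])
    def rank(path):
        nb = path[0]
        return (pref.index(nb) if nb in pref else len(pref), len(path))
    return min(candidates, key=rank) if candidates else None

def simulate(announcements):
    """Return {asn: best_path_or_None} for a given set of announcements by AS 1."""
    accepted = propagate(announcements)
    return {asn: best_path(asn, paths) for asn, paths in accepted.items()}

if __name__ == "__main__":
    # Plain announcement: AS 4's preference sends its traffic via AS 3 / AS 2.
    print("plain    :", simulate({2: [1], 5: [1]})[4])
    # AS 1 inserts AS 4 into the path it gives AS 2: AS 4 never accepts that route.
    print("AS 4 in path:", simulate({2: [1, 4, 1], 5: [1]})[4])
```

Note what the second run means for monitoring: AS 4 does not see a worse route, it sees no route at all on that side, so nothing in AS 4's own table reveals that its ASN was used. A monitor that peers under an ASN nobody would bother inserting, as Joe Greco's post suggests, does see both announcements.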

Re: Revealed: The Internet's well known BGP behavior

2008-08-30 Thread isabel dias
everyone seems to have their say, from letting you wonder what the 
problem is, to making assumptions, to witty technical explanations and useless 
questions rephrased. For some reading this, some are just non-technical 
individuals posting messages.  All can be done ..we all know the BGP selection 
path algorithm and its extensions ...maybe a costing exercise to some that 
rather have interface X down for a while or reroute traffic through a different 
path 

Is the problem still occurring? Who's being affected?

PS: going back to the drawing board is also an interesting approach if this is 
getting too complex ...:-)


--- On Sat, 8/30/08, Patrick W. Gilmore [EMAIL PROTECTED] wrote:

 From: Patrick W. Gilmore [EMAIL PROTECTED]
 Subject: Re: Revealed: The Internet's well known BGP behavior
 To: nanog@nanog.org nanog@nanog.org
 Date: Saturday, August 30, 2008, 5:01 AM
 On Aug 29, 2008, at 22:41, jim deleskie
 [EMAIL PROTECTED] wrote:
 
  I'm afraid of the answer to that question
 
 No you are not, since you already know the answer.
 
 --  
 TTFN,
 patrick
 
 
  On Fri, Aug 29, 2008 at 11:25 PM, Adrian Chadd  
  [EMAIL PROTECTED] wrote:
  On Fri, Aug 29, 2008, jim deleskie wrote:
  Announcing a smaller bit of one of your blocks is fine; more than that,
  most everyone I know does it or has done it, and it is commonly accepted.
  Breaking up someone else's block and making that announcement, even if
  it's to modify traffic between 2 peered networks, is typically not
  looked on as proper.  Modify your traffic: good. Do it to anyone else's
  traffic = bad.
 
  The question shouldn't really be would people do this to others'
  traffic; the question should be has it already happened and no one
  noticed.
 
  Adrian
 
Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread Sam Stickland

Jon Lewis wrote:
Do you utilize the IRR, have an as-set, and put all customer AS/CIDR's 
into the IRR?  I've honestly never heard from LVL3 about our 
advertisements.  Other providers have varied from just needing a web 
form, email, phone call, or those combined with faxed LOAs.  The 
latter gets very annoying...but maybe it is the way it should be.


Level3 pull information from a number of sources, including RIPE where 
we register our routes. One of the nice things about their setup is you 
can query a whois interface to check the filter generation:


e.g. (to pick someone else's AS-MACRO at random)

whois -h filtergen.level3.net RIPE::AS-DEMON

Sam



Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread jim deleskie
Announcing a smaller bit of one of your blocks is fine; more than that,
most everyone I know does it or has done it, and it is commonly accepted.
Breaking up someone else's block and making that announcement, even if
it's to modify traffic between 2 peered networks, is typically not
looked on as proper.  Modify your traffic: good. Do it to anyone else's
traffic = bad.



-jim

On Fri, Aug 29, 2008 at 6:58 PM, Florian Weimer [EMAIL PROTECTED] wrote:
 * Alex Pilosov:

 We've demonstrated ability to monitor traffic to arbitrary
 prefixes. Slides for presentation can be found here:
 http://eng.5ninesdata.com/~tkapela/iphd-2.ppt

 The interesting question is whether it's acceptable to use this trick
 for non-malicious day-to-day traffic engineering.





Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread Adrian Chadd
On Fri, Aug 29, 2008, jim deleskie wrote:
 Announcing a smaller bit of one of your blocks is fine; more than that,
 most everyone I know does it or has done it, and it is commonly accepted.
 Breaking up someone else's block and making that announcement, even if
 it's to modify traffic between 2 peered networks, is typically not
 looked on as proper.  Modify your traffic: good. Do it to anyone else's
 traffic = bad.

The question shouldn't really be would people do this to others' traffic;
the question should be has it already happened and no one noticed.

Adrian

Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread jim deleskie
I'm afraid of the answer to that question

On Fri, Aug 29, 2008 at 11:25 PM, Adrian Chadd [EMAIL PROTECTED] wrote:
 On Fri, Aug 29, 2008, jim deleskie wrote:
 Announcing a smaller bit of one of your blocks is fine; more than that,
 most everyone I know does it or has done it, and it is commonly accepted.
 Breaking up someone else's block and making that announcement, even if
 it's to modify traffic between 2 peered networks, is typically not
 looked on as proper.  Modify your traffic: good. Do it to anyone else's
 traffic = bad.

 The question shouldn't really be would people do this to others' traffic;
 the question should be has it already happened and no one noticed.

 Adrian

Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread Patrick W. Gilmore

On Aug 29, 2008, at 22:41, jim deleskie [EMAIL PROTECTED] wrote:


I'm afraid of the answer to that question


No you are not, since you already know the answer.

--  
TTFN,

patrick


On Fri, Aug 29, 2008 at 11:25 PM, Adrian Chadd  
[EMAIL PROTECTED] wrote:

On Fri, Aug 29, 2008, jim deleskie wrote:

Announcing a smaller bit of one of your blocks is fine; more than that,
most everyone I know does it or has done it, and it is commonly accepted.
Breaking up someone else's block and making that announcement, even if
it's to modify traffic between 2 peered networks, is typically not
looked on as proper.  Modify your traffic: good. Do it to anyone else's
traffic = bad.


The question shouldn't really be would people do this to others'
traffic; the question should be has it already happened and no one
noticed.

Adrian

Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread Nathan Ward

On 30/08/2008, at 9:58 AM, Florian Weimer wrote:


* Alex Pilosov:


We've demonstrated ability to monitor traffic to arbitrary
prefixes. Slides for presentation can be found here:
http://eng.5ninesdata.com/~tkapela/iphd-2.ppt


The interesting question is whether it's acceptable to use this trick
for non-malicious day-to-day traffic engineering.



The technique of path stuffing ASes who you do not want to receive an  
announcement is called AS PATH poisoning. It's a fairly well known  
trick.


--
Nathan Ward

RE: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -- Hank Nussbacher [EMAIL PROTECTED] wrote:

At 11:32 PM 27-08-08 -0500, John Lee wrote:
Thanks guys, going back to my Comer one more time. My issue/question was
whether the organization doing the hijacking controlled all of the
routers in the new modified path or only some of them?

John (ISDN) Lee

They didn't have control of any routers other than their own.  What they 
had to find is a single clueless upstream ISP that would allow them to 
announce prefixes that didn't belong to them.


*bing*

Trust is the major exploit here. That has never been new.

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFItkFQq1pz9mNUZTMRAgqHAJ4ogryvjftxw5CQTWhf0c7VyBBXyQCfUo9w
qdK2kEWHY/B1AU/rGNikOlg=
=d/L7
-END PGP SIGNATURE-



--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/




Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Eric Spaeth

Jon Lewis wrote:

At 11:32 PM 27-08-08 -0500, John Lee wrote:

They didn't have control of any routers other than their own.  What 
they had to find is a single clueless upstream ISP that would allow 
them to announce prefixes that didn't belong to them.


Clueless or big and inattentive?  AFAIK, Level3 will accept anything 
from me...as long as I put it in one of the IRRs the day before I plan 
to announce it.


Working for a company that has been steadily growing through 
acquisition, we have actually run into this problem a couple times 
before.   I'm not sure if we hit the lottery, but our upstream providers 
(including LVL3) have definitely intervened when we've moved netblocks 
from a company that doesn't match our name into our facilities to be 
advertised under our ASNs.  I'm not sure how diligent or widespread the 
validation checks are, but at least on occasion they do occur.


-Eric



Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Gadi Evron

On Wed, 27 Aug 2008, Patrick W. Gilmore wrote:

On Aug 27, 2008, at 11:07 PM, John Lee wrote:

1. The technique is not new; it is well known BGP behavior and not stealthy 
to people who route for a living.


Using existing technology in novel ways is still novel.  Plus it makes the 
technique more accessible.  (Perhaps that is not a good thing?)


People (especially spammers) have been hijacking networks for a while now, 
maybe now that we have a presentation to whore around, operators can 
pressure vendors and bosses.


Gadi.



2. When your networks use VPNs, MPLS, IPsec, SSL et al you can control what 
packets are going where.


No, you cannot.  You can only ensure your end points are the end points you 
think they are.  In no way, shape, or form do things like IPsec, SSL, etc. 
verify or control the intermediate hops.



3. When you are running some number of trace routes per hour to see how and 
where your packets are going you spot the additional hops.


The presentation specifically shows hiding the hops by re-writing TTLs. 
Perhaps you do not understand this attack as well as you thought?



4. If you do cold potato routing and know where your peering points are and 
what the ACLs and peering policies are, it is more difficult to hijack.


Would that network operators were so diligent.


And finally you use high speed optical paths or broad band ISDN (ATM) why 
route when you can deterministically switch.


Because people want to be able to reach the entire planet with a single port 
and without deterministically creating paths to every single end point.


Why use ISDN (ATM) when you can do something useful?

--
TTFN,
patrick

Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Suresh Ramasubramanian
Most of the spammer acquired /16s have been

1. pre-ARIN

2. caused by buying up assets of long defunct companies .. assets that
just happen to include a /16 nobody knew about

Not exactly hijacks this lot .. just like those barely legal teen mags.

srs

On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron [EMAIL PROTECTED] wrote:

 People (especially spammers) have been hijacking networks for a while now,
 maybe now that we have a presentation to whore around, operators can
 pressure vendors and bosses.




RE: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread michael.dillon

 Lastly, can you show me a single inter-AS MPLS deployment?  When you  
 can, then you can use that as a method to avoid this h4x0r.

Just some quick googling found this
http://www.xchangemag.com/hotnews/64h27164418.html from back in 2006.

  Sprint has expanded its global MPLS network capabilities with
network-to-network interface (NNI) partnerships and has introduced the
industry's first standard end-to-end MPLS VPN SLA as part of its global
network.




RE: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread michael.dillon
 
 I stand by my assertion that most people do not run 
 traceroutes all day and watch for it to change.
 
 That some people are diligent does not change the fact the 
 overwhelming majority of people are not.
 
 Or the fact that with the right placement of equipment (read 
 luck) and cooperation of networks involved (read 
 laziness), even a traceroute won't show any change besides 
 additional latency.

Bingo!
Latency is the magic word and that *IS* measured by a lot
more people than do traceroutes. Unless the attackers are
lucky enough or smart enough to do their dirty work from
a server that is reasonably closely colocated to the router
that they exploit, you *WILL* see latency changes. 

It would be wise to change the process for investigating
latency increases to include examining routers for this
BGP rerouting exploit.

--Michael Dillon
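
An added example, not part of Michael Dillon's message: a baseline check in Python that flags a sustained RTT increase while ignoring single spikes, the trigger he proposes for adding a routing check to a latency investigation. The RTT series, the window size and the thresholds are constructed.

```python
# Added example, not from the original message: a robust latency baseline
# (median plus median absolute deviation) learned from the first samples of
# an RTT series, and a streak rule so that one stray spike does not page
# anyone.  Sample values and thresholds are constructed for illustration.
import statistics

def mad(values):
    """Median absolute deviation: a spread estimate a single spike can't skew."""
    m = statistics.median(values)
    return statistics.median(abs(v - m) for v in values)

def detect_latency_shift(rtts_ms, baseline=20, k=6.0, min_shift_ms=5.0, persist=3):
    """Return the index at which `persist` consecutive samples first exceed the
    baseline threshold, or None.  Threshold = median + max(k * MAD, min_shift_ms);
    the floor stops a very quiet baseline from alerting on sub-millisecond noise."""
    if len(rtts_ms) <= baseline:
        return None
    base = rtts_ms[:baseline]
    threshold = statistics.median(base) + max(k * mad(base), min_shift_ms)
    streak = 0
    for i in range(baseline, len(rtts_ms)):
        streak = streak + 1 if rtts_ms[i] > threshold else 0
        if streak == persist:
            return i - persist + 1
    return None

# Constructed RTT series (ms): 20 quiet baseline samples, one isolated spike,
# two normal samples, then a sustained shift of roughly +18 ms.
SAMPLE_RTTS_MS = [
    30.1, 29.8, 30.4, 30.0, 29.7, 30.2, 30.3, 29.9, 30.1, 30.0,
    29.6, 30.5, 30.2, 29.9, 30.0, 30.1, 29.8, 30.3, 30.0, 29.9,
    45.0, 30.1, 29.9, 48.2, 48.0, 47.9, 48.3, 48.1,
]

if __name__ == "__main__":
    start = detect_latency_shift(SAMPLE_RTTS_MS)
    if start is None:
        print("no sustained latency shift")
    else:
        print(f"sustained latency shift from sample {start}: check the route")
```

A shift of this kind says nothing about the cause by itself; the point of the message is that the follow-up should include looking at the path the traffic is taking, not only at the link.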



Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Patrick W. Gilmore

On Aug 28, 2008, at 6:25 AM, Suresh Ramasubramanian wrote:


Most of the spammer acquired /16s have been

1. pre-ARIN

2. caused by buying up assets of long defunct companies .. assets that
just happen to include a /16 nobody knew about

Not exactly hijacks this lot .. just like those barely legal teen  
mags.


There have been tons of spam runs I have seen from hijacked blocks that
were simply announcing an unused block or a de-agg of a used block,
sending spam for a few minutes / hours / days, and stopping the
announcement.


This does not require special techniques, just an upstream willing to
accept & propagate your announcement.  Alex & Anthony's preso is about
intercepting legit traffic, not sending illegitimate traffic.


--
TTFN,
patrick



On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron [EMAIL PROTECTED] wrote:


People (especially spammers) have been hijacking networks for a  
while now,

maybe now that we have a presentation to whore around, operators can
pressure vendors and bosses.


Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Anton Kapela
I thought I'd toss in a few comments, considering it's my fault that
few people are understanding this thing yet.

 On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron [EMAIL PROTECTED] wrote:

 People (especially spammers) have been hijacking networks for a while

I'd like to 'clear the air' here. Clearly, I failed at Defcon, WIRED,
AFP, and Forbes.

We all know sub-prefix hijacking is not news. What is news? Using
as-path loop detection to selectively blackhole the hijacked route -
which creates a transport path _back to_ the target.

That's all it is, nothing more. All but the WIRED follow-up article
missed this point *completely.* They over-represented the 'hijacking'
aspects, while only making mention of the 'interception' potential.

Let's end this thread with the point I had intended two weeks ago:
we've presented a method by which all the theory spewed by academics
can be actualized in a real network (the big-I internet) to effect
interception of data between (nearly) arbitrary endpoints from
(nearly) any edge or stub AS. That, I think, is interesting.

-Tk



RE: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Boyd, Benjamin R
We've encountered the same diligence with LVL3, especially after
acquisitions where records haven't been updated yet.  Although a little
annoying it's quite refreshing.
 

-Original Message-
From: Eric Spaeth [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 28, 2008 1:41 AM
To: Jon Lewis; [EMAIL PROTECTED]
Subject: Re: Revealed: The Internet's well known BGP behavior

Jon Lewis wrote:
 At 11:32 PM 27-08-08 -0500, John Lee wrote:

 They didn't have control of any routers other than their own.  What 
 they had to find is a single clueless upstream ISP that would allow 
 them to announce prefixes that didn't belong to them.

 Clueless or big and inattentive?  AFAIK, Level3 will accept anything 
 from me...as long as I put it in one of the IRRs the day before I plan 
 to announce it.

Working for a company that has been steadily growing through 
acquisition, we have actually run into this problem a couple times 
before.  I'm not sure if we hit the lottery, but our upstream providers 
(including LVL3) have definitely intervened when we've moved netblocks 
from a company that doesn't match our name into our facilities to be 
advertised under our ASNs.  I'm not sure how diligent or widespread the 
validation checks are, but at least on occasion they do occur.

-Eric








Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Steven M. Bellovin
On Thu, 28 Aug 2008 10:16:16 -0500
Anton Kapela [EMAIL PROTECTED] wrote:

 I thought I'd toss in a few comments, considering it's my fault that
 few people are understanding this thing yet.
 
  On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron [EMAIL PROTECTED]
  wrote:
 
  People (especially spammers) have been hijacking networks for a
  while
 
 I'd like to 'clear the air' here. Clearly, I failed at Defcon, WIRED,
 AFP, and Forbes.
 
 We all know sub-prefix hijacking is not news. What is news? Using
 as-path loop detection to selectively blackhole the hijacked route -
 which creates a transport path _back to_ the target.
 
 That's all it is, nothing more. All but the WIRED follow-up article
 missed this point *completely.* They over-represented the 'hijacking'
 aspects, while only making mention of the 'interception' potential.
 
 Let's end this thread with the point I had intended two weeks ago:
 we've presented a method by which all the theory spewed by academics
 can be actualized in a real network (the big-I internet) to effect
 interception of data between (nearly) arbitrary endpoints from
 (nearly) any edge or stub AS. That, I think, is interesting.
 
Indeed, and I thank you for it.  As noted, I and others have been
warning about the problem for a long time.  You've shown that it isn't
just an ivory tower exercise; maybe people will now get serious about
deploying a solution.

To quote Bruce Schneier quoting an NSA maxim, "attacks only get better;
they never get worse."  We now have running code of one way to do this.
I think most NANOG readers can see many more ways to do it.  A real
solution will take years to deploy, but it will never happen if we
don't start.  And we want to have the solution out there *before* we
see serious attacks on BGP.

Again, thank you -- it was really nice work.

--Steve Bellovin, http://www.cs.columbia.edu/~smb



Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Randy Bush
Steven M. Bellovin wrote:
 On Thu, 28 Aug 2008 10:16:16 -0500
 Anton Kapela [EMAIL PROTECTED] wrote:
 
 I thought I'd toss in a few comments, considering it's my fault that
 few people are understanding this thing yet.

 On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron [EMAIL PROTECTED]
 wrote:
 People (especially spammers) have been hijacking networks for a
 while
 I'd like to 'clear the air' here. Clearly, I failed at Defcon, WIRED,
 AFP, and Forbes.

 We all know sub-prefix hijacking is not news. What is news? Using
 as-path loop detection to selectively blackhole the hijacked route -
 which creates a transport path _back to_ the target.

 That's all it is, nothing more. All but the WIRED follow-up article
 missed this point *completely.* They over-represented the 'hijacking'
 aspects, while only making mention of the 'interception' potential.

 Let's end this thread with the point I had intended two weeks ago:
 we've presented a method by which all the theory spewed by academics
 can be actualized in a real network (the big-I internet) to effect
 interception of data between (nearly) arbitrary endpoints from
 (nearly) any edge or stub AS. That, I think, is interesting.

 Indeed, and I thank you for it.  As noted, I and others have been
 warning about the problem for a long time.  You've shown that it isn't
 just an ivory tower exercise; maybe people will now get serious about
 deploying a solution.
 
 To quote Bruce Schneier quoting an NSA maxim, "attacks only get better;
 they never get worse."  We now have running code of one way to do this.
 I think most NANOG readers can see many more ways to do it.  A real
 solution will take years to deploy, but it will never happen if we
 don't start.  And we want to have the solution out there *before* we
 see serious attacks on BGP.
 
 Again, thank you -- it was really nice work.

aol




Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Deepak Jain
*) Filtering your customers using IRR is a requirement, however, it is not 
a solution - in fact, in the demonstration, we registered the /24 prefix 
we hijacked in IRR. RIRs need to integrate the allocation data with their 
IRR data.




further clarification... [if this is obvious, just skip over the message].

IRR filters help prevent *accidental* hijacking and *accidental* route 
spillage. In that, they seem to do their job. I don't know why people 
think that would help prevent a deliberate hijacking job.


I don't think there is enough trust in the IP allocation system from 
the RIRs yet (trust anchors being the word of the week) to even 
contemplate non-repudiation in advertisements yet.


We can go into lots of reasons why the Internet runs this way. I think 
we can all agree 1) It's amazing it runs as well as it does, and 2) No 
one has clearly articulated a financial reason for any large 
organizations to significantly change their interconnection 
methodologies over the current BCP [that exceeds the costs of doing so].


Until either of those assertions change, the status quo will essentially 
remain.


Alex et al, I apologize if you already covered this in your preso...

One way to help mitigate the effects of this [as a user] is to keep all 
of your conversation end points on the same network -- especially if you 
run a VPN or similar -- and [rather than scan your traceroutes daily as 
someone suggested] scan the IRRs daily to make sure no changes have been 
entered for prefixes you care about.


Just some thoughts,

Deepak Jain
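
An added example, not Deepak Jain's code and not any IRR's tooling: a Python diff of two IRR snapshots that reports route objects appearing or disappearing for the prefixes you care about, the daily scan he suggests. The RPSL text, the maintainer names and the ASNs are constructed; the two snapshot strings stand in for the saved output of yesterday's and today's whois query.

```python
# Added example, not from the original message: parse RPSL route objects as an
# IRR whois query returns them and diff two daily snapshots, reporting any
# route object that appeared or vanished for a prefix equal to or inside one
# we watch.  All objects, maintainers and ASNs below are constructed.
import ipaddress
import re

SNAPSHOT_YESTERDAY = """\
route:      203.0.113.0/24
descr:      Example stub network
origin:     AS64500
mnt-by:     MAINT-EXAMPLE
source:     RIPE

route:      198.51.100.0/24
descr:      Example stub network
origin:     AS64500
mnt-by:     MAINT-EXAMPLE
source:     RIPE
"""

# Today's snapshot: someone registered a more-specific of our space under a
# different origin and maintainer (constructed).
SNAPSHOT_TODAY = SNAPSHOT_YESTERDAY + """
route:      203.0.113.128/25
descr:      Registered by someone else
origin:     AS64497
mnt-by:     MAINT-OTHER
source:     RIPE
"""

WATCHED_PREFIXES = ["203.0.113.0/24", "198.51.100.0/24"]   # constructed

def parse_routes(text):
    """Return {(route, origin): mnt-by} for every route object in RPSL text.
    Objects are blank-line separated; attributes are 'key: value' lines."""
    objs = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            attrs[key.strip()] = val.strip()
        if "route" in attrs and "origin" in attrs:
            objs[(attrs["route"], attrs["origin"])] = attrs.get("mnt-by", "")
    return objs

def irr_changes(old_text, new_text, watched_prefixes):
    """Return (added, removed): route objects that appeared or disappeared for
    any prefix that equals or falls inside a watched prefix."""
    old, new = parse_routes(old_text), parse_routes(new_text)
    watched = [ipaddress.ip_network(p) for p in watched_prefixes]

    def relevant(route):
        net = ipaddress.ip_network(route)
        return any(net.version == w.version and net.subnet_of(w) for w in watched)

    added = {k: v for k, v in new.items() if k not in old and relevant(k[0])}
    removed = {k: v for k, v in old.items() if k not in new and relevant(k[0])}
    return added, removed

if __name__ == "__main__":
    added, removed = irr_changes(SNAPSHOT_YESTERDAY, SNAPSHOT_TODAY, WATCHED_PREFIXES)
    for (route, origin), mnt in added.items():
        print(f"NEW route object {route} origin {origin} (mnt-by {mnt})")
    for (route, origin), mnt in removed.items():
        print(f"GONE route object {route} origin {origin} (mnt-by {mnt})")
```

Because upstreams build their filters from IRR data (the filtergen query quoted earlier in the thread is one place to see the result), a new route object for a more-specific of your space is worth a look the day it appears, before any announcement matching it is accepted.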



Re: Revealed: The Internet's well known BGP behavior

2008-08-28 Thread Danny McPherson


On Aug 28, 2008, at 3:47 PM, Deepak Jain wrote:


We can go into lots of reasons why the Internet runs this way. I think
we can all agree 1) It's amazing it runs as well as it does, and 2) No
one has clearly articulated a financial reason for any large
organizations to significantly change their interconnection
methodologies over the current BCP [that exceeds the costs of doing so].


Until either of those assertions change, the status quo will essentially remain.


Well, there's also been a bit of a chicken and egg problem here -
as no formally verifiable authoritative source for who is authorized
to originate what IP address space has ever existed, and until that
happens, you can't secure the routing system.

Fortunately, the RPKI work will address this, and some of the RIRs
are working on RPKI implementations now.  If there are ways the IRRs
can be populated using this information and non-RPKI derived
updates can be considered less preferable (whatever that means),
then we can get to a better place with the IRRs as a stop gap until
a secure routing protocol can actually be deployed.  However,
without that as a stepping stone, it's an awfully large leap from
RPKI directly into a secure inter-domain routing protocol.

-danny



RE: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread John Lee
1. The technique is not new; it is well known BGP behavior and not stealthy to 
people who route for a living.

2. When your networks use VPNs, MPLS, IPsec, SSL et al you can control what 
packets are going where.

3. When you are running some number of trace routes per hour to see how and 
where your packets are going you spot the additional hops.

4. If you do cold potato routing and know where your peering points are and 
what the ACLs and peering policies are, it is more difficult to hijack.

And finally you use high speed optical paths or broad band ISDN (ATM) why route 
when you can deterministically switch.

John (ISDN) Lee :)


From: Frank [EMAIL PROTECTED]
Sent: Wednesday, August 27, 2008 8:47 PM
To: NANOG list
Subject: Revealed: The Internet's Biggest Security Hole

http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

Two security researchers have demonstrated a new technique to stealthily
intercept internet traffic on a scale previously presumed to be unavailable
to anyone outside of intelligence agencies like the National Security
Agency.

The tactic exploits the internet routing protocol BGP (Border Gateway
Protocol) to let an attacker surreptitiously monitor unencrypted internet
traffic anywhere in the world, and even modify it before it reaches its
destination.

The demonstration is only the latest attack to highlight fundamental
security weaknesses in some of the internet's core protocols. Those
protocols were largely developed in the 1970s with the assumption that every
node on the then-nascent network would be trustworthy.  The world was
reminded of the quaintness of that assumption in July, when researcher Dan
Kaminsky disclosed (http://blog.wired.com/27bstroke6/2008/07/details-of-dns.html) a
serious vulnerability in the DNS system. Experts say the new demonstration
targets a potentially larger weakness.

"It's a huge issue. It's at least as big an issue as the DNS issue, if not
bigger," said Peiter "Mudge" Zatko, noted computer security expert and
former member of the L0pht hacking group, who testified to Congress in 1998
that he could bring down the internet in 30 minutes using a similar BGP
attack, and disclosed privately to government agents how BGP could also be
exploited to eavesdrop. "I went around screaming my head about this about
ten or twelve years ago.... We described this to intelligence agencies and
to the National Security Council, in detail."

The man-in-the-middle attack exploits BGP to fool routers into re-directing
data to an eavesdropper's network.

Anyone with a BGP router (ISPs, large corporations or anyone with space at a
carrier hotel, http://www.fubra.com/blog/2007/10/mac-mini-bgp-routers-part-2.html)
could intercept data headed to a target IP address or group of addresses.
The attack intercepts only traffic headed *to* target addresses, not from
them, and it can't always vacuum in traffic within a network -- say, from
one AT&T customer to another.

The method conceivably could be used for corporate espionage, nation-state
spying or even by intelligence agencies looking to mine internet data
without needing the cooperation of ISPs.

BGP eavesdropping has long been a theoretical weakness, but no one is known
to have publicly demonstrated it until Anton "Tony" Kapela, data center and
network director at 5Nines Data (http://www.5ninesdata.com/), and Alex
Pilosov, CEO of Pilosoft (http://www.pilosoft.com/), showed their technique
at the recent DefCon hacker conference. The pair successfully intercepted
traffic bound for the conference network and redirected it to a system they
controlled in New York before routing it back to DefCon in Las Vegas.

The technique, devised by Pilosov, doesn't exploit a bug or flaw in BGP. It
simply exploits the natural way BGP works.

"We're not doing anything out of the ordinary," Kapela told Wired.com.
"There's no vulnerabilities, no protocol errors, there are no software
problems. The problem arises (from) the level of interconnectivity that's
needed to maintain this mess, to keep it all working."

The issue exists because BGP's architecture is based on trust. To make it
easy, say, for e-mail from Sprint customers in California to reach
Telefonica customers in Spain, networks for these companies and others
communicate through BGP routers to indicate when they're the quickest, most
efficient route for the data to reach its destination. But BGP assumes that
when a router says it's the best path, it's telling the truth. That
gullibility makes it easy for eavesdroppers to fool routers into sending
them traffic.

Here's how it works. When a user types a website name into his browser or
clicks "send" to launch an e-mail, a Domain Name System server produces an
IP address for the destination. A router belonging to the user's ISP then
consults a BGP table for the best route. That table is built from
announcements, or advertisements, issued by ISPs and other networks --
also known as Autonomous Systems, or ASes -- 

Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Patrick W. Gilmore

On Aug 27, 2008, at 11:07 PM, John Lee wrote:

1. The technique is not new it is well known BGP behavior and not  
stealthy to people who route for a living.


Using existing technology in novel ways is still novel.  Plus it makes  
the technique more accessible.  (Perhaps that is not a good thing?)



2. When your networks use VPNs, MPLS, IPsec, SSL et al you can  
control what packets are going where.


No, you cannot.  You can only ensure your end points are the end  
points you think they are.  In no way, shape, or form do things like  
IPsec, SSL, etc. verify or control the intermediate hops.



3. When you are running some number of trace routes per hour to see  
how and where your packets are going you spot the additional hops.


The presentation specifically shows hiding the hops by re-writing  
TTLs.  Perhaps you do not understand this attack as well as you thought?



4. If you do cold potato routing and know where your peering points  
are and what the acls and peering policies are it is more difficult  
to hijack.


Would that network operators were so diligent.


And finally you use high speed optical paths or broad band ISDN  
(ATM) why route when you can deterministically switch.


Because people want to be able to reach the entire planet with a  
single port and without deterministically creating paths to every  
single end point.


Why use ISDN (ATM) when you can do something useful?

--
TTFN,
patrick




Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Christian Koch
what do mpls, ipsec tunnels, ssl have anything to do with someone
announcing your address space and hijacking your prefixes??

i think we all know this is not new.. and these guys didn't claim it to
be.. they're not presenting this to a 'xNOG' crowd, defcon has a
different type of audience.. I'm not saying they don't know about this
kind of insecurity, but it is nice to see this material being
presented, and exposing it to different 'groups' especially with a
live demo...


christian



On Wed, Aug 27, 2008 at 11:07 PM, John Lee
[EMAIL PROTECTED] wrote:
 1. The technique is not new it is well known BGP behavior and not stealthy to 
 people who route for a living.

 2. When your networks use VPNs, MPLS, IPsec, SSL et al you can control what 
 packets are going where.

 3. When you are running some number of trace routes per hour to see how and 
 where your packets are going you spot the additional hops.

 4. If you do cold potato routing and know where your peering points are and 
 what the acls and peering policies are it is more difficult to hijack.

 And finally you use high speed optical paths or broad band ISDN (ATM) why 
 route when you can deterministically switch.

 John (ISDN) Lee :)

 
 From: Frank [EMAIL PROTECTED]
 Sent: Wednesday, August 27, 2008 8:47 PM
 To: NANOG list
 Subject: Revealed: The Internet's Biggest Security Hole

 http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html


RE: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread John Lee
Patrick,

VPNs and MPLS control intermediate hops and IPsec and SSL do not allow the 
info to be seen.

Rewriting the TTL only hides the number of hop count, trace route will still 
show the hops the packet has transited.

John (ISDN) Lee


From: Patrick W. Gilmore [EMAIL PROTECTED]
Sent: Wednesday, August 27, 2008 11:18 PM
To: NANOG list
Subject: Re: Revealed: The Internet's well known BGP behavior




Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Adrian Chadd
On Wed, Aug 27, 2008, John Lee wrote:
 Patrick,
 
 VPNs and MPLS control intermediate hops and IPsec and SSL do not allow the 
 info to be seen.
 
 Rewriting the TTL only hides the number of hop count, trace route will still 
 show the hops the packet has transited.

No, traceroute shows the hops which returned time to live exceeded.

This only maps to the hops the packet has transited if the TTL is set up
and decremented correctly.




Adrian
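To make Adrian's point concrete, here is a small model (added here, not code from the thread or the presentation) of how a traceroute client builds its hop list from "time exceeded" replies. The paths and router names are constructed; the `extra` hop models a device that forwards without decrementing the TTL, which is why a hop list on its own is not a reliable way to notice that a path has changed.

```python
"""Model of what traceroute can and cannot see (added example, constructed data).

traceroute prints the hops that answered ICMP Time Exceeded. That list equals
the hops actually transited only if every hop decrements the TTL."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Hop:
    name: str
    decrements_ttl: bool = True  # False: forwards the packet without touching the TTL


def send_probe(path: List[Hop], ttl: int) -> Optional[str]:
    """Forward one probe along `path`. Return the name of the hop whose TTL
    decrement reaches zero (the one that would answer Time Exceeded), or None
    when the probe makes it to the end of the path."""
    for hop in path:
        if not hop.decrements_ttl:
            continue            # probe passes straight through; this hop never answers
        ttl -= 1
        if ttl == 0:
            return hop.name
    return None


def traceroute(path: List[Hop], destination: str, max_ttl: int = 30) -> List[str]:
    """Return the hop list a traceroute client would print for `path`."""
    printed = []
    for ttl in range(1, max_ttl + 1):
        replier = send_probe(path, ttl)
        if replier is None:
            printed.append(destination)  # destination itself answers the probe
            break
        printed.append(replier)
    return printed


def hidden_hops(path: List[Hop], destination: str) -> List[str]:
    """Hops the probe crossed that never appear in the printed trace."""
    shown = set(traceroute(path, destination))
    return [hop.name for hop in path if hop.name not in shown]


# Constructed sample paths: three honest routers, then the same routers with an
# extra device in the middle that does not decrement the TTL.
HONEST_PATH = [Hop("r1"), Hop("r2"), Hop("r3")]
DIVERTED_PATH = [Hop("r1"), Hop("extra", decrements_ttl=False), Hop("r2"), Hop("r3")]

if __name__ == "__main__":
    print(traceroute(HONEST_PATH, "dst"))    # ['r1', 'r2', 'r3', 'dst']
    print(traceroute(DIVERTED_PATH, "dst"))  # identical hop list
    print(hidden_hops(DIVERTED_PATH, "dst"))  # ['extra']
```

Both paths print the same four lines; only the round-trip times would differ, which is the one signal the hop list cannot hide.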




RE: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread John Lee
Adrian,

The traceroute utility that I used gave me a list of hops that the packet I was 
interested in transited and a time when it transited the hop. When the TTL was 
reached it would terminate the listing.

Whenever I had performance issues on my networks or with my network's links it 
would indicate if the standard route was being taken or another one. When 
certain links went down several additional hops would be added to the list.

John (ISDN) Lee


From: Adrian Chadd [EMAIL PROTECTED]
Sent: Wednesday, August 27, 2008 11:32 PM
To: John Lee
Cc: Patrick W. Gilmore; NANOG list
Subject: Re: Revealed: The Internet's well known BGP behavior




Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Patrick W. Gilmore

On Aug 27, 2008, at 11:47 PM, John Lee wrote:

The traceroute utility that I used gave me a list of hops that the  
packet I was interested in transited and a time when it transited  
the hop. When the TTL was reached it would terminate the listing.


You are very confused how traceroute works.

Being confused is fine.  Lots of people are confused & ignorant.  In  
fact, everyone is ignorant about more things than they are educated  
about.  However, when people like Adrian, who are clearly more versed  
in the technology than you are, try to educate you, ignoring his kind  
help and repeating your confusion to 10s of 1000s of your not-so-close  
friends is not fine.


Please read Adrian's post again, read about traceroute, and try not to  
post until you have understood them.  (To be clear, if you come to the  
conclusion you are right and Adrian is wrong it means you have _not_  
understood them.)




When ever I had performance issues on my networks or with my  
networks links it would indicate if the standard route was being  
taken or another one. When certain links went down several  
additional hops would be added to the list.


The fact you do not understand how traceroute works makes it obvious  
why you misunderstand how to diagnose something from that lack of  
understanding.



VPNs and MPLS control intermediate hops and IPsec and SSL do not  
allow the info to be seen.




VPNs do no such thing.  To prove this to yourself, realize that  
IPsec and SSL are both types of VPNs.


Encrypting the data is very useful.  Hell, Anthony & Alex say so  
themselves.  But that wasn't the point of the presentation.  (And  
we'll ignore the fact that the size, speed, and even existence of a  
data stream - encrypted or not - might be useful information to a  
miscreant.)


Lastly, can you show me a single inter-AS MPLS deployment?  When you  
can, then you can use that as a method to avoid this h4x0r.


--
TTFN,
patrick




Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Patrick Giagnocavo
John Lee wrote:
 Adrian,
 
 The traceroute utility that I used gave me a list of hops that the
 packet I was interested in transited and a time when it transited the
 hop. When the TTL was reached it would terminate the listing.
 

But if I can control your traffic I could change everything, couldn't I?

I mean, with the ability to inject whatever I wanted, I could spoof
traceroute, yes?  I could filter for that traffic and return whatever I
wanted.

I could manufacture a series of packets showing that NYC and London were
only 10ms apart in such a case.

--Patrick



RE: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Hank Nussbacher

At 11:32 PM 27-08-08 -0500, John Lee wrote:
Thanks guys, going back to my Comer one more time. My issue, question was 
whether the organization doing the hijacking controlled all of the routers 
in the new modified path or only some of them?


John (ISDN) Lee


They didn't have control of any routers other than their own.  What they 
had to find is a single clueless upstream ISP that would allow them to 
announce prefixes that didn't belong to them.


-Hank




RE: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Jon Lewis

On Thu, 28 Aug 2008, Hank Nussbacher wrote:


At 11:32 PM 27-08-08 -0500, John Lee wrote:
Thanks guys, going back to my Comer one more time. My issue, question was 
whether the organization doing the hijacking controlled all of the routers 
in the new modified path or only some of them?


John (ISDN) Lee


They didn't have control of any routers other than their own.  What they had 
to find is a single clueless upstream ISP that would allow them to announce 
prefixes that didn't belong to them.


Clueless or big and inattentive?  AFAIK, Level3 will accept anything from 
me...as long as I put it in one of the IRRs the day before I plan to 
announce it.


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
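Hank's point is that the hijack needed nothing more than one upstream accepting an announcement for space that was not theirs, and Jon's is that an IRR entry is often all that gatekeeper asks for. The check below (added here, not code from the thread) is the kind of thing a prefix owner can run over a route collector feed: it flags announcements of our own space, including more-specifics, that come from the wrong origin AS, and announcements that show the right origin but an unexpected neighbor in front of it. All prefixes, ASNs and announcements are constructed sample data.

```python
"""Flag announcements of our address space with an unexpected origin or
upstream (added example; every value below is constructed)."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Our space and the AS that should originate it (constructed).
OWNED: Dict[str, int] = {"203.0.113.0/24": 64500, "198.51.100.0/23": 64500}
# Transit ASes expected directly before our origin in any AS path (constructed).
UPSTREAMS: Dict[int, Set[int]] = {64500: {64510, 64511}}

# Announcements as a route collector would report them: (prefix, AS path), origin last.
OBSERVED: List[Tuple[str, List[int]]] = [
    ("203.0.113.0/24", [64520, 64510, 64500]),    # normal
    ("203.0.113.128/25", [64520, 64530, 64666]),  # more-specific, foreign origin
    ("198.51.100.0/23", [64511, 64500]),          # normal
    ("198.51.100.0/24", [64520, 64599, 64500]),   # our origin, but unknown upstream
    ("192.0.2.0/24", [64520, 64540]),             # not our space, ignored
]


def covering_owned_prefix(prefix: str, owned: Dict[str, int]) -> Optional[str]:
    """Return the owned prefix that contains `prefix` (or equals it), else None."""
    net = ipaddress.ip_network(prefix)
    for candidate in owned:
        cnet = ipaddress.ip_network(candidate)
        if net.version == cnet.version and net.subnet_of(cnet):
            return candidate
    return None


def check_announcements(observed: List[Tuple[str, List[int]]],
                        owned: Dict[str, int],
                        upstreams: Dict[int, Set[int]]) -> List[dict]:
    """One alert per announcement of our space that has the wrong origin, or the
    right origin behind a neighbor we do not buy transit from."""
    alerts = []
    for prefix, path in observed:
        covering = covering_owned_prefix(prefix, owned)
        if covering is None or not path:
            continue
        origin, expected = path[-1], owned[covering]
        if origin != expected:
            reason = "unexpected origin AS%d" % origin
        elif len(path) >= 2 and path[-2] not in upstreams.get(expected, set()):
            reason = "expected origin but unexpected upstream AS%d" % path[-2]
        else:
            continue  # origin and upstream both as expected
        alerts.append({"prefix": prefix, "covering": covering,
                       "more_specific": prefix != covering,
                       "reason": reason, "path": path})
    return alerts


if __name__ == "__main__":
    for alert in check_announcements(OBSERVED, OWNED, UPSTREAMS):
        print(alert)
```

The upstream check matters because an origin-only comparison is satisfied by any path that ends in our ASN, whoever actually announced it.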



Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Patrick W. Gilmore

On Aug 28, 2008, at 1:40 AM, Jim Popovitch wrote:
On Thu, Aug 28, 2008 at 1:22 AM, Patrick W. Gilmore  
[EMAIL PROTECTED] wrote:

Assuming it is in the wrong place, you may be able to detect the
intrusion.  But most people do not run traceroutes all day and
watch for it to change.  If you run the traceroute after the attack
starts, well, how are you to know that br01-pos07-$FOO-$BAR is wrong
and br03-10GE02-$BLAH-$BAR is right?


Uhhh... network monitoring with traceroute and topology tools.  There
are several off-the-shelf varieties to choose from, and I know of
several providers that use them.


I stand by my assertion that most people do not run traceroutes all  
day and watch for it to change.


That some people are diligent does not change the fact the  
overwhelming majority of people are not.


Or the fact that with the right placement of equipment (read luck)  
and cooperation of networks involved (read laziness), even a  
traceroute won't show any change besides additional latency.


--
TTFN,
patrick