Border Gateway Protocol (BGP): Internet's Biggest Security Hole?

Discussion in 'other security issues & news' started by dw426, Aug 27, 2008.

Thread Status:
Not open for further replies.
  1. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    And this isn't even a vulnerability; it's exploitable using the natural way it works, sheesh! Anyway, from the article:

    "Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.

    The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination."

    Also, "'We're not doing anything out of the ordinary,' Kapela told Wired.com. 'There's no vulnerabilities, no protocol errors, there are no software problems. The problem arises (from) the level of interconnectivity that's needed to maintain this mess, to keep it all working.'"

    It goes on to say that this was not known publicly outside of intelligence agencies previously (Hmm, I seem to recall being laughed at heartily a few weeks ago when I mentioned intelligence agencies may be able to do more than we think they can), and that even though VPN and encryption methods can help against this being used against you to spy, it still is a valuable tool to see who is talking to whom (I also remember being ridiculed for saying encryption is not as tight as some like to believe; gee, I'm feeling kinda cheery right about now).

    Regardless, IMHO, we can all stop wasting so much time on the newest "block this and that" behavior apps, filter this and that firewalls, and all this other mess and just take basic precautions, because over the last month or so, between the DNS thing and now this, we're finding out the internet itself is more dangerous and flawed than the software we patch every other Tuesday and use other software to armor up. I hate to be all "the sky is falling" here, but hell, it is looking to me like our biggest problem isn't hackers, trojans, or any of that mess; our biggest problem is that someone built the Internet with Swiss cheese.

    Edit: Further reporting added here: http://blog.wired.com/27bstroke6/2008/08/how-to-intercep.html.
     
    Last edited: Aug 27, 2008
  2. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Re: The Internet's Biggest Security Hole

    Can home users (like myself) do something about this, or are our ISPs responsible for 'fixing' (if this is even possible) this?
     
  3. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Great, I just realized I didn't post the original link when I made this post *smacks head*. As for your question, as far as I'm aware this is something that needs to be done at ISP level, not really a doable fix by us as users.
     
  4. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Well, then we just have to wait and see what happens.
    It probably has to be a joint effort, because a single ISP can't do much I guess.
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543

    Yes, and as I mentioned in a similar post, all it takes is an ISP or two to not play along and any attempted fix won't make a difference.
     
  6. Bensec

    Bensec Registered Member

    Joined:
    Aug 4, 2008
    Posts:
    177
    Location:
    China Changsha
    I don't understand this, and I found the following.
    I hope it's helpful. :D
    It all starts with Pakistan and YouTube:

    Some background for those of you who don't understand a word of what's going on here.

    By now, I imagine most of you have probably noticed that when you type 'www.metafilter.com' in your browser and hit enter, your computer connects to this server and displays the web page there. But have you ever wondered just exactly how that works?

    When you start a conversation with Metafilter, your computer assembles a connection-start packet, and sends it to its local gateway. Your local gateway forwards it into the Internet proper.

    At each step of the way, there's a router. For each packet, the router has to determine which of its interfaces is the 'best' direction to send it.

    So, typically, your packet flies from router to router, each tossing the packet closer and closer to MeFi, until it actually arrives. MeFi then replies, and the answer packet flies back, very possibly via a different path. The paths can change at any time, and often do. At each step, a router decides which way to send the packet, and forwards it on.

    Your machine gets the answer packet, and then sends a final connection-established packet. Once again, several routers decide which way to send it, until it reaches MeFi again. This gets both machines in agreement about the parameters of the connection. Note that we've involved a lot of routers, each forwarding three packets, before we've even sent the http request!

    At that point, your machine requests the actual data, MeFi's server answers, and many hundreds of packets start flying around -- most of them from MeFi to you. Finally, all the data has been sent, and the page is rendered. It looks like you just directly connected to MeFi, but a lot of other computers were involved. Despite how fast everything seems, there's a lot going on. For instance, there are 15 hops between this machine and www.metafilter.com, so in posting this message, all 15 hops will be making a forwarding decision on each and every packet that goes through.

    Routing is the process of actually deciding which way to send a packet. In simple networks, most routing is done statically. That is, each router is pre-programmed with all the routes it needs to know. For instance, if you have a main office and a branch office, the IT staff would assign different net ranges to each building, and would program the routers to know where they are. If you, in office A, connect to a machine in office B, your local router knows to send those packets down the wire that goes to the other office.

    This works really well, up to a point. Past a certain level of complexity, it starts getting hard to track what net ranges are where. As offices start up and close down, or as net ranges need to expand to cope with more workers, the routes gradually get more and more complex, and there's more and more chance of error. In a complex, static-routed environment, adding a new network might require changes in 10 or 20 routers, and a typo while configuring any of them can potentially screw the whole company up.

    Further, this doesn't allow for easy failover. Many companies think it's very important that the network stay up at all times, and will run redundant circuits. But telling 10 routers that Circuit A has failed, but Circuit B is still up, is very time-consuming. This causes outages. IT staff lives in constant fear, because people only notice us when things break. So, as you can imagine, we're very happy about things that automate these processes and make failures invisible to our clients.

    Thus, routing protocols were born. Basically, these are just ways that routers tell neighboring routers what networks they know about. In that first simple example, Router B announces the network range in Office B, and Router A announces Office A and the 'default route'... the internet. When Office B sends traffic, that router knows to send all of it to Router A. Router A is the core 'decider'.... on any given packet, it routes to Office B, to Office A, or to the Internet.

    In that simplest of examples, you don't gain anything over just static routing. But if you add in Office C, and then Offices D through H... each time, all the routers talk to each other and figure out what networks they know about, so the traffic goes to the right places. And if you add in redundant links, when something fails, the same protocol can immediately notify the whole network, which can then immediately start routing onto the standby circuits instead. This simplifies administration enormously.

    This scales up to the whole internet... most of the big routers in the Net run BGP, Border Gateway Protocol. Companies are assigned "AS numbers" -- AS means Autonomous System. YouTube, for instance, has an AS number. It's kind of like an ownership tag. These entities also get networks to use. They advertise those networks to their neighbors, combined with their AS number. So, with all these disparate links to all these different places, with all these routers running BGP.... all the routers run a fairly complex algorithm to try to determine the shortest path to every network they're told about.

    So, okay, phew. You've got this giant cloud of thousands of routers, handling millions of networks, and everything's good. So now (cue evil music) Pakistan decrees that YouTube Shall Be Silenced. The ISP of Pakistan adds in a BGP advertisement for YouTube's network space, which their ISP propagates (a critical error)... and within two minutes, the entire Internet knows that YouTube's IP space is in Pakistan. Almost all YouTube traffic goes there, where it's discarded, and YouTube is off the air.

    One of the rules of BGP is that the most specific route wins. YouTube normally advertises four class C networks with a single route; that is, they say that 'all the numbers between these two ranges belong to us, and should come here'. The Pakistan advertisement is for just one of their class C networks, so that's more specific, and thus Pakistan wins. (this is done so that you can say 'except'.... as in, "send traffic for this enormous network range over here, except for this tiny network, which goes here instead.")

    The first thing YouTube tries is advertising just that one class C, the same as Pakistan, but that doesn't override Pakistan's route for most of the Net... only for the routers that are very physically close to YouTube. Most routers see that the two routes are the same specificity, so then they route by distance, and Pakistan is closer for a big chunk of the world. So then YouTube subdivides their class C into TWO routes, and tries advertising those... and for those routers that accept those advertisements, it's a more specific route, and thus YouTube wins.

    But, most of the Net ignores those two little advertisements. Why? Because there are so many global routes that most of the big providers simply refuse advertisements that are smaller than a certain size. Every new route adds to the load on their routers, and all the central routers are just barely keeping up. Most of the Net ignores small advertisements. Thus, YouTube is still mostly down.

    Finally, Pakistan's ISP steps up and stops propagating Pakistan's illicit advertisement, which resolves everything about two minutes later.

    Total downtime: about two hours.

    So, what does this all mean? It means that BGP doesn't have much authentication, and even small mistakes can be spread Net-wide very quickly. If your router trusts my router, and my router trusts Evil Bad Guy's, then YOU trust Evil Bad Guy too. This is called 'transitive trust'. It's a very bad idea, and causes all kinds of computer security pain.

    The upshot is that now they're talking about going to some kind of encryption/signature mechanism for routing... but that's a problem, because the core routers are just barely keeping up, and they really don't have much extra juice to verify that people aren't lying with their advertisements. Verifying a signature takes CPU power, and those central routers are so burdened that checking 10,000 routes will be very painful, and providers are going to want to avoid that if they can.

    So, this is a moderately sticky problem, and there will be some wailing and gnashing-of-teeth in conference rooms everywhere. You can be quietly amused as the highly-paid network jocks have to earn their keep this year.
    :)

    edit: here is the link http://www.metafilter.com/69544/Pakistan-vs-YouTube-BGP-loses
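The quoted Metafilter write-up above describes three BGP behaviours in prose: the most specific prefix wins, equal-length prefixes are tie-broken by AS-path length, and many large providers refuse anything more specific than a /24. The following is an added example, not part of the forum post or the Metafilter comment, that replays the Pakistan/YouTube sequence through a toy route-selection model so those three rules can be watched deciding where traffic goes. All identifiers are constructed: the ASNs come from the documentation range 64496-64511, the prefixes from private 10/8 space, and the "near" ISP accepting /25 announcements is an assumption standing in for "routers very physically close to YouTube". Only two of BGP's selection steps are modelled; local preference, MED and the rest are left out.

```python
"""Toy BGP best-path selection replaying the Pakistan/YouTube hijack described above.

Constructed example: ASNs come from the RFC 5398 documentation range and
prefixes from RFC 1918 space; none are the real YouTube or Pakistan Telecom numbers.
Only two selection rules are modelled: longest prefix wins, then shortest AS path.
"""
import ipaddress
from dataclasses import dataclass

# Constructed ASNs (documentation range 64496-64511).
VIDEO_SITE, CENSOR_ISP, CENSOR_UPSTREAM, TRANSIT_A, TRANSIT_B, FAR_ISP, NEAR_ISP = range(64496, 64503)

VICTIM_BLOCK = "10.20.0.0/22"   # the aggregate (four "class C"s) the video site normally announces
HIJACKED_24 = "10.20.1.0/24"    # the single /24 the censoring ISP announces


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # as_path[0] is the neighbor we heard it from, as_path[-1] is the origin


class Router:
    """Keeps every path it accepts (Adj-RIB-In style) and picks one best path per prefix."""

    def __init__(self, asn, max_prefix_len=24):
        self.asn = asn
        self.max_prefix_len = max_prefix_len  # anything more specific than this is refused
        self.paths = {}  # prefix -> {neighbor ASN: Route}

    def receive(self, prefix, as_path):
        route = Route(ipaddress.ip_network(prefix), tuple(as_path))
        if route.prefix.prefixlen > self.max_prefix_len:
            return False  # dropped by the prefix-length filter ("too small to carry")
        if self.asn in route.as_path:
            return False  # standard AS-path loop detection
        self.paths.setdefault(route.prefix, {})[route.as_path[0]] = route
        return True

    def withdraw(self, prefix, neighbor):
        self.paths.get(ipaddress.ip_network(prefix), {}).pop(neighbor, None)

    def best(self, prefix):
        candidates = self.paths.get(ipaddress.ip_network(prefix), {}).values()
        return min(candidates, key=lambda r: len(r.as_path), default=None)

    def origin_for(self, ip):
        """Origin AS that ends up receiving packets for ip: most specific prefix, then shortest path."""
        addr = ipaddress.ip_address(ip)
        covering = [self.best(p) for p in self.paths if addr in p]
        covering = [r for r in covering if r is not None]
        if not covering:
            return None
        return max(covering, key=lambda r: r.prefix.prefixlen).as_path[-1]


def replay(ip="10.20.1.77"):
    """Returns {stage: (origin seen by a far-away ISP, origin seen by an ISP next to the victim)}."""
    far = Router(FAR_ISP)                        # typical core filter: nothing longer than /24
    near = Router(NEAR_ISP, max_prefix_len=25)   # assumption: a nearby ISP that accepts /25s
    legit_far = (TRANSIT_B, 64505, 64506, VIDEO_SITE)      # 4 hops from the far ISP
    legit_near = (VIDEO_SITE,)                              # direct peer of the victim
    hijack = (TRANSIT_A, CENSOR_UPSTREAM, CENSOR_ISP)       # 3 hops: "closer" than the victim
    out = {}

    far.receive(VICTIM_BLOCK, legit_far); near.receive(VICTIM_BLOCK, legit_near)
    out["normal"] = (far.origin_for(ip), near.origin_for(ip))

    # 1. The censoring ISP's upstream leaks a /24 that sits inside the victim's /22.
    far.receive(HIJACKED_24, hijack); near.receive(HIJACKED_24, hijack)
    out["hijack"] = (far.origin_for(ip), near.origin_for(ip))

    # 2. Victim answers with the same /24: equal specificity, so shortest AS path decides.
    far.receive(HIJACKED_24, legit_far); near.receive(HIJACKED_24, legit_near)
    out["same_24"] = (far.origin_for(ip), near.origin_for(ip))

    # 3. Victim splits into two /25s: more specific, but the far router filters them out.
    halves = ("10.20.1.0/25", "10.20.1.128/25")
    out["far_accepted_25s"] = all(far.receive(p, legit_far) for p in halves)
    for p in halves:
        near.receive(p, legit_near)
    out["split_25"] = (far.origin_for(ip), near.origin_for(ip))

    # 4. The upstream stops propagating the leak; the stale path is withdrawn.
    far.withdraw(HIJACKED_24, TRANSIT_A); near.withdraw(HIJACKED_24, TRANSIT_A)
    out["withdrawn"] = (far.origin_for(ip), near.origin_for(ip))
    return out


if __name__ == "__main__":
    for stage, who in replay().items():
        print(f"{stage:>18}: {who}")
```

Running `replay()` with an address inside the leaked /24 shows the far-away ISP handing traffic to CENSOR_ISP from stage 1 until the withdrawal in stage 4, while the victim's direct neighbour recovers as soon as the same-length /24 is announced. Running it with `replay("10.20.0.77")`, an address in the aggregate but outside the leaked /24, returns VIDEO_SITE at every stage, which is the "except" semantics the post describes: the more specific route only diverts the block it names.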
     
  7. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Browser vulnerability that affects all browsers.

    http://sirdarckcat.blogspot.com/2008/05/browsers-ghost-busters.html
    http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=47358&messageID=882431&start=0

    Manuel stated in his interview with Katie that all browsers exhibit the same issue, that the issue is not browser specific because all browsers handle this function exactly the same.

    It's a horribly serious issue that affects all browsers and is currently not fixed on any of them I believe. So Manuel has been asked by the vendors to not release details at this time.

    The BGP vulnerability issue.

    http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html
    http://www.zdnet.com.au/news/security/soa/Flaw-in-BGP-net-protocol/0,130061744,339291643,00.htm

    In their presentation, Pilosov and Kapela demonstrated how a user's BGP traffic could be hijacked and redirected, allowing supposedly secure communications to be intercepted.

    The DNS Flaw

    DNS flaw in the wild, Metasploit.

    http://blog.wired.com/27bstroke6/2008/07/dns-exploit-in.html#previouspost

    All of this points to the fact that everything we do on the internet is corruptible at all avenues.
    The BGP and DNS issues make it possible for big businesses to wage war on competitors and the little guy for market share of internet traffic business. You wouldn't have to deflect the traffic; you could insert malicious code on the return, making it appear that company A is compromised. This would result in consumer confidence lowering in company B, some switching to company A.
    And what about online stock investing? You could redirect to invalid or bogus information that would cause investors to unknowingly make bad decisions.

    All of this adds up to AAAAAAAAAHHHHHHHHHHHHHHHH!

    Don't give up on your security software just yet. Wait a minute, they could redirect my updates too...AAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHH!
     
  8. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    If this is too far off-topic, I understand deletion. But if it is not, I have the following thoughts:

    Well, what exactly were we expecting when we decided to tie virtually our entire lives to the internet? No, I am not proposing we go back to the pre-internet days...simply because the truth is, no one would be able to handle it. Our younger generation especially would very likely not be able to function without computers. No math, no research, nothing, kids would be lost. Technology is a great thing, but when it replaces human thought and interaction, you're bound to run into problems.

    As far as security is concerned, the internet, and I've said this quite a bit, is a massive information database, completely open to everyone on the planet that has internet access. NO security measure is infallible, and it is absolutely essential that we never forget this while turning over our most intimate financial and personal information to retailers, banks, places of work, forums, wherever. No matter what you do, from buying a house to buying a soft drink at your local store, if you use anything other than cold hard cash to pay, your information is floating around the internet, protected from misuse only by security measures that are only as good as the amount of time and money put into them.

    We love to talk about our dear HIPS, LUA, SRP, anti-this and anti-that. They can help TREMENDOUSLY....but only to protect that information which we personally have control of on our own systems. None of these programs do any good on our systems against breaches of your credit card company, hospital, bank, stock services, online forums, name it. Whenever these sorts of vulnerabilities come up, we hear from very intelligent posters who possess much common sense "This isn't anything to lose sleep over", "It's feasible, but such and such prevents this and that". Well, it may very well NOT affect us personally on our own systems, or at least have minimal threat. But again, we ourselves are not in charge of other companies that may have our personal information, and we cannot sensibly expect that they too are not vulnerable to these threats.

    My long-winded message here boils down to this: Technology is imperfect, and nothing will ever change that fact. So please, the next time word of these vulnerabilities leaks out, think NOT of your situation at home and how vulnerable YOU are alone, but of the situation at, and how vulnerable, the hundreds of thousands of companies that control the majority of our personal information are. Your favorite security vendor may consist of very smart people, but for every incredibly bright person on the right side of the law, there is someone just as bright or brighter on the wrong side.
     
  9. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    I concur. I have very limited knowledge concerning these matters, but I sure as hell know that as long as man is dominated by GREED, the battle goes on indefinitely. :oops:
     