Hijacking huge chunks of the internet - a new How To
It's easy. Those tubes are busted
More evidence that the intertubes are fundamentally broken has been served up by Wired.com in an article laying out a technique to surreptitiously hijack huge chunks of the internet and monitor or even modify unencrypted traffic before it reaches its intended destination.
The exploit of the routing protocol known as BGP, short for Border Gateway Protocol, is akin to the poor man's traffic intercept employed by intelligence agencies throughout the world. Like the recently discovered domain name system cache poisoning bug, the exploit is notable because it highlights weaknesses in some of the net's core underpinnings.
The man-in-the-middle attack was demonstrated earlier this month at the Defcon hacker conference in Las Vegas when researchers Anton "Tony" Kapela and Alex Pilosov redirected traffic bound for the conference network to a system they controlled in New York and then routed it back to Las Vegas.
The attack is able to arbitrarily re-direct traffic by exploiting the implicit trust placed in BGP routers. Anyone with access to a BGP router can intercept data sent to one or more target IP addresses. Attackers can simply drop the packets as Pakistan did earlier this year when it blocked worldwide access to YouTube. Or the attackers could monitor or even alter the traffic before sending it along to its intended destination.
It's fair to say that Wired.com's report has gotten the attention of security experts.
"When you can forcefully route someone's traffic through you before it reaches it targeted destination, that's really bad," Jeremiah Grossman, CTO of security firm White Hat Security, said in an online chat. "Looking at these vuln announcements, 2008 will be known as the year where we could have taken down the internet."
Other researchers, without discounting the serious conclusions raised by the research, said they weren't convinced the attacks would remain stealthy for long. While virtually anyone can join the BGP club, members typically take a keen interest in the actions of their peers. Logs of BGP routing tables date back to at least 1999, said Dan Kaminsky, who first alerted the world to the DNS bug.
"If you abuse your abilities you're going to lose your abilities," Kaminsky explained. "The BGP community is small enough and logged enough that those elements that are doing consistently nasty stuff will be dealt with."
Kaminsky also said pulling off the BGP attack would require a level of expertise that exceeded typical attacks, such as the ubiquitous SQL injection exploits or those targeting the DNS bug.
"Theres not going to be a Metaspoit module that any kid can run that can go ahead and run this attack," he said.
The research nonetheless should raise concern since it further highlights that fundamental parts of the internet - parts that were never designed to be secure - frequently act as the gatekeepers that protect our commerce and communications from a growing number of crooks and snoops. It describes a technique that could make wide-scale spying or fraud if not trivial then certainly possible for groups with just a bit of expertise and determination. And as such, it takes so-called Digital Pearl Harbor scenarios squarely in the realm of possibility.
More from Wired.com, including a detailed explanation of how the attack works and possible ways to prevent it, is here. ®
Miscreants need an AS
BGP routes to organizations, a.k.a. ASs (Autonomous System number). You'd have to setup a multi-homed company or organization, or an ISP and get your AS number. Last I checked, ARIN, RIPE et al do pretty thorough identity checks (atop the need-to-have checks).
Transits and large NOCs can already do this, sometimes it's done on purpose for non-nefarious reasons. We presume the CIA has better ways.
After careful planning and great expense, a small company could probably steal another small companies data, but if you get caught, we know who you are and where you live. There are easier ways.
I'm with the "not news" crowd.
Defcon delegates must be either seriously running out of ideas, or getting much younger and hence unable to recall discussion of this in past literature, which dates back _at least_ ten years.
Granted your average internet 'civilian' wouldn't necessarily be aware of this, but anyone who claims or considers themselves to be an internet security 'expert' or 'researcher', or even to be knowledgeable in the field and expresses surprise at this should be dismissed a s charlatan immediately.
2008 will surely be remembered as the year that Defcon became even less relevant and even more tediously uninteresting than it was to begin with.
@Based on trust
ya, your wrong. its only the poor mans traffic intercept, and traffic would just be routed else where if any telecom exchange whatever is down. fly around in a plane intercepting satalite transmissions cant shut down the net either. youd need to simultainously intercept every country