Hacking internet backbones - it's easier than you think
'Disastrous havoc' made easy
Network backbone technologies used to route traffic over large corporate networks are vulnerable to large-scale hijacking attacks, according to two researchers who released freely available software on Thursday to prove their point.
The tools, demonstrated at the Black Hat security conference in Amsterdam, are intended to show that attacks once believed to be only theoretical are very much practical, said Enno Rey, one of the creators of the software. He developed the tools along with researcher Daniel Mende.
"We think the trust models of some technologies that are widely deployed in some networks are outdated," Rey told The Register. "This is to make people aware that the technologies they use in their daily life are not as secure as they might seem."
Some of the new tools attack a network data-forwarding technology known as MPLS, or multiprotocol label switching. Carriers such as Verizon, AT&T and Sprint use it to segregate one corporate customer's traffic from another's as it's shuttled from one geographic region to another. The tools make it trivial for anyone with access to the carrier's network to redirect that traffic or alter data on it.
The software works because MPLS has no mechanism for protecting the integrity of the headers that determine where a data packet should be delivered.
"There is no way of detecting modification of labels," Rey said. "If somebody gets access to this network, it's quite easy to cause disastrous havoc."
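To make the "no way of detecting modification" point concrete, here is an added example (not the researchers' tools and not code from the article) that parses the MPLS label stack as laid out in RFC 3032 and shows what a defender can and cannot check. Each 32-bit stack entry holds only a 20-bit label, 3-bit traffic class, a bottom-of-stack bit and an 8-bit TTL; there is no checksum or MAC, so an altered label decodes just as cleanly as the original. The only workable check is out-of-band: comparing the label observed at a monitoring point against the label the LSP is known to carry, which `audit_outer_label()` does. The sample packet, label values and the IPv4 stub are constructed for the example.

```python
"""Parse and audit MPLS label stacks (RFC 3032 shim header layout).

Constructed example for the article's point: a label stack entry carries
label, traffic class, bottom-of-stack flag and TTL, and nothing else, so the
header itself cannot reveal that a label was changed in transit.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class MplsEntry:
    label: int   # 20-bit label value
    tc: int      # 3-bit traffic class (formerly EXP)
    bos: bool    # bottom-of-stack flag
    ttl: int     # 8-bit time to live

    def pack(self) -> int:
        if not (0 <= self.label < 1 << 20 and 0 <= self.tc < 8 and 0 <= self.ttl < 256):
            raise ValueError("field out of range")
        return (self.label << 12) | (self.tc << 9) | (int(self.bos) << 8) | self.ttl


def parse_label_stack(data: bytes):
    """Return (entries, payload); walks 4-byte entries until bottom-of-stack."""
    entries = []
    offset = 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("truncated MPLS label stack")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = MplsEntry(label=word >> 12, tc=(word >> 9) & 0x7,
                          bos=bool((word >> 8) & 1), ttl=word & 0xFF)
        entries.append(entry)
        offset += 4
        if entry.bos:
            return entries, data[offset:]


def encode_label_stack(entries, payload: bytes) -> bytes:
    """Inverse of parse_label_stack; exactly the last entry must be bottom-of-stack."""
    if not entries or not entries[-1].bos or any(e.bos for e in entries[:-1]):
        raise ValueError("exactly the last entry must have bottom-of-stack set")
    return b"".join(struct.pack("!I", e.pack()) for e in entries) + payload


def audit_outer_label(data: bytes, expected_label: int):
    """Defender-side check for a monitoring point on a known LSP.

    Returns (ok, observed_label). The header cannot tell us the label was
    changed; only out-of-band knowledge of the expected label can.
    """
    entries, _ = parse_label_stack(data)
    return entries[0].label == expected_label, entries[0].label


def relabelled_copy(data: bytes, new_outer_label: int) -> bytes:
    """Test fixture: same packet with a different outer label. It parses as a
    perfectly well-formed stack, which is exactly the problem."""
    entries, payload = parse_label_stack(data)
    entries[0] = MplsEntry(new_outer_label, entries[0].tc, entries[0].bos, entries[0].ttl)
    return encode_label_stack(entries, payload)


# Constructed sample: a two-level stack of the kind used for MPLS VPNs (outer
# transport label, inner VPN label) followed by a stub IPv4 payload.
SAMPLE_STACK = [
    MplsEntry(label=16, tc=0, bos=False, ttl=64),
    MplsEntry(label=24000, tc=0, bos=True, ttl=255),
]
SAMPLE_PAYLOAD = b"\x45\x00" + b"\x00" * 18   # constructed IPv4 header stub
SAMPLE_PACKET = encode_label_stack(SAMPLE_STACK, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    entries, payload = parse_label_stack(SAMPLE_PACKET)
    print("observed stack:", entries)
    print("audit against expected label 16:", audit_outer_label(SAMPLE_PACKET, 16))
    altered = relabelled_copy(SAMPLE_PACKET, 17)
    print("altered stack parses fine:", parse_label_stack(altered)[0])
    print("audit catches it only via expectation:", audit_outer_label(altered, 16))
```

The audit function is the practical takeaway: because the shim header has no integrity field, a monitoring point can only flag a label that differs from what the provisioning system says the LSP should carry, which is why the article's advice to encrypt traffic end to end stands.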
Other tools attack a separate network technology known as BGP, or border gateway protocol. Among other things, they crack the MD5 cryptographic keys used to prevent tampering. They also make it easy to inject unauthorized routes in BGP tables, allowing an attacker to hijack huge swaths of internet traffic.
Other tools exploit similar weaknesses in the ethernet protocol.
Of course, the lack of security in MPLS, BGP and ethernet is well documented. At last year's Defcon hacker conference, for example, researchers Anton "Tony" Kapela and Alex Pilosov demonstrated an attack on BGP that allowed them to redirect traffic bound for the conference network in Las Vegas to a system they controlled in New York. Other internet underpinnings, including the DNS, or domain name system, and SNMP, or Simple Network Management Protocol, have also been shown to be vulnerable to tampering.
Rey said he and Mende are well aware of this research. But up to now, the assumption has been that the attacks are technically difficult to carry out. The goal of the tools is to make corporate security professionals aware that the only thing preventing the hijacking of entire corporate networks is the steps carriers take to secure their infrastructure.
"Try to understand if your carrier is trustworthy," he recommended. "If there are any doubts, it might be a good idea to encrypt the traffic. We just want people to be able to make informed decisions." ®
@jake - re: access to hardware
Both BGP and MPLS messages are transmitted over the same public network backbone that internet packets are. Ergo: forge those control messages = control IP routing.
BGP is more exposed because it runs over TCP, while MPLS is reputedly a "layer 2.5" protocol. However, if you are able to tap into the fiber, you essentially have access down to the physical (layer 1) layer.
Here in Silly Valley, we were reminded a few days ago about just how exposed a carrier's infrastructure often is when someone severed 2 separate fiber rings in the San Jose area (one ATT, one Sprint), bringing down all sorts of communications for about 12 hours.
After reading one of the referenced papers, 2 points stand out. A) They are discussing MPLS *VPNs* - which actually are running over layer 3. This implies that *physical* network access is not required, only access to the data stream. (various ways of achieving that)
B) The authors state certain background assumptions, including "Assumes attacker has access to traffic path (in core)". I note that this does not necessarily imply "access to physical hardware", only access to the "traffic path". Once again, there are ways to achieve this that do not require access to a physical router/etc.
Note that many of the vulnerabilities revolve around the use of MD5 for authentication (for BGP, over which some of these MPLS packets are traveling), which of course is now known to be crackable.
@ Chris Miller
That's an interesting read of what you write, though are you not missing the point, written into the article, that the two researchers released freely available SOFTWARE and demonstrated that it was possible at the Black Hat security conference in Amsterdam? Therefore, I doubt very much that this is fear mongering, as you put it, but more of a reality.
"If a third party can gain physical access to your or your carrier's backbone, it's pretty much game over."
In the old days it was fairly easy. Pull the lid on a telco repeater site (conveniently spaced roughly a mile apart, clear across the country), plug into the test/monitor port on the repeater, and there's your SF or ESF framed signal. As it was pulled out of the repeater portion of the circuitry (duplicated, not watched in transit), it wouldn't even send a blue alarm to either end of the circuit, because the circuit was never broken. Piece o'cake. The only hard part was figuring out which of many twisted pairs contained the signal you wanted.
These days, with long-haul fiber, you have to either have physical access to the terminating equipment, or have access to some rather esoteric gear that is capable of reading fiber without breaking it, or physically break into the fiber to install your own monitorable repeater ... All of these three are going to raise some serious security flags in a hurry.
And of course, as the article pointed out, if it's even faintly proprietary, encrypt it.
So basically, if nobody's looking over your shoulder (either literally, or by way of a keylogger or other method), the carriers are to all intents and purposes as secure as they need to be. The authors of the study are fear mongering, at least as far as I'm concerned.