Plumbers of the interwebs vow to kill IP hijacking

Task force to send 'Rover' out to wild web galaxy

The Internet Engineering Task Force (IETF) aims to strengthen the basic protocols of the internet, with a way to stop route, or IP, hijacking. IETF experts say the proposed fix is simpler to implement than previous suggestions.

IP hijacking exploits a fundamental weakness of the internet. Data and messages sent across the internet are forwarded by routers, and the routes those routers learn from one another are blindly trusted. No measures are in place to verify that a route announcement is genuine rather than one fabricated to redirect or intercept traffic.

In 2008, Pakistan Telecom took advantage of this blind trust to send YouTube briefly into a global blackhole. CNET's Declan McCullagh wrote at the time:

By accident or design, the company broadcast instructions worldwide claiming to be the legitimate destination for anyone trying to reach YouTube's range of Internet addresses.

The security weakness lies in why those false instructions, which took YouTube offline for two hours on Sunday, were believed by routers around the globe. That's because Hong Kong-based PCCW, which provides the Internet link to Pakistan Telecom, did not stop the misleading broadcast - which is what most large providers in the United States and Europe do.

Traffic mismanagement

The same fundamental weakness in BGP (Border Gateway Protocol), a core routing protocol that maps preferred paths for traffic to flow over the internet, was used to hijack the network at the Defcon hacker conference in Las Vegas in 2008. Everything looked the same to delegates after the hijack, but all unencrypted traffic sent over the network was open to wiretapping.

In 2010, China Telecom rerouted up to 15 per cent of the world's internet destinations on two brief occasions, using false BGP route information to direct traffic through its own networks.

The hijackings sparked a security scare in the US. Even without the China dimension, America's dismay is understandable:

The [April 8] hijacking, which lasted 18 minutes, affected email and web traffic traveling to and from .gov and .mil domains, including those for the US Senate, four branches of the military, the office of the secretary of defense, and NASA, among other US governmental agencies, according to the report. It also affected traffic for large businesses, including Dell, IBM, Microsoft and Yahoo.

Similar tricks might be used to steal corporate communications without leaving a trace or even, at least in theory, to make entire countries unreachable over IP. BGP has no built-in security: routers may accept bogus routes from peers, internet exchanges or transit suppliers, and a dodgy route, once accepted, can have local, regional or global effects.

"Someone can advertise your address space and a route to get there and routers don't know any better," explained Joe Gersch of Secure64, a Domain Name System vendor. "They are just looking for the shortest path."

"It doesn't necessarily have to be malicious for something to go wrong. It could be accidental. Admins could type something wrong into router and this information would still propagate."

The issue has been known for about 10 years, but previous attempts to find a fix foundered because the proposed solutions were too complex or too expensive, Gersch says. More recently, governments have taken a greater interest in the issue, increasing the pressure to find a fix.

Look it up

At an IETF meeting in Paris last month, a working group proposed a solution that seeks to verify that a BGP route announcement comes from the network entitled to originate it.

The proposal involves publishing, in DNS records, which network is authorised to originate routes to a given block of addresses, before applying a second step: using utilities to check that the route announcements actually seen in BGP match those records.

This latter step would use DNSSEC, or DNS Security Extensions, a separate security mechanism which is gradually rolling out as a defence against cache-poisoning attacks.

The whole scheme is called ROVER, or BGP Route Origin Verification (via DNS).

Rover calls for sites themselves to periodically publish their route origins in reverse DNS records, and for BGP route announcements to then be verified against those records in real time.

Rover uses "best effort" data retrieval, relying on worldwide data distribution, redundancy and local caching. If the data is unreachable, the default is that routing proceeds as normal, just without any check.
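The following Python toy is an added illustration, not code from the article, the IETF draft or Secure64. It shows the two behaviours described above: first, a router that simply picks the most specific covering prefix (tie-breaking on the shortest AS path) and so accepts a bogus more-specific announcement from the wrong origin; second, a Rover-style check that looks up the announced prefix, and its covering parents, in reverse DNS and drops the announcement whose origin does not match, while falling open when the lookup fails. The reverse-DNS naming scheme, the record contents, the in-memory stand-in for a DNSSEC-validating resolver, and the documentation-only prefixes and ASNs are all assumptions constructed for the example; the draft's real record format is not shown on this page.

```python
"""Toy BGP route selection with and without a Rover-style origin check.

Added illustration. The reverse-DNS naming, the record contents and the
DNS data below are constructed for this example and are NOT the IETF
draft's exact format.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Documentation-only prefix (RFC 5737) and ASNs (RFC 5398), constructed for the example.
VICTIM_PREFIX = "198.51.100.0/22"   # the legitimate block
VICTIM_AS = 64496
HIJACKER_AS = 64511


@dataclass(frozen=True)
class Announcement:
    prefix: str        # announced prefix, e.g. "198.51.100.0/24"
    as_path: tuple     # AS_PATH as received; the last ASN is the claimed origin

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)


def choose_route(announcements: Iterable[Announcement], dest_ip: str) -> Optional[Announcement]:
    """Unverified selection, as routers do it today: the most specific prefix
    covering dest_ip wins, ties broken by the shortest AS path."""
    ip = ipaddress.ip_address(dest_ip)
    covering = [a for a in announcements if ip in a.network]
    if not covering:
        return None
    return max(covering, key=lambda a: (a.network.prefixlen, -len(a.as_path)))


def reverse_name(net: ipaddress.IPv4Network) -> str:
    """Assumed reverse-DNS name for a prefix: the prefix length as a leading label
    under the reversed network address. Illustrative only, not the draft's encoding."""
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".in-addr.arpa"


# Constructed stand-in for DNSSEC-signed reverse-zone data: name -> authorised origin ASNs.
# Only the /22 is published; the hijacker's /24 has no record of its own.
SIGNED_ORIGINS = {
    reverse_name(ipaddress.ip_network(VICTIM_PREFIX)): {VICTIM_AS},
}


def dns_lookup(name: str) -> Optional[set]:
    """Stand-in for a query through a DNSSEC-validating resolver: returns the
    validated origin set, or None for NXDOMAIN. A real resolver would also
    discard records whose signatures fail to validate."""
    return SIGNED_ORIGINS.get(name)


def unreachable_lookup(name: str) -> Optional[set]:
    """Stand-in for a resolver that times out (data unreachable)."""
    raise TimeoutError(name)


def verify_origin(ann: Announcement, lookup: Callable[[str], Optional[set]]) -> str:
    """Check the announcement's origin against the published reverse-DNS data.
    Walks from the announced prefix up to shorter covering prefixes, so a
    more-specific announcement is judged against the record for its parent block.
    Returns 'valid', 'invalid', 'unknown' (nothing published) or 'unchecked'
    (data unreachable: best-effort lookup, routing proceeds without a check)."""
    net = ann.network
    try:
        for length in range(net.prefixlen, 7, -1):      # announced length down to /8
            origins = lookup(reverse_name(net.supernet(new_prefix=length)))
            if origins is not None:
                return "valid" if ann.origin_as in origins else "invalid"
    except (TimeoutError, OSError):
        return "unchecked"
    return "unknown"


def choose_verified_route(announcements: Iterable[Announcement], dest_ip: str,
                          lookup: Callable[[str], Optional[set]] = dns_lookup) -> Optional[Announcement]:
    """Selection with the origin check applied first: 'invalid' routes are dropped;
    'unknown' and 'unchecked' routes are kept, i.e. the check fails open."""
    kept = [a for a in announcements if verify_origin(a, lookup) != "invalid"]
    return choose_route(kept, dest_ip)


# Constructed announcements: the legitimate /22, and a more-specific /24 from another AS.
LEGIT = Announcement(VICTIM_PREFIX, (64500, VICTIM_AS))
HIJACK = Announcement("198.51.100.0/24", (64510, HIJACKER_AS))
ANNOUNCEMENTS = [LEGIT, HIJACK]

if __name__ == "__main__":
    dest = "198.51.100.10"
    print("unverified:", choose_route(ANNOUNCEMENTS, dest).origin_as)                       # 64511
    print("verified:  ", choose_verified_route(ANNOUNCEMENTS, dest).origin_as)              # 64496
    print("dns down:  ", choose_verified_route(ANNOUNCEMENTS, dest, unreachable_lookup).origin_as)  # 64511
```

Two points worth noticing. The walk up to covering prefixes is what catches the classic more-specific hijack: the bogus /24 has no record of its own, so it is judged against the /22 record and its origin does not match. And because the check fails open by design, an announcement whose author can also make the reverse-DNS data unreachable is accepted unchecked; that is the trade-off the best-effort design accepts in exchange for never blocking routing on a DNS outage.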

Gersch said the working group (the Secure Inter-domain Routing Group, of which he is a member) believes the proposed approach has the potential to succeed because of its simplicity, in contrast with other ideas such as BGPSec or RPKI.

"Rover is a simpler method to publish your authoritative data," Gersch explained. "I own it, and you can look it up. The process can be automated."

Gersch described Rover as an "enabling technology". Preliminary discussions have already been held with members of Cisco's secure networking group on how to interface the technology with routers.

Several early adopter telcos and ISPs are in the process of publishing route origins in their reverse DNS and signing with DNSSEC. In addition, Secure64 has established a Rover Testbed available at "rover.secure64.com" (registration required).

Deployment of Rover is simple, as no changes need be made to existing routers, their IOS software or policies, according to backers of the technology. The system builds on DNSSEC, which firms ought to be deploying anyway, although in practice roll-out has been slow.

The Secure Inter-domain Routing Group at the IETF has worked on alternatives to Rover such as BGPSec and RPKI for at least six years.

"Rover uses something that's already there, DNSSEC crypto keys, rather than having to build out a new system," Gersch explained.

"All the ideas for preventing IP hijacking are proceeding forward. The systems can co-exist but I still expect there will be a fierce debate over which is best," he added. ®
