27 August 2008

BGP Hijacking Vulnerability

Just when you thought it was safe to go outside...

Wired and Slashdot reported yesterday on The Internet's Biggest Security Hole.  This time it was a long-known problem with Border Gateway Protocol (BGP) which was given a new twist by Alex Pilosov and Tony "Xam" Kapela at the most recent DEFCON.

BGP, as you will recall, is the protocol that ties together the different networks making up the Internet.  While Senator Ted Stevens (R-Alaska) famously described the Internet as a "Series of Tubes" he wasn't that far off.  The reason it's called the Internet is because it is made up of a series of interconnected networks.  These networks, referred to as Autonomous Systems (AS) have numbers (ASNs) and provide connectivity to a set of computers that are assigned a range of IP addresses. While both the ASNs and IP addresses are assigned by an official organization (ARIN in the US), the actual mapping between the two is done by a network owner using BGP to "advertise" to other networks what range of such addresses it contains.  Usually network owners are ISPs and large corporations, but we had our own AS at Convoq and used BGP so that our servers could be connected to the Internet via multiple, redundant links.  The problem is that since all such network owners are considered trustworthy, there is no widely used mechansim for verifying the validity of the advertisements.  Anyone can claim to own any range of addresses and cause the rest of the Internet to send it traffic intended for those addresses.  This happened last February when the government of Pakistan attempted to prevent its citizens from viewing a YouTube video by advertising a route for YouTube that led to a black hole.  While they probably intended that route to apply only within Pakistan it was automatically redistributed throughout the Internet and took YouTube off the air worldwide.

Something as dramatic as making a web site globabally unavailable is usually noticed and repaired fairly quickly, but what Pilosov and Kapela discovered was a way to take the traffic one purloined and then forward it on, unnoticed, to its legitimate destination, perhaps copying or moidfying it in the process.  They outlined a fix but as it will take a lot of effort and computing power to implement, most likely nothing will happen until there is a major attack and ensuing scandal.  In the meantime, it is wise to do as people in high-security government positions are taught to do, which is regard all your communications as being open unless proven otherwise.

Aug 27, 2008 3:15:25 PM | Security

The comments to this entry are closed.

NEXT POST
SnapYap While I was writing about the new wave of personal video calling companies around the world, I heard from one right here in Boston, SnapYap. It joins Userplane and Tokbox as a free, no-download service based on Flash. The product...
PREVIOUS POST
Daily Grommet Yesterday, I stopped by the new offices of the Daily Grommet, a company for which I am an adviser. The company will do live blogging of the discovery of interesting and unique products and services which they will offer from...

Christopher Herot

Founder and CEO of SBR Health, a provider of real-time video communications to the health care community.

The Typepad Team

Search

My Other Accounts

Recent Comments