
The Internet's Biggest Security Hole Revealed

kdawson posted more than 6 years ago | from the kaminsky-was-a-warmup dept.

Security 330

At DEFCON, Tony Kapela and Alex Pilosov demonstrated a drastic weakness in the Internet's infrastructure that had long been rumored, but wasn't believed practical. They showed how to hijack BGP (the border gateway protocol) in order to eavesdrop on Net traffic in a way that wouldn't be simple to detect. Quoting: "'It's at least as big an issue as the DNS issue, if not bigger,' said Peiter 'Mudge' Zatko, noted computer security expert and former member of the L0pht hacking group, who testified to Congress in 1998 that he could bring down the internet in 30 minutes using a similar BGP attack, and disclosed privately to government agents how BGP could also be exploited to eavesdrop. 'I went around screaming my head about this about ten or twelve years ago... We described this to intelligence agencies and to the National Security Council, in detail.' The man-in-the-middle attack exploits BGP to fool routers into re-directing data to an eavesdropper's network." Here's the PDF of Kapela and Pilosov's presentation.


The man in the middle (3, Funny)

symbolset (646467) | more than 6 years ago | (#24760119)

Must have the world's largest collection of online porn.

Which would figure, actually.

Re:The man in the middle (5, Funny)

gnick (1211984) | more than 6 years ago | (#24760297)

How can a title including 'The Internet's Biggest ... Hole' not be kicked off with a goatse joke?

Re:The man in the middle (0)

Anonymous Coward | more than 6 years ago | (#24760417)

that wouldn't have gotten +5

Re:The man in the middle (2, Funny)

newr00tic (471568) | more than 6 years ago | (#24760591)

that wouldn't have gotten +5

No, +11 !

Re:The man in the middle (1)

zappepcs (820751) | more than 6 years ago | (#24760343)

There is one thing about that collection though, they'll end up with 1403 copies of every picture, all with different names. I want a look at the software that detects duplicates and sorts all those files out.

Re:The man in the middle (2, Insightful)

symbolset (646467) | more than 6 years ago | (#24760443)

.... I want a look at the software that detects duplicates and sorts all those files out.

Lucky you. The article is still on Slashdot's main page [slashdot.org] .

Re:The man in the middle (5, Insightful)

EdIII (1114411) | more than 6 years ago | (#24760565)

Yeah.. That's funny. Nice observation there...

Just one thing though... You sound like the teenage boys who always claim they want to grow up to be a gynecologist. Problem with that is that gynecologists usually see the worst looking, diseased, and nasty vagina. Not the good looking, sweet smelling, celebrity vagina.

So the guy who has all the internet porn is going to have quite a collection of goatse and things that will make you WANT to go back to looking at goatse.

Re:The man in the middle (1)

symbolset (646467) | more than 6 years ago | (#24760677)

The only thing that would make me want to go back to looking at goatse would be footage of the DNC and RNC. Goatse is abhorrent but my morbid curiosity has limits.

Fun fun fud (2, Interesting)

Anonymous Coward | more than 6 years ago | (#24760129)

Everyone loves sensationalist news headlines. *sigh*
Anyone have any insight as to how serious this ACTUALLY is?

Re:Fun fun fud (5, Insightful)

lordsid (629982) | more than 6 years ago | (#24760167)

Depends on how much you value your privacy.

Re:Fun fun fud (5, Funny)

Kingrames (858416) | more than 6 years ago | (#24760269)

Depends on how much you value your privacy, Mr. Stephen P Wallagher of 4242 Green Leafy Forest Terrace, Springfield, Ohio 55538, Phone number 1-900-Hot Dude, alias "Lovestospooge."

fixed.

Re:Fun fun fud (0)

Tubal-Cain (1289912) | more than 6 years ago | (#24760307)

I thought his alias was 'lordsid'?

Re:Fun fun fud (1, Informative)

Anonymous Coward | more than 6 years ago | (#24760607)

wooosh!

Re:Fun fun fud (5, Interesting)

QuantumG (50515) | more than 6 years ago | (#24760191)

Let's put it this way. Email right? It's delivered between hosts completely unencrypted. Imagine you could sniff all the email passing into, say, the white house.. would that be worth something?

Note, I've also given you the hint to prevent this bullshit from being a problem.

Re:Fun fun fud (5, Funny)

Anonymous Coward | more than 6 years ago | (#24760299)

Let's put it this way. Email right? It's delivered between hosts completely unencrypted. Imagine you could sniff all the email passing into, say, the white house.. would that be worth something?

Note, I've also given you the hint to prevent this bullshit from being a problem.

So we need to destroy the White House?

Re:Fun fun fud (1, Insightful)

Repton (60818) | more than 6 years ago | (#24760455)

Nah, all important white house email gets sent through private servers anyway..

Re:Fun fun fud (5, Funny)

Anonymous Coward | more than 6 years ago | (#24760651)

No, it gets sent through Dick Cheney's hotmail account.

Re:Fun fun fud (1)

Grey Ninja (739021) | more than 6 years ago | (#24760793)

Nah, all important white house email gets sent through private servers anyway..

Can you explain that further? Because that just makes no fucking sense.

Re:Fun fun fud (4, Funny)

Anonymous Coward | more than 6 years ago | (#24760841)

What, you didn't get your secret decoder server?

Re:Fun fun fud (5, Insightful)

jd (1658) | more than 6 years ago | (#24760209)

Find me an internet provider not using BGP, and I'll show you a European who favours ESES. Yes, this is a major problem, BGP is (almost) the only WAN protocol anyone takes seriously and is the only one meaningfully deployed. I've worried about the possibility of BGP poisoning attacks myself, but only because we have a virtual monoculture and monocultures are generally a Bad Idea. They are dangerous animals.

Re:Fun fun fud (1)

gandhi_2 (1108023) | more than 6 years ago | (#24760383)

One thing about standards...they tend to produce conformity.

Web browsers are a good example of NOT a monoculture. Where almost nothing is really 100% cross-browser compatible.

We should all use 150 different standards when we transmit IP datagrams... nothing will get anywhere, but at least it won't be a monoculture.

Re:Fun fun fud (4, Interesting)

jd (1658) | more than 6 years ago | (#24760635)

Let's see. MPLS, SCTP, STP (Scheduled Transfer Protocol), UDP-over-v4, TCP-over-v4, MPLS, UDP-over-v6, TCP-over-V6, IP-over-ATM, IP-over-SCSI, IP-over-IB, IP-over-power, IP-over-carrier-pigeon, V6-over-V4, V4-over-V6, V6-over-V6, optional recognition of TOS, optional handling of ECN, scalable reliable multicast, anycast, optional recognition of source-based routing, optional recognition of TCP cookies, optional support for packet dropping (RED, GRED, WRED, BLUE, Stochastic Blue, GREEN, BLACK, PURPLE, WHITE), optional support for enhanced authentication packets, IPv6 extended headers, support for unidirectional links, optional support for transitory addressing schemes, optional support for Mobile IP, optional support within Mobile IP for routing realignment, optional support for NEMO, optional use of any of the experimental protocols defined under the names of TUBA, IPv5 and IPv7, anything-over-IPSEC (tunnel or host), anything-over-SKIP -- I've not bothered to keep count, but my Internet link hasn't fallen over yet from diversity. Pity to hear about yours.

Re:Fun fun fud (1)

davygrvy (868500) | more than 6 years ago | (#24760775)

I liked the carrier pigeon reference. Also known as IP over Avian Carriers (IPoAC). Good call.

Re:Fun fun fud (1)

thegameiam (671961) | more than 6 years ago | (#24760829)

Hmm - what percentage of those protocols actually work on a production or consumer network?

I have had a hard time finding an ISP who will offer native IPv6,

Re:Fun fun fud (4, Funny)

Z34107 (925136) | more than 6 years ago | (#24760521)

Monoculture is bad? Good thing Internet Explorer offers a different take on W3C standards...

I kid, I kid.

Re:Fun fun fud (5, Funny)

jd (1658) | more than 6 years ago | (#24760649)

Heh. Standards should be the starting point, not the end goal (or, in IE's case, the work of fiction based on the screenplay based on a True Story of one man and his chair).

Re:Fun fun fud (4, Funny)

RuBLed (995686) | more than 6 years ago | (#24760309)

Anyone have any insight as to how serious this ACTUALLY is?

Yes. Someone had managed to re-open the goatse.cx site again.

if you don't believe me, you know there is only one way to find out

Re:Fun fun fud (1)

techno-vampire (666512) | more than 6 years ago | (#24760401)

If Steve Ballmer wanted to be seen as a hero, he'd have the default hosts file for Windows Vista include a line setting goatse.cx to 127.0.0.0. That would be real news for nerds!

Re:Fun fun fud (2, Funny)

Zwicky (702757) | more than 6 years ago | (#24760947)

if you don't believe me, you know there is only one way to find out

I believe you! I BELIEVE YOU!!

Re:Fun fun fud (3, Interesting)

kjots (64798) | more than 6 years ago | (#24760423)

Anyone have any insight as to how serious this ACTUALLY is?

How serious? This could potentially render the entire Internet inoperable. For real. Anyone who knows anything about basic Internet protocols should be shitting themselves right about now.

What we have here is a basic weakness in one of the fundamental Internet protocols; an assumption of trust that is no longer valid. Think spam but a million times worse.

I'm not usually one to fall prey to 'Imminent Collapse Of The Internet' hyperbole, but this one has me really worried.

Re:Fun fun fud (0)

Anonymous Coward | more than 6 years ago | (#24760685)

I'm not usually one to fall prey to 'Imminent Collapse Of The Internet' hyperbole, but this one has me really worried.

And the guy's been talking about it for over ten years. Maybe getting "really worried" about this now is kind of stupid. God forbid you actually encrypt your shit.

Re:Fun fun fud (1)

Hucko (998827) | more than 6 years ago | (#24760715)

Me too, I'll have lost my last excuse for staying inside.

Re:Fun fun fud (1)

teh moges (875080) | more than 6 years ago | (#24760787)

The article has a pretty good indication. It's a proof of concept now (at least, there could be real-world implementations in the government that aren't public).
It can intercept any information going to a targeted address (but not from). That makes it pretty serious.

SSL (4, Insightful)

jamesh (87723) | more than 6 years ago | (#24760185)

I hope that all of those people who thought that getting users to blindly accept self signed certs was a good idea are starting to feel a bit stupid now...

An SSL cert signed by a trusted central authority isn't the absolute solution to all mitm attacks, but it's a whole lot closer to 'safer' than not.

Re:SSL (5, Interesting)

Free the Cowards (1280296) | more than 6 years ago | (#24760229)

I don't think anyone thinks that self-signed certs should be blindly accepted.

What should be done is that self-signed certs should be acceptable, with the right handling. The way ssh does this is a good one; it alerts you when you initially connect, and throws up an extremely loud and nasty warning if the host's cert has changed from the last time you connect. This gives you the opportunity to verify the cert out of band if you should care to, and forces an attacker to hit you on your very first access to a given site.

Properly signed certs should be given higher priority, but a self-signed cert is still vastly better than nothing. The problem is that current browsers treat self-signed certs as being the worst of the three, when in reality they're much better than a naked HTTP connection.

Re:SSL (4, Insightful)

Jah-Wren Ryel (80510) | more than 6 years ago | (#24760555)

What should be done is that self-signed certs should be acceptable, with the right handling. The way ssh does this is a good one; it alerts you when you initially connect, and throws up an extremely loud and nasty warning if the host's cert has changed from the last time you connect.

That's great and all if you are an internet mechanic. But what if you just want to drive the damn car? For those people, who are the majority, those messages don't mean squat. Which means they have just as much a chance of picking the unsafe choice as they do the safe choice. So Firefox's solution has been to make it hard to pick the unsafe choice. Make it so that you pretty much have to understand what's going on in order to even get the chance to pick the potentially unsafe choice. That seems like a pretty good policy to me.

Re:SSL (1)

moderatorrater (1095745) | more than 6 years ago | (#24760799)

There are many more sites with no certificate at all which would use a self-signed cert than there are sites with a verified cert which would use a self-signed cert instead. I would want a certificate on all my sites, but very few (if any) would require a verified one.

Re:SSL (1)

PitaBred (632671) | more than 6 years ago | (#24760887)

It's NOT more secure, though. It's simply very slightly easier. It encourages people to use plaintext HTTP instead of HTTPS for communication except with people who can afford root certificates. Do you really think it's better using NO encryption or authentication than to use self-signed encryption that is authenticated on every subsequent access? If you do, I certainly hope you aren't in the security biz.

Re:SSL (4, Insightful)

nine-times (778537) | more than 6 years ago | (#24760657)

Properly signed certs should be given higher priority, but a self-signed cert is still vastly better than nothing. The problem is that current browsers treat self-signed certs as being the worst of the three, when in reality they're much better than a naked HTTP connection.

Exactly. I certainly don't want to sign on to my online banking for the first time and find that it's using a self-signed certificate. On the other hand, if I had to choose between a self-signed certificate and transmitting login information in plain-text, there's no contest.

I'm of the opinion that encryption should be encouraged in order to stop simple snooping, even if it doesn't prevent more complex attacks. It's not as though certificate authorities are all that diligent in their identity verification anyhow.

Re:SSL (4, Informative)

Antique Geekmeister (740220) | more than 6 years ago | (#24760245)

And you actually trust Verisign to be a primary signature authority for SSL? Why? They've cooperated in all sorts of stupidity, such as their temporary insistence on returning their own squatting domain as a valid entry for every non-existent domain in *.com, which was particularly nasty because they own the .com master servers. Do you really think that Verisign is that secure, and wouldn't cooperate in faking keys if a national security agency asked them to?

Re:SSL (4, Informative)

jd (1658) | more than 6 years ago | (#24760325)

They gave away Microsoft's private keys to someone who called them, a while back, in a rather infamous case that forced Microsoft to change their entire update system and their collection of "secure" sites. If they've done it once, it can clearly happen again, and the lack of publicity may simply be evidence of better media management. I'd be very wary of trusting them with anything and would be skeptical of any institution that relied on Verisign for any kind of critical proof-of-identity situation, though they're probably reasonable enough for personal certs.

Re:SSL (5, Informative)

Anonymous Coward | more than 6 years ago | (#24760749)

Here's a link to information about the incident you mentioned:

http://www.microsoft.com/technet/security/Bulletin/MS01-017.mspx

Re:SSL (1)

Architect_sasyr (938685) | more than 6 years ago | (#24760889)

It's continuing slightly off topic but I have a rule: If I google it and find nothing bad, the company obviously wastes too much money on their lawyers, and not enough on the product. It's a good rule.

Re:SSL (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24760319)

Despite trying to, you still haven't made a case for a "trusted central authority." People don't read cert warnings, they blindly click "ok" and soldier on.

Your best bet (in an organization) is to distribute the correct CA cert for your sites, even if it is self-signed, and tell people to stop accepting cert warnings, period. That way even if the traffic is sniffed and your users are redirected to a poser site, there's no way he can generate a cert that doesn't raise the warning flag.

Re:SSL (1)

moderatorrater (1095745) | more than 6 years ago | (#24760397)

I hope that all the people who thought that spandex was a good idea are starting to feel a bit stupid now...

I like the non-sequitur game! Your turn.

Re:SSL (1)

jamesh (87723) | more than 6 years ago | (#24760519)

I hope that all the people who thought that spandex was a good idea are starting to feel a bit stupid now...

Stupid is in the eye of the beholder in that case... a stupid idea is only a stupid idea to the people who didn't make money off it.

Re:SSL (1)

Xipher (868293) | more than 6 years ago | (#24760697)

I think a better option would be to look at what some have already done and utilize IPSec. Some companies already do support BGP sessions with IPSec authentication. The one thing I knew of holding people back is the lack of IPSec support on Cisco gear handling BGP sessions. I'm not sure about current IOS releases or if newer hardware could handle it on the routers used by larger transit providers. At least adding a simple shared key authentication header should provide some additional security. I am in no way an expert though.

Re:SSL (0)

a5an0 (1351957) | more than 6 years ago | (#24760743)

SSL has NOTHING (read it again:NOTHING) to do with BGP peering sessions.

Re:SSL (1)

jamesh (87723) | more than 6 years ago | (#24760903)

SSL has NOTHING (read it again:NOTHING) to do with BGP peering sessions.

No, but it has a lot to do with the consequences of hijacked BGP peering sessions. Most other people got it.

Scary Much? (5, Informative)

creature124 (1148937) | more than 6 years ago | (#24760201)

I find the thought of this genuinely scary. Correct me if I am wrong, but we would have to change the BGP protocol itself to fix this issue. That isn't going to happen anytime soon I reckon, so I guess there is nothing we can do but encrypt sensitive transmissions and hope for the best.

Re:Scary Much? (1, Funny)

Anonymous Coward | more than 6 years ago | (#24760233)

I find the thought of this genuinely scary. Correct me if I am wrong, but we would have to change the BGP protocol itself to fix this issue. That isn't going to happen anytime soon I reckon, so I guess there is nothing we can do but encrypt sensitive transmissions and hope for the best.

Hell, let's 'fix' SMTP while we're at it... ;)

Re:Scary Much? (3, Funny)

jd (1658) | more than 6 years ago | (#24760419)

Fixed SMTP is called X.400.

Re:Scary Much? (2, Funny)

Randle_Revar (229304) | more than 6 years ago | (#24760851)

XMPP

Re:Scary Much? (5, Insightful)

dlgeek (1065796) | more than 6 years ago | (#24760265)

Well, no. Large ISPs don't have to accept and forward routes from customers without verifying them. The solution to this is the same as preventing forged IP source addresses: stop it at the origination point. If you're an ISP with customer A and customer A starts advertising routing for an IP range they haven't previously advertised, don't accept the advertisement and forward it up the chain until you verify that they actually should advertise that route.

Re:Scary Much? (3, Informative)

jd (1658) | more than 6 years ago | (#24760267)

BGP is supposed to be authenticated between peers, but clearly not nearly enough. If IPSEC was enabled (it's likely to already be present) on all routers, then BGP traffic between routers would be guaranteed both encrypted AND authenticated. Or, if you prefer, there are a very very few other routing protocols for WANS - ESES probably being the one most taken seriously. (ESES is the exterior gateway version of ISIS. Both are mature protocols with a lot of hardware out there that can support them.)

ESES is mature? (4, Insightful)

thegameiam (671961) | more than 6 years ago | (#24760567)

I've seen implementations of ISIS, and have deployed it myself in both IP and ATM environments. I've never seen an actual deployment of ESES, and I've never heard of one either. I've encountered ISIS adjacencies which don't form correctly, and come up as ESIS, though.

What hardware supports ESES?

Re:Scary Much? (4, Informative)

Alascom (95042) | more than 6 years ago | (#24760853)

BGP is authenticated, and using IPSec will not solve anything. BGP peers must configure the IPs of their neighbors, and in many cases an MD5 secret as well. This is pretty strong authentication. The point here is that anyone can get a high-speed link from an ISP, and that ISP will talk BGP to you. Then you simply tell your ISP about your network through BGP, and also tell it about some additional network routes, and the ISP passes it along.

The way to prevent this today would be for the ISP that peers with you to know which IP blocks you own, and filter out any other routes you send over. But this is a lot of work for the ISP, so very few of them do it.
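The customer-edge prefix filter that dlgeek and Alascom describe above, as an added illustration rather than anything from the thread or the talk: the ISP keeps a per-customer list of the blocks that customer may originate (in practice from IRR route objects or RPKI ROAs) and rejects anything outside it, any more-specific longer than the agreed maximum, and any path that does not start with the peer. ASNs, prefixes and the sample announcements are constructed from documentation ranges; `check_announcement` and `filter_session` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed policy (hypothetical ASNs, documentation prefixes). For each
# customer peer AS: (prefix the peer may announce, longest length the ISP will
# accept, AS that must appear as origin). Real deployments derive this from the
# customer's IRR route objects or RPKI ROAs, not a hand-written table.
AUTHORISED: Dict[int, List[Tuple[str, int, int]]] = {
    64500: [("198.51.100.0/24", 24, 64500), ("203.0.112.0/22", 24, 64500)],
    64501: [("192.0.2.0/24", 24, 64501), ("2001:db8::/32", 48, 64501)],
}


@dataclass(frozen=True)
class Announcement:
    """One route as received on a customer session.

    as_path[0] is the neighbour that sent it, as_path[-1] the origin AS.
    """
    prefix: str
    as_path: Tuple[int, ...]


def strip_prepends(as_path: Tuple[int, ...]) -> Tuple[int, ...]:
    """Collapse consecutive repeats (AS prepending) so policy sees the real path."""
    out: List[int] = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return tuple(out)


def check_announcement(ann: Announcement, peer_as: int,
                       authorised: Dict[int, List[Tuple[str, int, int]]] = AUTHORISED
                       ) -> Tuple[bool, str]:
    """Return (accept, reason) for a route learned from a direct customer.

    A route is accepted only if its prefix lies inside a block the peer is
    authorised for, is no more specific than that block's maximum length,
    carries the expected origin AS, and arrived on a path starting with the
    peer itself.
    """
    try:
        net = ipaddress.ip_network(ann.prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    path = strip_prepends(ann.as_path)
    if not path:
        return False, "empty AS_PATH"
    if path[0] != peer_as:
        return False, f"path does not start with peer AS{peer_as}"
    origin = path[-1]
    for cidr, max_len, expected_origin in authorised.get(peer_as, []):
        parent = ipaddress.ip_network(cidr, strict=True)
        if net.version != parent.version or not net.subnet_of(parent):
            continue
        if origin != expected_origin:
            return False, f"origin AS{origin} not authorised for {cidr}"
        if net.prefixlen > max_len:
            return False, f"{ann.prefix} is more specific than the /{max_len} allowed"
        return True, "ok"
    return False, f"{ann.prefix} is not a block AS{peer_as} may announce"


def filter_session(announcements: List[Announcement], peer_as: int
                   ) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split a batch of announcements into (accepted, rejected) with reasons."""
    accepted: List[Tuple[str, str]] = []
    rejected: List[Tuple[str, str]] = []
    for ann in announcements:
        ok, why = check_announcement(ann, peer_as)
        (accepted if ok else rejected).append((ann.prefix, why))
    return accepted, rejected


# Constructed sample session from customer AS64500.
SAMPLE = [
    Announcement("198.51.100.0/24", (64500,)),              # their own block
    Announcement("203.0.113.0/24", (64500, 64500, 64500)),  # prepended, still theirs
    Announcement("198.51.100.0/25", (64500,)),              # more-specific: reject
    Announcement("192.0.2.0/24", (64500,)),                 # another customer's block
    Announcement("203.0.113.64/26", (64500, 64499)),        # unknown origin AS
]

if __name__ == "__main__":
    ok, bad = filter_session(SAMPLE, 64500)
    for prefix, why in ok + bad:
        print(f"{prefix:<20} {why}")
```

The same check run over a collector's archived tables (the Route Views idea raised later in the thread) flags the same two patterns, an unexpected origin or an unexpected more-specific, which is how a hijack of someone else's block usually shows up.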

Why this is not an issue: (4, Insightful)

teknopurge (199509) | more than 6 years ago | (#24760279)

BGP is almost always set up manually, at least when first configured. Network admins: DO NOT PUT UNTRUSTED PEERS IN THE ACLs. Joe Smith running BGP on 123abcxxxhost.nl has no business being in your tables. If you're accepting adverts from any AS you deserve what you get.

The routing on the Internet has always been hierarchical: get updates from your upstreams. If they send you bad info you're SOL anyway, just like SSL certs and Verisign's root certs.

Re:Why this is not an issue: (1)

QuantumG (50515) | more than 6 years ago | (#24760357)

RTFA.

You can bet good money... (4, Insightful)

Caspian (99221) | more than 6 years ago | (#24760291)

...that the good folks at the NSA (and/or the FBI, CIA, DHS, ATF, etc., as well as their counterparts in other nations) have been exploiting this for years.

Re:You can bet good money... (4, Informative)

inKubus (199753) | more than 6 years ago | (#24760427)

Yeah, but they don't need to poison BGP to read our data, since they have access by the Tier 1 providers and telcos to the actual photons on the backbone fibers. And of course legal immunity now that they passed that bill.

Nay, this would best be used against other countries, where the NSA actually works.

Re:You can bet good money... (1)

CodeBuster (516420) | more than 6 years ago | (#24760529)

Nay, this would best be used against other countries, where the NSA actually works.

Which is probably why nothing was done about it all of these years. The Congressional testimony was quickly buried as an 'unproven curiosity' in the footnotes of the meeting minutes and the NSA, CIA, and FBI probably took careful notes during the 'private demonstration' and then after shaking his hand told him that none of it ever happened 'or else' and quietly began exploiting it. This wouldn't be the first time that the NSA kept mum about flaws in commercial technologies in order to draw out the amount of time that the exploit remains viable (although they probably advised the US government to avoid BGP for sensitive or encrypted traffic).

Re:You can bet good money... (1)

ultranova (717540) | more than 6 years ago | (#24760705)

although they probably advised the US government to avoid BGP for sensitive or encrypted traffic

BGP is what Internet routers use to tell each other what incoming traffic should be routed where. It isn't used for actual user data transmission.

Re:You can bet good money... (2, Interesting)

inKubus (199753) | more than 6 years ago | (#24760819)

BGP is what Internet routers use to tell each other what incoming traffic should be routed where. It isn't used for actual user data transmission.

Yeah, probably it's best to avoid the internet for sensitive traffic. And they do. They have their own copper, fiber, microwave, and satellite telcom system. Yes, some of it is leased from the telcos but I doubt if the packets come anywhere near the internet routers.

But not all governments have the luxury of that sort of system and I'm sure a lot of them use the internet to communicate globally. That's why we generously helped them put in all those undersea cables...

Oh, by the way, there are "private" companies with undersea fiber that are not peered to the internet, and no one knows about them. Some things you can't trust the telco with.

The last thing you should trust is the Internet. Even with encryption, the way it works is on implied trust relationships. So does DNS, and so does the public key infrastructure. As other posters mentioned, you are relying on your upstream provider to give you clean routing tables. The advertised routes need to be the real best route to a closer hop. And somewhere there are the root servers which have the master tables.

An interesting way to maybe catch them would be to analyze the BGP tables (archive them somewhere and actually get a real list of good hosts). I know there are projects such as Route Views [routeviews.org] which attempt to archive the routing tables. This might be a start. You would need to whitelist people though, or blacklist certain subnets, and it sort of defeats the point of the Internet being open.

Re:You can bet good money... (4, Interesting)

jd (1658) | more than 6 years ago | (#24760451)

If that's the British DHS, the American counterpart is Home Depot, and it should be obvious why they'd want to spy on people. This isn't really a security issue in the same sense broken encryption or the loss of unencrypted data is a security issue, though, so can someone icon and section to "mindless stupidity in protocol design" and/or add "Stone De Croze" to the tags?

Re:You can bet good money... (4, Funny)

KPU (118762) | more than 6 years ago | (#24760765)

Home Depot? The store that sells wood is spying on my Internet access?

Re:You can bet good money... (4, Funny)

Randle_Revar (229304) | more than 6 years ago | (#24760875)

If that's the British DHS, the American counterpart is Home Depot, and it should be obvious why they'd want to spy on people.

So they can tell if you have been going to Lowe's?

so now we know what AT&T is allowing the NSA t (1)

DragonTHC (208439) | more than 6 years ago | (#24760303)

This is the guy who taught the NSA how to spy on us en masse.

I'm glad he exposed the truth. Now we can protect against it. right?

Flaw revealed years ago (3, Funny)

sleeponthemic (1253494) | more than 6 years ago | (#24760323)

A hacker marauding by the name "Goatse" exposed it quite effectively some years back.

bring down the internet (1)

NotQuiteReal (608241) | more than 6 years ago | (#24760339)

...he could bring down the internet in 30 minutes...

OK, So do it. Now.

Really.

(Just don't wait until I am 90 and on Internet based life-support, without my consent because my money-grubbing heirs are just waiting for such a thing to happen then :-)

I archived the talk (5, Informative)

stits (1351949) | more than 6 years ago | (#24760345)

It was really cool, opened a lot of people's eyes. Here is the archive, http://www.stits.org/fp/Defcon_16/ [stits.org] . Please don't flood it and only download it if you will use the info. I also took a ton of photos: http://www.flickr.com/photos/stits/sets/72157606608859399/ [flickr.com] Hope to see you all next year!

Wait, you're telling me.... (5, Insightful)

Alsee (515537) | more than 6 years ago | (#24760361)

Wait, you're telling me that they taught US intelligence agencies and the National Security guys how to attack the internet with man-in-the-middle attacks and exploits to fool routers into re-directing data to an eavesdropper's network...

and they didn't do anything to end the interception and eavesdropping problem???

I am shocked.


I'd trust Mudge on this. (4, Interesting)

kwabbles (259554) | more than 6 years ago | (#24760369)

The guy's been involved in many of security's moments in history.

Government is on it. (1, Funny)

Anonymous Coward | more than 6 years ago | (#24760395)

... testified to Congress... disclosed privately to government agents... described this to intelligence agencies and to the National Security Council

So in other words, the US government knows about the issue. This is the United States government, people! Obviously there is nothing to worry about. Like, come on, as if the US government would allow eavesdropping on the information highways to even be possible. Like come on, srsly.

If you have BGP peering... (5, Interesting)

mbone (558574) | more than 6 years ago | (#24760405)

There is a lot of harm you can do, at least for a short while. But I have to say, this seems like a lot of FUD to me.

It is not trivial to get BGP peering, or to keep it if you are doing bad things. You will need one or more peers, and they will have to do this for you manually, not automatically. And (as I can attest) the AS prepending this attack relies on is a very blunt instrument.

Here are the troubles I see:

- You need to be able to offer a better path from Point A to Point B than the existing Internet topology

- Unless you are Dr. Evil and can afford infinite bandwidth, this better path had better not also apply to a large chunk of the Internet, or you will get hosed with a lot of bandwidth (and, also, instantly stick up on the screens of NOCs all over the place) and

- If you are relying on AS prepends, these affect the path from you, but not directly the path to you. They are notoriously tricky and may stop working (because of changes in other people's advertisements) at any time.

So, to me, this is a might work sometimes for some people in some places, but probably not that well on a general basis.

The DNS cache poisoning sounds a lot worse, frankly.

Re:If you have BGP peering... (1)

mbone (558574) | more than 6 years ago | (#24760447)

Oh, and you hear a lot about potential router rootkits, but (at least for the big vendors) not much about them actually being used in the wild. And, really, if you can root the routers of some big ISP, you don't need this attack to do a lot of mischief.

Re:If you have BGP peering... (5, Interesting)

CodeBuster (516420) | more than 6 years ago | (#24760643)

You need to be able to offer a better path from Point A to Point B than the existing Internet topology.

It has been done before. In fact for many decades during and after the Cold War the United States offered some of the best quality data services at the highest speeds for cheap prices (subsidized by your tax dollars) merely to ensure that the majority of the international telephone and non-satellite data traffic passed through the United States somewhere along the way from Point A to Point B.

Unless you are Dr. Evil and can afford infinite bandwidth, this better path had better not also apply to a large chunk of the Internet, or you will get hosed with a lot of bandwidth.

As I mentioned above the US Government can afford a lot of bandwidth when they want to and they want to ensure that as many ISPs around the world choose our fast subsidized fiber backbones (I say backbones because last-mile service for consumers in the US still sucks hard core compared to Korea, Japan, and even Europe) to route their traffic across the globe (i.e. they lease bandwidth from US companies and the data passes through US borders). If some people don't think that US companies are complicit in this, *cough* AT&T *cough*, then the whole telecom immunity debate just went over their heads.

So, to me, this is a might work sometimes for some people in some places, but probably not that well on a general basis.

Better than none of the time so why not try and make the best of it if you can (NSA's point of view).

Re:If you have BGP peering... (1)

mbone (558574) | more than 6 years ago | (#24760849)

The NSA doesn't need these games. They have access to the traffic on the real routes.

Correction (4, Informative)

thegameiam (671961) | more than 6 years ago | (#24760655)

- If you are relying on AS prepends, these affect the path from you, but not directly the path to you. They are notoriously tricky and may stop working (because of changes in other people's advertisements) at any time.

Not quite.

Prepends affect your outbound announcements, and this affects inbound traffic to you. Prepends are the most effective tool for BGP manipulation because they're transitive - announcing more specifics works too, but that's not quite the same thing.

Re:Correction (1)

mbone (558574) | more than 6 years ago | (#24760833)

Prepends affect your outbound announcements, and this affects inbound traffic to you. Prepends are the most effective tool for BGP manipulation because they're transitive - announcing more specifics works too, but that's not quite the same thing.

Yes, I always get that reversed. Thanks.

Sigh... (3, Insightful)

ZarathustraDK (1291688) | more than 6 years ago | (#24760425)

'I went around screaming my head about this about ten or twelve years ago... We described this to intelligence agencies and to the National Security Council, in detail.'

For a hacker he's pretty dumb. Everyone knows that the best way get attention directed to an exploit is to publish the entire kiddie-porn-folder of the person who can fix it, using the exploit in question.

Insult to injury (1)

ZarathustraDK (1291688) | more than 6 years ago | (#24760465)

Instead he chooses to reveal the exploit to the NSA.

Let me guess. Next he'll find Osama Bin Laden, and then tell everyone using youtube.

obama! obama! obama! (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24760437)

vote for him or serve four more years under bush!

A design: X says Y=Z. (5, Interesting)

Animats (122034) | more than 6 years ago | (#24760459)

I looked at this problem back in the early 1980s, when I was doing some work on TCP. I was trying to come up with a routing protocol that didn't require passing the same information around repeatedly, because backbone networks had very low bandwidth back then, and the existing routing protocols had either O(N^2) traffic or the "hop count to infinity" problem.

I came up with something called "Gateway Database Protocol", which was a scheme for passing tuples of the form "X says Y=Z" around. The idea was that any node seeing inconsistencies in "X says ..." would propagate the tuple back to X, revealing the problem to X.

This is enough to detect hijacking, but not enough to stop it. I'd worked out a scheme good enough to automatically correct erroneous data, but not one good enough to deal with the insertion of hostile data. The design goal back then was to guarantee that if the hostile site was removed from the network (perhaps forcibly), the system would then stabilize into a valid state.

That's not enough any more. But it is worthwhile considering that a routing protocol should have the property that if X's info is being faked anywhere in the network, X hears about it. BGP doesn't do that.

Re:A design: X says Y=Z. (1)

inKubus (199753) | more than 6 years ago | (#24760901)

I posted earlier but perhaps some sort of after-the-fact analysis of the tables using an archive (something like Route Views [routeviews.org] ) could be used to figure out who's good and bad, without having to change the protocol.
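As an added example (not code from this thread or from the presenters), the following Python toy models the two points raised above: why a more-specific announcement beats even a heavily prepended covering prefix in best-path selection, and how an archived origin table of the Route Views kind lets you flag announcements after the fact without changing the protocol. The RIB, the ASNs and the baseline table are all constructed; local-pref, MED and the other tie-breakers are deliberately left out.

```python
from ipaddress import ip_address, ip_network

# Constructed announcements as a router might hold them: (prefix, AS_PATH).
# The first AS in each path is the neighbour we heard it from, the last is
# the origin. All prefixes are documentation ranges and all ASNs are made up.
RIB = [
    ("192.0.2.0/24",    [64501, 64510]),                # legitimate origin
    ("192.0.2.0/24",    [64502, 64503, 64510, 64510]),  # same origin, prepended
    ("192.0.2.128/25",  [64504, 64666, 64666, 64666]),  # more-specific, foreign origin
    ("198.51.100.0/24", [64505, 64520]),
    ("203.0.113.0/24",  [64506, 64530]),                # no archive history
]

# Constructed stand-in for an archived origin table (what a Route Views style
# history would show as the long-standing origin AS for each prefix).
BASELINE_ORIGIN = {"192.0.2.0/24": 64510, "198.51.100.0/24": 64520}


def best_route(dest):
    """Pick the route for one destination the way a BGP speaker's FIB does:
    longest prefix match first, then shortest AS_PATH among equal prefixes."""
    addr = ip_address(dest)
    cands = [(ip_network(p), path) for p, path in RIB if addr in ip_network(p)]
    if not cands:
        return None
    cands.sort(key=lambda c: (-c[0].prefixlen, len(c[1])))
    net, path = cands[0]
    return str(net), path


def suspicious_announcements():
    """Flag announcements whose origin AS disagrees with the archived origin of
    the most specific covering baseline prefix, or that have no history at all.
    Returns a list of (prefix, seen_origin, expected_origin_or_None)."""
    flagged = []
    for p, path in RIB:
        net, origin = ip_network(p), path[-1]
        covering = [b for b in BASELINE_ORIGIN if net.subnet_of(ip_network(b))]
        if not covering:
            flagged.append((p, origin, None))
            continue
        expected = BASELINE_ORIGIN[max(covering, key=lambda b: ip_network(b).prefixlen)]
        if origin != expected:
            flagged.append((p, origin, expected))
    return flagged


if __name__ == "__main__":
    print(best_route("192.0.2.5"))    # covering /24 via the shortest path; prepends lose
    print(best_route("192.0.2.200"))  # the /25 wins despite its longer AS_PATH
    for item in suspicious_announcements():
        print("origin mismatch:", item)
```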

The internet's biggest security hole.... (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24760537)

...is the goatse.cx man's gaping anus.

Latency jump (3, Informative)

Bill, Shooter of Bul (629286) | more than 6 years ago | (#24760571)

The whole MITM thing would raise a flag unless the attackers were close enough to the real routers for the ip address block it was hijacking. Several companies I know notice when BGP screws up and doubles their latency. They notice and complain loudly.

What did he expect? (5, Insightful)

frovingslosh (582462) | more than 6 years ago | (#24760681)

a drastic weakness in the Internet's infrastructure ...to eavesdrop on Net traffic in a way that wouldn't be simple to detect. ... testified to Congress in 1998 ... disclosed privately to government agents how BGP could also be exploited to eavesdrop. '..... We described this to intelligence agencies and to the National Security Council, in detail.'....

Great, give the very people who want to abuse this the most the inside details, then show shock when it isn't fixed.

Oh, just great! (1)

Jane Q. Public (1010737) | more than 6 years ago | (#24760693)

He gives the information to "national security" 10 or 12 years ago, and we only find out about it now!!!

Thanks for nothing, guy! I am sure the NSA had a real heyday using this information to spy on us without our knowledge.

Should we lynch him? Or just refuse to employ him because of his lack of judgment?

rather silly self grand standing (1)

timmarhy (659436) | more than 6 years ago | (#24760753)

the problem with such a man in the middle attack is you are almost assured of being caught. unless you are sitting in the same complex as a backbone link someone is going to notice the huge spike in network latency and track down where it's coming from. also since you're inserting yourself between peers, it's like painting a giant target on yourself, similar to the target bubba from C block is going to paint on your buttocks after the feds throw you in jail....

Pakistan and YouTube (1)

russotto (537200) | more than 6 years ago | (#24760755)

Didn't one Pakistan ISP rather graphically demonstrate problems with BGP when they null-routed YouTube worldwide?

Re:Pakistan and YouTube (1)

Percy_Blakeney (542178) | more than 6 years ago | (#24760939)

You didn't read the article, did you? Several slides were dedicated to exactly that situation.

Spying! (0)

Anonymous Coward | more than 6 years ago | (#24760763)

We described this to intelligence agencies and to the National Security Council, in detail.

So this is how NSA is spying on me huh?

Let the Rickrolls begin! (2, Funny)

randall77 (1069956) | more than 6 years ago | (#24760779)

Enterprising hacker hijacks BGP and Rickrolls the whole world in 3... 2... 1...

Biggest security hole? (1)

uberjoe (726765) | more than 6 years ago | (#24760805)

You mean the user right?

Everything is just damn broken (1)

maillemaker (924053) | more than 6 years ago | (#24760859)

You know, every day it seems there is another article about some other exploit discovered. Given the fact that DRM has been demonstrated to be doomed, I think we are seeing that basically all security is doomed. I think we truly are on the cusp of zero privacy. Basically we are at the point now where if someone wants to know about your electronic data, they can do it.

this is one of those exploits (4, Insightful)

circletimessquare (444983) | more than 6 years ago | (#24760861)

that requires one teensy weensy detail to work (in other words, one huge wonking detail)

here, it is to be a bgp level peer

kind of like i can empty a bank of all of its money

all i need is the key to the safe

yeah, minor detail

so do i panic now?

So you told the NSA... (1)

Sfing_ter (99478) | more than 6 years ago | (#24760885)

So you told the NSA, the NSC and Congress all about this and they listened intently then sent you back to your lair/playpen/d&d fest whilst they began setting up MITM listening networks, and you did it FOR FREE. I'm sure they are eternally grateful for all you've done to make monitoring us that much easier. At least it works for everyone, so if you're not eavesdropping it's your own fault.

As my friend AJ used to say, "I'll work for $5 an hour, just let me take the trash out once a day".

IP Prefix Interception... not new (1)

Leto-II (1509) | more than 6 years ago | (#24760895)

So how is this so groundbreaking? IP prefix interception has been studied and discussed already. For instance:

A study of prefix hijacking and interception in the internet [acm.org]

from Sigcomm 2007.

Seems to be a much better work than this Defcon presentation.

ipv6 (0)

Anonymous Coward | more than 6 years ago | (#24760927)

yeah... fud shut get ipv6 up and running in no time... go on... =)
