Schneier on Security
A blog covering security and security technology.
November 21, 2013
Rerouting Internet Traffic by Attacking BGP
Renesys is reporting that Internet traffic is being manipulatively rerouted, presumably for eavesdropping purposes. The attacks exploit flaws in the Border Gateway Protocol (BGP). Ars Technica has a good article explaining the details.
The odds that the NSA is not doing this sort of thing are basically zero, but I'm sure that their activities are going to be harder to discover.
Posted on November 21, 2013 at 1:42 PM
• 38 Comments
Another good reason to start defaulting everything to TLS/SSL.
I'd be interested to know what you think the odds are that these particular events are false-flag attacks meant to establish external threats to justify NSA activity and/or to discredit and marginalize Russia and Iceland.
If they first observed this in February, I'm concerned that we are only hearing about this now. Presumably Renesys let their customers know about it earlier.
It'd be nice if there was a more real-time public alert system. A community solution seems possible - A couple hundred nodes periodically trace-routing each other and publishing anomalies going one way versus the other.
Both the Belarussian and Icelandic "hijacks" made the traffic travel through London. Was this GCHQ's work (maybe on NSA's friendly request)? Or at least the Denver - Denver hijack, which made the domestic traffic magically a foreign one allowing a "legal" interception?
While it could be seen what AS had announced the route, it is unclear why a particular router or set of them announced it - was it a willful operator intervention, operator error, software bug, or external exploitation of some vulnerability... In the latter case, the attack could be performed by anyone and at the same time the blame would be put on some unsuspecting and (somewhat) random ISP, while the actual interception is not going in that ISP's infrastructure but somewhere else on the transit route. The attacker could exploit the current routing topology, knowing that diverting the traffic to any one from some set of ASes would make it travel through a known "choke point" when it has a possibility to look at it. Chances are that some of such ASes are served by routers with vulnerable software on them...
Given highly amusing statistics about what sort of numbers of CAs/sub-CAs there are that modern browsers and operating systems trust.. I am 100% certain any entity that can divert BGP traffic so that it doesn't get immediately noticed has couple of sub-CAs that they can sign certificate for about any domain with if they want to target someone.
So good luck with TLS/SSL there, unless you plan to run your own separate CA hierarchy while at it.
Unfortunately, the Renesys article didn't have any useful detail on the BGP advertisements that were used. The days of "Old Cisco routers classfully consolidating two /24s into a /16 or /8" should be long gone, so this was probably targeted attacks, but it's possible that it actually was incompetence on the part of a customer or small ISP that was incompetently not filtered by their upstream.
I've known several large ISPs that advertised their networks as pairs of /9s to defend against those attacks (works because BGP prefers the longer /9 routes to the shorter /8.)
LMAO!!! Er, you were being sarcastic and/or ironic, right?
The NSA wouldn't do squat about something like this. This was published in Wired back in 2008, and finally someone has actually gone and done it. Any protocol that is vulnerable to a MITM attack will be attacked at some point.
ARP poisoning can be used to create a MITM attack. I just bought some switches that can monitor for ARP attacks, among quite a few other things. BGP is vulnerable, and so finally someone put together an attack.
I imagine that the perpetrator is looking for user names & passwords, as usual, and will try them against various banking sites, just as they'll do with Cupid Media's info.
Really, all it amounts to is, "what took you so long?"
Also, it wouldn't surprise me if this is spammer/botnet crime rather than NSA/KGB spying. Lots of companies have /24s so they can own their own address space and use BGP to manage carrier diversity, but really only use part of the space and have most of their servers behind NAT. Hijacking the prefix lets the bad guys "borrow" the unused addresses, and only get noticed if somebody's doing traceroutes to track down latency problems.
Some carriers and some third-party services do a lot of proactive BGP route monitoring, just to see who's advertising changes to their address space and whether they're legitimate, because we've been burned too many times with route instability before we started doing that (and back then it was usually incompetent customer router configs rather than deliberate hijacking.)
There are some browser plugins to tell you when a (previously visited) site's cert changes.
I think there is also a plugin which uses some sort of database to do the same thing, so it doesn't have to be previously visited (by you). I don't have a link atm.
I may be wrong, but as far as I can tell this particular attack is unidirectional, so although you can manipulate traffic going one way, you can't see the traffic going the other way. If this is indeed the case, a fake certificate wouldn't be usable; hell, a purely ephemeral key exchange model would work. Now, of course there are ways around that, e.g. HTTP redirects to the fake server IF your initial connection is unencrypted (which is often the case), but in that case you could just redirect to an unsecured server in the first place.
I don't think this is directly the work of NSA, GCHQ etc. unless they are trying to put somebody else in the frame it is more likely it's somebody else trying to frame them.
The reason for this thinking is BGP is known to be easy to attack this way and it happens a lot accidentally and is usually quickly discovered and rectified.
Anyone remember a couple of years back when a whole load of traffic got (accidentally) redirected through a Chinese node? It created quite a bit of noise at the time with speculation it was cyber espionage...
So if the solution is to sign and secure routing updates, why haven't ISPs done exactly that?
With this happening, and with all the discussion about SSL/TLS it now seems the time might be right to summarise what is badly broken and what is just broken, and what is decimated in the SSL/TLS world. And which browsers and servers work properly and which ones fall back to clear text.
For instance - a problem I have been wondering about - do the non-Diffie-Hellman versions of RSA TLS as implemented actually use the client certificate in the generation of the AES session key or not, or are they just generating a nonce and firing the client certificate info back for the sake of the exercise??
We probably need someone to summarise stuff like this across all the SSL/TLS options (big job!!).
I wonder if this would make secure versions of BGP, e.g. S-BGP, deployed more widely (like DNSSEC vs plain DNS)...
With SSL, key exchange is done through RSA, so it is secure. What it doesn't provide is perfect forward secrecy; in other words, with the existing RSA key exchange, if the private key is later recovered, an attacker who has logged all encrypted traffic would then be able to decrypt it all. RSA with ECDHE uses RSA for authentication and ECDH with ephemeral (one time use) keys for key exchange to provide perfect forward secrecy, since the private keys are only recoverable as long as they are in memory.
I was kinda putting a couple of other things in my thoughts - which is why I asked abt the client certificate - If I assume that NSA has already got the server root key (by whatever means) can using the RSA option without forward secrecy but requiring use of the client certificate (presumably from a good CA) protect the session??
In the early 2000's, there were a number of products on the market (such as PathControl) that manipulated BGP for legitimate purposes. The technology worked well, but a broken implementation could potentially be quite disruptive. As Anura points out, the technique affected traffic in only one direction.
That's not to say this isn't an attack, but it's worth considering the alternative possibility is that someone's trying to create a modern version of the technology and screwed up their code.
I've known for about five years that I was being hacked into. The first time was when I noticed that a BOINC user was still logged into my computer. And then weird things kept happening. Drives were losing space. I've discovered how they did it and it's almost as depressing as what I read when John Young @cryptome put up a huge cache of Snowden documents. I'm not going to speak about that because they were only up for a few hours and I became very depressed about that. I've been tweeting about privacy @noseyparkerunit and started about two weeks before Snowden arrived on the scene. Lucky timing but my wife says it's causing me to become non-functional. My obsession with the mean spiritedness of what is happening is quite depressing, anxiety filled and not able to concentrate on things. When you know you're being watched it's enough to drive you crazy.
Incidentally, Bruce, do you have any comments on computers bonding with cable boxes via bluetooth. I'm well aware that bluetooth is enabled on computers that are not wired to the internet, even on motherboards that are not labeled so. Some idiot tried to get me to check some of the stuff that Richard Stallman was doing and demonstrated that computers could be off the wire and fully capable of surfing as fast as capable. If Richard Stallman asked me I would do it. But that was eye opening.
Yep - That was my read - but I was hoping to be wrong - so I wonder what the main SSL/TLS implementations default to if other negotiations fail, and particularly if you can direct them away from the Diffie Hellman key agreement protocols.
If you are in the middle whether you can fiddle in the handshake of them to make them negotiate towards simple RSA with client certificate and simple client nonce to generate the AES session keys
I am kind of expecting this might be possible over this GCHQ routing as discussed separately in this thread
I should have edited that previous post before I hit the submit button. At any rate, also do you have any comments on hooks being put into file systems such that an encrypted system is hooked to the root file system. I keep burning disks like ubuntu and others that always read as having an extra file. And it's always that hook.
I thought I was safe until I installed Fedora and had the same thing happen. Fedora and Suse are probably the best two OS's out there and if I can't be protected when using them, (I can't I know) then anyone using anything less is subject to the same.
I do know that if my wife didn't use Windows this wouldn't be a problem. I've got major complaints against Microsoft for this kind of thing. The hook actually sends it back to the Windows machine. I learned that when a driver automatically installed on her Windows machine that was to my ethernet. Actually long before that. I started to reinstall Microsoft Windows 7 that I have a full license for and can use on any computer as long as I only use it on one machine, and the thought of what Snowden revealed just made me not do it. The gag reflex is still in my throat.
I know I've got to not use the motherboard I'm typing this note from. The install disk that came with the motherboard won't update the bios anymore. The bios in it now has been manipulated. I could fix it with Windows disk that I almost put on it the other day but I just gag when I think about what they did. When oh when are motherboard manufacturers going to make a bios that is Linux friendly and open source?
Sometime soon I expect. I tweeted from the day the Snowden revelations came out that the information we now had now was going to devastate American tech. And so it will. There's opportunity galore out there for other countries.
I just hope some developers here will start a new company to make better hardware that's NSA proof. I have no doubt it can be done but it's a major problem if we don't stop this totalitarian behavior.
I'm not convinced this was an IC operation. It could have been done by anyone with a BGP router (e.g. ISP's, large corporations). Tony Kapela and Alex Pilosov did a proof of concept at DefCon 2008, successfully intercepting traffic bound for the conference network and redirecting it to a system they controlled in New York before routing it back to DefCon in Las Vegas. Their MITM attack didn't involve a bug or flaw in BGP but simply exploited the natural way BGP works.
This type of eavesdropping can be prevented by aggressive ISP filtering to allow only authorized peers to draw traffic from their routers, and only for specific IP prefixes. Most however don't because it's hard work and if only one ISP doesn't participate it breaks the entire system. Another way is to authenticate ownership of IP blocks, and validate the advertisements that ASes send to routers so they don’t just send traffic to whoever requests it, and which basically is what S-BGP is all about. Unfortunately, S-BGP heavily relies on PKI/CA which introduces new vulnerabilities.
Dirk: a tech at Verizon accidentally started advertising one of our netblocks on one of their border routers. We started getting phone calls from customers who said their websites that we were hosting were down but we could access them locally. A bit of digging around from remote hosts revealed that one of Verizon's AS were advertising our netblocks and that basically the routing table had diverged with some trusting us and some trusting Verizon. Long story short if a tech at a telco can stuff up and poison the table accidentally then it is unsurprising that this is being used maliciously.
BGP "attacks" are often just naive misconfigurations, other times what appear to be simple badly done filtering or prefix mapping may be a genuine malicious attack.
None of this is new and everyone with even the slightest sense of paranoia has been locking down BGP at peering and transit points as long as they have existed. However, that only solves half the problem and the more trusting or simplistic ISPs at the other end have tended to accept whatever paths they've been sent. Which is fun.
Out of curiosity, could an ISP be doing this to garner carriage fees or offset their traffic balances between various top level networks?
I can remember, a couple of years ago, being at a customer site where they were having issues with the connection from their office to their data center. Their office is in Smyrna, GA, and their data center is in Atlanta, GA. You'd never guess where their traffic was being routed through.... Reston, VA.
Peter: exactly right. Unfortunately the mitigation strategies (route filtering) can create more problems and at best is a bandage stuck over a gaping wound. BGP - like many internet protocols was conceived when the Internet was still very small. Unfortunately the number of AS's exploded and the routing table has grown to epic proportions - I guess classless routing has contributed to this. Now I know that BGP has some rudimentary peer authentication but this doesn't really fix the root of the problem. A "trusted" peer, no matter how trusted shouldn't be able to advertise routes that they have no authority over. This happens frequently and has happened to me in the past (as I mentioned a few posts back).
As far as I am concerned there are two solutions. One is to use PKI and I guess this is similar to what's already been proposed in SBGP. Another less centralized idea would be to get their peers to sign their certs (and vice versa) creating a web of trust. AS's that have higher aggregate trust scores on their advertised routes (that is - the routes have been in the table longest) are trusted more than, say, an AS that has only a few blocks and has only started advertising a week ago. The longer the routes stay in the table the more credibility that particular advertised route into the AS attains. Thus an "upstart" (either deliberately or misconfiguration) who suddenly started advertising someone else's routes would be ignored as a router elsewhere with a much higher credibility score is still advertising itself.
If an organization deliberately wants to move a netblock to, say another side of the world then they can do so - but because they are also moving with their original certificate and have ceased advertising from their old location the transfer will occur smoothly.
Bottom line is that it would reduce the effectiveness of route poisoning. It isn't a panacea but it is an improvement on the existing system and won't require a centralized CA run by the region wide registrars of record (ARINC, APNIC, etc).
It's clear that the current internet infrastructure is inadequate to effectively defend users against government/corporate attacks. IETF's efforts to harden the network will pay back dividends. A political solution is absolutely essential. Restructuring or reclaiming the corporations that operate the internet infrastructure will also be required. This is a tall order but it is achievable.
Just wanted to post a link to UCLA's Cyclops project, which a tor-talk listserv poster suggested Tor relay operators consider using: http://cyclops.cs.ucla.edu/
The NSA? OK, what I would like to know is, do you believe HAARP is the source of all the booms, rumblings, strange noises coming from the sky and ground being reported all over the World? You may be giving the gov't too much credit. After all, they couldn't even prevent the Snowden incident, they can't even build a web site given boatloads of money. There are a host of other examples and I'm not attacking or complaining about the gov't, my point is only that we tend to over-attribute capabilities to organizations that we can't clearly see into. It's never the reverse. If I had a second point, it would be that this tendency also causes us to ignore what is really going on. In other words, if you don't know what size a shoe is, you're more likely to expect it might fit. Until you see the shoe. What's really going on is worse than the NSA rerouting traffic and what's really going on is enough to scare the NSA.
Those with their own ASN can monitor their BGP announcements and be notified if their upstream neighbor(s) change at UCLA's Cyclops
This would let you know if someone was hijacking your announcements.
This sounds like a garden variety routing leak, with the possible twist that the leaky ISP is rewriting the AS path so it appears to be the source ASN. This is the Occam's razor explanation. An overseas ISP has two paths to the Internet; Over Path A it advertises the target IP block, over Path B it delivers traffic to the target IP block. I am pretty far from convinced that this is malicious rather than accidental, because this can easily be accomplished with a screwy router config. This config can be leveraged for a MitM, but not reliably. The original valid route needs to remain in the global routing table, in order to ensure eventual delivery, and an attacker will have a very hard time predicting which segments of the Internet will select the bogus version of the route instead of the original valid route. It would also be very difficult to ensure that the multiple paths you have available to yourself will provide you with both a valid path as well as one to carry the bogus path. In many multi-homed configurations, your upstream peers are often peers of each other, and that seems more likely to create a loop than an asymmetrical routing opportunity that can be exploited.
In response to the suggestion that it could be an intermediary router injecting the bogus route to force traffic through a choke point, while theoretically possible, it would require either additional exploited routers between the choke point and the apparent source of the bogus route, or (perhaps the more sinister possibility) that those apparent hops to the source of the bogus route are spoofed, and traffic isn't traversing to Belarus, or Iceland, or wherever, at all. Even assuming this was the case, it would still be an incredibly difficult (if not impossible) attack to fine tune, and of somewhat limited utility. You're only seeing traffic from one direction, and it's very difficult to predict which network segments will select your bogus path. However, the more choke points you have available to leverage, the wider your range of options for forcing select networks to use your bogus route. This does lend itself to the theory that it's a state-sponsored attack, except for one detail. All these BGP paths are logged, so it is a very open-air method of route coercion, especially when compared to the man-on-the-side attacks or backbone taps that are available to these state actors.
My money is on bored or incompetent network administrators mucking around with router configs, but it wouldn't hurt for organisations to track BGP advertisements to their net blocks to alert them when a bogus route to them appears in the global routing table.
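The monitoring several commenters suggest (tracking announcements of your own net blocks, watching for a changed upstream neighbor) and the /9-pair defence mentioned earlier in the thread, as an added example that is not part of any comment or of Cyclops. The prefix 10.0.0.0/8, the documentation-range AS numbers, the feed and all function names are constructed for illustration.

```python
import ipaddress

# Constructed policy: the prefix we own, its legitimate origin AS, and the
# upstream (transit) ASes we actually buy service from.
OWNED = {
    ipaddress.ip_network("10.0.0.0/8"): {"origin": 64500, "upstreams": {64496, 64497}},
}

def check_announcement(prefix, as_path, owned=OWNED):
    """Classify one observed announcement. as_path lists AS numbers, origin last."""
    prefix = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    # Skip AS-path prepending (origin repeated) to find the real upstream neighbor.
    upstream = next((a for a in reversed(as_path) if a != origin), None)
    for mine, policy in owned.items():
        if prefix.version != mine.version or not prefix.subnet_of(mine):
            continue
        if origin != policy["origin"]:
            # Someone else claims to originate our space, or a slice of it.
            return "ORIGIN_MISMATCH" if prefix == mine else "MORE_SPECIFIC_ORIGIN_MISMATCH"
        if upstream is not None and upstream not in policy["upstreams"]:
            # Origin looks right, but the path reaches us through an AS we do
            # not peer with: a leak or a rewritten AS path.
            return "UNEXPECTED_UPSTREAM"
        return "OK"
    return "NOT_OURS"

def select_route(dest, routes):
    """Longest-prefix match over (network, origin_as) pairs, as a router does."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

# Constructed feed of observed announcements: (prefix, AS path as seen by a collector).
FEED = [
    ("10.0.0.0/8",    [64510, 64496, 64500]),
    ("10.0.0.0/9",    [64510, 64497, 64500, 64500]),  # prepended, still ours
    ("10.0.0.0/8",    [64510, 64511]),
    ("10.20.30.0/24", [64510, 64511]),
    ("10.128.0.0/9",  [64510, 64511, 64500]),
    ("192.0.2.0/24",  [64510, 64499]),
]

# Constructed routing table: a bogus /8 from AS 64511 beside the owner's /9 pair.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), 64511),
    (ipaddress.ip_network("10.0.0.0/9"), 64500),
    (ipaddress.ip_network("10.128.0.0/9"), 64500),
]

def scan(feed=FEED):
    """Return (prefix, verdict) for every announcement in the feed."""
    return [(p, check_announcement(p, path)) for p, path in feed]

if __name__ == "__main__":
    for prefix, verdict in scan():
        print(f"{prefix:16} {verdict}")
    net, origin = select_route("10.1.2.3", ROUTES)
    print(f"10.1.2.3 forwarded via {net} (origin AS{origin})")
```

The upstream check matters because an origin-only comparison passes an announcement whose AS path has been rewritten to end in the legitimate origin.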
The NSA? OK, what I would like to know is, do you believe HAARP is the source of all the booms, rumblings, strange noises coming from the sky and ground being reported all over the World? You may be giving the gov't too much credit. After all, they couldn't even prevent the Snowden incident, they can't even build a web site given boatloads of money.
I would second that point of view. I think esp. in situations like this there is a tendency to over-estimate the capabilities of the government.
Apologies for being off-topic but just a brief addition to my previous comment: HAARP was supposedly shut down early May 2013.
According to the source of that tidbit (http://en.wikipedia.org/wiki/HAARP), DARPA is expected to use the HAARP site to finish up some research in fall 2013 and winter 2014. Let's hope there are no weird "consequences" from that "research".
@edge: Yes, there is a community contribution built system called RIPE Atlas:
couple hundred nodes periodically trace-routing each other and publishing anomalies going one way versus the other.
there are 4300 HW probes doing traceroutes and pings to root nameservers constantly, and the volunteers who host these probes can do their own measurements to any destination they choose. all (most) measurement data is public, source code of the measurements is published, there is API and web interface, and probes are free as in beer.
Voltaire can't stop laughing. Who ever said the internet as implemented had a particular topology, secure or otherwise?
What is sensitive data doing on this network?
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.