Demonstration Reveals Net Superattack to be Very, Very Real

August 28, 2008 – 6:28 AM

A pair of security researchers has demonstrated that an attack long regarded as theoretical against one of the internet's most fundamental pieces of infrastructure can, in fact, be carried out in practice.

The attack exploits the normal behavior of BGP, the internet routing protocol ISPs use to decide how best to reach address space that belongs to other parts of the internet. An attacker who is positioned correctly can use the protocol to trick routers across the internet into diverting traffic to his own network, where it can be snooped on or altered man-in-the-middle style before being passed on to its real destination. Being positioned correctly generally means one of three things: controlling an ISP's routing equipment, being able to intercept and alter another ISP's BGP sessions, or having a connection to an ISP that does not filter the route announcements it accepts from the networks attached to it.

Detailed by Anton "Tony" Kapela, data center and network director at 5Nines Data, and Alex Pilosov, CEO of Pilosoft, the technique relies heavily on the inherent trust BGP routers place in the routing information they receive from each other. Once an update passes an admittedly loose authentication scheme, its contents are accepted at face value: a necessary evil in a completely decentralized mesh in which two points, sometimes on opposite sides of the world, must be able to work out the best path between each other.

The weakness of that trust became painfully clear last February, when the accidental, disruptive form of the same phenomenon knocked video-sharing site YouTube offline for several hours. A Pakistani attempt to block the site inside the country spilled out into the world when misconfigured Pakistani routers leaked the blocking route, a more specific announcement covering part of YouTube's address space, to the wider internet. Because BGP prefers the most specific route it knows, routers around the world concluded that the Pakistani network was the best path to YouTube. The resulting flood of traffic quickly overwhelmed the country's internet capacity, until the bogus announcement was shut off entirely by an upstream provider in Hong Kong.

The duo demonstrated their technique publicly at the DEF CON Conference earlier this month, where they captured traffic bound for the convention and routed it through a data center in New York.

The technique is, technically, an IP prefix hijack, and in the past a hijack had always produced a noticeable outage for the affected networks: the hijacker attracted the traffic but had no working route to hand it on to its real destination. The difference, according to Pilosov and Kapela, is that their version keeps a path back to the victim network intact (in the talk, by crafting the AS path of the bogus announcement so that the networks along the return path ignore it), so the diverted traffic is delivered, nobody sees an outage, and the attack can potentially be launched from anywhere in the world.
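To make the mechanics concrete, here is an added example, written for this page in Python and not code from the article or from Kapela and Pilosov's talk. It models a handful of BGP speakers with the three rules that matter here: a router drops any announcement whose AS path already contains its own AS number, prefers the shorter AS path among routes for the same prefix, but forwards packets by longest prefix match regardless of path length. It runs the YouTube-style hijack and the stealth variant side by side, then applies an origin-and-prefix-length check of the kind later standardized as RPKI route origin validation, which did not exist when this article was written. The topology, the AS numbers (from the documentation range 64496 to 64511) and the prefix (TEST-NET-2) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # leftmost = neighbor that advertised it, rightmost = origin AS


class ToyRouter:
    """Minimal BGP speaker: AS_PATH loop detection, shortest-path selection, longest-prefix forwarding."""

    def __init__(self, asn):
        self.asn = asn
        self.rib = {}  # prefix -> best Route learned for it

    def receive(self, prefix, as_path):
        """Process an UPDATE from a neighbor; returns True if it became the best route."""
        route = Route(ipaddress.ip_network(prefix), tuple(as_path))
        # Standard BGP loop detection: drop any UPDATE whose AS_PATH already contains our own ASN.
        if self.asn in route.as_path:
            return False
        best = self.rib.get(route.prefix)
        # Toy best-path rule: shorter AS_PATH wins (real BGP applies several tie-breakers first).
        if best is None or len(route.as_path) < len(best.as_path):
            self.rib[route.prefix] = route
            return True
        return False

    def advertise(self, prefix, neighbor):
        """Re-advertise our best route for prefix to a neighbor, prepending our ASN as eBGP does."""
        route = self.rib[ipaddress.ip_network(prefix)]
        return neighbor.receive(prefix, (self.asn,) + route.as_path)

    def lookup(self, ip):
        """Forwarding decision: longest-prefix match, no matter how long the AS_PATH is."""
        addr = ipaddress.ip_address(ip)
        matches = [r for r in self.rib.values() if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def rov_state(route, roas):
    """Origin validation in the style of RPKI ROV: roas maps prefix -> (authorized origin, max length)."""
    covering = [(ipaddress.ip_network(p), origin, maxlen)
                for p, (origin, maxlen) in roas.items()
                if route.prefix.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "notfound"
    if any(route.as_path[-1] == origin and route.prefix.prefixlen <= maxlen
           for _, origin, maxlen in covering):
        return "valid"
    return "invalid"


# Constructed scenario: ASNs from the documentation range, prefix from TEST-NET-2 (not real networks).
VICTIM, TRANSIT, ISP, INTERNET, ATTACKER = 64496, 64497, 64498, 64499, 64500
VICTIM_PREFIX = "198.51.100.0/24"
MORE_SPECIFIC = "198.51.100.0/25"
ROAS = {VICTIM_PREFIX: (VICTIM, 24)}  # the victim only ever originates the /24


def build_topology():
    """Victim -> transit -> 'the internet', plus an unrelated ISP that does not filter its customers."""
    transit, internet, isp = ToyRouter(TRANSIT), ToyRouter(INTERNET), ToyRouter(ISP)
    transit.receive(VICTIM_PREFIX, (VICTIM,))
    transit.advertise(VICTIM_PREFIX, internet)   # internet learns (TRANSIT, VICTIM)
    return transit, internet, isp


def run_hijack(forged_path):
    """Attacker originates the /25 through the unfiltering ISP with the given AS_PATH; report who believes it."""
    transit, internet, isp = build_topology()
    isp.receive(MORE_SPECIFIC, forged_path)
    isp.advertise(MORE_SPECIFIC, internet)
    isp.advertise(MORE_SPECIFIC, transit)        # the victim's own upstream hears it too
    seen_by_internet = internet.lookup("198.51.100.10")
    seen_by_transit = transit.lookup("198.51.100.10")
    return {
        "internet_uses_prefix": str(seen_by_internet.prefix),
        "internet_path": seen_by_internet.as_path,
        "transit_uses_prefix": str(seen_by_transit.prefix),   # /24 means the return path survived
        "rov": rov_state(seen_by_internet, ROAS),
        "legit_rov": rov_state(internet.rib[ipaddress.ip_network(VICTIM_PREFIX)], ROAS),
    }


if __name__ == "__main__":
    # Classic hijack (the YouTube case): even the victim's transit prefers the /25, so traffic is
    # blackholed at the attacker and the victim sees an outage.
    print("classic:", run_hijack((ATTACKER,)))
    # Stealth variant: the attacker prepends the real path back to the victim. Transit drops the
    # announcement as a loop and keeps its direct /24, so the attacker can forward traffic onward.
    print("stealth:", run_hijack((ATTACKER, TRANSIT, VICTIM)))
```

In the classic run both the distant network and the victim's own transit switch to the /25, so the attacker has nowhere to send the captured packets and the victim drops off the net. In the stealth run the forged path (ISP, ATTACKER, TRANSIT, VICTIM) is rejected by TRANSIT under ordinary loop detection, leaving its direct /24 in place as the attacker's return path, while everyone else still prefers the more specific route. Note that the forged path ends in the victim's real AS number, so a check that only compares origin ASNs is fooled; what flags it here is the maximum-length rule, and what would have stopped it at the source is the ISP filtering the announcements it accepts from its customers, the very filtering the article says the attacker shops around for.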
