BGP spoofing - why nothing on the internet is actually secure

BGP spoofing - why nothing on the internet is actually secure

Summary: A skilled attacker with access to the right router can co-opt routes to destination IP address. When this happens, nothing on the internet is trustworthy. And there's no way to stop it.

SHARE:
17

The scariest hack of them all on the internet has been around for a long time, but it doesn't get a lot of attention in the broader tech press. It's BGP spoofing and it compromises the most basic functions of the internet: the routing of data from one system to another.

Effective use of BGP spoofing is not within the reach of script kiddies, but there's a lot of it going on. How much? Nobody knows and nobody can know. It's possible to detect that an attack is going on, but it's impossible to prevent it and it may be difficult to stop an attack in progress.

I spoke with Dave Rand, Technical Fellow at Trend Micro. Back in the mid-90's Rand worked at an ISP and first encountered BGP spoofing used to facilitate spamming. The routing in the mail headers of the spam looked particularly genuine because all the addresses were correct. At the bottom of it was a compromised router at an ISP. I've spoken to Dave many times over the years about BGP spoofing. He's always considered it a very serious problem that is fundamentally insolvable and I'd like to thank him for all the information below.

networking
In the hands of a talented attacker, BGP spoofing can perform startling attacks and can't be stopped

How is all this possible? It starts with the very basics of how the internet works.

The internet is a network of networks. Routers are used to move data between networks according to IP addresses that are stored in their routing tables. Routers will advertise to each other that they use certain addresses.

But — and this is very important — there is no authority to check to confirm that a particular address belongs to a particular network. There are organizations, such as RIPE in Europe and ARIN for the US and Canada, which allocate IP addresses (all they have left is IPv6 addresses), but there's no where you can check to confirm an allocation authoritatively. Because of this, the updating of routing tables is done entirely on trust.

Consider this simplistic example: ISP1 has the address space 1.0.0.0/8 and ISP2 has 2.0.0.0/8. They each advertise their space to the other. Now ISP3 advertises 3.0.0.0/8 to ISP1 and asks ISP1 to advertise its addresses, which it does. ISP1 becomes a transit provider for ISP3, a service for which ISP3 pays ISP1. But ISP1 has no real way to confirm that ISP3's advertisements are accurate.

Here's another important point: shorter routes get higher priority from the router. If ISP3 were to advertise a small subset of addresses to ISP1 with shorter paths than what ISP1 already had, ISP1 would follow those routes instead of what was already in the routing table.

It's important to note that in order to execute this attack you need control of an ISP router. You might think that this would be hard to do, and it's harder than it used to be, but it's not impossible. It's still possible to find routers with default admin passwords or passwords on a common dictionary list.  And once you do and take control, there's nothing to stop you from advertising Bank of America addresses on your network.

I suspect that the large majority of erroneous advertisements are, well, erroneous. They're not malicious, they're just screwups. There was a recent incident where some bad routes in NedZone Internet BV's network included Amazon.com and a bunch of big banks. It looks way too brazen to be an attack.

If you really wanted to be effective and surreptitious with such an attack you'd be lower-profile. You'd attack the router of a small or mid-size ISP and you'd only advertise it for a short time, but during that time you'd have other attacks, like cross-site scripting and targeted spam, ongoing against that ISP's users. When they attempt to communicate with their bank or retailer they will instead go to your servers; you can spoof those servers, see the cookies, it all depends on how ornate you want to get, but all you really need is to get users to log on to the site, which can satisfy SSL and get the little lock icon because the attacker can control those addresses too. Once you have validated logins for those accounts you can sell them for a lot.

Sometimes malicious attacks are not for profit, but just network vandalism. In 2008 there was a dispute between YouTube and the government of Pakistan about certain content. Sometime later false BGP routes pointed YouTube traffic in much of Europe to Pakistan Telecom, stealing traffic from YouTube but also flooding Pakistan Telecom with all of YouTube's traffic. RIPE, the regional internet registry for Europe, has a fascinating YouTube video of how it happened.

After an attack like this there may be no footprints left. Nobody logs router advertisements. There are groups that log and analyze the global routing table, such as the fascinating CIDR Report, and look for routes that don't make sense. But these only catch changes that propagate out to the global routing table. A transient advertisement which only goes to an ISP's peer and not a transit provider won't get to the global table. And even if it does, by the time anyone can see what's going on it will be too late.

It's impossible to block BGP spoofing attacks in a consistent, automated fashion, but it is possible to apply some common sense and experience, what you might call heuristics, to determine that a route isn't kosher. If a small ISP in Brazil starts advertising routes to PayPal then an experienced CNE might think twice about replicating it. But these things don't usually get vetted by a human being; there's too much going on. All ISPs advertise their routes to the other networks to which they connect and these companies (there are 30 or 40 thousand ISPs now) have a relationship and contracts, so they trust each other. And if they wanted to check the addresses they couldn't; there's no authoritative place to check.

You might complain that best administration practices, such as good route filtering, would prevent these attacks, and there's something to that. You can certainly prevent a lot of them with best practices. There are other practices that can make it harder to exploit such attacks successfully, such as using strong encryption and authentication for all local traffic, but there's no technique that will block these attacks in all cases.

If you find out that an ISP has bogus routes to your network what can you do? All you can do is call them and ask them (nicely or otherwise) to withdraw the route, but you can't make them. If they don't respond adequately you can complain to their upstream providers and ask them to block the route, but once again there is no official mechanism for doing this because there is no authority in charge of it, and you probably don't even have a relationship with the ISP to which you're complaining.

Of all the attacks happening under the radar on the internet, the most dangerous ones are likely based on BGP spoofing. It's the best reason to assume that a lot more network compromising, by criminal and government actors, is happening than is officially acknowledged, and even the officials don't really know how much is happening.  What can be done? If Dave Rand doesn't know then I sure don't.

Topics: Security, Cisco, Networking

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

17 comments
Log in or register to join the discussion
  • as headline generating this is, it's not entirely true

    Of course, each of the regional registries knows precisely whom a given range of IP addresses is allocated. That knowledge has been used for filtering BGP announcements on Internet for ages.
    There are more recent activities for resource certification, where each and every BGP announcement carries and can be tracked down to a proper digital signature certificate, thus positively proving it's existence or lack of thereof.

    Not impossible to spoof routing on BGP, not that hard to do either -- simply because there are just as many "wannabe" ISP admins, as there are IT admins doing about the same poor job in securing corporate IT infrastructure.

    Anyway, all the necessary tools are out there -- it's just a matter of education and dealing with those who do not behave. Considering that today mail servers that don't behave are already punished, we will soon see the same situation with misbehaving ISP routers.

    By the way, technology exists to combat this kind of spoofing and redirection: DNSSEC.
    danbi
    • RIRs allocate, they don't know who controls

      Just because ARIN allocated a block of addresses to MCI back in 1997 doesn't mean they know who controls it now or who that organization's customers are.

      DNSSEC is not a solution to this. All DNSSEC does is to supply IP addresses to a query. An organization's secure DNS can be intact but their IP addresses compromised.
      larry@...
      • On cryptographically secured routing...

        Things like CJDNS which is an overlay mesh network (think Tor or I2P but without anonymizing routing) that uses IPv6 addresses (in the 'fc' range) that is based on a checksum of a cryptographic public key will let you be 100% sure that the site you visit does indeed have the correct (secret!) private key, and of course only the original site should have the secret key that corresponds to that particular public key (the security of this course fails if they get hacked).

        Which means that either you get to the right site or you get a timeout, and the attacker can't read or respond to your traffic.
        Natanael_L
    • DNS irrelevant

      this IP re-routing is happening at a lower level than DNS.
      it is effectively spoofing target IP addresses.
      warboat
      • Re: it is effectively spoofing target IP addresses.

        True. But the attacker yet has to present a valid SSL certificate that corresponds to the redirected site.

        In any case, resource certification exists to solve the BGP spoofing.
        danbi
    • Email has been spoofed

      Email spoofing has happened to me and now my education process begins. My computer life has come to a halt.
      If IP addresses are assigned by some group, can my existing computer IP address be retired and a new one installed? Is the only solution to purchase a new machine and reenter my entire system by keystroke and mouse to eliminate my individual issue? NCCoastal
      NCCoast
  • Scary man in the middle attack

    Interesting topic! that's one scary way to setup a MITM attack.
    It seems as if events like this happen more and more lately (or is it just reported more?).
    As a network operator myself I recommend everyone who works with BGP to use a monitoring service such as http://bgpmon.net
    It provides great insights into your network and will report if someone other than your ASN is announcing your networks. So at least you know and can take action.
    Ghong
    • Re: Scary man in the middle attack

      By the way, you might be deluded to think such monitoring services are any useful, but they mostly help find out misconfigured routers. If I am attempting to suck your routes then I will not announce your address space from my AS, but instead will announce that I have a path to your AS via myself. This will make all the prefix/as filters happy and your traffic will nevertheless come to me.

      The only fix for this situation at present is resource certification. See here for more http://www.nro.net/technical-coordination/certification
      danbi
      • Re: Scary man in the middle attack

        Yes, but are you saying that you will know the AS that the ISP is running? IMO this is harder information to detect than an IP subnet.

        It would seem the obvious way to do this would be to advertise the IP out through your BGP AS; otherwise you are going to have to create a new BGP peer and somehow know the AS of the network you are trying to hack... Therefore it would make sense to advertise the route out.

        If I am wrong please correct me.
        Matt Howlin
  • It's Just A Denial-Of-Service Attack, Nothing More

    All the secure Internet protocols (SSL/TLS, SSH) already implement their security in the endpoints, not needing to trust any in-between part of the network. So the worst this sort of attack could do is delay or lose the traffic, eavesdropping on it isn't going to achieve anything new.
    ldo17
    • Nope

      Unfortunately, this has nothing to do with DoS. It has all to do with identity theft.

      It is trivial to play MITM between you and your SSL enabled site. I have designed such demonstrations many, many years ago, when we had to persuade the USG to permit the DNS root to be signed with DNSSEC. At this time, about the only saving grace for this kind of attack is DNSSEC and only if implemented properly and fully. DANE is a technology to use DNSSEC to securely assign certificate trust.
      danbi
      • Re: It is trivial to play MITM between you and your SSL enabled site

        1) Not unless you can control a root cert
        2) Which won't work against SSH anyway.
        ldo17
    • Just point you to my server

      After that, you're subject to whatever I want to serve you!
      DPeer
  • Just Like in the Cartoons ...

    Remember all those scenes where one cartoon character swivels the road sign at an intersection to point the wrong way, in order to confuse its enemies chasing it? That is what misrouting can do. The only solution is for YOUR router to be smarter than Wile E. Coyote. That's Road Runner security. Although that works fine in cartoons, it may take the security measures mentioned above to prevent "turning the sign" in the internet.
    jallan32
  • If using uncommon abbreviations, please explain what they are

    I have never previously encountered the abbreviation BGP and hadn't a clue what it stood for. After searching the internet for its meaning, I discovered that it stands for Border Gateway Protocol. So to all readers who, like me, were ignorant about BGP, now you know what it stands for! But are we any the wiser? When an article covers an unusual topic, it's always helpful for uncommon abbreviations to be explained when first used.
    However, one thing the article did for me is to confirm my wisdom in avoiding internet banking! I use a telephone bank that is accessible 24/7 every day, yes even Christmas Day, and I don't even need a computer to check my balance, pay credit cards, etc.
    JohnOfStony
    • Re: I discovered that it stands for Border Gateway Protocol

      Does that give you a better idea of what the article is about?
      ldo17
    • Re: I discovered that it stands for Border Gateway Protocol

      BGP is a very complex routing protocol and this article is most likely only relevant to those working in networking/telecoms - not old men still using telephone banking ;)
      Matt Howlin