Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet (wired.com)
103 points by texan on Dec 6, 2013 | hide | past | favorite | 43 comments



Bah. Real simple cure for this nonsense. Too bad it's unlikely to happen.

Back when Usenet mattered, there used to be something called a "Usenet Death Penalty". What we need here is an "Autonomous System Death Penalty".

BGP works between "Autonomous Systems" (aka AS). ISPs almost invariably are. Bigger companies usually are. Anyone who wants to be independent of their upstream IP connection gets an AS number. The only way some ISP in Belarus can interfere with your IP packets is to announce over BGP that packets should be sent to their AS.

So anyone who was affected by some rogue ISP in Belarus should simply tell their BGP routers to totally ignore anything from that AS. Forever. And if they're a govt agency they simply tell Comcast, Verizon, AT&T, etc to drop any and all packets from that AS. To anywhere! And if it's a govt agency making this "request", there's a good chance that the Tier 1 IP providers will comply.

Done. That podunk ISP in Belarus has now been disconnected from a large part of the Internet. And good luck with them trying to get Verizon etc to undo that.

So, what the death penalty means is "you get to intentionally mess around with routing just once, then you go away forever". Now that podunk ISP can either go out of business or it can go begging IANA for a new AS number. And since ICANN (which operates IANA) answers (at least for now) to the US Dept of Commerce, it might not be too easy to get a new AS.

Yes I know the propeller-head nerds who operate the "technical" Internet would immediately think my proposal is much too harsh. But, ultimately, nerds need to understand that sometimes things are done for "political" rather than "technical" reasons. And the managers who sign the nerds' paychecks are political creatures; they almost invariably aren't nerds.


Yes I know the propeller-head nerds who operate the "technical" Internet would immediately think my proposal is much too harsh. But, ultimately, nerds need to understand that sometimes things are done for "political" rather than "technical" reasons. And the managers who sign the nerds' paychecks are political creatures; they almost invariably aren't nerds.

Nah, but I do think you can go fuck yourself for being so patronizing.


"propeller-head nerd who operates the 'technical' Internet" here...

I don't think it's too harsh, but it would never happen, of course. It would all go out the window the first time some large corporation was affected.

There are already solutions for this (filtering inbound announcements, RPKI, etc.), but people (ISPs) don't use them. BCP38 solved the "IP spoofing" issue years ago but AS's don't even implement that.

(Side note: IANA doesn't directly issue ASNs to entities. Here in the U.S., for example, you get them from ARIN. And they'll gladly give 'em out ($500 each).)


RPKI (http://en.wikipedia.org/wiki/Resource_Public_Key_Infrastruct...) is getting increasing use and looks to be the consensus solution among RIRs, ISPs, etc. Events like this, and there have been quite a few recently, will drive faster adoption.

HTTPS wasn't rolled out with 100% in a year or two either.

Disclaimer: I am an RPKI researcher.


In the history of the Internet (or at least the WorldWideWeb), how many times has a big corporation pulled this stunt, even accidentally? If the answer is 0 or even a number I can count on 1 hand, I say go for it. Even if it was an accident, this is the type of fuck up that deserves Internet death. Think of it like the digital equivalent of walking out onto a highway with a semi barreling down the center lane.


It's simple! Just ban the number they've been assigned and that solves the problem once and for all!

...but what if they make a request under the guise of a different organization, to be assigned new numbe--

ONCE AND FOR ALL.


My gut reaction is that this highjacking was "opportunistic" and "state sponsored". The "actors" knew there wouldn't be any consequences.

It would be nice to "send a message" by banning an AS number. The hassles involved in revoking that ban and/or obtaining a new AS number would make it unlikely that such opportunistic bad behavior would recur very often.


Could a system like this not be abused? If you wanted to get your competitor out of business, all you'd have to do is arrange for them to get blacklisted in this manner (I'm assuming it would be possible to achieve, as these things invariably are).


Yes, you just announce a bad BGP route with their AS. The blacklist idea assumes that BGP route announcements are attributable, which in many cases they are not.


You may want to consider omitting the final paragraph of your argument.


Yeah, I know. In re-reading that paragraph it does seem over-the-top. As you point out, it could (should?) probably have been omitted entirely.


You might want to consider that "intentional" is not always a clear-cut case.

In this scenario, Renesys claims that it's obvious that this was no accident, but there's also mention of a Pakistani accidental hijack and a presumably accidental Chinese incident.

Intelligence agencies are masterful at the art of making things look like coincidences or accidents, and many smaller ISPs could make an accidental hijack that looks intentional and dangerous.


Do we have enough numbers available to scratch definitively some?

There is also the political problem of leaving the one nation in charge of something global (they don't like due process when it's about foreign matter). It'd better be an international body.


Yeah, ASNs are 32-bit.


I would like to note, however, that there are a very large number of REAL situations where the best route for an EU-EU bound packet is via the US.

Depending on the providers in question, the specifics of their interconnects, and the explicits of any congestion mitigating traffic engineering, the shortest AS-Path announcement may come via a US peer.


Another solution would be to implement Tor like onion routing so that capturing the data on the fly would be useless and tampering with it - not possible.


As one of those propeller heads, I actually think your suggestion is a little vitriolic, but not too bad.

There are a number of technical solutions for this, and interestingly I tend to apply them in Europe first.


The "podunk" reference wasn't needed, either.


Here's the post at Renesys upon which this article is based: http://www.renesys.com/2013/11/mitm-internet-hijacking/

FWIW, I found the renesys post more informative than the Wired article (though on a standalone basis it is pretty good too).


We know. The article you linked to is mentioned and linked in the Wired article at least twice, if you read through it.


I know you know :) Just wanted to say that there's a difference in the way both were written, and that I personally found the Renesys piece more interesting. I don't think all readers will have the time to read two long pieces on the same subject, so a bit of context helps.


Let's assess the damage. Says the article:

"The stakes are potentially enormous, since once data is hijacked, the perpetrator can copy and then comb through any unencrypted data freely"

Apparently then, the harm amounts to:

H1. The method is a little stealthier than the NSA's other modus operandi, the badge + "national security letter" + secrecy order, and similar conduct of other state actors.

H2. The reach extends surveillance capabilities outside the attacker's territory.

On the other hand:

M1. There is no new MITM that was not possible before. Well-encrypted traffic is still opaque, and plaintext traffic is still vulnerable, regardless whether it is hijacked BGP-wise or by the on-premises tactics.

M2. This does not go unnoticed, there is no way to force affected parties to shut up about it, and like the other wiretapping, this will bring on countermeasures. It's self-limiting.



A map where blue is land?

Who the hell made this map? Buster?


Very interesting - is BGP fundamentally vulnerable to this attack? Is there a way to put the equivalent of a certificate revocation list on top of BGP?


To your first, yes and no. Most BGP implementations are configured in such a way to protect consumption of prefixes that are larger than normal. A large prefix would be a /30 for instance in IPv4. This generally is a very specific route and is considered a bad thing in the global BGP table. Why? Because you don't advertise 2 reputable addresses at a time, you go for smaller prefixes to make the table manageable to make routing decisions on. So the no part is that generally all configurations of BGP will prevent the more specific routes like this. However it's just a numbers game of advertising a prefix one bit larger than the real advertised by, say splitting that network in half.

As for the second part of the question, no. There's no signing of any owned AS announcements. At best you can have a digest to validate your peer. But peering configurations in BGP are generally very specific, as in your peer is a host route, generally reachable directly via the transport provided by, say, a purchased circuit. So - is it trivial to swing routes on improperly configured downstream? Sure. You have to find a broken subset of routing configuration at a very critical point in the network though, which would indicate a core router at a large telecom hotel is compromised or an administrator is in cahoots with the redirect operation.

There's a lot more with regard to possibilities - but just a high level take away.
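As an added illustration of the RPKI origin validation mentioned upthread (this is not code from any commenter, nor from Renesys or Wired), here is a minimal RFC 6811 Route Origin Validation check. It shows how a ROA's maxLength catches the "one bit more specific" announcement described above; the ROA set and the ASNs (from the documentation range) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization: prefix, longest allowed length, origin AS."""
    prefix: str
    max_length: int
    origin_asn: int


# Constructed sample ROA set (documentation prefix and ASN, not real data):
# the legitimate holder AS64496 authorises exactly 192.0.2.0/24.
SAMPLE_ROAS = [Roa("192.0.2.0/24", 24, 64496)]


def rov_state(roas, announced_prefix, origin_asn):
    """Classify one BGP announcement per RFC 6811.

    Returns 'valid', 'invalid' or 'not-found'.  A ROA 'covers' a route when the
    route lies inside the ROA prefix (same address family).  The route is valid
    if any covering ROA matches the origin AS *and* the route is no longer than
    that ROA's maxLength; invalid if covered but nothing matches; not-found when
    no ROA covers it at all.
    """
    route = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


if __name__ == "__main__":
    # Constructed announcements: legitimate, more-specific hijack (the
    # "split the network in half" case), wrong origin, and an uncovered prefix.
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("192.0.2.0/24", 64511), ("198.51.100.0/24", 64511)]:
        print(prefix, asn, rov_state(SAMPLE_ROAS, prefix, asn))
```

ROV only judges the origin AS, so it covers the more-specific and wrong-origin cases above but not a forged AS path; the path-change monitoring the next commenter recommends complements it.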


And the best solution to replace BGP out there is LISP. However, even in LISP there are fundamental flaws that weren't designed for from inception.

When I had control over an AS I made a very specific point to always monitor path changes for performance and security reasons all the time. If you have an AS and you're not - then you're doing it wrong with the most critical piece of your infrastructure.


Heh, most AS's don't even adhere to BCP38 and you expect them to be monitoring for path changes and hijacks?


Someone or the NSA? If I was them I would hijack some poor country ISP and siphon everything through them. At this point assuming it's the NSA should be the default assumption. Remember that Snowden's encrypted data (assuming it's real) includes everything not yet public. So likely we only know a fraction. Thus assuming NSA is probably safe.


I think from the NSA's perspective this is both crude and unnecessary. They have better ways.


Maybe it was Santa Claus and he used Iceland because it reminds him of the Arctic. During this time of year, assuming it's Santa Claus should be the default assumption. Remember that He is "making a list" and "checking it twice". So assuming it's Santa Claus is the best bet.


Off-topic: I always liked the idea of loose source routing. And the original netcat supports it. Does your kernel support it? Would you use it if you could?


That someone in Minsk may well be a US operative working at the huge IBM facility in Minsk.


I love the picture of Iceland.


Is this really a bug?


Maybe Dr Evil in his secret volcano lair.


I can't understand it. It seems to be business, so why didn't they make 'em pay?


sigh

Another BGP finger-pointing article that still doesn't get it right.


Could you explain it better for the uneducated like me?


So the totality of your criticism of a story from one of the best security reporters in the business is sigh and "doesn't get it right"?

And this is the top comment on Hacker News?

Sigh


New comments tend to be placed at or near the top so they're given just enough visibility to be read and voted on. The top comment doesn't necessarily mean it's the most popular.


Best security reporter does not equate to any level of understanding of BGP. You're asserting a false parallel. And, see my other comments.


Never mind that, the article is simply written horribly.



