
Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet - texan
http://www.wired.com/threatlevel/2013/12/bgp-hijacking-belarus-iceland/?cid=co15315354
======
PhantomGremlin
Bah. Real simple cure for this nonsense. Too bad it's unlikely to happen.

Back when Usenet mattered, there used to be something called a "Usenet Death
Penalty". What we need here is an "Autonomous System Death Penalty".

BGP works between "Autonomous Systems" (aka AS). ISPs almost invariably are.
Bigger companies usually are. Anyone who wants to be independent of their
upstream IP connection gets an AS number. The only way some ISP in Belarus can
interfere with your IP packets is to announce over BGP that packets should be
sent to their AS.

So anyone who was affected by some rogue ISP in Belarus should simply tell
their BGP routers to totally ignore anything from that AS. Forever. And if
they're a govt agency they simply tell Comcast, Verizon, AT&T, etc to drop any
and all packets from that AS. To anywhere! And if it's a govt agency making
this "request", there's a good chance that the Tier 1 IP providers will
comply.

Done. That podunk ISP in Belarus has now been disconnected from a large part
of the Internet. And good luck with them trying to get Verizon etc to undo
that.

So, what the death penalty means is "you get to intentionally mess around with
routing just once, then you go away forever". Now that podunk ISP can either
go out of business or it can go begging IANA for a new AS number. And since
ICANN (which operates IANA) answers (at least for now) to the US Dept of
Commerce, it might not be too easy to get a new AS.

Yes I know the propeller-head nerds who operate the "technical" Internet would
immediately think my proposal is much too harsh. But, ultimately, nerds need
to understand that sometimes things are done for "political" rather than
"technical" reasons. And the managers who sign the nerds' paychecks are
political creatures; they almost invariably aren't nerds.

~~~
jlgaddis
"propeller-head nerd who operates the 'technical' Internet" here...

I don't think it's too harsh, but it would never happen, of course. It would
all go out the window the first time some large corporation was affected.

There are already solutions for this (filtering inbound announcements, RPKI,
etc.), but people (ISPs) don't use them. BCP38 solved the "IP spoofing" issue
years ago but AS's don't even implement that.

(Side note: IANA doesn't directly issue ASNs to entities. Here in the U.S.,
for example, you get them from ARIN. And they'll gladly give 'em out ($500
each).)

~~~
EthanHeilman
RPKI
([http://en.wikipedia.org/wiki/Resource_Public_Key_Infrastruct...](http://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure))
is getting increasing use and looks to be the consensus solution among RIRs,
ISPs, etc. Events like this, and there have been quite a few recently, will
drive faster adoption.

HTTPS wasn't rolled out with 100% in a year or two either.

Disclaimer: I am an RPKI researcher.
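
The origin validation that EthanHeilman's and jlgaddis's comments point to (RPKI, filtering inbound announcements), as an added example that is not code from this thread or from any RPKI project: it implements the RFC 6811 valid/invalid/unknown decision and applies it as an inbound filter. All ROAs, prefixes and AS numbers are constructed from documentation ranges.

```python
# Added example, not code from the thread: RPKI Route Origin Validation
# (RFC 6811) applied to inbound BGP announcements. ROAs and prefixes below
# are constructed from documentation ranges (RFC 5737, RFC 5398).
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: str       # prefix the resource holder signed for
    max_length: int   # longest prefix length the holder permits
    origin_as: int    # AS authorised to originate it (0 = nobody)

def validate(roas, announced_prefix, origin_as):
    """Return 'valid', 'invalid' or 'unknown' for one BGP announcement."""
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA only covers announcements inside its prefix (same IP version)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "unknown"        # no ROA: nobody has spoken for this space
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"           # covered, but wrong origin or too specific

def inbound_policy(roas, announcements):
    """Filter what a router would accept from a peer: drop invalids."""
    accepted = {}
    for prefix, origin_as in announcements:
        state = validate(roas, prefix, origin_as)
        if state != "invalid":
            accepted[prefix] = (origin_as, state)
    return accepted

# Constructed ROA table: AS64496 holds 192.0.2.0/24 and may announce it
# as-is or as /25s; 198.51.100.0/24 is signed with AS0 (never announce).
ROAS = [ROA("192.0.2.0/24", 25, 64496), ROA("198.51.100.0/24", 24, 0)]

# Constructed announcements: the legitimate route, a more-specific route
# from another AS, an AS0-protected block, and space with no ROA at all.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),
    ("192.0.2.0/25", 64497),
    ("198.51.100.0/24", 64497),
    ("203.0.113.0/24", 64497),
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(prefix, asn, validate(ROAS, prefix, asn))
    print(inbound_policy(ROAS, ANNOUNCEMENTS))
```

Note that "unknown" routes are still accepted here, which is the usual deployment choice while ROA coverage is partial; an operator can only drop them once the prefixes they care about are signed.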

------
r0h1n
Here's the post at Renesys upon which this article is based:
[http://www.renesys.com/2013/11/mitm-internet-hijacking/](http://www.renesys.com/2013/11/mitm-internet-hijacking/)

FWIW, I found the renesys post more informative than the Wired article (though
on a standalone basis it is pretty good too).

~~~
runjake
We know. The article you linked to is mentioned and linked in the Wired
article at least twice, if you read through it.

~~~
r0h1n
I know you know :) Just wanted to say that there's a difference in the way
both were written, and that I personally found the Renesys piece more
interesting. I don't think all readers will have the time to read two long
pieces on the same subject, so a bit of context helps.

------
ds9
Let's assess the damage. Says the article:

"The stakes are potentially enormous, since once data is hijacked, the
perpetrator can copy and then comb through any unencrypted data freely"

Apparently then, the harm amounts to:

H1. The method is a little stealthier than the NSA's other modus operandi, the
badge + "national security letter" + secrecy order, and similar conduct of
other state actors.

H2. The reach extends surveillance capabilities outside the attacker's
territory.

On the other hand:

M1. There is no new MITM that was not possible before. Well-encrypted traffic
is still opaque, and plaintext traffic is still vulnerable, regardless whether
it is hijacked BGP-wise or by the on-premises tactics.

M2. This does not go unnoticed, there is no way to force affected parties to
shut up about it, and like the other wiretapping, this will bring on
countermeasures. It's self-limiting.

------
Anon84
Related discussion
[https://news.ycombinator.com/item?id=6773889](https://news.ycombinator.com/item?id=6773889)

------
stevehawk
a map where blue is land?

who the hell made this map? Buster?

------
ak217
Very interesting - is BGP fundamentally vulnerable to this attack? Is there a
way to put the equivalent of a certificate revocation list on top of BGP?

~~~
windexh8er
And the best solution to replace BGP out there is LISP. However, even in LISP
there are fundamental flaws that weren't designed for from inception.

When I had control over an AS I made a very specific point to always monitor
path changes for performance and security reasons all the time. If you have an
AS and you're not - then you're doing it wrong with the most critical piece of
your infrastructure.

~~~
jlgaddis
Heh, most AS's don't even adhere to BCP38 and you expect them to be monitoring
for path changes and hijacks?

------
coldcode
Someone or the NSA? If I was them I would hijack some poor country ISP and
siphon everything through them. At this point assuming it's the NSA should be
the default assumption. Remember that Snowden's encrypted data (assuming it's
real) includes everything not yet public. So likely we only know a fraction.
Thus assuming NSA is probably safe.

~~~
IvyMike
I think from the NSA's perspective this is both crude and unnecessary. They
have better ways.

------
gwu78
Off-topic: I always liked the idea of loose source routing. And the
original netcat supports it. Does your kernel support it? Would you use it if
you could?

------
ommunist
That someone in Minsk may well be US operative working at huge IBM facility in
Minsk.

------
cpsempek
I love the picture of Iceland.

------
callesgg
Is this really a bug?

------
apierre
Maybe Dr Evil in his secret volcano lair.

------
question612
I can't understand it. It seems to be business, so why didn't they make 'em pay?

------
windexh8er
_sigh_

Another BGP finger-pointing article that still doesn't get it right.

~~~
rsingel
So the totality of your criticism of a story from one of the best security
reporters in the business is _sigh_ and "doesn't get it right"?

And this is the top comment on Hacker News?

_Sigh_

~~~
windexh8er
Best security reporter does not equate to any level of understanding of BGP.
You're asserting a false parallel. And, see my other comments.

~~~
AsymetricCom
Never mind that, the article is simply written horribly.

