

Researchers say U.S. Internet traffic was re-routed through Belarus - RougeFemme
http://www.washingtonpost.com/blogs/the-switch/wp/2013/11/20/researchers-say-u-s-internet-traffic-was-re-routed-through-belarus-thats-a-problem/

======
windexh8er
Meh... "By default your neighbor just believes you, and doesn't have a really
reliable way to tell if you are actually telling the truth" - while this is
not 100% true with regard to most peering configurations via tier 1 carriers,
there is a slight nugget of truth here. You can't just order a circuit from
AT&T/Verizon/Sprint and inject whatever you want. First you have to have an AS
assigned to you (if you're to have the ability to announce anyway) and then
beyond that it's generally a process of negotiating sane terms of what you're
presenting to them and what they're presenting to you (generally as the
customer you want the entire table, but there are exceptions). At that point
the config on the far end will mimic what was agreed upon (prefixes advertised
and general length protections such that you don't spam out thousands of /30s
from your transport or something horrid like that). While there is no way to
truly validate the authenticity of the update - there is generally a decent
chain of custody.

BGP is a great playground for injection research. The best part is via looking
glass sites it's very trivial to target specific, and core, platforms.

That being said... Regardless of BGP itself beyond certificate validation and
pinning we should also be doing path checking. I mentioned this to Moxie for a
potential addition into Convergence, and from the page:

"Convergence trust notaries use network perspective to validate your
communication by default, but can be extended to use whatever methods the
notary operator would like. This might include DNSSEC, BGP data, "SSL
observatory" results, or even CA validation."

...AS path should be looked at more closely in all secure communications we're
delivering. It's trivial to get the AS path for the hops and, since it is
generally static from known origination networks it would be relatively easy
to build history of known AS path order and vet with regionalized crowd-
sourcing.

Huge path swings should be obvious; today they're not to most. Some good
resources are:

* Team Cymru - [https://www.team-cymru.org/Monitoring/BGP/](https://www.team-cymru.org/Monitoring/BGP/)
* Colorado State BGPmon - [http://bgpmon.netsec.colostate.edu/](http://bgpmon.netsec.colostate.edu/)
* Cyclops (UCLA) - [http://cyclops.cs.ucla.edu](http://cyclops.cs.ucla.edu)

...and there's also BGPMon (the service), but it has turned into a more paid-for
service (although you can monitor 5 x AS for free).

* BGPmon - [http://www.bgpmon.net/](http://www.bgpmon.net/)
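
Added example (not part of windexh8er's comment or of any of the services linked above): a toy version of the AS-path baseline the comment proposes. It builds per-prefix history from constructed observations (documentation ASNs and prefixes, with the origin AS last in each path) and then flags a new observation when the origin changes, a transit AS appears that was never seen for that prefix, the path length swings far from the norm, or a never-before-seen more-specific of a known prefix shows up. Prepended hops are collapsed first so that ordinary traffic engineering is not reported as a swing.

```python
"""Baseline-and-compare check for AS paths, as the comment above proposes.

Added example. The observations below are constructed for two documentation
prefixes; in practice the history would come from a route collector or a
looking glass. The origin AS is the last element of each path.
"""
from collections import defaultdict
import ipaddress

# Constructed history: (prefix, AS path as seen from one vantage point).
HISTORY = [
    ("203.0.113.0/24", (64496, 64500, 65550)),
    ("203.0.113.0/24", (64496, 64501, 65550)),
    ("203.0.113.0/24", (64497, 64500, 65550)),
    ("198.51.100.0/22", (64496, 64502, 65551)),
    ("198.51.100.0/22", (64497, 64502, 65551)),
]


def strip_prepends(path):
    """Collapse consecutive repeats: prepending is a policy knob, not a new hop."""
    return tuple(asn for i, asn in enumerate(path) if i == 0 or asn != path[i - 1])


def build_baseline(history):
    """Per prefix, record the origin ASes, transit ASes and full paths ever seen."""
    baseline = defaultdict(lambda: {"origins": set(), "transit": set(), "paths": set()})
    for prefix, path in history:
        path = strip_prepends(path)
        entry = baseline[prefix]
        entry["origins"].add(path[-1])
        entry["transit"].update(path[:-1])
        entry["paths"].add(path)
    return dict(baseline)


def check_update(baseline, prefix, path):
    """Return a list of anomaly descriptions for one new observation (empty = normal)."""
    anomalies = []
    path = strip_prepends(path)
    entry = baseline.get(prefix)
    if entry is None:
        # A never-before-seen more-specific of a known prefix is the classic hijack
        # shape: it wins longest-prefix match everywhere it propagates.
        net = ipaddress.ip_network(prefix)
        covering = [p for p in baseline
                    if ipaddress.ip_network(p).version == net.version
                    and net.subnet_of(ipaddress.ip_network(p))]
        if covering:
            anomalies.append(f"new more-specific of known prefix {covering[0]}")
        else:
            anomalies.append("prefix never seen before")
        return anomalies
    if path[-1] not in entry["origins"]:
        anomalies.append(f"origin AS {path[-1]} not among known origins {sorted(entry['origins'])}")
    unseen = set(path[:-1]) - entry["transit"]
    if unseen:
        anomalies.append(f"transit AS(es) never seen for this prefix: {sorted(unseen)}")
    longest_known = max(len(p) for p in entry["paths"])
    if path not in entry["paths"] and len(path) > longest_known + 1:
        anomalies.append(f"path length {len(path)} is a large swing from the usual {longest_known}")
    return anomalies


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for prefix, path in [
        ("203.0.113.0/24", (64496, 64500, 65550, 65550, 65550)),  # prepended, normal
        ("203.0.113.0/24", (64496, 64500, 64666)),                # origin changed
        ("203.0.113.0/24", (64496, 64777, 64500, 65550)),         # detour via unseen AS
        ("198.51.100.0/24", (64496, 64666)),                      # more-specific appears
    ]:
        print(prefix, path, "->", check_update(baseline, prefix, path) or "normal")
```

The thresholds (one unseen transit AS, a length swing of more than one hop) are deliberately simple; the crowd-sourced, regionalised version the comment has in mind would compare against many vantage points rather than one history list.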

------
dublinben
Original article from two days ago: [http://www.renesys.com/2013/11/mitm-internet-hijacking/](http://www.renesys.com/2013/11/mitm-internet-hijacking/)

------
SEJeff
As I said in the other article on this...

Also the author shouldn't rule out Hanlon's razor[1]. Advertising the wrong AS
is often caused by incompetence or mistakes of network engineers. Note that
I'm not a network engineer (I'm a Linux monkey by trade), but know you can do
BGP AS path filtering[2] a la ACLs to prevent a rogue/incompetent entity from
advertising routes that don't belong to them. If more ISPs would simply lock
down their routing infrastructure a bit more, a lot of these types of attacks
would be rendered mostly void.

[1]
[http://en.wikipedia.org/wiki/Hanlon's_razor](http://en.wikipedia.org/wiki/Hanlon's_razor)

[2] [https://ftp.apnic.net/meetings/22/docs/tut-routing-pres-bgp-...](https://ftp.apnic.net/meetings/22/docs/tut-routing-pres-bgp-bcp.pdf)
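
Added example (not part of SEJeff's comment, and not taken from the APNIC tutorial linked above): the kind of customer-edge ingress filter the comment means, modelled in Python instead of vendor syntax. The policy is constructed with documentation ASNs and prefixes: the upstream accepts from customer AS 64500 only prefixes inside its registered aggregates, no more specific than /24, and only AS paths that start with the peer and originate in 64500 or its single downstream AS 64501. The regular expression stands in for a vendor AS-path access list; the prefix list with a maximum length stands in for a prefix-list entry with an `le` bound.

```python
"""Customer-edge ingress policy: prefix list with max length plus AS-path filter.

Added example, modelled in Python rather than vendor configuration syntax.
Policy and announcements are constructed with documentation ASNs and prefixes.
"""
import ipaddress
import re

# What the upstream agreed to take from customer AS 64500: its registered
# aggregates (accepted down to /24, so no flood of /30s), originated by 64500
# itself or by its single downstream AS 64501. The regex plays the role of an
# AS-path access list: first hop is the peer, optional prepends, optionally one
# downstream AS with its own prepends, and nothing else.
CUSTOMER_POLICY = {
    "peer_as": 64500,
    "allowed_prefixes": [
        (ipaddress.ip_network("203.0.113.0/24"), 24),
        (ipaddress.ip_network("198.51.100.0/22"), 24),
    ],
    "as_path_re": re.compile(r"^64500( 64500)*( 64501( 64501)*)?$"),
}


def accept_announcement(policy, prefix, as_path):
    """Decide whether one announcement received from the customer is installed.

    Returns (accepted, reason). as_path is the path as received, peer's AS first.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    # 1. The first AS must be the peer we are talking to (catches AS spoofing).
    if not as_path or as_path[0] != policy["peer_as"]:
        return False, "path does not start with peer AS"
    # 2. The prefix must sit inside a registered aggregate and not be more
    #    specific than agreed; anything else, including somebody else's space,
    #    is dropped here instead of propagating to the rest of the world.
    covered = any(
        net.version == agg.version and net.subnet_of(agg) and net.prefixlen <= maxlen
        for agg, maxlen in policy["allowed_prefixes"]
    )
    if not covered:
        return False, "prefix not registered to customer or too specific"
    # 3. The AS path must match the agreed origin pattern.
    path_str = " ".join(str(asn) for asn in as_path)
    if not policy["as_path_re"].fullmatch(path_str):
        return False, f"AS path '{path_str}' not permitted"
    return True, "accepted"


if __name__ == "__main__":
    for prefix, path in [
        ("203.0.113.0/24", [64500]),                  # own aggregate, accepted
        ("198.51.100.0/23", [64500, 64500, 64501]),   # downstream origin, prepended
        ("198.51.100.0/25", [64500]),                 # too specific
        ("192.0.2.0/24", [64500]),                    # not the customer's space
        ("203.0.113.0/24", [64500, 64666]),           # unexpected origin AS
        ("203.0.113.0/24", [64666, 64500]),           # path does not start with peer
    ]:
        print(prefix, path, "->", accept_announcement(CUSTOMER_POLICY, prefix, path))
```

The order of the checks matters in the same way it does on a router: the cheap structural checks run first, and a failure at any step rejects the route before it is ever eligible for best-path selection.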

------
conformal
i have long suspected that BGP routes can be altered on-demand to push
domestic traffic outside national borders and justify its recording and use by
intelligence services.

it is entertaining to see this done in the wild.

~~~
windexh8er
It's not that they can be altered - it's that the path can be manipulated so
that the path "looks" better. Generally there needs to be some collusion in
that regard however since it's oft easy to steer traffic by AS-prepending
(making ingress swing across multi-homed AS), but harder to control the
egress.

If you can announce a relatively concise prefix of traffic you know you want
and nobody notices it's pretty easy for this to go unnoticed for a period of
time. As the prefix gets smaller that's harder to control however (since more
specific routes will generally be installed in the routing table over less
specific).

That being said it shouldn't be trivial to announce networks you don't own.
This is where the people process oft breaks down.
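
Added example (not part of windexh8er's comment): a toy routing table that shows the two mechanics the comment relies on. Within one prefix the shorter AS path wins, so a prepended announcement loses and ingress can be steered; across prefixes the longest match wins, so a more-specific announced by someone else takes the traffic no matter how good the legitimate path is, and the usual counter is to announce equally specific routes yourself. All ASNs and prefixes are documentation values and the announcements are constructed.

```python
"""Longest-prefix match and AS-path-length selection in a toy RIB.

Added example, not from the thread. Prefixes and ASNs are documentation values;
the announcement sequence in scenario() is constructed.
"""
import ipaddress


class Rib:
    """Minimal routing table: for each prefix keep the best (shortest) AS path."""

    def __init__(self):
        self.routes = {}  # ipaddress network -> tuple AS path (origin last)

    def announce(self, prefix, as_path):
        net = ipaddress.ip_network(prefix)
        path = tuple(as_path)
        current = self.routes.get(net)
        # The one BGP best-path step modelled here: a shorter AS_PATH wins.
        # Prepended copies of an AS count, which is exactly how prepending
        # pushes ingress toward the other upstream.
        if current is None or len(path) < len(current):
            self.routes[net] = path

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, ip):
        """Return (prefix, as_path) used to forward to ip, or None."""
        addr = ipaddress.ip_address(ip)
        candidates = [(net, path) for net, path in self.routes.items()
                      if net.version == addr.version and addr in net]
        if not candidates:
            return None
        # Longest prefix match: the most specific route wins regardless of path.
        net, path = max(candidates, key=lambda np: np[0].prefixlen)
        return str(net), path

    def origin_for(self, ip):
        hit = self.lookup(ip)
        return hit[1][-1] if hit else None


def scenario():
    """Walk through normal state, a more-specific hijack, and the mitigation."""
    rib = Rib()
    out = {}
    # AS 65551 announces its /22 via two upstreams and prepends toward 64497,
    # so the table prefers the path through 64496.
    rib.announce("198.51.100.0/22", [64496, 65551])
    rib.announce("198.51.100.0/22", [64497, 65551, 65551, 65551])
    out["normal"] = rib.lookup("198.51.100.77")
    # AS 64666 announces a /23 covering the lower half of the /22. Its path is
    # no shorter, but it is more specific, so it takes that half of the space.
    rib.announce("198.51.100.0/23", [64498, 64666])
    out["hijacked_low"] = rib.origin_for("198.51.100.77")
    out["hijacked_high"] = rib.origin_for("198.51.102.77")  # outside the /23
    # Mitigation: the victim announces its own /24s, which are more specific
    # than the hijacker's /23 and win the match again.
    rib.announce("198.51.100.0/24", [64496, 65551])
    rib.announce("198.51.101.0/24", [64496, 65551])
    out["mitigated"] = rib.origin_for("198.51.100.77")
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step:14} {result}")
```

Note that nothing in the selection logic can tell the hijacker's /23 from a legitimate one; that distinction only exists upstream, in the filtering a transit provider applies when it accepts the announcement in the first place.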

