BAD: BGP

Started by superluser, August 29, 2008, 12:23:20 AM


superluser

Normally, I don't go in for fear-mongering, but this Wired article has me a little worried.  They claim that BGP is broken as designed, and that there are known exploits that can result in man in the middle attacks.

What has me most concerned is that, unlike the recent DNS exploit, this will require massive infrastructure changes to mitigate.  Unfortunately, there's no workaround at this point, so we'll have to trust that our data are safe for a while longer.  I doubt that there's any serious threat, but I thought this was important enough to let people know.

Quote
ESTRAGON: Nothing to be done.
VLADIMIR: I'm beginning to come round to that opinion.


Would you like a googolplex (gzipped 57 times)?

Alondro

I'm just glad I don't do my banking online.   :P
Three's a crowd:  One lordly leonine of the Leyjon, one cruel and cunning cubi goddess, and one utterly doomed human stuck between them.

http://www.furfire.org/art/yapcharli2.gif

Reese Tora

The funny thing is, I thought you were talking about Border Gateway Protocol, but then I thought, no, it must be an acronym for something else, just my Cisco classes talking... and then it turns out I was right about what you were talking about. :B
<-Reese yaps by Silverfox and Animation by Tiger_T->
correlation =/= causation

Vidar

OH SNAP!
Good thing the vulnerability is only linked to unencrypted data. Once the piratebay has encrypted the entire internet this will be something of a non-issue, I hope.  :batman
\^.^/ \O.O/ \¬.¬/ \O.^/ \o.o/ \-.-/' \O.o/ \0.0/ \>.</

rabid_fox


Can you translate this for the slow of thinking?

Oh dear.

superluser

Quote from: rabid_fox on August 29, 2008, 08:06:52 AM
Can you translate this for the slow of thinking?

Reese would probably be able to answer this more definitively, but essentially, here's the issue (apologies if this is fuzzy--I had insomnia last night).

If I want to connect from my computer to the Clockwork Mansion server, I get the IP address of the server, and then I ask all the computers I'm connected to to tell me which one has the shortest route to that address.  These are called routing tables.  When the internet was first starting out, all of those computers were owned by the military, defense contractors, or universities with defense contracts.  So they were all assumed to be trustworthy, and the basic procedure for proving that you had the fastest route was to say so.

But now, we can't assume that all the computers are trustworthy.  A nefarious person could slip into the routing tables a bogus entry that sends traffic for a particular IP to that computer.  The problem is that, if the computer is not the shortest route, if it tries to relay that information, all of the computers that it is connected to will send the data back to the attacker's computer, since it claims to be the shortest route.

This made the attack unusable in practice, since my data would just disappear and I wouldn't be able to access the forums, and the forums wouldn't be able to see any traffic, and *someone* would notice.

But the new attack bypasses this by doing something that I'm not quite clear on (and that's probably a good thing), which makes it possible that this type of attack would be undetected.

Executive Summary: An attacker can intercept, spy on and modify your data, and then send it to your intended destination, all without you knowing that you're being attacked.

Ars Technica has a good synopsis.


Reese Tora

more or less...

on the internet, or any routed network, your traffic passes through routers which each have a routing table that says "this way to destination network"

BGP is the preferred (only, even) protocol by which routers on the internet tell each other how to get to their network.

Under normal conditions, BGP allows anyone to send anyone a route, and numbers can be fudged to make the fake route more desirable. This is a known vulnerability, but it's not very useful by itself, because any traffic caught by this would not be forwardable to the intended recipient, so man in the middle wouldn't work. (they can always set up a complete copy of a site, of course, but the site that is hijacked in this fashion would notice the drop in traffic pretty quickly.)

What this is, is that someone's found a way to target these updates and leave a channel that they can use to forward the hijacked packets to the intended destination once they've done whatever they intend to do.

Packets taking the return trip aren't intercepted, though.

basically, someone who wanted to could capture the packets you sent to an internet server, examine them, and maybe modify them, before forwarding them to the internet server, but the return traffic from your request would not be intercepted, and the nature of encryption used on the web means that they couldn't get into the packets in real time to successfully perform an attack.

So, yeah, encrypted communication is not vulnerable to this unless the encryption is weak or the attacker has the private key that is being used by whatever online service you're using.  The possibility of this kind of attack is actually factored in to the encryption systems used on the internet.

bottom line is: don't use websites that don't encrypt your personal information.

Jairus

Quote from: Reese Tora on August 29, 2008, 02:52:16 PM
bottom line is: don't use websites that don't encrypt your personal information.

So, as an idiot who only understands this stuff because you spelled it out for me, is this website safe?
Erupting Burning Sekiha Hell and Heaven Tenkyoken Tatsumaki Zankantō!!
NEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEERRRRRRRRRRRRRRRRRRDS! - Amber Williams
"And again I say unto you: bite me." - Harry Dresden
You'll catch crap no matter what sort of net you throw out - Me

Avatar by Lilchu

Faerie Alex


So, if I'm understanding this right, no. I wouldn't worry myself, I doubt how much harm someone could do with your username and password from here.
Jeez I need to update this thing.

VSMIT

Yeah, unless you've got your address, social, or some other important info, I doubt that you're in any trouble here.

Jairus

Quote from: VSMIT on August 29, 2008, 07:38:12 PM
Yeah, unless you've got your address, social, or some other important info, I doubt that you're in any trouble here.
Hm... maybe I should delete my profile from the Photo Album...

superluser

Quote from: Jairus on August 29, 2008, 07:40:16 PM
Quote from: VSMIT on August 29, 2008, 07:38:12 PM
Yeah, unless you've got your address, social, or some other important info, I doubt that you're in any trouble here.
Hm... maybe I should delete my profile from the Photo Album...

Uh, you are aware that this only applies to information being transmitted over the internet, right?

Information stored somewhere will not be compromised by this exploit, and if the information in question is already publicly available on the internet, they don't need to hack anything to get at it.

Or is my sarcasm detector broken?


Jairus

Quote from: superluser on August 29, 2008, 08:37:56 PM
Quote from: Jairus on August 29, 2008, 07:40:16 PM
Quote from: VSMIT on August 29, 2008, 07:38:12 PM
Yeah, unless you've got your address, social, or some other important info, I doubt that you're in any trouble here.
Hm... maybe I should delete my profile from the Photo Album...

Uh, you are aware that this only applies to information being transmitted over the internet, right?

Information stored somewhere will not be compromised by this exploit, and if the information in question is already publicly available on the internet, they don't need to hack anything to get at it.

Or is my sarcasm detector broken?
I have a spare sarcasm detector, if you would like to borrow it until you get your current one up and running again.

Reese Tora

In the case of THIS site, the only information vulnerable would be your PMs and your username & password (and, I suppose, any information in your profile that you've chosen to have remain hidden from public view, but only if they logged in as you to view it having got your password)

I'm not sure if there's anything protecting the password when it's transmitted; you'd have to ask the resident code monkey.

Mostly what is protecting what little information is vulnerable here is the fact that we're a small forum, and not a likely target for a targeted attack like this.  I know, security through obscurity is NOT good security, but it's true that we're unlikely to be a target.  About the only information useful to malicious people that could be taken is email addresses for sending spam.

Eibborn

...It's probably bad that this thread reminded me that I had to do some online banking. :B
/kicks the internet over

Jairus

Quote from: Eibbor_N on August 30, 2008, 12:52:14 PM
...It's probably bad that this thread reminded me that I had to do some online banking. :B
... probably. Then again, I've been reminded of weirder things before. I'm still trying to figure out how "picture of sword = name of second grade teacher."

superluser

Quote from: Eibbor_N on August 30, 2008, 12:52:14 PM
...It's probably bad that this thread reminded me that I had to do some online banking. :B

Banks don't fool around with this sort of stuff, so they're probably one of the most immune to it.

First, they use HTTPS, which is encrypted.  Also, they use a number of anti-phishing techniques.  My bank, for example, had me choose an image that the bank will display any time they ask me for a password.  If someone tried to reroute me, they'd also have to break into my bank's system to determine which image I have chosen.


rabid_fox


About halfway through the explanation, my brain cut in and said, "It's magic. Stop reading."


superluser

I bring news.

A birdie tells me that SIDR, a replacement for BGP, is making headway.  You can find a Powerpoint (ugh) presentation here.  There's also a PDF available for $25.  If you're really interested, I might be able to get a copy and answer any questions.

Also, word on the street is that SIDR may go live at large ISPs and RIRs late this year.


llearch n'n'daCorna

meh.

Old news. Not even a flaw. It's _designed_ like that.

I'll explain why when I get home.
Thanks for all the images | Unofficial DMFA IRC server
"We found Scientology!" -- The Bad Idea Bears

superluser

Quote from: llearch n'n'daCorna on September 04, 2008, 07:14:25 PM
Old news. Not even a flaw. It's _designed_ like that.

Hence BAD: Broken As Designed.

There is a new issue, however, in that it was easy to detect subversion before, and this exploit is much more difficult to detect or fix.


Valynth

Quote from: llearch n'n'daCorna on September 04, 2008, 07:14:25 PM
meh.

Old news. Not even a flaw. It's _designed_ like that.

I'll explain why when I get home.

Because otherwise the 'net would move as slow as molasses due to the continuously growing pile of code that would be needed to check authenticity, yet be completely useless?

And yes, the pile of code will need to grow continuously and be ineffective since the very fact that a person CAN connect to the 'net introduces a massive security hole that, if plugged, would negate the very purpose of the 'net.
The fate of the world always rests in the hands of an idiot.  You should start treating me better.
Chant for something good and it may happen
Chant for something bad and it will happen
C.O.D.:  Chronic high speed lead poisoning  (etch that on my grave)

llearch n'n'daCorna

It boils down to this:

Your ISP allows other people to tell it where to send traffic. If they've got any brains, they only allow people to claim to route traffic for things that they actually have; you don't accept routes from Pakistan, to bring something from a recent news story, that claim to have a highest priority route for your own clients. Nor do you accept random junk from people without confirming that they should be able to provide what they're saying they can.

Some basic filters, and the problem doesn't show up because anyone who tries to invoke it falls foul of the filters. And promptly gets dropped...
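An added example (not code from anyone in this thread) of the two points Reese and llearch make: a toy route table in Python where a bogus, more-specific announcement wins longest-prefix selection no matter how short the real path is, and where a per-peer prefix filter of the kind llearch describes rejects it before it is ever installed. All ASNs and prefixes are constructed documentation values, and the rejected list is what an operator would feed into alerting.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network  # destination block being announced
    as_path: tuple                 # ASNs the announcement crossed, nearest first
    peer_as: int                   # neighbour that handed us the announcement


class Router:
    def __init__(self, local_as):
        self.local_as = local_as
        self.rib = []        # announcements we accepted
        self.allowed = {}    # peer_as -> blocks that peer is permitted to announce
        self.rejected = []   # (route, reason): the thing an operator would alert on

    def set_filter(self, peer_as, prefixes):
        self.allowed[peer_as] = [ipaddress.ip_network(p) for p in prefixes]

    def announce(self, prefix, as_path, peer_as):
        route = Route(ipaddress.ip_network(prefix), tuple(as_path), peer_as)
        permitted = self.allowed.get(peer_as)
        # No filter configured for this peer means "trust whatever it says".
        if permitted is not None and not any(route.prefix.subnet_of(p) for p in permitted):
            self.rejected.append((route, "prefix not permitted for peer"))
            return False
        self.rib.append(route)
        return True

    def best_route(self, address):
        addr = ipaddress.ip_address(address)
        matches = [r for r in self.rib if addr in r.prefix]
        if not matches:
            return None
        # Most specific prefix wins outright; AS-path length only breaks ties,
        # so a bogus /25 beats a legitimate /24 however short the real path is.
        return min(matches, key=lambda r: (-r.prefix.prefixlen, len(r.as_path)))


def hijack_scenario(with_filter):
    """Return (peer chosen for 203.0.113.10, number of rejected announcements)."""
    r = Router(local_as=64496)                     # constructed: our AS
    if with_filter:
        r.set_filter(64497, ["203.0.113.0/24"])    # upstream may carry the victim's block
        r.set_filter(64499, ["198.51.100.0/24"])   # rogue peer is registered for this only
    r.announce("203.0.113.0/24", [64497, 64498], peer_as=64497)  # legitimate, origin 64498
    r.announce("203.0.113.0/25", [64499], peer_as=64499)         # bogus more-specific
    best = r.best_route("203.0.113.10")
    return best.peer_as, len(r.rejected)
```

Without filters the rogue peer is selected; with the per-peer prefix filter the bogus /25 lands in `rejected` and the legitimate upstream carries the traffic.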

superluser

Quote from: llearch n'n'daCorna on September 05, 2008, 01:29:04 AM
Your ISP allows other people to tell it where to send traffic. If they've got any brains, they only allow people to claim to route traffic for things that they actually have; you don't accept routes from Pakistan, to bring something from a recent news story, that claim to have a highest priority route for your own clients. Nor do you accept random junk from people without confirming that they should be able to provide what they're saying they can.

Did you see the bit in the Wired article where they address this?  You can filter your own network, but you can't filter other networks not in your control, and if *they* don't filter their own networks, you have a problem.

You can solve that issue by telling your competitors the exact boundaries of your address space...but that's not the sort of information that you want to give competitors.


llearch n'n'daCorna

... they're not usually competitors, they're people you have a business relationship with, since they're providing you service...

superluser

Quote from: llearch n'n'daCorna on September 05, 2008, 12:47:50 PM
... they're not usually competitors, they're people you have a business relationship with, since they're providing you service...

Filtering also requires ISPs to disclose the address space for all their customers, which is not information they want to hand competitors.

Thus says the article.

They're peers, right?  Just because they're peers doesn't mean that they're not also competitors.  AT&T and Sprint are peers, but you'd be hard pressed to say they're not also competitors.

Though I do admit that I have no formal training in this area and I'm at the limits to any real knowledge about BGP.


llearch n'n'daCorna

...

Er. BGP also discloses the address space. It's what it's supposed to do, and why you use it.

Considered the option that it might be poor journalism? ;-]

superluser

Quote from: llearch n'n'daCorna on September 05, 2008, 02:46:23 PM
Considered the option that it might be poor journalism? ;-]

Fair enough.  I discussed this with some other people (some of whom have written RFCs) and the subject never came up, so I assumed that the journalism was correct.

I will, however, point out that NANOG seems to think that filtering isn't being done today.

I can ask the people I talked to for their assessment of filtering options.


llearch n'n'daCorna

It's also possible that the people who explained it to me were mistaken. ;-] NANOG is almost certainly a better place for getting the information.

I'd be interested to know what your friends had to say; it's not an area I poke into, other than happening to listen to some folks talk about it...