BGP spoofing - why nothing on the internet is actually secure
Effective use of BGP spoofing is not within the reach of script kiddies, but there's a lot of it going on. How much? Nobody knows and nobody can know. It's possible to detect that an attack is going on, but it's impossible to prevent it and it may be difficult to stop an attack in progress.
Dave Rand, Technical Fellow at Trend Micro. Back in the mid-90's Rand worked at an ISP and first encountered BGP spoofing used to facilitate spamming. The routing in the mail headers of the spam looked particularly genuine because all the addresses were correct. At the bottom of it was a compromised router at an ISP. Dave has known over years about BGP spoofing. He's always considered it a very serious problem that is fundamentally insolvable and I'd like to thank him for all the information below.
networkingIn the hands of a talented attacker, BGP spoofing can perform startling attacks and can't be stopped
How is all this possible? It starts with the very basics of how the internet works.
The internet is a network of networks. Routers are used to move data between networks according to IP addresses that are stored intheir routing tables. Routers will advertise to each other that they use certain addresses.
But — and this is very important — there is no authority to check to confirm that a particular address belongs to a particular network. There are organizations, such as RIPE in Europe and ARIN for the US and Canada, which allocate IP addresses (all they have left is IPv6 addresses), but there's no where you can check to confirm an allocation authoritatively. Because of this, the updating of routing tables is done entirely on trust.
Consider this simplistic example: ISP1 has the address space 18.104.22.168/8 and ISP2 has 22.214.171.124/8. They each advertise their space to the other. Now ISP3 advertises 126.96.36.199/8 to ISP1 and asks ISP1 to advertise its addresses, which it does. ISP1 becomes a transit provider for ISP3, a service for which ISP3 pays ISP1. But ISP1 has no real way to confirm that ISP3's advertisements are accurate.
Here's another important point: shorter routes get higher priority from the router. If ISP3 were to advertise a small subset of addresses to ISP1 with shorter paths than what ISP1 already had, ISP1 would follow those routes instead of what was already in the routing table.
It's important to note that in order to execute this attack you need control of an ISP router. You might think that this would be hard to do, and it's harder than it used to be, but it's not impossible. It's still possible to find routers with default admin passwords or passwords on a common dictionary list. And once you do and take control, there's nothing to stop you from advertising Bank of America addresses on your network.
I suspect that the large majority of erroneous advertisements are, well, erroneous. They're not malicious, they're just screwups. There was a recent incident where some bad routes in NedZone Internet BV's network included Amazon.com and a bunch of big banks. It looks way too brazen to be an attack.
If you really wanted to be effective and surreptitious with such an attack you'd be lower-profile. You'd attack the router of a small or mid-size ISP and you'd only advertise it for a short time, but during that time you'd have other attacks, like cross-site scripting and targeted spam, ongoing against that ISP's users. When they attempt to communicate with their bank or retailer they will instead go to your servers; you can spoof those servers, see the cookies, it all depends on how ornate you want to get, but all you really need is to get users to log on to the site, which can satisfy SSL and get the little lock icon because the attacker can control those addresses too. Once you have validated logins for those accounts you can sell them for a lot.
Sometimes malicious attacks are not for profit, but just network vandalism. In 2008 there was a dispute between YouTube and the government of Pakistan about certain content. Sometime later false BGP routes pointed YouTube traffic in much of Europe to Pakistan Telecom, stealing traffic from YouTube but also flooding Pakistan Telecom with all of YouTube's traffic. RIPE, the regional internet registry for Europe, has a fascinating YouTube video of how it happened.
After an attack like this there may be no footprints left. Nobody logs router advertisements. There are groups that log and analyze the global routing table, such as the fascinating CIDR Report, and look for routes that don't make sense. But these only catch changes that propagate out to the global routing table. A transient advertisement which only goes to an ISP's peer and not a transit provider won't get to the global table. And even if it does, by the time anyone can see what's going on it will be too late.
It's impossible to block BGP spoofing attacks in a consistent, automated fashion, but it is possible to apply some common sense and experience, what you might call heuristics, to determine that a route isn't kosher. If a small ISP in Brazil starts advertising routes to PayPal then an experienced CNE might think twice about replicating it. But these things don't usually get vetted by a human being; there's too much going on. All ISPs advertise their routes to the other networks to which they connect and these companies (there are 30 or 40 thousand ISPs now) have a relationship and contracts, so they trust each other. And if they wanted to check the addresses they couldn't; there's no authoritative place to check.
You might complain that best administration practices, such as good route filtering, would prevent these attacks, and there's something to that. You can certainly prevent a lot of them with best practices. There are other practices that can make it harder to exploit such attacks successfully, such as using strong encryption and authentication for all local traffic, but there's no technique that will block these attacks in all cases.
If you find out that an ISP has bogus routes to your network what can you do? All you can do is call them and ask them (nicely or otherwise) to withdraw the route, but you can't make them. If they don't respond adequately you can complain to their upstream providers and ask them to block the route, but once again there is no official mechanism for doing this because there is no authority in charge of it, and you probably don't even have a relationship with the ISP to which you're complaining.
Of all the attacks happening under the radar on the internet, the most dangerous ones are likely based on BGP spoofing. It's the best reason to assume that a lot more network compromising, by criminal and government actors, is happening than is officially acknowledged, and even the officials don't really know how much is happening. What can be done? If Dave Rand doesn't know then I sure don't.
Saturday, March 7, 2015