It is disturbingly easy to attack the backbone of the Internet to block access to a major online service like YouTube, or to intercept online communications at vast scale.
So say security researchers trying to rouse their industry into doing something about long-standing weaknesses in the protocol that works out how to route data across the different networks making up the Internet. Almost all the infrastructure running that protocol does not even use a basic security technology that would make it much harder to block or intercept data.
“The technology is available—the problem is we’re not using it,” said Wim Remes, manager of strategic services at security company Rapid7, in a talk at the Black Hat security conference in Las Vegas Wednesday. “There is limited probability of these attacks but the impact once they happen is huge.”
The weakness lies in the border gateway protocol, or BGP. Large routers operated by Internet service providers and major corporations use BGP to figure out how to get data between different places. Each of these major routers turns to others like itself—ones operated by other companies—for the information it needs to most efficiently dispatch data to its destination. Companies operating the routers manually choose which other routers theirs will trust.
Unfortunately, BGP doesn’t have security mechanisms built in that allow routers to verify the information they are receiving or the identity of the routers providing it. Very bad things can happen when routers spread incorrect information about how to route data, intentionally or otherwise.
That problem has been known for decades. It was the basis of the hacking group L0pht’s 1998 claim before Congress that they could take down the Internet in 30 minutes. But incidents that have illuminated BGP’s flaws have prodded some security companies to take it more seriously.
In 2013, the security company Renesys observed several instances in which U.S. Web traffic was inexplicably diverted via Belarus and Iceland, in what may have been a “man in the middle” attack designed to covertly intercept data. In June this year, a Malaysian ISP misconfigured its routers and caused traffic from around the world to converge on its network, leading to hours of outages or sluggish performance for services including Snapchat, Skype, and Google. Artyom Gavrichenkov, a researcher with the security company Qrator, showed at Black Hat how BGP could be manipulated to obtain a security certificate in the name of a particular website without permission, making it possible to impersonate it and decrypt secured traffic.
Remes of Rapid7 says that companies running BGP infrastructure aren’t taking the risks of such problems seriously enough. A technology called RPKI can be used to give routers a way to verify that information they receive from others is valid. But only 16 of the world’s most heavily accessed sites have implemented it, and Facebook is the only site in the top 10 to have done so, he said.
Andree Toonk, manager of network engineering at OpenDNS, a security company recently acquired by Cisco Systems, says even wide adoption of RPKI would only go some way to addressing the hazards of BGP because it’s possible to work around it. “It solves 90 percent of the problem, but it is not foolproof,” he said.
In his own talk at Black Hat on Thursday, Toonk planned to describe a system of probes he set up around the world to track the activity of BGP routers. OpenDNS is to launch a kind of public alert system that will broadcast worrying changes in data routes via Twitter.