More on BGP Spoofing

They say the Internet was designed for surveillance… here’s one example. I’ve covered this before, but it’s such a serious problem it’s worth discussing again.

Anyone with some technical skill can redirect traffic intended for any website and send it to the server of their choosing. No logs or traces of the attack are likely to remain afterwards, and this attack is nearly impossible to block. It’s designed into the fabric of the ‘net.

As much as I hate to say it, end-to-end authentication — done much better than we currently do, as currently many well-resourced companies and any government can impersonate most “secure” websites — is probably the only solution.

“The scariest hack of them all on the internet has been around for a long time, but it doesn’t get a lot of attention in the broader tech press. It’s BGP spoofing and it compromises the most basic functions of the internet: the routing of data from one system to another.

Effective use of BGP spoofing is not within the reach of script kiddies, but there’s a lot of it going on. How much? Nobody knows and nobody can know. It’s possible to detect that an attack is going on, but it’s impossible to prevent it and it may be difficult to stop an attack in progress.[…]

The internet is a network of networks. Routers are used to move data between networks according to IP addresses that are stored in their routing tables. Routers will advertise to each other that they use certain addresses.

But — and this is very important — there is no authority to check to confirm that a particular address belongs to a particular network. There are organizations, such as RIPE in Europe and ARIN for the US and Canada, which allocate IP addresses (all they have left is IPv6 addresses), but there’s nowhere you can check to confirm an allocation authoritatively. Because of this, the updating of routing tables is done entirely on trust.

Consider this simplistic example: ISP1 has the address space and ISP2 has They each advertise their space to the other. Now ISP3 advertises to ISP1 and asks ISP1 to advertise its addresses, which it does. ISP1 becomes a transit provider for ISP3, a service for which ISP3 pays ISP1. But ISP1 has no real way to confirm that ISP3’s advertisements are accurate.

Here’s another important point: shorter routes get higher priority from the router. If ISP3 were to advertise a small subset of addresses to ISP1 with shorter paths than what ISP1 already had, ISP1 would follow those routes instead of what was already in the routing table.

It’s important to note that in order to execute this attack you need control of an ISP router. You might think that this would be hard to do, and it’s harder than it used to be, but it’s not impossible. It’s still possible to find routers with default admin passwords or passwords on a common dictionary list. And once you do and take control, there’s nothing to stop you from advertising Bank of America addresses on your network.[…]

If you find out that an ISP has bogus routes to your network what can you do? All you can do is call them and ask them (nicely or otherwise) to withdraw the route, but you can’t make them. If they don’t respond adequately you can complain to their upstream providers and ask them to block the route, but once again there is no official mechanism for doing this because there is no authority in charge of it, and you probably don’t even have a relationship with the ISP to which you’re complaining.

Of all the attacks happening under the radar on the internet, the most dangerous ones are likely based on BGP spoofing. It’s the best reason to assume that a lot more network compromising, by criminal and government actors, is happening than is officially acknowledged, and even the officials don’t really know how much is happening. What can be done? If Dave Rand doesn’t know then I sure don’t.”
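The two mechanics the quoted piece relies on, that a more-specific announcement captures traffic before any other attribute is compared and that a shorter AS path wins among announcements of the same prefix, can be shown in a small model of a router's table, together with the kind of origin check the article says nobody authoritative provides. The following is an added example, not code from the quoted article or from any router vendor: the ASNs (private 6500x numbers), the RFC 5737 documentation prefixes, the single-step "shortest AS path" decision rule (real BGP evaluates local preference and other attributes first) and the `REGISTRY` dict standing in for an operator's own allowlist of prefix to expected origin AS are all constructed assumptions.

```python
"""Toy model of BGP best-path selection plus a prefix-hijack detector.

Constructed example: ASNs, prefixes and the registry below are made up
(private ASNs and RFC 5737 documentation space), not taken from the article.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple          # ASes traversed; the last one originated the prefix
    learned_from: str       # label of the neighbour that advertised it

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


class RoutingTable:
    """Simplified BGP RIB: keeps every advertisement, picks a best path on lookup."""

    def __init__(self):
        self.routes = {}    # prefix -> list of candidate Route objects

    def advertise(self, route: Route) -> None:
        self.routes.setdefault(route.prefix, []).append(route)

    def best_for_prefix(self, prefix) -> Route:
        # Assumed single-step decision rule: shortest AS path wins among
        # candidates for the same prefix (real BGP checks local pref first).
        return min(self.routes[prefix], key=lambda r: len(r.as_path))

    def lookup(self, address: str):
        addr = ipaddress.ip_address(address)
        covering = [p for p in self.routes if addr in p]
        if not covering:
            return None
        # Longest-prefix match happens before any BGP attribute is compared,
        # so a more-specific announcement always captures the traffic.
        most_specific = max(covering, key=lambda p: p.prefixlen)
        return self.best_for_prefix(most_specific)


def detect_hijacks(table: RoutingTable, registry: dict) -> list:
    """Flag advertisements covered by a registered block whose origin AS differs.

    `registry` is an assumed operator-maintained allowlist (prefix -> legitimate
    origin AS); it is what a defender keeps for their own address blocks."""
    alerts = []
    for prefix, candidates in table.routes.items():
        for route in candidates:
            for reg_prefix, legit_as in registry.items():
                if prefix.subnet_of(reg_prefix) and route.origin_as != legit_as:
                    alerts.append((str(prefix), route.origin_as, legit_as, route.learned_from))
    return alerts


# Constructed actors: the bank's block and the three ISPs from the article's scenario.
BANK_AS, ISP1_AS, ISP2_AS, ISP3_AS = 65010, 65001, 65002, 65030
BANK_BLOCK = ipaddress.ip_network("203.0.113.0/24")
REGISTRY = {BANK_BLOCK: BANK_AS}


def isp1_table_before() -> RoutingTable:
    """ISP1's table with only the legitimate route, learned via ISP2."""
    t = RoutingTable()
    t.advertise(Route(BANK_BLOCK, (ISP2_AS, BANK_AS), "ISP2"))
    return t


def isp1_table_more_specific_hijack() -> RoutingTable:
    """ISP3 (ISP1's customer) announces a /25 inside the bank's /24."""
    t = isp1_table_before()
    t.advertise(Route(ipaddress.ip_network("203.0.113.0/25"), (ISP3_AS,), "ISP3"))
    return t


def isp1_table_same_prefix_hijack() -> RoutingTable:
    """ISP3 announces the exact /24 but with a shorter AS path than ISP2's."""
    t = isp1_table_before()
    t.advertise(Route(BANK_BLOCK, (ISP3_AS,), "ISP3"))
    return t


def demo() -> dict:
    specific = isp1_table_more_specific_hijack()
    return {
        "before_origin": isp1_table_before().lookup("203.0.113.10").origin_as,
        "after_origin": specific.lookup("203.0.113.10").origin_as,
        "after_via": specific.lookup("203.0.113.10").learned_from,
        "unaffected_origin": specific.lookup("203.0.113.200").origin_as,  # outside the /25
        "same_prefix_origin": isp1_table_same_prefix_hijack().lookup("203.0.113.10").origin_as,
        "alerts": detect_hijacks(specific, REGISTRY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows that before the hijack a lookup of 203.0.113.10 resolves to the bank's AS, that the /25 announcement from ISP3 captures that address while 203.0.113.200 (outside the /25) is untouched, and that even an exact-prefix announcement wins under the assumed shortest-path rule. `detect_hijacks` is the defender-side piece: it cannot stop ISP1 from accepting the route, matching the article's point, but it turns the event into an alert that can back the phone call to the offending provider.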
