ACM TechNews
Revealed: The Internet's Biggest Security Hole
Wired News (08/26/08) Zetter, Kim

Eavesdropping via Border Gateway Protocol (BGP) is no longer a theoretical vulnerability, as demonstrated by security researchers Anton Kapela and Alex Pilosov at the recent DefCon hacker conference. They unveiled a method that exploited the protocol so that they could silently monitor and intercept unencrypted Internet traffic bound for the conference network and reroute it to a system they controlled, and it is feared that this tactic could be used to commit corporate espionage, nation-state surveillance, and data mining by intelligence agencies without the need for ISP cooperation. Kapela said the security hole is not an actual software bug or protocol error, but rather a flaw that stems from "the level of interconnectivity that's needed to maintain this mess, to keep it all working." BGP's trust-based architecture makes the protocol vulnerable to claims from unfriendly routers that they are trustworthy, and Pilosov and Kapela have eliminated the outages such hijacks typically generate by forwarding the intercepted data surreptitiously to the actual destination. To prevent the data from boomeranging back to the attacker, the researchers employ Autonomous System (AS) path prepending that causes a chosen number of BGP routers to reject their deceptive advertisement, and then use these ASes to route the captured data to the appropriate recipients. Kapela noted that ISPs could prevent BGP eavesdropping by aggressively filtering to permit only authorized peers to draw traffic from their routers, and only for particular IP prefixes. The problem lies in the enormous amount of work this would entail, and the unaffordable cost of performing such filtering on a global scale. Douglas Maughan with the Department of Homeland Security's Science and Technology Directorate concluded that "the only thing that can force [ISPs to fix BGP] is if their customers ... start to demand security solutions."
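As an added illustration (not from the Wired article or the researchers' work), the following Python models the inbound prefix filtering Kapela describes: an origin AS may announce only the prefixes it is authorized for, and an announcement covering part of another AS's block, the shape of the hijack shown at DefCon, is rejected. The authorization table, the AS numbers and the sample announcements are constructed.

```python
import ipaddress

# Constructed, hypothetical authorization table: origin AS -> prefixes it may announce.
# Operators would build this from IRR route objects or RPKI ROAs, not by hand.
AUTHORIZED = {
    64500: [ipaddress.ip_network("203.0.113.0/24")],
    64501: [ipaddress.ip_network("198.51.100.0/22")],
}
MAX_IPV4_PREFIXLEN = 24  # common practice: ignore IPv4 announcements more specific than /24

def evaluate_announcement(prefix_str, as_path, authorized=AUTHORIZED):
    """Decide whether to accept one BGP UPDATE given its prefix and AS_PATH.

    The origin AS is the last element of AS_PATH; prepending only adds entries
    in front of it. Returns (verdict, reason), verdict being "accept" or "reject".
    """
    prefix = ipaddress.ip_network(prefix_str, strict=False)
    origin = as_path[-1]
    if prefix.prefixlen > MAX_IPV4_PREFIXLEN:
        return "reject", f"{prefix} is more specific than /{MAX_IPV4_PREFIXLEN}"
    # Prefix-list check: the origin may announce this prefix or a sub-prefix of it.
    for allowed in authorized.get(origin, []):
        if prefix.subnet_of(allowed):
            return "accept", f"AS{origin} is authorized for {allowed}"
    # Hijack shape: an equal or more-specific prefix inside another AS's block.
    for owner, nets in authorized.items():
        for allowed in nets:
            if owner != origin and prefix.subnet_of(allowed):
                return "reject", f"{prefix} lies inside {allowed} owned by AS{owner}"
    return "reject", f"AS{origin} is not authorized for {prefix}"

# Constructed sample UPDATEs: (prefix, AS_PATH). The second one is a more-specific
# of another AS's block carried on a prepended path; the third is too specific.
SAMPLE_UPDATES = [
    ("203.0.113.0/24", [64496, 64500]),
    ("198.51.100.0/24", [64496, 64499, 64499, 64499]),
    ("203.0.113.0/25", [64496, 64500]),
    ("192.0.2.0/24", [64498]),
]

def run_filter(updates=SAMPLE_UPDATES):
    """Apply the filter to every sample UPDATE; returns {prefix: verdict}."""
    return {prefix: evaluate_announcement(prefix, path)[0] for prefix, path in updates}

if __name__ == "__main__":
    for prefix, path in SAMPLE_UPDATES:
        verdict, reason = evaluate_announcement(prefix, path)
        print(f"{verdict:6} {prefix:18} path={path}: {reason}")
```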
© Copyright 2008 Information, Inc. This service may be reproduced for internal distribution.