
Problematic protocol that directs all Web traffic finally gets attention

Security professionals have long overlooked Border Gateway Protocol, one of the most insecure parts of Internet infrastructure. But this year it was the subject of three talks at the Black Hat security conference in Las Vegas.

Courtesy of Black Hat
A packed house came to see Artyom Gavrichenkov present "Breaking HTTPS with BGP Hijacking" at this year's Black Hat security conference in Las Vegas.

The Border Gateway Protocol is as important to the Internet as it is completely unrecognizable by most people that use it. But that’s starting to change.

Though most people have heard of HTML, it’s possible to use the Internet without it. Most people have never heard of BGP, but it affects all Internet traffic. And while a large movement of experts has pushed to bring default security to the Web by increasing the use of HTTPS encrypted communications, relatively few have campaigned for securing BGP – a protocol that’s been known to lack basic defenses since it was introduced 25 years ago.

It's relatively anonymous even in the security community. From 2007 to 2014, a total of two talks at the venerable Black Hat security conference dealt with BGP. At this year's conference, which just concluded in Las Vegas, there were three.

"There has been a big movement around HTTPS, maybe there will be a movement around BGP next," says Wim Remes, a strategic services manager at the security firm Rapid7. He gave one of this year's BGP talks titled "Internet Plumbing for Security Professionals: The State of BGP Security." He delivered it to a packed room.

BGP is the protocol that routes traffic on the Internet. It was invented in 1989 and almost immediately outed as entirely insecure. People have been trying to fix it since the 1990s. So far, no efforts have made a dent.

But now, with BGP increasingly being used as an attack vector, the security industry is beginning to look more seriously at how it can fix this long-ailing part of the Internet's infrastructure. 

“When we’ve been talking BGP in the past, all the events that caused damage were misconfigurations. In the past two years, it’s actually gotten malicious,” says Sharon Goldberg, an associate professor of computer science at Boston University.

In 2014, hackers used BGP to hijack a distributed Bitcoin mining operation, netting $80,000 in the process. Even the notorious Italian spyware supplier Hacking Team, the subject of much scrutiny after its source code was leaked online, is reported to have used BGP for digital attacks.

When the Internet was coming of age, it was often described as the "information superhighway." But it’s really more like the airways than roadways. Like air travel, Internet traffic requires multiple connections to get where it’s going, passing through a series of routers owned by corporations or countries that don’t necessarily allow direct links. BGP is the protocol that determines the best path for data to take to reach its destination.

With thousands of groups that have routers, getting the broad consensus needed for change is incredibly tough. Even so, many experts say that shouldn't be an excuse for not changing BGP. Currently, it has no mechanism to authenticate whether or not a router is actually entitled to announce a specific IP address range. And without authentication, it’s possible to reroute traffic to the wrong place, allowing an attacker to cut off access to sites, or to impersonate them.

BGP attacks require access to routers – it's not something angsty teenagers can do from their bedroom. But as hacking threats have become better organized, and sometimes even state-sponsored, hackers are beginning to clear the very high bar for entry to this attack vector.

Even though attackers have only recently begun using BGP as a weapon, researchers have had solutions ready for nearly 20 years. "The problem is in adopting a solution," says Mr. Remes of Rapid7. “There are no incentives to adopt RPKI technology.”

The Resource Public Key Infrastructure (RPKI) is one of the most popular solutions. It allows the same organization that grants IP addresses to grant Route Origin Authorizations, which are secure certificates to authenticate proper access.
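The article describes two things a reader may want to see concretely: that BGP itself cannot tell a legitimate announcement from a bogus one (a more-specific announcement for someone else's address space simply wins longest-prefix selection), and that a Route Origin Authorization gives a router a fact it can check against. The following is an added example, written for this page and not code from the article, Rapid7, or any RPKI project. It implements the standard route origin validation outcome (valid / invalid / not-found, as defined in RFC 6811) over a handful of constructed ROAs and announcements using documentation address space and private-use AS numbers, and shows how a router that enforces the result would select a different path than one that does not.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: the address holder says which AS may
    originate this prefix, and how specific the announcement may be."""
    prefix: str       # e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the holder permits
    origin_asn: int


@dataclass(frozen=True)
class Route:
    """A BGP announcement as a router sees it: prefix plus origin AS
    (the last AS in the AS_PATH)."""
    prefix: str
    origin_asn: int


def classify(route: Route, roas: Iterable[ROA]) -> str:
    """RFC 6811 origin validation.
    valid     - a ROA covers the prefix, the origin AS matches, and the
                announcement is no more specific than max_length allows
    invalid   - at least one ROA covers the prefix but none matches
    not-found - no ROA covers the prefix (the common case today,
                since ROA coverage is still low)"""
    net = ip_network(route.prefix)
    covered = False
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        # subnet_of() refuses to compare IPv4 with IPv6, so check first
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_asn == route.origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def best_route(dest_ip: str, routes: Iterable[Route], roas: Iterable[ROA],
               enforce_rov: bool) -> Optional[Route]:
    """Longest-prefix-match selection, optionally dropping routes whose
    origin validation result is 'invalid'. Without enforcement, a bogus
    more-specific announcement beats the legitimate aggregate."""
    addr = ip_address(dest_ip)
    roas = list(roas)
    candidates = []
    for r in routes:
        if addr not in ip_network(r.prefix):
            continue
        if enforce_rov and classify(r, roas) == "invalid":
            continue  # a defender's router discards it instead of using it
        candidates.append(r)
    if not candidates:
        return None
    return max(candidates, key=lambda r: ip_network(r.prefix).prefixlen)


# Constructed sample data (documentation prefixes, private-use ASNs).
# The holder of 192.0.2.0/24 authorizes only AS64500 to originate it, and
# only as a /24 (max_length 24), so any /25 carve-out is unauthorized.
SAMPLE_ROAS = [ROA("192.0.2.0/24", 24, 64500)]

LEGIT = Route("192.0.2.0/24", 64500)        # the real origin
HIJACK = Route("192.0.2.0/25", 64511)       # someone else's more-specific
UNCOVERED = Route("198.51.100.0/24", 64501)  # no ROA published at all
SAMPLE_TABLE = [LEGIT, HIJACK, UNCOVERED]


def demo() -> dict:
    """Return the selections a router would make with and without
    enforcement, for a host inside the contested /24."""
    return {
        "without_rov": best_route("192.0.2.10", SAMPLE_TABLE, SAMPLE_ROAS, False),
        "with_rov": best_route("192.0.2.10", SAMPLE_TABLE, SAMPLE_ROAS, True),
    }


if __name__ == "__main__":
    for r in SAMPLE_TABLE:
        print(f"{r.prefix} from AS{r.origin_asn}: {classify(r, SAMPLE_ROAS)}")
    print(demo())
```

Two points the output makes visible: the hijack is classified invalid even though its prefix is perfectly well-formed, because no ROA authorizes that origin for that prefix; and the uncovered prefix comes back not-found, which real deployments must accept rather than reject while ROA coverage remains as low as the figures in the next paragraph.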

Fewer than 7 percent of websites can currently be verified with RPKI, including 3.5 percent of the Alexa top 500 sites, a ranking of the world's most popular websites. Remes estimates in a white paper that accompanied his talk that, at the current rate, it will take until 2020 for even half of IPs to be verifiable.

He hopes that, as soon as a few routers adopt RPKI, they will penalize peers who don’t with longer routing times and less access. Still, he says, it will be an even greater battle to get routers to incorporate RPKI checking services. 

“Until something is on fire, you don’t necessarily feel like you need to do anything,” says Jaeson Schultz, technical leader of Cisco’s Talos Security Intelligence and Research Group. 

Mr. Schultz is particularly excited about a major Black Hat announcement from the security network OpenDNS, which will start announcing BGP outages on Twitter (“Before us, no one announced large scale hijacks or outages,” says Dan Hubbard, chief technology officer of OpenDNS).

Schultz says he hopes the move will increase visibility of the problem, and ultimately shame those who control the backbone of the Internet into making a change. "We’re at this stage where other protocols are being worked on," Schultz says. “BGP never got the same love."

 


https://www.csmonitor.com/World/Passcode/2015/0807/Problematic-protocol-that-directs-all-Web-traffic-finally-gets-attention