A security exploit was explained and demonstrated at the DefCon conference in 2008, and this year a security research firm found it operating in the wild.
The vulnerability involves something called BGP, Border Gateway Protocol. If you're an internet backbone provider, you mainly move packets between networks, not within networks. You maintain and advertise BGP lists that announce what networks are tied to you and what networks you know about, so if you receive a packet destined for network X and you don't know X, but you know W and it's near X, you send the packet to W.
The way the hack works is that the attacker sends a BGP announcement claiming to service networks X, Y, Z, and sends it in such a way that packets destined for those networks go to the hackers instead. And this has happened before by accident: someone screws up a BGP list, it propagates, and all of a sudden some servers go dark. This happened not too long ago when Pakistan tried to filter YouTube so that certain videos were not viewable within Pakistan; instead it sucked all requests for YouTube videos into a black hole that took a couple of hours to fix.
Through some clever engineering, these hackers have done a two-part hack. They propagate the poisoned BGP lists to select backbone providers, so the traffic gets diverted to the crooks, then they propagate different manipulated BGP lists to other backbone providers so the traffic eventually gets to where it was supposed to go in the first place. The only way you'd notice is if you did a traceroute or had some sort of real-time chat going on. With the traceroute you'd see the traffic that should have gone from, say, Los Angeles to New York going all over Europe before coming back to North America. A person in a real-time activity would notice a delay, but unless they did a traceroute, they might think it was just one of the internet's occasional slowdowns. Web sites might be a little slow responding, and if you were sending email, you wouldn't notice a thing since it is never instantaneous delivery anyway.
But while the packets are in the hands of the middleman, they can be copied and altered. Any non-encrypted traffic is open to their eyes: email attachments, spreadsheets, PowerPoint presentations of corporate strategies, banking information, VoIP traffic, etc.
Lovely, eh? The article goes on to describe how organizations can monitor for this, but the easiest step is quite simple: encrypt ALL internet traffic.
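As an added illustration (not code from this post or the Wired article), here is the kind of route-origin check a network monitor can run over the BGP announcements it collects. It assumes a constructed table of which AS number is expected to originate each prefix; the prefixes, AS numbers and announcements are all made up.

```python
"""Constructed example of a route-origin monitor: flag BGP announcements for
prefixes we care about when the originating AS is not the one we expect.
The prefixes, AS numbers and announcements below are made up for illustration."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical operator table: prefix -> AS numbers allowed to originate it
# (a simplified stand-in for what an RPKI ROA or IRR route object records).
EXPECTED_ORIGINS: Dict[str, Set[int]] = {
    "192.0.2.0/24": {64500},
    "198.51.100.0/22": {64501},
}

def check_announcement(prefix: str, as_path: List[int]) -> Optional[Tuple[str, str]]:
    """Return (verdict, covering_prefix) if the announcement conflicts with the
    expected origin, or None when it is consistent or outside our table.

    The origin AS is the last hop of the AS_PATH. A more-specific sub-prefix
    from a foreign origin is flagged separately, because routers prefer the
    longest matching prefix and will follow it over the legitimate route."""
    announced = ipaddress.ip_network(prefix, strict=False)
    origin = as_path[-1]
    for known, allowed in EXPECTED_ORIGINS.items():
        covering = ipaddress.ip_network(known)
        if announced.version != covering.version or not announced.subnet_of(covering):
            continue
        if origin in allowed:
            return None            # legitimate origin, even for a sub-prefix
        if announced == covering:
            return ("origin mismatch", known)
        return ("more-specific hijack", known)
    return None  # nothing in our table covers this prefix

def scan(announcements: List[Tuple[str, List[int]]]) -> List[Tuple[str, int, str, str]]:
    """Run the check over a batch; return (prefix, origin_as, verdict, covering_prefix)."""
    alerts = []
    for prefix, path in announcements:
        result = check_announcement(prefix, path)
        if result is not None:
            alerts.append((prefix, path[-1], result[0], result[1]))
    return alerts

# Constructed announcements, as (prefix, AS_PATH) pairs a route collector might see.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64510, 64500]),      # normal route from the expected origin
    ("192.0.2.0/25", [64510, 64666]),      # foreign AS announcing a more-specific slice
    ("198.51.100.0/22", [64666]),          # foreign AS claiming the whole block
    ("203.0.113.0/24", [64510]),           # not in our table: ignored
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_ANNOUNCEMENTS):
        print("ALERT: prefix %s from AS%d: %s (covers %s)" % alert)
```

This catches the first half of the two-part hack (the announcement that pulls traffic toward the attacker); the return leg described above leaves no origin conflict and is what the traceroute detour reveals.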
http://www.wired.com/threatlevel/2013/12/bgp-hijacking-belarus-iceland/