Hacking internet backbones - it's easier than you think

Network backbone technologies used to route traffic over large corporate networks are vulnerable to large-scale hijacking attacks, according to two researchers who released freely available software on Thursday to prove their point. The tools, demonstrated at the Black Hat security conference in Amsterdam, are intended to show …

COMMENTS

This topic is closed for new posts.
  1. Steven

    Everything is Possible

    Everything is Possible... Impossible just takes longer. There is no such thing as hacker-proof; even encryption just makes the hacker's life harder, but it is not foolproof and never will be. As technology gets faster, so too does "breaking" (guessing all the possible combinations, not really breaking) the encryption.

  2. Chris Miller

    Physical access required?

    "If somebody gets access to this network, it's quite easy to cause disastrous havoc."

    If a third party can gain physical access to your or your carrier's backbone, it's pretty much game over.

  3. jake

    @Chris Miller

    "If a third party can gain physical access to your or your carrier's backbone, it's pretty much game over."

    Kinda.

    In the old days it was fairly easy. Pull the lid on a telco repeater site (conveniently spaced roughly a mile apart, clear across the country), plug into the test/monitor port on the repeater, and there's your SF or ESF framed signal. As it was pulled out of the repeater portion of the circuitry (duplicated, not watched in transit), it wouldn't even send a blue alarm to either end of the circuit, because the circuit was never broken. Piece o'cake. The only hard part was figuring out which of many twisted pairs contained the signal you wanted.

    These days, with long-haul fiber, you have to either have physical access to the terminating equipment, or have access to some rather esoteric gear that is capable of reading fiber without breaking it, or physically break into the fiber to install your own monitorable repeater ... All of these three are going to raise some serious security flags in a hurry.

    And of course, as the article pointed out, if it's even faintly proprietary, encrypt it.

    So basically, if nobody's looking over your shoulder (either literally, or by way of a keylogger or other method), the carriers are to all intents and purposes as secure as they need to be. The authors of the study are fear mongering, at least as far as I'm concerned.

  4. Tom

    Interesting.

    @ Chris Miller

    That's an interesting read of what you write, though, are you not missing the point that is written into the article that the two researchers released freely available SOFTWARE, and demonstrated that it was possible at the Black Hat security conference in Amsterdam? Therefore, I doubt very much that this is fear mongering as you put it, but more of a reality.

  5. jake

    @Tom

    I'm not Chris Miller, but I think you were responding to mine ...

    "That's an interesting read of what you write, though, are you not missing the point that is written into the article that the two researchers released freely available SOFTWARE, and demonstrated that it was possible at the Black Hat security conference in Amsterdam? Therefore, I doubt very much that this is fear mongering as you put it, but more of a reality."

    Nah. The software runs on hardware[1]. The hardware in question belongs to the carriers, not the GreatUnwashed[tm] ... If the BadGuiz(c) have physical or remote access to that hardware, the carrier in question is completely screwed and will be promptly de-peered. To you and me this is a transparent problem as it happens in (what should be) out of publicly accessible channels.

    [1] There is no such thing as software; software is merely the current state of the hardware.

  6. Phil Koenig

    @jake - re: access to hardware

    Part 1:

    Both BGP and MPLS messages are transmitted over the same public network backbone that internet packets are. Ergo: forge those control messages = control IP routing.

    BGP is more exposed because it runs over TCP, while MPLS is reputedly a "layer 2.5" protocol. However, if you are able to tap into the fiber, you essentially have access down to the physical (layer 1) layer.

    Here in Silly Valley, we were reminded a few days ago about just how exposed a carrier's infrastructure often is when someone severed 2 separate fiber rings in the San Jose area (one ATT, one Sprint), bringing down all sorts of communications for about 12 hours.

    Part 2:

    After reading one of the referenced papers, 2 points stand out. A) They are discussing MPLS *VPNs* - which actually are running over layer 3. This implies that *physical* network access is not required, only access to the data stream. (various ways of achieving that)

    B) The authors state certain background assumptions, including "Assumes attacker has access to traffic path (in core)". I note that this does not necessarily imply "access to physical hardware", only access to the "traffic path". Once again, there are ways to achieve this that do not require access to a physical router/etc.

    Note that many of the vulnerabilities revolve around the use of MD5 for authentication (for BGP, over which some of these MPLS packets are traveling), which of course is now known to be crackable.
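
The MD5 authentication Phil refers to is the TCP MD5 signature option (RFC 2385) that BGP sessions use to reject forged or altered segments. The following is an added example, not code from this thread or from the researchers' tools; it shows how a receiving peer recomputes the digest over a constructed BGP KEEPALIVE segment and drops anything tampered with or unsigned. The key, the addresses (documentation range) and the KEEPALIVE bytes are all constructed for the demo.

```python
import hashlib, hmac, struct
from ipaddress import IPv4Address
TCP_PROTO = 6
TCPOPT_MD5SIG = 19               # TCP option kind for the RFC 2385 MD5 signature
BGP_PORT = 179
KEY = b"constructed-demo-key"    # constructed sample key, not a real password
# Constructed 19-byte BGP KEEPALIVE: 16-byte all-ones marker, length=19, type=4
BGP_KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"

def tcp_md5_digest(src_ip, dst_ip, tcp_len, fixed_hdr, payload, key):
    """RFC 2385: MD5(pseudo-header || 20-byte TCP hdr with checksum=0 || payload || key); options excluded."""
    pseudo = struct.pack("!4s4sBBH", IPv4Address(src_ip).packed,
                         IPv4Address(dst_ip).packed, 0, TCP_PROTO, tcp_len)
    hdr = bytearray(fixed_hdr[:20])
    hdr[16:18] = b"\x00\x00"     # checksum field is hashed as zero
    return hashlib.md5(pseudo + bytes(hdr) + payload + key).digest()

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, key):
    """Sender: 20-byte header, 20 bytes of options (kind 19 + two NOPs), payload."""
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        (40 // 4) << 4, 0x18, 65535, 0, 0)   # data offset 10, PSH|ACK
    digest = tcp_md5_digest(src_ip, dst_ip, 40 + len(payload), fixed, payload, key)
    return fixed + bytes([TCPOPT_MD5SIG, 18]) + digest + b"\x01\x01" + payload

def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver: find option kind 19, recompute over received bytes, constant-time compare."""
    data_offset = (segment[12] >> 4) * 4
    opts, payload = segment[20:data_offset], segment[data_offset:]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                # End of option list
            break
        if kind == 1:                # NOP, single byte
            i += 1
            continue
        length = opts[i + 1]
        if kind == TCPOPT_MD5SIG and length == 18:
            want = tcp_md5_digest(src_ip, dst_ip, len(segment), segment[:20], payload, key)
            return hmac.compare_digest(opts[i + 2:i + 18], want)
        i += length
    return False                     # unsigned segment on an MD5-protected session: drop it

def demo():
    # Returns (genuine accepted, tampered payload rejected, wrong key rejected)
    seg = build_segment("192.0.2.1", "192.0.2.2", 40000, BGP_PORT, 1000, 2000, BGP_KEEPALIVE, KEY)
    tampered = seg[:-1] + b"\x03"    # one payload byte changed in transit
    check = lambda s, k: verify_segment("192.0.2.1", "192.0.2.2", s, k)
    return check(seg, KEY), check(tampered, KEY), check(seg, b"wrong-key")
```

Because the source and destination addresses are part of the hashed pseudo-header, a segment replayed from a different address pair also fails verification.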

  7. jake

    Assumptions.

    Phil Koenig writes:

    "Both BGP and MPLS messages are transmitted over the same public network backbone that internet packets are. Ergo: forge those control messages=control IP routing."

    On your network, maybe. Not on mine. But that's beside the point ... I thought we were talking about so-called Tier-1s, whose command & control stuff is out-of-bandwidth.

    "This implies that *physical* network access is not required, only access to the data stream. (various ways of achieving that)"

    So let me get this straight. You are going to access the ones&zeros of the "data stream" (whatever that is) without physically accessing the medium those ones&zeros are being transmitted over? Neat trick, that. Care to expand on this thought?

    I'll give you a minute. Maybe two. Or eight days. Or a month. Got anything?

    ::crickets::

    I didn't think so. Go back to school, young'un. Stop assuming everything you read on t'innernets is automagically accurate.

    "The authors state certain background assumptions, including "Assumes attacker has access to traffic path (in core)". I note that this does not necessarily imply "access to physical hardware", only access to the "traffic path". Once again, there are ways to achieve this that do not require access to a physical router/etc."

    Did you even bother to parse what I typed?

    Kids these days! Furrfu!
