back to article Net boffins brew poison for BGP hijacks

The Border Gateway Protocol (BGP) is one of the Internet's basic pieces of plumbing technologies, but it's also so old it was designed before the security needs of a multi-billion-user network were understood. In particular, BGP is notorious for allowing sysadmins to “black-hole” huge swathes of traffic either by fat-fingering …

Silver badge

That's pretty freakin' cool.

That's another gold star on the report cards of those wiz kids for proving once again the old addage that you can't fuck with the internet: it routes around the fuckage & then fucks back.

I'll buy a round of drinks for the team & raise my tankard in toast. Good job!

14
1
Anonymous Coward

Although...

Which is why a group of researchers from Europe and America reckon they've created a framework that would let service providers neutralize a BGP hijack in minutes.

It then goes on to state as little as 5 seconds, maybe 60 seconds etc. The more important point is did the relevant agency of the country concerned get access to the data they required in this time interval or not? Let's face it, the accidental traffic diversion involving Russian and Chinese companies has intelligence gathering written all over it in which case this may not help that much at all.

5
0
Silver badge

Couldn't attackers use the same techniques?

Attacker advertises 10.0.0.0/23, white hat advertises 10.0.0.0/24 & 10.0.0.1/24, attacker advertises 10.0.0.0/25, 10.0.0.128/25, 10.0.1.0/25, 10.0.0.1.128/25, and so on...

3
1
Stop

Re: Couldn't attackers use the same techniques?

Have you of lately advertised a prefix longer than /24 towards your Tier 1 ISP?

Have they accepted it and propagated it?

Name 3 Tier 1 ISPs who allow that and I would give you £5 for the effort.

Somehow I doubt you will collect.

4
0
Gold badge
Go

Nice thing is it does not require *all* BGP nodes to adopt it to work.

Of course then there's the question of implementation. I think most protocols can (and should) be implemented through FSM design tools which write the actual executable*

I'm not sure if this will be the final word, but it sounds like a good start.

*FSM's are not Turing complete, but how many comms protocols are complex enough to demand a Turing complete processor?

0
0

Some issues with this

@DougS: as a general rule, most providers ignore v4 advertisements smaller than /24, so advertising a /25 wouldn't help much.

Deaggregating doesn't seem much like a scaleable solution either. The whole "our crappy routers are about to run out of route memory if someone adds another 5K routes" is less of an issue these days (if you ignore the Cisco 6509 Sup720 issue from a couple of years back), but there is scope to produce an awful lot of churn as various automated mitigation systems automatically announce new prefixes willy nilly.

The issue is not that BGP is somehow out of date as a protocol, but more that there's no way of signalling trust to peers. SBGP was designed to fix this by allowing people to whether as AS was cryptographically allowed to advertise an IP block, but has never taken off: it's a bit of an all or nothing issue, and the idea of relying on the network to check whether the network is allowed is a tad circular.

Perhaps the ability to signal trust via BGP on a per AS and prefix basis might help: using communities obviously. AS's that have never existed before or prefixes that were previously advertised elsewhere could be assigned lower trust levels, allowing their advertisements to be damped.

7
0
Silver badge
Paris Hilton

Re: Some issues with this

Is the page you are viewing this thread on lacking the 'reply' button for posts by any chance?

0
0

So the first thing the Bad Guys do is to blackhole RouteViews and RIS, then they can get on with their Nefarious Deeds unmolested...

0
0

RIS and route views take feeds from multiple providers, so blackholing them would prove difficult

0
0

So, this is all based on the hope that a nefarious neverdowell won't start the fight with /24 address announcements, in the hope that the routers won't accept /25 addresses?

0
0
Anonymous Coward

more hashtags and some sort of phone app needed

Interesting how lax security was/is here relying on the baffling complexity to keep things working and secure in the knowledge anyone with the ability to effect things was probably in a high paying job enjoying the fruits of years of hard graft and study.

Now we are in this world were the highly skilled and knowledgable are 10 a penny and regularly reminded of it.

Oh dear.

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018