To Russia With Love

No, this is not a new Bond movie;  it is, instead, an example of one of the many weaknesses of an Internet that was never designed to handle malicious attackers.

I will try to make this as non-technical as I can, but it will be a bit technical, so please stay with me.

Larger Internet users, whether businesses or Internet providers, often have multiple connections to the Internet so that customers and partners can continue to reach them even if one of their Internet connections goes down.  Some companies might have 3, 4 or more connections.  Somehow, these companies need to tell other companies and Internet providers on the ‘net how to reach them – which connection to use for which internal nets.

Out of this problem – and literally on a couple of sheets of paper (see below), an IBM and a CIsco engineer designed BGP the Border Gateway Protocol.

Unfortunately, back in 1989 no one considered security.

How BGP works is that when someone wants to tell other Internet users about a new BGP connection, they “announce” it.

Unfortunately, the BGP protocol has not changed much since 1989 and still has no security.

What this means is that ANYONE can announce a new route.  This happens non-stop, every day.  Without security, you hope it gets done right.

We have seen many instances of BGP announcements that are very suspicious; earlier this month we had another one.

On December 11/12, for a three minute window, about 80 “routes” were hijacked, then for about 2 hours, 40 “routes” were hijacked and finally, at the end of this event, for a couple of minutes, 80 “routes” were hijacked again.

Surprisingly – or not – the hijacked routes all went through Russia.  While there is no security on BGP, a route does have to be associated with a specific user.  That is how we know the announcements came from Russia.

There are two reasons why Russia might do this.  One reason is to siphon a whole lot of data and then try to decrypt or analyze it.

The other reason would be to take down a large part of the Internet.  If the malicious user takes in all this data but does not put it back out on the Internet, then all of the traffic destined for these affected sites gets “black holed”, which means that all of their traffic goes into the digital trashcan.

The sites affected by this attack were Google, Facebook, Apple, Microsoft and a few others.  Likely not a coincidence.

Lets assume that this was just a test.  You route the traffic through Russia but put it back out on the Internet and maybe no one is any the wiser.

Then, when you want to create chaos, you route the traffic through Russia but put ZERO traffic back out.  The sites that you attack are totally down.  Hopefully, relatively quickly, the sites can announce new routes, but then the attackers can re-announce their routes.

It would be a mess.

And don’t count on the Internet gurus to fix this security “hole” any time soon.  It has been this way for decades and fixing it would be a many year process.  First you have to agree to what the fix is, then you have to develop the fix, next you have to test it and finally get everyone in the world who uses BGP – literally – to install it.  It would probably take a decade.

This is why companies closely monitor their BGP announcements – ones that they make and ones that other people make on their behalf – illegally.

Information for this post came from Ars Technica.


Leave a Reply

Your email address will not be published.