Had a recent discussion with somebody who didn't believe me that "THE INTERNET" is vulnerable...
We have become so dependent on the internet: our crucial infrastructure depends on it, our money, our communication, our privacy, our valuable data, our entertainment, our democracy.
The truth is "the internet" itself didn't evolve with us and at its core it is still old and vulnerable. If we ask the simple question, what is "the internet", in my opinion the internet is 2 things. Most importantly, the underlying interconnectivity is done by the routing protocol BGP.
But this is solely connectivity and deals with protocols, IPs and ports; this is too difficult and it is impossible to use the internet this way.
This is why the second part was implemented on top of this to make it easier to interact with "the internet": the Domain Name System.
DNS, a way to easily type google.com in your browser and off you go, without knowing any IPs, protocols or ports. In its core form, hijack either of these 2 and you hijack "the internet". Let us start with the first layer, BGP (if you don't know the basics, look it up).
The internet is seen as the largest network in the world, routing traffic from one AS to another, but as stated before it is old and vulnerable.
This is not me saying this and it was not discovered yesterday; for more info, check this memo by the IETF from 2006: ietf.org/rfc/rfc4272.txt
The biggest issue in BGP is that it is based on trust: I trust what you advertise to me. This trust can be misused for malicious purposes, or unintentionally cause problems.
Intentionally or unintentionally manipulating the routing to reroute the traffic to yourself.
The intentions can not always be verified; see the recent Nigerian issue or the famous Pakistan YouTube example.
You do need some networking knowledge to understand the process.
If we look at the most impactful security vulnerabilities for BGP, in my opinion, it would be these 2:
1) BGP route manipulation by actually blackholing the traffic destined to a particular destination, so the traffic doesn't reach its destination.

This is less worrisome because it gets discovered quickly, as people will not be able to reach the service.
This has happened more than once, but one of the most famous cases was the YouTube Pakistan example:
dyn.com/blog/pakistan-…
arstechnica.com/uncategorized/…

You can follow the propagation here animated:
stat.ripe.net/events/youtube…
2) BGP route hijacking, this is the most dangerous attack, where an adversary announces prefixes to reroute traffic TO or THROUGH themselves.

All major powers are playing with this. Why not, it is easy and provides you with a huge volume of traffic.
USA: In this presentation from the Snowden leak you see how the NSA is using this; in the presentation Yemen was the example target:
documentcloud.org/documents/3871…

China: Has been doing this as well with their state-owned ISP that started spinning up POPs
scholarcommons.usf.edu/cgi/viewconten…
Russia: The same as China a state-owned ISP attracting traffic of some of the most important companies.
arstechnica.com/information-te…

Iran: State-sponsored actors trying to remotely gain access to social media and secure messaging applications.
blog.talosintelligence.com/2018/11/persia…
These are examples of the main actors in the cybersecurity world... and you see all of them use it!

Is there no solution for these issues? Well, as stated, BGP in its essence is mostly based on trust, but a lot of these attacks could have been prevented by setting up BGP correctly.
To show you, let's take the famous YouTube Pakistan example:
When this route (intentionally or unintentionally) escaped the Pakistan Telecom network, it reached their ISP PCCW in Hong Kong, which propagated the route to the rest of the world.
So any packets for YouTube would end up in Pakistan Telecom's black hole instead. PCCW could have prevented this from happening and this way isolated the issue.

Another more recent example is the Nigerian ISP that knocked down Google:
blog.cloudflare.com/how-a-nigerian…
An interesting excerpt from that post:
Instead, they were routed first through TransTelecom (a Russian Carrier), then to China Telecom CN2 (a cross border Chinese carrier), then on to MainOne (the Nigerian ISP that misconfigured), and only then were they finally handed off to @Google
This could have been relatively isolated if the Chinese and Russian carriers had filtered it out after a verification, as a lot of ISPs in Europe and the US do.

But then again I PERSONALLY do not think that the above countries don't know how to do it, but see the benefit of it ;)
At the moment these measures are not enforced and policed, so again it is based on trust.

Now that there are organisations focusing more on documenting the internet through BGP, I think we will uncover more of these attacks.
This is a good thing to enforce a change, not in enforcement of certain policies but in the protocol itself.
There have been some different BGP improvement proposals, papers and articles, but that is not easy, to say the least.
As any network engineer working in an enterprise knows,
you don't just upgrade a routing protocol, not even a simple internal routing protocol. So what do you expect from a protocol connecting the world, different governments, different hardware, ...

It is not exactly a walk in the park.
So this will not be for tomorrow, meaning an intermediate step is needed.

I kind of see 2 things for that:
1) Provide help to implement best practices as mentioned above.
NIST provides interesting guidelines on some best practices:
csrc.nist.gov/publications/d…
csrc.nist.gov/publications/d…
2) As mentioned above, some companies have started to monitor these BGP flows; from this, some companies will start to offer services that provide alerting if something changes. This could be challenging, but I think AI could help with that.
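As an added example (not code from the thread or from any of the projects it links), here is a small Python model of the two defensive pieces discussed above: the customer-facing filter an upstream like PCCW could have applied in the YouTube case, and the alerting monitor described in point 2. The authorization table, prefixes and ASNs are all constructed (documentation ranges), and the validation logic mirrors RPKI-style origin validation without a max-length allowance.

```python
import ipaddress
from collections import namedtuple

# Constructed "who may originate what" table, standing in for IRR route objects
# or RPKI ROAs. Only documentation prefixes (RFC 5737) and documentation ASNs
# (RFC 5398); none of these values come from the thread.
AUTHORIZED = {
    ipaddress.ip_network("203.0.113.0/24"): {64500},   # hypothetical video service
    ipaddress.ip_network("198.51.100.0/24"): {64501},  # hypothetical other network
}

Announcement = namedtuple("Announcement", "prefix origin_as")

def validate(ann):
    """Origin validation in the style of RPKI route-origin validation.
    valid:   exact authorized prefix from an authorized origin
    invalid: authorized space from the wrong origin, or a more-specific carved
             out of it (the YouTube /24 pattern; no max-length allowed here)
    unknown: no authorization covers the prefix at all"""
    net = ipaddress.ip_network(ann.prefix)
    if not any(net.subnet_of(p) for p in AUTHORIZED):
        return "unknown"
    if net in AUTHORIZED and ann.origin_as in AUTHORIZED[net]:
        return "valid"
    return "invalid"

def upstream_accepts(ann, customer_as):
    """Filter an upstream (PCCW in the thread's example) should apply on a
    customer session: propagate only routes the customer is authorized to originate."""
    return ann.origin_as == customer_as and validate(ann) == "valid"

def monitor(updates, my_prefixes):
    """Alerting side: return (prefix, origin_as, status) for every update that
    overlaps space we own but does not validate."""
    mine = [ipaddress.ip_network(p) for p in my_prefixes]
    return [(a.prefix, a.origin_as, validate(a)) for a in updates
            if any(ipaddress.ip_network(a.prefix).overlaps(m) for m in mine)
            and validate(a) != "valid"]

# Constructed sample feed: a legitimate route, a more-specific injected by the
# wrong AS (the Pakistan/YouTube pattern), a wrong-origin route, an unknown one.
SAMPLE_UPDATES = [
    Announcement("203.0.113.0/24", 64500),
    Announcement("203.0.113.0/25", 64502),
    Announcement("198.51.100.0/24", 64503),
    Announcement("192.0.2.0/24", 64504),
]
```

Running `monitor(SAMPLE_UPDATES, ["203.0.113.0/24"])` flags only the injected /25, which is the announcement an upstream filter would also have dropped before it spread.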
I mentioned the second part of the internet is the layer we use on top, DNS.
This can also cause a lot of damage, as was seen in the Dyn attack a couple of years ago, causing Twitter, SoundCloud, Spotify, Shopify, ... to go down.

techcrunch.com/2016/10/21/man…
But DNS was not part of my discussion, and I just wanted to pen down the point I tried to make in this recent discussion.
So I think I was able to convince him that "THE INTERNET" in itself is old and vulnerable.

These views are my own personal opinion :)
For those not interested in reading the above thread but who still want to learn about the internet and its vulnerabilities, I have this short summary. Enjoy!

Part 1:

Part 2: