Networking Security

BGP Hijacking Continues, Despite the Ability To Prevent It

An anonymous reader writes: BGPMon reports on a recent route hijacking event by Syria. These events continue, despite the ability to detect and prevent improper route origination: Resource Public Key Infrastructure. RPKI is technology that allows an operator to validate the proper relationship between an IP prefix and an Autonomous System. That is, assuming you can collect the certificates. ARIN requires operators accept something called the Relying Party Agreement. But the provider community seems unhappy with the agreement, and is choosing not to implement it, just to avoid the RPA, leaving the Internet as a whole less secure.
  • BGP? (Score:3, Informative)

    by danceswithtrees ( 968154 ) on Friday December 12, 2014 @05:41PM (#48585787)

    What if we agree to spell out obscure acronyms the first time? Yes, I can google/bing it to find likely candidates, but what if you make life easier for all involved and actually use Border Gateway Protocol (BGP)? Mmmmkay?

    • Re: BGP? (Score:3, Funny)

      by Anonymous Coward

      this is a site for nerds...or at least used to be until your lazy ass showed up

      • This is a site for nerds, not IT types.

        Do you know what a LASCR is, and how and why you might use it to slave a photoflash? If not, GTFO.

        • by Mashiki ( 184564 )

          This is a site for nerds, not IT types.

          Strange, I remember when it was a site for IT types, but that was back when CowboyNeal was still here, and the plebs hadn't really destroyed the internet.

        • Re: BGP? (Score:4, Funny)

          by dbIII ( 701233 ) on Friday December 12, 2014 @11:57PM (#48587553)

          Do you know what a LASCR is

          An Indian sailor.

          and how and why you might use it to slave a photoflash

          Slavery is wrong.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      This is slashdot you insensitive clod, a site for nerds. I knew what BGP meant without looking it up.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Guess it's "News for Plebians".

    • I don't think BGP is simple enough for a non-nerd like you to understand in less than an hour. If you don't know what it means, just pass.
      • I don't think BGP is simple enough for a non-nerd...

        Since when did "nerd" only cover people who understand BGP? I don't remember that on the entrance exam...

        Heaven forbid anyone should be allowed to come away from reading a story on Slashdot more informed. Can't be having that!

        A simple, painless expansion of an acronym would at least give every reader a fighting chance at a rough guess of what it does, or at least what it relates to.

        • Re:BGP? (Score:5, Insightful)

          by David_Hart ( 1184661 ) on Friday December 12, 2014 @06:47PM (#48586251)

          I don't think BGP is simple enough for a non-nerd...

          Since when did "nerd" only cover people who understand BGP? I don't remember that on the entrance exam...

          Heaven forbid anyone should be allowed to come away from reading a story on Slashdot more informed. Can't be having that!

          A simple, painless expansion of an acronym would at least give every reader a fighting chance at a rough guess of what it does, or at least what it relates to.

          Um... given that BGP is THE core routing protocol for the Internet... Yeah... you should at least know what it is at a basic level. It fits into the same category as DNS, HTML, ISP, etc.

          It's a lot like the programmers talking on here about the Waterfall model. It's expected that if you don't know something that you will take 5 seconds to look it up. Just maybe you'll learn something new... oh horrors... (grin)

          For those who still don't know, BGP stands for Border Gateway Protocol. At a very basic level, it's a routing protocol used to advertise routes between ISPs and other Internet connected organizations. It's these routes that we use to get to Netflix, for example.

          • Both Parent and GP are right in some sense.
            My point was you have to know the authentication algorithm, the path choosing algorithm, what a peer group or a router id is and which ones are relevant or irrelevant to a BGP hijacking to be able to actually understand what this is all about.
            BGP is not your everyday routing protocol, it's not RIP, that was my point.
    • I see Fry narrowing his eyes.

    • I think both sides of the argument are pretty mute anyhow. I don't think much is gained or lost either way you go.

      I know what BGP is but I never memorized what the letters stand for. Even if we spelled it out, that barely scratches the surface of what it is and doesn't make the article any more informative for someone not versed in what BGP is.

      Yes, it is usually standard practice in any formal writing. Slashdot is hardly formal though, when Bennet gets to spout his half formed ramblings every week.

      • I think both sides of the argument are pretty mute anyhow.

        frysquint.jpg

        • by sconeu ( 64226 )

          Based on this thread, I doubt they're mute, given that people are expressing opinions on both sides...

          On the other hand, both sides might be moot....

    • Concur. I happen to know what BGP is, but there's plenty of nerds for whom this site provides news that could have probably used a link [wikipedia.org] - especially if they wanted to understand it better before reading the article. [...but after first posting.]

      • by epyT-R ( 613989 )

        Or they could've spent two seconds typing 'bgp' into a search engine. I bet the wiki link would be on top.

    • Re:BGP? (Score:5, Insightful)

      by nblender ( 741424 ) on Friday December 12, 2014 @06:29PM (#48586125)
      I guess I disagree. I don't want to have to see "Transmission Control Protocol / Internet Protocol" the first time in every article that mentions TCP/IP... I'm surprised you also didn't mention that "ARIN" wasn't expanded, or "IP"... Probably because you know what those mean. I've been in this industry for dozens of years and there are abbreviations that come up all the time that I don't know but I just google them... It's not a big deal.
      • by Anonymous Coward
        If everything in nerdland should be obvious, that means nerds only know obvious things.
      • What if we agree to spell out obscure acronyms the first time?

        I guess I disagree. I don't want to have to see "Transmission Control Protocol / Internet Protocol" the first time in every article that mentions TCP/IP

        Good news everyone! [youtube.com] Using time travel, I have added an HTML tag specifically for abbreviations. Go ahead and try it, it's the <abbr> tag.

    • a) It's a headline. b) "for all involved" - maybe you're not involved. Skip over it and let the adults carry on.
    • I think most people on this website know what BGP is, hence the acronym.

    • by epyT-R ( 613989 )

      if you don't know what some acronym means, look it up or go whine about it on your tumblr.

  • ARIN requires operators accept something called the Relying Party Agreement.

    But the provider community . . . is choosing not to implement it

    So ARIN apparently has no ability to enforce the 'requirement', making the 'requirement' meaningless.

    • by suutar ( 1860506 ) on Friday December 12, 2014 @06:17PM (#48586031)

      It's required if you want to use ARIN's data. Those who choose not to agree are simply not using that data, with the consequence that they are less effective at validating route origin identity.

    • by Cramer ( 69040 )

      It's an ARIN requirement when using ARIN's RPKI services.

      The base issue with all this "route hijacking" has fuck all to do with RPKI. It's a simple matter of ISPs being a bunch of lazy asses who cannot be bothered to filter what gets announced to them. Sure, that becomes more work the larger you are, but that's the price of doing this kind of business!

      • And how do you know what to filter?

        RPKI is about providing a trustworthy database that can be used to decide what to filter and what to permit.

        • RADB for one. RPKI is pretty ugly and until everybody uses it it's not that useful. RADB is here now and you can require that everybody registers as a condition of peering/transit.
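    Route origin validation as described in the summary and in this subthread (a database that decides what to filter and what to permit), as an added example that is not from the page or from any RPKI implementation: it applies the RFC 6811 Valid/Invalid/NotFound test to announcements against a constructed ROA set standing in for the validated cache a relying party would build from the RIRs' data. Prefixes and AS numbers are documentation and private ranges chosen for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorisation: the RPKI object binding a prefix to an origin AS."""
    prefix: str       # covered prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the holder allows to be announced
    origin_asn: int   # AS authorised to originate; AS 0 means "no one may originate"

# Constructed ROA set standing in for the validated cache a relying party
# would build from the RIRs' repositories (documentation prefixes, private ASNs).
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64500),
    Roa("2001:db8::/32", 48, 64500),
    Roa("203.0.113.0/24", 24, 0),   # AS0 ROA: nothing may originate this space
]

def covers(roa_prefix: str, announced: str) -> bool:
    """True if the announced prefix lies inside the ROA prefix (same address family)."""
    roa_net = ipaddress.ip_network(roa_prefix)
    ann_net = ipaddress.ip_network(announced)
    return roa_net.version == ann_net.version and ann_net.subnet_of(roa_net)

def validate_origin(announced: str, origin_asn: int, roas) -> str:
    """RFC 6811 origin validation: returns 'Valid', 'Invalid' or 'NotFound'."""
    ann_len = ipaddress.ip_network(announced).prefixlen
    covering = [r for r in roas if covers(r.prefix, announced)]
    if not covering:
        return "NotFound"            # no ROA covers it: RPKI says nothing
    for r in covering:
        # A match needs the authorised origin AS and a length within maxLength;
        # AS 0 never matches a real origin, so AS0 ROAs make every route Invalid.
        if r.origin_asn != 0 and r.origin_asn == origin_asn and ann_len <= r.max_length:
            return "Valid"
    return "Invalid"                 # covered, but this announcement violates the ROAs

def accept_announcements(announcements, roas):
    """Filter policy: drop Invalid routes, keep Valid and NotFound ones."""
    return [(p, asn) for p, asn in announcements
            if validate_origin(p, asn, roas) != "Invalid"]

if __name__ == "__main__":
    # Constructed announcements: legitimate, wrong origin AS, over-specific, uncovered
    for prefix, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/24", 64501),
                        ("192.0.2.0/25", 64500), ("198.51.100.0/24", 64500)]:
        print(prefix, asn, validate_origin(prefix, asn, SAMPLE_ROAS))
```

    NotFound is the common case for unsigned prefixes, which is why a filter that only drops Invalid routes gains little until ROA coverage is wide, the point the RADB reply makes about adoption.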

  • More importantly (Score:4, Interesting)

    by Anonymous Coward on Friday December 12, 2014 @06:06PM (#48585967)

    Why do we continue to allow peers that have proven to be problematic in the BGP backbone? Simply do not share routes with these ASs any more and fuck their shit hole countries until they stop dicking with the core of the internet.

    It's not like any old admin can be like "OK, I'm going to broadcast bad routes that will be observed and respected by all the core routers of the internet."

    No, these people have special agreements with the neighbours they route with. It's not like BGP packets just fly around the internet from some random workstation belonging to a hacker and magically find their way onto the private VLANs the cores use for BGP traffic.

    Even if it wasn't technically preventable, it should simply be resolved by refusing peering after an incident.

  • by mysidia ( 191772 ) on Friday December 12, 2014 @06:23PM (#48586073)

    These events continue, despite the ability to detect and prevent improper route origination

    Locked cases with hardened glass are a technology that allow a store to protect products for sale from surreptitious pilfering. That is, assuming you can fit the products in the case. Lock manufacturers for the cases require stores to accept something called a "key security agreement", but the shop owner community seems unhappy with the inconvenience posed to customers, and is choosing not to implement it, just to avoid the KSA, leaving the goods on store shelves worldwide as a whole less secure.

    • So, we should never do anything to improve security because it isn't 100% effective. Got it.
      • So, we should never do anything to improve security because it isn't 100% effective.

        Got it.

        And 100% as convenient, too, don't forget. Wouldn't want to incur any costs or have to lift a finger for that security.

      • by Anonymous Coward

        And signing a mass of unenforceable rent-seeker written security theater legalese is actually better than what we have now, which amounts to infrequent and temporary disruption of marginal, poorly run systems? PKI systems get compromised as well, you know.

        I'd rather risk the vulnerabilities than stop the rapid growth of the Internet, or have it bifurcate into the signatories and the non-signatories, which is the more likely outcome. The fact that a third-world civil war hellhole like Syria even has any Inter

      • by mysidia ( 191772 )

        That's not the message. The message is: that some security problems can be solved technically, but the solution is so problematic, that the solution can't reasonably be accepted.

        The major problem with RPKI is the legalese, and the fact that operators have some reasons not to trust the RIRs to administer it.

        We see some of the matters of policy as self-serving. We recognize that RIRs are not infallible, and we're concerned about giving a single organization too much power over the community-operate

  • Prefix This (Score:5, Funny)

    by TheRealHocusLocus ( 2319802 ) on Friday December 12, 2014 @09:04PM (#48586947)

    Just flipped down the thread:

    AAAAASSSS????ASSSA?FFbFbb??bBM

    Key:
    A = messages complaining about use of acronym, explaining it
    S = messages questioning relevance of BGP to 'Nerd', answers
    ? = WTF responses (Fry, Bennet)
    F = political views (fuck ARIN, fuck legalese, fuck de Man)
    b = relevant but misinformed (filtering not quicky-solve, RPKI not Kill Switch)
    B = relevant, thoughtful response to a 'b'
    M = this, meta message about thread.

    If the rest of the Internet was like this, no actual routes would ever be advertised.

    My life is light, waiting for the death wind,
    Like a feather on the back of my hand.
    Dust in sunlight and memory in corners
    Wait for the wind that chills towards the dead land.

    ~T.S. Eliot

  • As the article points out, the only reason this was able to work was because one of the upstreams didn't filter announcements correctly. So instead of one provider doing something simple, the "fix" is for the rest of the world to do something complex?

    Back in the day if a provider dicked around with BGP enough (either through incompetence or malice) they would find that eventually no one would accept any prefixes originating from their network. Kind of hard to have customers when the rest of the internet won't accept your traffic, isn't it?

    BGP4 was new and exciting in 1994, and people are still doing it incorrectly. Film at 11.

    • Tiers of providers screwed up; Telecom Italia should have never accepted the routes. Considering that the whole AS has 84 IPv4 prefixes that could/should be summarized, it's a pretty static list. They have one "client" BGP session to their own second AS. Telecom Italia is big enough that it looks like bigger fish dropped the ball filtering its nearly 40k routes (possibly also hardware issues; 40k-long prefix lists can make routers unhappy).

    • As the article points out, the only reason this was able to work was because one of the upstreams didn't filter announcements correctly. So instead of one provider doing something simple, the "fix" is for the rest of the world to do something complex?

      Yes.

      If the entire BGP system is reliant on any 1 participant to properly implement security, then you can be assured there will be at least 1 participant who does not properly implement security.

      We should assume the entire network is hostile and full of bad actors, then "fix" accordingly.
      That's how you build robust networks.

      For example: assuming everyone will play nicely is why the NSA got to tap datacenter-to-datacenter x-fers for the major internet companies. Once this came to light, each and every compan

      • by ledow ( 319597 )

        Agreed. It's like saying SSL is secure when it relies on every CA to operate in the same secure way. Oops.

        Or email is reliant on one particular server not relaying out spam to others and faking return addresses, etc.

        Lots of big tech relies on "honesty". The only way to fix it is to enforce a protocol that ensures compliance (or punishes non-compliance with relegation).

        If you don't play ball in DNSSEC, for example, then people know you're not playing ball. You either participate properly or not at all.

        If
