Anton Kapela on what the BGP attack *really* means

• Previous message (by thread): Service Outage in Indiana
• Next message (by thread): Great Suggestion for the DNS problem...?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ I'm unthreading this, because Anton didn't think to, and I wouldn't
want anyone who canned the other thread to miss it.  --jra ]

On Thu, Aug 28, 2008 at 11:56:30AM -0400, Steven M. Bellovin wrote:
> On Thu, 28 Aug 2008 10:16:16 -0500
> "Anton Kapela" <tkapela at gmail.com> wrote:
> 
> > I thought I'd toss in a few comments, considering it's my fault that
> > few people are understanding this thing yet.
> > 
> > >> On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron <ge at linuxbox.org>
> > >> wrote:
> > >>>
> > >>> People (especially spammers) have been hijacking networks for a
> > >>> while
> > 
> > I'd like to 'clear the air' here. Clearly, I failed at Defcon, WIRED,
> > AFP, and Forbes.
> > 
> > We all know sub-prefix hijacking is not news. What is news? Using
> > as-path loop detection to selectively blackhole the hijacked route -
> > which creates a transport path _back to_ the target.
> > 
> > That's all it is, nothing more. All but the WIRED follow-up article
> > missed this point *completely.* They over-represented the 'hijacking'
> > aspects, while only making mention of the 'interception' potential.
> > 
> > Lets end this thread with the point I had intended two weeks ago:
> > we've presented a method by which all the theory spewed by academics
> > can be actualized in a real network (the big-I internet) to effect
> > interception of data between (nearly) arbitrary endpoints from
> > (nearly) any edge or stub AS. That, I think, is interesting.
>
> Indeed, and I thank you for it.  As noted, I and others have been
> warning about the problem for a long time.  You've shown that it isn't
> just an ivory tower exercise; maybe people will now get serious about
> deploying a solution.
> 
> To quote Bruce Schneier quoting an NSA maxim, attacks only get better;
> they never get worse.  We now have running code of one way to do this.
> I think most NANOG readers can see many more ways to do it.  A real
> solution will take years to deploy, but it will never happen if we
> don't start.  And we want to have the solution out there *before* we
> see serious attacks on BGP.
> 
> Again, thank you -- it was really nice work.
> 
> 		--Steve Bellovin, http://www.cs.columbia.edu/~smb

Cheers,
-- jra
-- 
Jay R. Ashworth                   Baylink                      jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com                     '87 e24
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

	     Those who cast the vote decide nothing.
	     Those who count the vote decide everything.
	       -- (Josef Stalin)

• Previous message (by thread): Service Outage in Indiana
• Next message (by thread): Great Suggestion for the DNS problem...?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]