Revealed: The Internet's well known BGP behavior

Alex Pilosov alex at pilosoft.com
Thu Aug 28 15:25:41 CDT 2008


On Thu, 28 Aug 2008, Anton Kapela wrote:

> I thought I'd toss in a few comments, considering it's my fault that
> few people are understanding this thing yet.
> 
> >> On Thu, Aug 28, 2008 at 2:28 PM, Gadi Evron <ge at linuxbox.org> wrote:
> >>>
> >>> People (especially spammers) have been hijacking networks for a while
> 
> I'd like to 'clear the air' here. Clearly, I failed at Defcon, WIRED,
> AFP, and Forbes.
> 
> We all know sub-prefix hijacking is not news. What is news? Using
> as-path loop detection to selectively blackhole the hijacked route -
> which creates a transport path _back to_ the target.
> 
> That's all it is, nothing more. All but the WIRED follow-up article
> missed this point *completely.* They over-represented the 'hijacking'
> aspects, while only making mention of the 'interception' potential.
> 
> Let's end this thread with the point I had intended two weeks ago: we've
> presented a method by which all the theory spewed by academics can be
> actualized in a real network (the big-I internet) to effect interception
> of data between (nearly) arbitrary endpoints from (nearly) any edge or
> stub AS. That, I think, is interesting.

Yep. While it was common knowledge that it is "easy" to jack space, it was
really considered in terms of a "denial of service" attack. It was known
that you could do traffic monitoring via manipulation of BGP communities
and reinjecting traffic "closer" to the target via tunnels - however that
technique is not generic. We've demonstrated the ability to monitor traffic
to arbitrary prefixes. Slides for the presentation can be found here:
http://eng.5ninesdata.com/~tkapela/iphd-2.ppt

I'd also like to draw attention to the fact that it didn't draw much
attention when Tony posted to the nanog-list immediately after the
conference. That post has an extensive reading list - and I highly
recommend that before further posting on this, you read through it.
http://www.gossamer-threads.com/lists/nanog/users/107423

Added attention to the issue after our public demonstration is good news -
more attention to the problem is likely to get people to use best
practices in filtering.

I'd also like to point out that while the presentation went over a lot of
people's heads at Defcon, it appears that, unexpectedly, it went over
people's heads here as well.

To clear up some misunderstandings:
*) Yes, this is a real problem. 

*) Yes, it has been known for years.

*) There is no currently deployable solution to this problem yet.

*) Filtering your customers using IRR is a requirement, however, it is not 
a solution - in fact, in the demonstration, we registered the /24 prefix 
we hijacked in IRR. RIRs need to integrate the allocation data with their 
IRR data.

-alex [your former moderator]
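
An added example, not part of the original message: a sketch of why an IRR-only customer filter accepts a more-specific /24 once a route object for it has been registered, and how cross-checking that object against allocation data would reject it. The prefixes, ASNs and the allocation table layout are constructed assumptions.

```python
import ipaddress

# Constructed sample data: private address space and documentation ASNs.
# IRR route objects are self-registered, so the second entry exists even
# though AS64511 was never allocated any part of 10.20.0.0/16.
IRR_ROUTE_OBJECTS = {
    ("10.20.0.0/16", 64500),
    ("10.20.30.0/24", 64511),
}

# Hypothetical RIR allocation records: block -> ASNs the holder authorised.
ALLOCATIONS = {
    "10.20.0.0/16": {64500},
    "10.99.0.0/16": {64510},
}


def irr_accepts(prefix, origin_asn):
    """IRR-only filter: an exact (prefix, origin) route object must exist."""
    net = ipaddress.ip_network(prefix)
    return (str(net), origin_asn) in IRR_ROUTE_OBJECTS


def covering_allocation(prefix):
    """Return the most specific allocation containing prefix, or None."""
    net = ipaddress.ip_network(prefix)
    covers = [ipaddress.ip_network(a) for a in ALLOCATIONS]
    covers = [a for a in covers if a.version == net.version and net.subnet_of(a)]
    return max(covers, key=lambda a: a.prefixlen, default=None)


def classify(prefix, origin_asn):
    """Classify one announcement using both data sources."""
    if not irr_accepts(prefix, origin_asn):
        return "reject: no IRR route object"
    alloc = covering_allocation(prefix)
    if alloc is None:
        return "reject: no covering allocation"
    if origin_asn not in ALLOCATIONS[str(alloc)]:
        return "reject: IRR object contradicts allocation"
    return "accept"


if __name__ == "__main__":
    for ann in [("10.20.0.0/16", 64500), ("10.20.30.0/24", 64511),
                ("10.99.0.0/16", 64510)]:
        print(ann, "irr-only:", irr_accepts(*ann), "combined:", classify(*ann))
```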