iViZ Security

Security Alerts

Network Traffic Redirection and Interception exploiting BGP (Border Gateway Protocol)

This is a critical advisory and affects all networks connected to the internet, whether or not they run BGP themselves.
What Is It?

Imagine all your network traffic being surreptitiously diverted through a network on another continent before it reaches you, while an attacker sniffs your passwords, sensitive files and confidential data, putting your business at high risk. Two researchers at the Defcon 16 security conference demonstrated exactly this scenario as a new "man in the middle" attack that allows interception of all traffic destined for an IP prefix by sending fake BGP (Border Gateway Protocol) routing messages. In a nutshell, the BGP routers that make up the internet have to trust each other in order to route packets: they continuously exchange information about the best route between autonomous systems, and they accept what they are told without any way of verifying who really owns a prefix. The attack consists of injecting fake routing information (technically, BGP UPDATE messages) that deceives other routers into believing that sending traffic through the attacker's network is the best way to reach the victim network. The usual way to do this is to announce a more specific (longer) prefix than the victim's own announcement, because routers forward on the longest matching prefix before they even compare AS paths.

Sending such fake information to a few BGP routers is enough: within a few minutes the majority of BGP routers on the internet will have trusted it and updated their routing tables. The result is a perfect "man in the middle" attack, in which sensitive content (passwords, online banking details, emails, any plain-text connection such as instant messaging or web browsing) can be sniffed and even modified transparently. Only traffic that is protected end to end (TLS, SSH, a VPN) keeps its contents private; the diversion itself is hard for the victim to notice, since the packets still arrive, only with some extra latency.

Why Should You Care?

This attack lets an attacker monitor (sniff) and modify all traffic destined for your IP prefix, by diverting your incoming traffic through the attacker's network before it reaches you.

In February 2008, Pakistan Telecom set out to block the video sharing site YouTube for Pakistani users by announcing a more specific prefix (a /24 carved out of YouTube's /22) and routing it to a "black hole". The announcement was intended only for Pakistan, but it leaked from Pakistan Telecom to its upstream ISP PCCW in Hong Kong, which propagated it to the rest of the world. Because routers prefer the more specific prefix, the majority of YouTube users worldwide ended up in Pakistan Telecom's black hole for a short period (roughly two hours). This was a misconfiguration rather than an attack, but it shows how little it takes: one rogue announcement and one upstream that does not filter its customers.

To prove that the attack is practical, the two researchers hijacked all traffic sent to the Defcon conference network's IP prefix, diverted it to their own network in New York, and then forwarded it back to Defcon, so that connections kept working while every packet passed through their routers. Plain hijacking of a prefix was already well understood; their contribution was doing it while keeping a clean return path to the victim, which turns a denial of service into an undetected interception.

How Can You Get Safe?

This attack exploits a limitation of a core internet protocol and does not rely on any specific vulnerability in routers, so there is no patch to apply. A real fix requires operators across the internet to follow best practices such as the NIST guidelines on Border Gateway Protocol Security (NIST SP 800-54). Security administrators and decision makers should apply controls appropriate to their own needs. ISPs play the major role in preventing this kind of attack: they must filter the BGP updates received from customers so that only prefixes registered to that customer are accepted (a filter of this kind at PCCW would have stopped the Pakistan Telecom leak) and give their customers guarantees that they do so. Network owners can additionally watch public route collectors for unexpected announcements of their own prefixes, since an interception is otherwise invisible from inside the victim network. Implementing these practices requires considerable change on the ISP side, and that will only happen with a higher level of customer awareness of the attack.
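The following is an added example, not code from the original advisory or from the Defcon researchers. It is a toy model of the behaviour described in "What Is It?", the YouTube black hole above, and the ISP-side filtering recommended here, written in Python so the three cases can be run side by side. The topology, the private ASNs (64500, 64510, 64520, 64530, 64540, 64666), the prefixes 203.0.112.0/22 and 203.0.113.0/24 and the host 203.0.113.5 are all constructed for the example. The model keeps only the three BGP rules the attack depends on: a router drops an UPDATE whose AS_PATH already contains its own ASN, it prefers the shortest AS_PATH for a given prefix, and it forwards on the longest matching prefix. Real BGP has many more selection steps, but these three are enough to reproduce the hijack, the interception with a clean return path, and the filter that stops both.

```python
import ipaddress
from collections import defaultdict

# Constructed topology of private ASNs (illustrative, not real networks).
VICTIM, ATTACKER, OBSERVER = 64500, 64666, 64530
T1, T2, T3 = 64510, 64520, 64540          # transit providers
LINKS = [(VICTIM, T1), (T1, OBSERVER), (T1, T3), (T3, ATTACKER),
         (ATTACKER, T2), (T2, OBSERVER)]
LEGIT = ipaddress.ip_network("203.0.112.0/22")   # constructed victim allocation
HIJACK = ipaddress.ip_network("203.0.113.0/24")  # more-specific carved out of it


class Internet:
    """Toy BGP: AS_PATH loop detection, shortest AS_PATH wins, longest-prefix
    forwarding.  Every update is trusted unless a per-session filter says no."""

    def __init__(self, links, filters=None):
        self.neighbors = defaultdict(set)
        for a, b in links:
            self.neighbors[a].add(b)
            self.neighbors[b].add(a)
        # rib[asn][prefix] = (as_path, next_hop); next_hop None = originated here
        self.rib = {asn: {} for asn in self.neighbors}
        # filters[(receiver, sender)] = prefixes the receiver accepts from sender
        self.filters = filters or {}

    def originate(self, asn, prefix, fake_path=()):
        # Nothing stops an originator from appending arbitrary ASNs to AS_PATH.
        path = (asn,) + tuple(fake_path)
        self.rib[asn][prefix] = (path, None)
        for n in self.neighbors[asn]:
            self.receive(n, prefix, path, asn)

    def receive(self, asn, prefix, path, from_asn):
        allowed = self.filters.get((asn, from_asn))
        if allowed is not None and prefix not in allowed:
            return                  # ISP-side prefix filter drops the rogue update
        if asn in path:
            return                  # loop detection: own ASN already in AS_PATH
        current = self.rib[asn].get(prefix)
        if current is not None:
            if current[1] is None:  # locally originated, never overridden
                return
            if (len(current[0]), current[1]) <= (len(path), from_asn):
                return              # existing route is as short or better
        self.rib[asn][prefix] = (path, from_asn)
        for n in self.neighbors[asn]:
            self.receive(n, prefix, (asn,) + path, asn)

    def lookup(self, asn, ip):
        # Longest-prefix match: the attacker's /24 beats the victim's /22.
        covering = [p for p in self.rib[asn] if ip in p]
        if not covering:
            return None
        return self.rib[asn][max(covering, key=lambda p: p.prefixlen)]

    def trace(self, src, ip, static_next_hop=None):
        """ASNs a packet crosses from src toward ip.  static_next_hop maps an AS
        to a neighbor it uses regardless of its RIB (the attacker's return path)."""
        static_next_hop = static_next_hop or {}
        hops, asn = [src], src
        while True:
            if asn in static_next_hop:
                nxt = static_next_hop[asn]
            else:
                route = self.lookup(asn, ip)
                if route is None:
                    return hops + ["unreachable"]
                nxt = route[1]
                if nxt is None:     # reached the AS that originates the prefix
                    return hops
            hops.append(nxt)
            asn = nxt


def run_scenario():
    target = ipaddress.ip_address("203.0.113.5")   # constructed host at the victim
    normal = Internet(LINKS)
    normal.originate(VICTIM, LEGIT)
    before = normal.trace(OBSERVER, target)

    # Crude hijack, as in the 2008 YouTube incident: announce the more-specific
    # and let the traffic die at the hijacker.
    crude = Internet(LINKS)
    crude.originate(VICTIM, LEGIT)
    crude.originate(ATTACKER, HIJACK)
    blackholed = crude.trace(OBSERVER, target)

    # Interception: same more-specific, but AS_PATH pre-loaded with the ASNs on
    # the attacker's return path (T3, T1).  Their loop detection rejects the
    # hijack, so they keep the real route and carry intercepted packets home.
    normal.originate(ATTACKER, HIJACK, fake_path=(T3, T1))
    intercepted = normal.trace(OBSERVER, target, static_next_hop={ATTACKER: T3})
    sees_hijack = sorted(a for a in normal.rib if HIJACK in normal.rib[a])

    # Defense: the attacker's upstreams accept only the prefixes registered to
    # that customer (here none), so the bogus /24 never leaves the attacker.
    filtered = Internet(LINKS, filters={(T2, ATTACKER): set(), (T3, ATTACKER): set()})
    filtered.originate(VICTIM, LEGIT)
    filtered.originate(ATTACKER, HIJACK, fake_path=(T3, T1))
    defended = filtered.trace(OBSERVER, target)

    return {"before": before, "blackholed": blackholed, "intercepted": intercepted,
            "sees_hijack": sees_hijack, "filtered": defended}
```

Running `run_scenario()` shows the observer's packets taking the direct path 64530 > 64510 > 64500 before the attack, dying at 64666 in the crude hijack, and in the interception case travelling 64530 > 64520 > 64666 > 64540 > 64510 > 64500: the victim still receives everything, while the attacker's two upstreams on the return path never even see the bogus /24 because their own ASN is in its AS_PATH. With the customer prefix filter in place the observer's path is unchanged from the baseline, which is the whole of the ISP-side fix recommended above.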

How Can You Protect Yourself In The Future?

To protect yourself from vulnerabilities such as this in the future, you should consider regular penetration testing. Gartner, a leading analyst firm, recommends that "penetration testing that goes beyond simple vulnerability assessment should be conducted regularly". A test of your own network cannot change your ISP's routing policy, but it can show which of your services still send credentials or data in the clear and would therefore be exposed by a diversion like this one.

iViZ, the world's only on-demand automated end-to-end penetration testing solution, can help you keep your organization's IT safe. Unlike conventional penetration testing methods, which are manual, time-intensive and expensive, iViZ's on-demand solution offers superior benefits.

On-Demand, Easy and Affordable: can be used anytime, anywhere and anyhow using Software-as-a-Service subscription model
Fast & Accurate and Comprehensive: iViZ simulates multi-stage attack path to provide comprehensive solutions
Easy Compliance: with built-in compliance reporting for SOX, HIPAA, ISO27001, PCI DSS.

To learn more about iViZ, please visit iViZ Technology

Where Can I Learn More About BGP Vulnerability?

Visit the following resources to learn more about the vulnerability and the discussion around it.

Stealing the Internet, Defcon 16 presentation by Alex Pilosov & Tony Kapela
A Study of Prefix Hijacking and Interception in the Internet, Hitesh Ballani, Paul Francis & Xinyang Zhang, SIGCOMM 2007
http://feeds.feedburner.com/~r/Security-Bloggers-Network/~3/375752473/bgp-eavesdropping.html
http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html
http://blog.wired.com/27bstroke6/2008/08/how-to-intercep.html