It’s Groundhog Day and everything old is new again. Dave Rand at Trend Micro (from the Kelkea acquisition which was MAPS before that), is making noise about spammers hijacking BGP announcements. He describes a technique where spammers inject a route for a short period of time, source a bunch of spam from it and then withdraw the route. This means that the actual IP addresses used to send the spam are routed to someone other than their registered owner at the time the spam is sent. Nasty stuff.
BGP hijacking (unauthorized route injection) has been discussed (and mitigated) for many years now. The fact that Trend Micro appears to be just discovering it and that they’re “working on a protection scheme” without any reference to the existing work (and commercially available protection schemes that are already deployed) is not encouraging.
There are at least three good sources of information about global routing:
- The Route Views Project
- The RIPE RIS Project (including the MyASn Notification System – more on that later).
- And, of course, my company’s Routing Intelligence service
All of these are great sources for the kind of information that Rand believes is missing. They give network managers a consolidated view of global routing information to verify the reachability of their networks and determine whether anyone is routing their prefixes without permission. So when Rand says (quoting from the article, again) “There’s no central source monitoring all of the address blocks on the Internet,” technically, he’s right. There is no single central source. There are at least three (and plausibly many more). This part of the problem is solved and Rand (and the journalists he’s talking to) just haven’t realized it yet.
So far so good. But the cute part comes next, where Rand claims that “The only telltale sign that your addresses have been hijacked is that traffic on the network [from which they’ve been stolen] is reduced.” For networks that don’t monitor the availability of their routing, that may be true. But users of the RIPE MyASn project and users of Renesys Routing Intelligence have the capability of receiving alerts (via email or SNMP) whenever a change in global routing affects their networks.
The use case is this: someone somewhere starts pretending to be you. That is, they start announcing networks that are yours (or smaller parts of networks that are yours) into the global routing table. This is sometimes malicious (as is the case that Rand is discussing with spammers). It is sometimes inadvertent (as was the case of Con Edison Communications hijacking a number of customers and former customers last week. This situation is challenging because unlike most security threats, BGP route hijacking does not involve a violation of site security, a compromise of servers or routers, or any other kind of privilege escalation.
Attackers take public information about the target and use it to lie about them. This is almost exactly equivalent to identity theft in the real world. If i know your name (public information) and I walk down the street of Hanover, NH telling everyone that I’m you, some people might believe me. And if enough people believe me, I’ll start getting your mail, and credit card offers for you, and birthday presents and maybe even your salary. I might be able to pick your kids up at school or take your spouse out to dinner. To do this, I don’t have to break into your house, or steal your credit card or anything visible to you at all. The only thing that’s necessary for the attack to work is for me to convince enough people that I am you. In the real world, unless you work away from home more than 80-90 hours per week, it’s unlikely I’ll convince your spouse or your children that I’m really you. In the world of Internet routing, this is unfortunately very, very easy. Pretty much everyone believes pretty much everyone else almost all the time. As a result bad things happen.
Whether the hijacking is malicious or inadvertent, the solution is a system to monitor the availability and routing status of all networks (prefixes) and connections (AS adjacencies) that affect a given customer’s network. Whenever a route related to any of that customer’s networks appears, it is compared against the routing policy for that network. If there’s a violation of policy (someone lying about where your networks are or who they’re connected to), an alert can be raised.
Renesys has been providing realtime alerting on a commercial basis since 2002. We do this for some of the largest networks on the planet. RIPE has been operating the MyASn project since at least 2003 or so, so again, Rand isn’t onto anything new. From the article: “Rand says Trend Micro is working on a protection scheme. But right now, he warns, there isn’t a darn thing you can do.” I hope Trend Micro contacts us (or RIPE) to discuss pricing and partnership opportunities, as I suspect either of us could save them some development costs or patent licensing fees. 🙂
The serious issue is that many networks are baffled by this problem and even baffled by the notifications about it. With most network outage notifications, the workflow involves logging onto routers, checking configurations, troubleshooting links, etc. With route hijacking, the workflow involves researching global routing tables, finding the nearest “responsible” upstream networks to the hijacker, and contacting them out-of-band (frequently by phone) to ask them to modify their configurations to no longer accept and propagate the hijacked networks. This is not a workflow that many NOC managers and many NOC technicians are trained for or comfortable with.
The friction is mostly a cultural one, I think. Many networking engineers think of their network as being the set of assets that they have ‘enable’ on (privileges to modify). For a small, non-Internet-connected network, that may be true. But the reality is that for Internet-connected networks, the security and integrity of the network doesn’t stop at the network edge. It extends across the entirety of the Internet. Anyone, almost anywhere else on the Internet, can affect the routing integrity and service availability for your networks, and changing your router configurations cannot change that. Absent an interesting technical solution (several have been proposed, none are gaining steam), I suspect this problem will require ongoing cultural change to fully address.