Some security researchers have found a vulnerability in the BGP ( Border Gateway Protocol ) routing protocol that could allow one to intercept internet traffic on a scale not possible before, except by a group such as the NSA with their Echelon project. The attack exploits a man-in-the-middle type vulnerability in BGP to monitor and possibly even modify traffic. The exploit works by using the BGP issue to redirect traffic to the eavesdropper’s network where sniffing and other tools can be used to look at the traffic. The attack can only intercept data going to a target ( not from a target ).
The BGP issue has long been known as a theoretical one, however no one has publicly done this until recently at the Defcon Conference where Anton Kapela and Alex Pilosov successfully intercepted traffic bound for the conference and redirected it to New York.
The issue is a result of the BGP notion of trust – BGP routers talk to each to indicate paths ( quickest an efficient ) for the transport of traffic. However, the information passed between BGP routers is not checked and is taken as the truth. An eavesdropper simply advertises a route for a particular target and this is propagated immediately around the world. Traffic bound for the correct target could now be rerouted if that fake path is chosen.
Unlike your average IP hijack, the traffic is silently redirected and no one is the wiser. Normally this is not possible but the attack here uses and BGP feature called AS path prepending that can cause a number of BGP routers to reject the deceptive advertisement. Those ASs can then be used to forward data.
One of the solutions that have been put forward is to create a certificate registry where ISPs would register their ASs and right to do BGP updates. Another option is Secure BGP, which requires BGP routers to digitally sign their prefix advertisements with a private key. Peer routers would then be given certificates authorising them to route its traffic.
All in all, a difficult position for all operating in the Internet space. Costs are high and margins thin so security is not always first on the list. Let’s hope some of the possible solutions are brought to the fire before serious damage is done to the Internet.
