This sponsored post is produced by Kentik.
How much would it matter to you if all of a sudden your company’s Internet traffic started going somewhere else? Maybe to your competitor, a criminal organization, or a foreign government? Sound bad?
In my last article, “The Great Network Forgery,” I explained how the Internet infrastructure industry allows mass forgery of IP addresses. That digital identity theft allows botnets to exist, and the consequences plague us all. Well, there’s another, grander sort of identity theft that the Internet also allows: theft of an entire organization’s Internet traffic.
How and why it happens
Consider the IP address on your laptop. It’s handed out of a block of addresses to your laptop by your company’s network devices. Your company’s ISP announces that block of addresses (a ‘route’) to the 60,000 telecom, enterprise, government, and education organizations networks that connect in a hierarchical mesh of routers and fiber, and *are* the Internet.
Each of those 60K Internet node organizations has a unique identifier called an “Autonomous System Number” (ASN), and uses the Internet standard Border Gateway Protocol (BGP), to announce routes to the rest of the Internet.
What happens when someone accidentally mis-configures one of their routers to announce another company’s routes? The victim company’s Internet traffic can become “black-holed.” This actually happens on a regular basis. Sometimes whole countries at the periphery of the Internet are taken offline accidentally.
And this has happened since the early days of the commercial Internet. The reason: there is no authoritative list of who is allowed to announce which Internet routes.
What if It’s not a mistake?
If you’re someone like me who personally owns an ASN and announces routes from your house, you could theoretically steal the traffic from a corporate network by announcing or ‘hijacking’ that network’s routes with malice, or accidentally with a typo.
Route hijacking can form one basis for what’s called a “man in the middle” attack. That ill-gotten traffic flows into the attacker’s network, and then they can create traffic “tunnels” to remote ISP(s) so that it keeps flowing to and fro on the Internet. Then, it’s technically feasible to set up servers to insinuate themselves into every email, and hack into traffic sessions — even, in some cases, secure HTTP. Or, to proxy email with a server that refuses to accept encrypted communication sessions.
Dig deeper: Download Kentik’s whitepaper, “Big-Data SaaS Network Visibility.”
The difference between phone #s and routes
In my last article, I mentioned how confusing it would be if you could have no reasonable expectation that the caller ID phone number showing up on your smartphone was who you expected it to be. Some readers may have thought that I was implying that you couldn’t forge or “spoof” caller ID. It certainly is possible — I wasn’t implying otherwise.
But with phone numbers, at least you know which company is supposed to be responsible for maintaining the integrity of that caller ID — down to the individual numbers. And those companies are much more responsive, even internationally, than many ISPs. So much so that there are businesses like Neustar that operate number portability services based on a standardized process for finding out who owns and manages phone numbers.
On the Internet that’s not the case. Back in the early days of the Internet, there was an attempt to establish routing “registries”. But since they were never mandatory, the data wasn’t fully reliable and not many ISPs used them.
Today, some providers require their customers to enter their routes into a routing registry. Many actually configure their network devices to enforce these registrations. Even without live enforcement, this can work for validating routes from their customers.
But for many wholesale providers, and for many providers in countries at “the fringe,” routing registration often becomes a point of business friction and competitive disadvantage. When you’re selling Internet bandwidth to other providers, or even more so, when you’re trading Internet bandwidth with huge provider organizations, routing registration is not universally done. And without a universal and accurate registry, there’s simply no way to keep up with the continuous changes on the Internet.
Further, while many providers do enforce restrictions on routes heard from their customers, almost no large networks enforce them down to the route level on their “peers” — the ten to hundreds of other networks that every large network needs and/or chooses to connect to to get to those peer networks’ customers, and thus provide complete Internet connectivity.
So in practice, it’s not nearly as hard as it should be to find a large commercial Internet provider that will take un-filtered routes.
Solved but not attempted
It used to be a chicken and the egg problem — routing registries weren’t used because they weren’t accurate, which made them not used, which made them inaccurate.
That doesn’t mean there isn’t now a technical answer to this problem, however. An organization called IANA hands out all the address blocks. It’s the source of truth on who owns which route. In the 90’s there was a proposal called S-BGP which used public key cryptography to authenticate route announcements from regional “registries” that get large address blocks from IANA. The problem was that the CPU’s in routers in the 1990’s were so weak that it just didn’t work, and much of the Internet engineering community wasn’t interested.
But today CPU’s are way faster, and there is a new protocol called RPKI which shares many of the same ideas as S-BGP. It would take real effort, but if fully deployed, it would make all routing announcements trustworthy. There’s been a real effort to support RPKI — in particular, the regional registries are actively working to help with education and infrastructure to support RPKI.
So if this is such a problem, why haven’t we seen more malicious targeting of specific companies by these internet routing attacks? Well, first of all, it’s already possible to detect almost all instances of route hijacking that affects user traffic. However, I think there’s more at play here.
My personal theory is that criminals don’t want to foul their own nest. Yes, you could destroy the Internet every day, but then you wouldn’t be able to make as much money as doing spam, getting bitcoin ransom payments from DDoS attacks, or stealing credit cards and federal government IDs. In short, other attacks get a higher ROI. But that doesn’t mean malicious route theft couldn’t become a more regular part of the Internet landscape.
How can you protect your organization? Ask your Internet provider what their policy is for registering routes. Make sure it meets your business continuity needs. If these kinds of attacks start happening, the default assumption among providers might be to stop accepting some or all routes from their peer networks that don’t do any validation, which would, at the least, be disruptive to your Internet connectivity. Is at least one of your providers well-connected and well-engineered enough that the likelihood of that happening is very low?
And coming back to my big question from the beginning of this post, how much would that matter to you?
Avi Freedman is CEO of Kentik.
Sponsored posts are content that has been produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. The content of news stories produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact email@example.com.