Stealing the Internet: Missing the Point

By stretch | Saturday, August 30, 2008 at 7:19 a.m. UTC
Cover slide from the presentation

By now you've probably heard of the Defcon presentation given recently by Anton Kapela and Alex Pilosov titled "Stealing The Internet - A Routed, Wide-area, Man in the Middle Attack." Their presentation illustrates the exploitation of a design vulnerability in BGP that has existed since the protocol's inception: if not properly filtered by his service provider, a customer can inject whatever routes he wishes into the global Internet routing table. Slides of the presentation are available on the Defcon website (PDF link).

This simple vulnerability is nothing new. Anyone familiar with the workings of BGP realizes the inherent flaws with implicitly trusted peerings such as BGP implements. People have been (accidentally and otherwise) injecting inappropriate routes now and then for as long as the Internet has been around. However, Kapela and Pilosov expand this concept of route hijacking to a full-blown man-in-the-middle attack with global reach. They demonstrate the ability to reroute traffic from one autonomous system to another as they please through a combination of route hijacking and AS prepending to force a return route to the intended destination, intercepting traffic without disrupting service. They also show how TTL modification can be used to obscure the results of a traceroute from the victim AS, further cloaking the attack. Wired has a good article covering the presentation, as well as some proposed solutions (aside from simply forcing ISPs into responsible action).
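As an added defender-side example (not from the post, and not code from Kapela and Pilosov's talk), the check below classifies received BGP announcements against a constructed table of authorized origin ASNs, in the spirit of a route-origin registry. It flags the two shapes the paragraph describes: a foreign origin announcing someone else's prefix, and, as a heuristic, the authorized origin ASN appearing in the path behind a stranger, which is one signature of a prepended path. Every prefix, ASN and the `AUTHORIZED` table are constructed documentation values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed authorized-origin table: prefix -> (origin ASN, longest allowed length).
# Documentation prefixes and private ASNs only; none of these are real networks.
AUTHORIZED = {
    "192.0.2.0/24": (64500, 24),
    "198.51.100.0/22": (64501, 24),
}

@dataclass
class Update:
    """One received announcement: prefix plus AS_PATH (rightmost ASN is the origin)."""
    prefix: str
    as_path: list

def classify(update, authorized=AUTHORIZED):
    """Return (verdict, detail) for one announcement against the authorized table."""
    net = ipaddress.ip_network(update.prefix, strict=False)
    origin = update.as_path[-1]
    covering = []
    for text, (asn, maxlen) in authorized.items():
        auth = ipaddress.ip_network(text)
        if auth.version == net.version and net.subnet_of(auth):
            covering.append((auth, asn, maxlen))
    if not covering:
        return "unknown", "no authorized entry covers %s" % update.prefix
    # Use the most specific covering entry, as the forwarding table would.
    auth, asn, maxlen = max(covering, key=lambda c: c[0].prefixlen)
    if origin != asn:
        # Core case from the talk: a foreign origin announcing someone else's space.
        # Heuristic: the rightful origin sitting mid-path behind a stranger is what
        # an AS-prepended hijack can look like; a normal path never has that shape.
        if asn in update.as_path:
            return "hijack", "origin AS%d, authorized AS%d appears mid-path" % (origin, asn)
        return "hijack", "origin AS%d, authorized AS%d" % (origin, asn)
    if net.prefixlen > maxlen:
        return "too-specific", "/%d exceeds max length /%d" % (net.prefixlen, maxlen)
    return "valid", "origin AS%d" % origin

def scan(updates, authorized=AUTHORIZED):
    """Run classify over a feed and return only announcements worth an alert."""
    alerts = []
    for u in updates:
        verdict, detail = classify(u, authorized)
        if verdict != "valid":
            alerts.append((u.prefix, verdict, detail))
    return alerts

# Constructed sample feed: clean route, prepended more-specific hijack from a
# foreign origin, over-long route from the rightful origin, unregistered prefix.
SAMPLE_FEED = [
    Update("192.0.2.0/24", [64510, 64500]),
    Update("198.51.100.0/24", [64512, 64501, 64666]),
    Update("198.51.100.0/25", [64510, 64501]),
    Update("203.0.113.0/24", [64510, 64520]),
]
```

Running `scan(SAMPLE_FEED)` yields three alerts (hijack, too-specific, unknown); the clean /24 is silent.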

After reading some of the general press covering their presentation and watching the back-and-forth on mailing lists, I find myself frustrated and disappointed by the response these guys have received. Here they've obviously put a tremendous amount of work into an informative, well-executed presentation, only to have it over-hyped by the ignorant outer circle and berated by the "informed" inner circle. The mainstream IT press, with a few exceptions, has concentrated on the long-known issue of route hijacking rather than the bulk of the presentation. Naturally, this provided plenty of fodder for the "I've known this forever!" trolls on industry forums, who of course are far too busy to bother reviewing the presentation itself. Many people have expressed their appreciation for the talk, but I feel the pair of speakers has had to endure a grossly disproportionate amount of misinformed criticism, even for a Defcon presentation.

The irony brought forth by people who gloat about having known of the vulnerability for years is that most have done little or nothing to improve the situation, for years. I know my opinion doesn't count for much, but I see this presentation as both interesting and serving the public interest. Obviously, the Internet routing structure needs to be improved, but no real progress can be made until people start talking about it in the terms presented here. Well done, gentlemen!

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Posted in Opinion


Lara Losi (guest)
August 30, 2008 at 7:41 a.m. UTC

Such a great article thanks

zlobb (guest)
August 30, 2008 at 11:30 p.m. UTC

I think the correct link to the pdf slide is here

August 31, 2008 at 7:20 a.m. UTC

Fixed the link in the article, thanks for the heads up!

as52340 (guest)
August 31, 2008 at 2:23 p.m. UTC

I don't think many people would attempt this attack because if they did get caught they would risk losing their peer / business relationship with their BGP neighbor. Even if you claimed it was an accident, it still looks pretty bad.

Ryan (guest)
September 1, 2008 at 12:20 p.m. UTC

If they get caught... if you're not cutting off communication, it is difficult to detect.

Eric (guest)
September 10, 2008 at 4:52 p.m. UTC

The movie/tv scenarios here are endless... Great article.

Jean-François Audenard (guest)
September 23, 2008 at 11:22 a.m. UTC

Hello. I wrote 2 posts explaining how the attack works. They may contain some errors as I'm not a network expert. Perhaps they'll be useful anyway. As they're written in French, use a translation tool such as Google to have them in English. Cheers, JF.
