BGP in the News

Tuesday, September 16th, 2008

Border Gateway Protocol (BGP), the high level routing protocol that figures out how to route packets between ISPs and other large Internet entities, has been seeing a lot of press recently. While BGP is vitally important to the Internet, it’s not often talked about in the mainstream press. However, two rather interesting security related issues have come up in the past few weeks.

First, there has been a lot of attention on the BGP hijacking attack demonstrated at DEFCON 16 last month. It has long been known in network operations circles that nothing inherent in BGP prevents a rogue actor from announcing IP space they don’t own. Until recently this attack has been seen as useful mostly for denial of service. This is because once a rogue actor starts announcing the target’s IP space, they start receiving all traffic destined for the target. This makes it very obvious to the target that something bad is going on. It is also easy to trace the bad actor because BGP records the path a route announcement took, including its point of origin.

However, Alex Pilosov and Tony Kapela’s DefCon presentation revealed a way to intercept traffic and then route it back to the target. As the victim continues to receive their normal traffic, there is no reason for them to suspect that something malicious is afoot. They also suggested ways to alter the TTL on diagnostic packets to cloak the hijacked route from traceroute and similar IP layer utilities. This means that the target would have to examine BGP tables to discover that their traffic has been hijacked. As most organizations don’t directly use BGP, this results in a pretty stealthy attack.
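The post says the only reliable way for a target to notice this kind of hijack is to examine BGP tables. The following is an added example, not code from SecureWorks or from the DEFCON talk, of what that examination looks like in practice: a small check that compares a set of observed routes (say, from a route collector dump) against the prefixes and origin ASN an organization actually announces, and flags two of the signs the post describes, a prefix of ours announced with a foreign origin AS, and an unexpected more-specific announcement, which wins in the forwarding table no matter who originated it. The route table, the prefixes (TEST-NET blocks) and the ASNs (the RFC 5398 documentation range) are all constructed sample values.

```python
"""Flag BGP announcements that conflict with what our network actually originates.

Added example (not SecureWorks code). Inputs are constructed: prefixes come from
the TEST-NET documentation blocks and ASNs from the RFC 5398 documentation range.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Route:
    """One entry as seen in a BGP table or route-collector dump (constructed)."""
    prefix: str
    # AS path as BGP records it: leftmost is the neighbour we heard it from,
    # rightmost is the AS that originated the announcement.
    as_path: Tuple[int, ...]


def origin_as(route: Route) -> int:
    """BGP records the path an announcement took; the last AS is its origin."""
    return route.as_path[-1]


def find_hijacks(routes: List[Route], expected: Dict[str, int]) -> List[Tuple[Route, str, str]]:
    """Compare observed routes with the prefixes we expect to originate ourselves.

    expected maps each prefix we announce to our own origin ASN.
    Returns (route, kind, detail) for every conflicting announcement, where kind is
    'origin-mismatch' (our exact prefix, someone else's origin AS) or
    'more-specific' (a longer prefix inside our block, from any origin).
    """
    owned = {ipaddress.ip_network(p): asn for p, asn in expected.items()}
    findings: List[Tuple[Route, str, str]] = []
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        origin = origin_as(r)
        for own_net, own_asn in owned.items():
            if net.version != own_net.version:
                continue  # subnet_of() does not compare IPv4 with IPv6
            if net == own_net:
                if origin != own_asn:
                    findings.append((r, "origin-mismatch",
                                     f"{r.prefix} originated by AS{origin}, expected AS{own_asn}"))
            elif net.subnet_of(own_net):
                # Longest-prefix match means this route attracts the traffic
                # for that slice of our block even if our own /24 is still visible.
                findings.append((r, "more-specific",
                                 f"{r.prefix} is inside {own_net}, originated by AS{origin}"))
    return findings


# Constructed: what our organization (AS64496) really announces.
EXPECTED_ORIGINS = {
    "198.51.100.0/24": 64496,
    "203.0.113.0/24": 64496,
}

# Constructed sample of routes observed at a collector peered with AS64500.
SAMPLE_TABLE = [
    Route("198.51.100.0/24", (64500, 64496)),          # legitimate, our origin
    Route("203.0.113.0/24", (64500, 64501, 64502)),    # our prefix, foreign origin
    Route("198.51.100.128/25", (64500, 64503)),        # more-specific inside our block
    Route("192.0.2.0/24", (64500, 64504)),             # unrelated prefix, ignored
]


if __name__ == "__main__":
    for route, kind, detail in find_hijacks(SAMPLE_TABLE, EXPECTED_ORIGINS):
        print(f"[{kind}] {detail}  (path {' '.join(map(str, route.as_path))})")
```

Run over the sample table this reports two findings: the 203.0.113.0/24 announcement with the wrong origin, and the 198.51.100.128/25 more-specific. The check deliberately ignores the path beyond the origin, since the post notes that an attacker can shape what the path looks like; the prefix-versus-origin comparison is the part the target controls the ground truth for.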

The other BGP related issue in the news recently is the depeering of Atrivo. BGP is designed to connect networks administered by independent, autonomous groups. This requires each autonomous system (AS) to connect to various peers (including a kind of paid peering known as a transit link - see this for more info) to maintain connectivity. A white paper was recently released by Jart Armin describing a large amount of malicious activity on a service provider network known as Atrivo. This included details on how the malicious sites have lingered on the network for years, despite being reported to the Atrivo abuse department. That report has been publicized in a variety of places, including the Washington Post.

This spawned a discussion on the North American Network Operators’ Group (NANOG) mailing list regarding Atrivo. A number of Atrivo’s peers have severed their connections with them, making it more difficult for them to route traffic. Despite the large amount of information on the abuse coming from Atrivo’s network, a number of network operators expressed concerns. These included worries that one man’s malicious traffic is another man’s censorship, concerns over copyrighted traffic, the view that this should be handled by law enforcement, the possibility that conspiring to keep the Internet clean may lead to legal liability, and an interesting discussion on whether providers should have to prove the cleanliness of their networks.

Black Hat Briefings 2008 / DEFCON 16: It’s a Wrap!

Tuesday, August 19th, 2008

Now that I’m back from Las Vegas and have had a week to dig out from under email and work tasks, I’d like to share a short post-con wrap-up.

The Black Hat Briefings 2008 were a good time. Just as important as the briefings, I had a lot of fun meeting new people, seeing old friends, and networking with others in the security community. Our industry is really based on trust and trusted relationships, so I always try and get out and mingle at the con.

Both of my DEFCON presentations seemed to be really well received. I was surprised with the large turnout Friday 10am for my web application firewall (WAF) talk, given that my slot was competing directly with the Dark Tangent’s annual DEFCON keynote and Joe “Kingpin” Grand’s talk on the making of this year’s badge. There were a few good questions, so at least someone was awake and paying attention.

My Friday afternoon talk on Snort plug-in development was very well attended. A group of Sourcefire employees were filling out the front row. They didn’t throw any rotten vegetables at me, so I figure I did alright.

Updated presentation materials should be getting posted to the DEFCON site soon. Here are links to the slides for my WAF talk, and slides for my Snort plug-in development talk. I’m busy adding to my Snort preprocessor for weak SSH2 Diffie-Hellman Group Key Exchange, and should be releasing some new code in the next few weeks.

Speaking at DEFCON 16

Monday, August 4th, 2008

I’ll be delivering two talks at DEFCON 16 in Las Vegas this Friday, August 8th. My first talk, The Wide World of WAFs, covers web application firewalls and some PCI DSS background. In my talk that afternoon, Snort Plug-in Development: Teaching an Old Pig New Tricks, I’ll be releasing GPL licensed Snort plug-ins for ActiveX control detection and for detecting OpenSSH clients and servers using a broken Debian OpenSSL PRNG.

I hope to see some of y’all out in Vegas!
