Border Gateway Protocol (BGP), the high-level routing protocol that figures out how to route packets between ISPs and other large Internet entities, has been seeing a lot of press recently. While BGP is vitally important to the Internet, it's not often talked about in the mainstream press. However, two rather interesting security-related issues have come up in the past few weeks.
First, there has been a lot of attention on the BGP hijacking attack demonstrated at DEFCON 16 last month. It has long been known in network operations circles that nothing inherent in BGP prevents a rogue actor from announcing IP space they don't own. Until recently this attack has been seen as useful mostly for denial of service. This is because once a rogue actor starts announcing the target's IP space, they start receiving all traffic destined for the target, which makes it very obvious to the target that something bad is going on. It is also easy to trace the bad actor because BGP records the path a route announcement took, including its point of origin.
However, Alex Pilosov and Tony Kapela's DEFCON presentation revealed a way to intercept traffic and then route it back to the target. As the victim continues to receive their normal traffic, there is no reason for them to suspect that something malicious is afoot. They also suggested ways to alter the TTL on diagnostic packets to cloak the hijacked route from traceroute and similar IP-layer utilities. This means that the target would have to examine BGP tables to discover that their traffic has been hijacked. As most organizations don't directly use BGP, this results in a pretty stealthy attack.
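Since examining BGP tables is the only reliable way to spot this, here is an added example (not from the original post or the DEFCON talk) of the kind of check a prefix owner can run over a route-collector dump: it flags a wrong origin AS, a more-specific announcement covering one of your prefixes, and a route that carries your correct origin AS but arrives through an upstream you don't use. The prefixes, AS numbers and the dump format (prefix followed by the AS path) are constructed assumptions.

```python
import ipaddress

# Constructed sample values (not real allocations): prefixes this organisation
# originates, the AS that should originate them, and the upstreams it uses.
MONITORED = {ipaddress.ip_network("203.0.113.0/24"): 64500}
UPSTREAMS = {64501, 64502}

def parse_route(line):
    """Parse 'prefix as1 as2 ... origin' (rightmost AS is the origin)."""
    prefix, *path = line.split()
    return ipaddress.ip_network(prefix), [int(asn) for asn in path]

def check_route(prefix, as_path):
    """Return (kind, prefix, as_path) for a suspicious route, else None."""
    for mine, origin in MONITORED.items():
        if prefix.version != mine.version or not prefix.subnet_of(mine):
            continue
        if prefix != mine:
            # Longest-prefix match wins: a more-specific we never announced
            # draws our traffic no matter who claims to originate it.
            return ("more_specific", prefix, as_path)
        if as_path[-1] != origin:
            return ("wrong_origin", prefix, as_path)
        if len(as_path) >= 2 and as_path[-2] not in UPSTREAMS:
            # Correct origin ASN but reached through a provider we do not use:
            # an origin-only check would miss a forged origin in the path.
            return ("unexpected_upstream", prefix, as_path)
    return None

def audit(feed):
    """Run every non-empty line of a routing-table dump through check_route."""
    findings = []
    for line in feed.splitlines():
        if line.strip():
            finding = check_route(*parse_route(line))
            if finding:
                findings.append(finding)
    return findings

# Constructed sample dump: one clean path, one wrong origin, one more-specific,
# one forged-origin path via an unknown upstream, and one unrelated prefix.
SAMPLE_FEED = """\
203.0.113.0/24 64496 64501 64500
203.0.113.0/24 64496 64510 64499
203.0.113.0/25 64496 64510
203.0.113.0/24 64496 64510 64500
198.51.100.0/24 64496 64511
"""

if __name__ == "__main__":
    for kind, prefix, path in audit(SAMPLE_FEED):
        print(f"{kind}: {prefix} via {' '.join(map(str, path))}")
```

In practice the feed would come from a looking glass or route collector seen from several vantage points, since a hijack may only be visible from part of the Internet.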
The other BGP-related issue in the news recently is the depeering of Atrivo. BGP is designed to connect networks administered by independent, autonomous groups. This requires each autonomous system (AS) to connect to various peers (including a kind of paid peering known as a transit link) to maintain connectivity. A white paper was recently released by Jart Armin describing a large amount of malicious activity on a service provider network known as Atrivo. This included details on how the malicious sites have lingered on the network for years, despite being reported to the Atrivo abuse department. That report has been publicized in a variety of places, including the Washington Post.
This spawned a discussion on the North American Network Operators' Group (NANOG) mailing list regarding Atrivo. A number of Atrivo's peers have severed their connections with them, making it more difficult for them to route traffic. Despite the large amount of information on the abuse coming from Atrivo's network, a number of network operators expressed concerns. These included worries that one man's malicious traffic is another man's censorship or copyrighted traffic, that this should be handled by law enforcement, that conspiring to keep the Internet clean may lead to legal liability, and an interesting discussion on whether providers should have to prove the cleanliness of their networks.