As someone who works in technology, but has only a cursory understanding of BGP, I find BGP's trust mechanism flabbergasting. Would anyone like to explain why it remains the preferred protocol and what improvements are in the works to mitigate the effect of these sort of hijacks?
>What improvements are in the works to mitigate the effect of these sort of hijacks?
I happen to have published research in this area[0]. There are two systems being developed to secure BGP.
The first is the RPKI which aims to provide a Public Key Infrastructure to attest to the origination of IP addresses. To grossly oversimplify it: everyone would get a certificate that says "AS X is allowed to originate IP prefix Y". Many routers already support the RPKI[1] and the RPKI is currently undergoing deployment[2], but it should take some time before operators begin using it to make routing decisions. Once used the RPKI offers substantial security benefits[3].
The second protocol is BGPSEC, which is designed to secure routing paths. It will use the RPKI as its foundation.
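As an added illustration of the origin validation the comment above describes (this is example code written for this page, not the commenter's research code or any router's implementation), here is RFC 6811 route origin validation against a set of ROAs. The ROAs, prefixes and ASNs are constructed sample values (documentation prefixes, private-use ASNs), not real RPKI contents.

```python
# Added example (not from the thread): RFC 6811 route origin validation of a
# BGP announcement against ROAs, the "AS X may originate prefix Y" records
# the RPKI carries. ROAs and announcements are constructed sample data.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # authorised prefix, e.g. "203.0.113.0/24"
    max_length: int   # longest prefix length the holder allows to be announced
    asn: int          # authorised origin AS; 0 is an AS0 ROA ("nobody may originate")


# Constructed sample ROAs.
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64501),   # holder allows /22 .. /24 announcements
    ROA("192.0.2.0/24", 24, 0),          # AS0 ROA: this space should never be routed
]


def covering_roas(roas, prefix):
    """ROAs whose prefix equals or contains the announced prefix."""
    p = ipaddress.ip_network(prefix)
    out = []
    for roa in roas:
        r = ipaddress.ip_network(roa.prefix)
        if r.version == p.version and p.subnet_of(r):
            out.append(roa)
    return out


def validate(roas, prefix, origin_asn):
    """Return 'valid', 'invalid' or 'notfound' (RFC 6811 section 2)."""
    p = ipaddress.ip_network(prefix)
    covering = covering_roas(roas, prefix)
    if not covering:
        return "notfound"          # no ROA says anything about this space
    for roa in covering:
        # AS0 ROAs never match a real origin, so AS0-only space is Invalid.
        if roa.asn != 0 and roa.asn == origin_asn and p.prefixlen <= roa.max_length:
            return "valid"         # one matching ROA is enough
    return "invalid"               # covered, but no ROA matches origin and length


def accept(roas, prefix, origin_asn):
    """Typical deployment policy: drop Invalid, keep Valid and NotFound.
    NotFound has to stay accepted while most of the table has no ROA yet."""
    return validate(roas, prefix, origin_asn) != "invalid"
```

Two things worth noticing when running it: a more-specific announced past the ROA's maxLength (203.0.113.0/25 from the legitimate AS64500) is Invalid, which is exactly the sub-prefix hijack case, while a less-specific with no covering ROA (203.0.112.0/23) is only NotFound and still gets accepted under the usual policy.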
Would anyone like to explain why it remains the preferred protocol
Legacy.
BGP is a policy mechanism and sometimes the policies are either misconfigured or we can't trust hostile actors with access to wide open Internet (e.g. backwards countries null routing all of YouTube because censorship and it propagates outwards instead of inwards).
In most cases, if you are talking BGP to your ISP, your ISP filters your BGP traffic to only allow specific routes you can claim ownership of to be updated. Normally, non-infrastructure-level villains can't do bad BGP things if they have responsible upstream ISPs doing filtering correctly (kill you on flapping, kill routes you shouldn't be originating, etc). But, as we've seen with ISPs not even verifying UDP source address spoofing that allows you to generate multi-hundred-gigabit DDoS attacks, many ISPs are still run by morons.
BGP is also the magic behind anycast since you can intentionally duplicate any routes with no oversight (besides any upstream filtering in place).
what improvements are in the works
Good luck upgrading every embedded peering router in the world?
The goal of the Internet is no central point of failure. The downside (from a regulating abuse perspective) is there's no central point of authority either.
SMTP had the problem where any node on the Internet could send email for any other node on the Internet creating a game of N^2 whack-a-relay.
To even get access to the core Internet BGP peering infrastructure you have to be at the upper levels of ISP connectivity to start with. So, in the US at least, that requires maybe dropping a few thousand dollars and having Official Contacts first before you're even in the game of getting your own BGP peering arrangement.
If you are an intentional bad actor with bad actor connections like these awful Italian hacker people then the only solution is after-the-fact punishment. The same goes if you are a country-level ISP (or any ISP part of the "core" Internet with no further upstream provider) and want to be a bad actor, then there's no oversight except when the rest of the world's network administrators come together after seeing your malicious behavior and collectively say essentially "don't let Pakistan advertise any AS for Google properties."
(alternative answer: the internet should be based on the blockchain! Imagine if every network administrator had to get on /r/InternetBackbone at the same time to agree to shut down the Internet for 20 minutes so they can all deploy a bugfix to core-internet.exe. "uh oh, we accidentally forked the Internet again.")
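To make the "responsible upstream ISP doing filtering correctly" point above concrete, here is an added example (written for this page, not any ISP's real policy) that models the ingress checks an upstream applies to a customer BGP session: only the customer's registered space, no more-specifics past /24, no bogons, the customer's own ASN as the first hop, no loop through the upstream's ASN, a max-prefix cap, and a simplified count-based stand-in for flap damping. The ASNs, prefixes and update sequence are constructed sample values.

```python
# Added example (not from the thread): a model of a responsible upstream's
# customer-facing ingress policy. AS64500 is the constructed customer and
# AS64496 the constructed upstream; prefixes are documentation space.
import ipaddress

# Constructed bogon list. Documentation prefixes are deliberately left out
# because they are used as the sample customer space below.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


class CustomerSession:
    """Ingress filter state for one customer peering session."""

    def __init__(self, customer_asn, upstream_asn, allowed_prefixes,
                 max_len=24, max_prefix=50, flap_limit=3):
        self.customer_asn = customer_asn
        self.upstream_asn = upstream_asn
        self.allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
        self.max_len = max_len          # no more-specifics than this
        self.max_prefix = max_prefix    # session max-prefix limit
        self.flap_limit = flap_limit    # withdrawals tolerated before suppression
        self.accepted = {}              # prefix -> AS path currently installed
        self.flaps = {}                 # prefix -> withdrawals seen
        self.suppressed = set()

    def announce(self, prefix, as_path):
        """Return 'accept' or 'reject: <reason>' for one announcement."""
        p = ipaddress.ip_network(prefix)
        if p.prefixlen == 0:
            return "reject: default route"
        if p.prefixlen > self.max_len:
            return f"reject: more specific than /{self.max_len}"
        if any(p.version == b.version and p.subnet_of(b) for b in BOGONS):
            return "reject: bogon"
        if not as_path or as_path[0] != self.customer_asn:
            return "reject: first hop is not the customer ASN"
        if self.upstream_asn in as_path:
            return "reject: our own ASN in the path"
        if not any(p.version == a.version and p.subnet_of(a) for a in self.allowed):
            return "reject: not in the customer's registered space"
        if p in self.suppressed:
            return "reject: suppressed for flapping"
        if p not in self.accepted and len(self.accepted) >= self.max_prefix:
            return "reject: max-prefix exceeded (session would be torn down)"
        self.accepted[p] = tuple(as_path)
        return "accept"

    def withdraw(self, prefix):
        """Simplified flap handling: suppress a prefix withdrawn too often."""
        p = ipaddress.ip_network(prefix)
        if self.accepted.pop(p, None) is None:
            return "ignored: not installed"
        self.flaps[p] = self.flaps.get(p, 0) + 1
        if self.flaps[p] >= self.flap_limit:
            self.suppressed.add(p)
            return "withdrawn: now suppressed"
        return "withdrawn"


def run_sample():
    """Constructed update sequence from customer AS64500 to upstream AS64496."""
    s = CustomerSession(64500, 64496, ["203.0.113.0/24", "198.51.100.0/22"])
    log = [
        ("A", "203.0.113.0/24", [64500]),            # accept
        ("A", "198.51.100.0/23", [64500, 64501]),    # accept: customer's own customer behind it
        ("A", "198.51.100.0/25", [64500]),           # reject: too specific
        ("A", "192.0.2.0/24", [64500]),              # reject: not the customer's space (hijack)
        ("A", "203.0.113.0/24", [64502, 64500]),     # reject: first hop is not the customer
        ("A", "10.0.0.0/8", [64500]),                # reject: bogon
        ("A", "203.0.113.0/24", [64500, 64496]),     # reject: upstream's own ASN in path
        ("W", "203.0.113.0/24", None), ("A", "203.0.113.0/24", [64500]),
        ("W", "203.0.113.0/24", None), ("A", "203.0.113.0/24", [64500]),
        ("W", "203.0.113.0/24", None), ("A", "203.0.113.0/24", [64500]),  # flap limit hit
    ]
    results = []
    for kind, prefix, path in log:
        results.append(s.announce(prefix, path) if kind == "A" else s.withdraw(prefix))
    return results


if __name__ == "__main__":
    for r in run_sample():
        print(r)
```

The sample log is the interesting part: the fourth update is a hijack of space the customer does not hold, and with the "filtering completely removed" arrangement described further down the thread that announcement would simply go through.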
It would absolutely be possible to have a functioning decentralized protocol. Look at the efforts like cjdns and snow. With the addition of some kind of lightweight payment ledger, you might be able to eliminate ISPs and switch to a model where people "mine bandwidth", generating revenue by switching on networking equipment running the protocol. Not saying it's easy, of course.
AFAIK, there is no alternate routing protocol in wide use to switch to. The problem isn't actually with the protocol, which seems to be a reasonable way to advertise routes.
The problem is how do you know which routes you should trust. Most ISPs should have a reasonable idea of what netblocks most of their customers should be advertising and should be filtering there; but between large ISPs, I don't think there's a reasonable way to determine if you should trust a given advertisement for a small block. The owner could have gotten alternate transit, or sold the block, or many other things.
BGP is a mess, but the real problem is the underlying policy. No matter how good the routing protocol is, it's going to be hamstrung by the complexity of who's supposed to announce for what, and how often that changes.
BGP's transitive trust mechanism involves 2 parties: the router making an "announcement" or "withdrawal" and the router "accepting" or "origin validating" these. If one of the parties announces a false/hijacked route to its upstreams it could have an adverse effect on the entire Internet routing table.
BGP itself is a path vector protocol (it came from standard and vetted graph theory algorithms) and therefore, for the scalability of the Internet prefixes, works perfectly with many network devices talking the standard protocol.
Work has always been done within the IETF wg on BGP attributes that the protocol carries for many use-cases, and so far BGP has been the preferable choice for many networks, both within an AS and outside an AS (Autonomous System).
You wouldn't want the Internet to be controlled by a central authority, that is an absolute NO - at the same time - you have to work together to make sure the "global routing table" or the "default free zone" is not polluted with unnecessary updates and churn, and to oversee misbehavior from other ASes.
I believe with so many disparate organizations and networks around the world - we could not have built a common talking "language"/"protocol" without having accountability into it and constantly monitoring it.
Everyone should just blackhole any traffic to and from the Aruba ISP. They have failed to maintain the trust relationship needed at high-tier ISPs and should no longer be operational.
Can somebody explain how they got the police to help them?
"You remember the RAT we sold you? Yea... That's broken because ... Help us or people might notice." If that's it.. Wow. This whole story gets more fishy by the minute.
I'm not surprised, in Italy the Mafia blew up or assassinated prosecutors and lawyers threatening them. In countries where the government is not the law, anything can happen with the right sized envelopes of cash.
You can take over other providers' IP space by announcing their IPs via BGP from well connected high ranked tier ISPs, but just because you can do one thing does not mean you should exercise it.
The Internet was built on the premise that you can trust other organisations such as good willed universities; it was not built for a landscape of internet crime and state sponsored hackers.
BGP and central certificate authorities are flawed in principle and in this sense. It's very easy to create fake certificates for big organisations if you have the power of a state.
DigiNotar is such an epic fail of a CA which shows exactly why you cannot trust central trust when there are state hackers at work.
So you either hijack BGP, DNS or a central certificate authority, then you steal people's cookies. Since most do not use two factor authentication that is enough to take ownership of their email accounts. Once the email accounts are compromised all other accounts can be compromised through password resets.
This is pretty crazy. I wonder how the route hijack didn't get noticed by anyone at the time, though? Or at least if someone did notice, they didn't make a fuss about it.
as long as they continue to route traffic out to the real destination.. who would notice latency jump from 50ms to say.. 120ms? I don't know if they did this, but you could absolutely be covert about this, and be nearly transparent to the victim.
I do not understand this. We recently had to change our announcement to upstream ISPs from /23 to /22 and our ISPs verified with ARIN that the entire /22 belonged to us, before changing their filters. Also, there's the RADb database.
I used to work at a spam company and we did this and similar techniques.
One similar technique was we basically created our own fake ISPs, disguised as rural wireless Internet providers. Paid yearly ARIN fees, had our own /20 blocks of IP space allocated, etc. We specifically requested IP filtering completely removed from our peering connection with major upstream/backbone ISPs. They did so without question. This allowed us to source route any IP out to the Internet. Then, we would purchase large blocks of IPs (a couple of /20s a month) from Romania and Argentina. We would create GRE tunnels over to RO and route them back to the US. It's been years since I was involved so my memory of the technical details is hazy now...
Not getting listed on Spamhaus was a constant battle. One time our network engineer made a huge mistake by announcing 15-20 /20 blocks registered with RIPE out of the US ASN. Spamhaus apparently automatically scans for this type of suspicious behavior and flagged like 20,000 IPs.
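The automatic scan the last comment describes (RIPE-registered blocks suddenly originated from an ARIN-registered ASN) and the "how did nobody notice the hijack" question further up are both cases of the same kind of monitoring: compare what the routing table says against what the registries and a baseline say. Here is an added example of that heuristic (example code written for this page, not Spamhaus's or anyone else's actual scanner). The registry tables, the expected-origin baseline and the update lines in a simplified "A|prefix|as-path" format are all constructed sample data, not a real feed or real registry contents, and an RIR mismatch is only a signal, not proof of abuse (transfers and multi-region networks produce legitimate ones).

```python
# Added example (not from the thread): heuristic scan over BGP updates for
# (a) a prefix registered with one RIR being originated by an ASN registered
# with another and (b) a prefix, or a more-specific of it, showing up from an
# origin other than its usual one. All data below is constructed.
import ipaddress

# Constructed allocation registry: which RIR allocated which block.
PREFIX_RIR = {
    "203.0.113.0/24": "ARIN",
    "198.51.100.0/22": "RIPE",
    "192.0.2.0/24": "LACNIC",
}

# Constructed ASN registry.
ASN_RIR = {64500: "ARIN", 64510: "RIPE", 64520: "LACNIC"}

# Constructed baseline of which AS normally originates each block.
EXPECTED_ORIGIN = {"203.0.113.0/24": 64500, "198.51.100.0/22": 64510}

# Constructed update lines: kind|prefix|space-separated AS path ("W" = withdrawal).
SAMPLE = [
    "A|203.0.113.0/24|64496 64500",    # normal: ARIN block, ARIN origin
    "A|198.51.100.0/22|64496 64500",   # RIPE block from an ARIN ASN, wrong origin
    "A|198.51.100.0/24|64496 64520",   # more-specific from a LACNIC ASN
    "A|192.0.2.0/24|64496 64520",      # LACNIC block, LACNIC origin, no baseline
    "W|203.0.113.0/24|",               # withdrawal: nothing to check
    "A|203.0.113.0/24|64496 64599",    # origin ASN unknown to the registry
]


def parse_update(line):
    kind, prefix, path = line.strip().split("|")
    as_path = [int(a) for a in path.split()] if path else []
    return kind, ipaddress.ip_network(prefix), as_path


def registered_block(prefix):
    """Longest registered allocation covering prefix, or None."""
    best = None
    for block in PREFIX_RIR:
        b = ipaddress.ip_network(block)
        if b.version == prefix.version and prefix.subnet_of(b):
            if best is None or b.prefixlen > best.prefixlen:
                best = b
    return best


def scan(lines):
    """Return (prefix, origin_asn, reason) findings for suspicious announcements."""
    findings = []
    for line in lines:
        kind, prefix, as_path = parse_update(line)
        if kind != "A" or not as_path:
            continue
        origin = as_path[-1]          # the last AS in the path originated the route
        block = registered_block(prefix)
        if block is None:
            findings.append((str(prefix), origin, "unallocated or unknown space"))
            continue
        prefix_rir = PREFIX_RIR[str(block)]
        asn_rir = ASN_RIR.get(origin)
        if asn_rir is None:
            findings.append((str(prefix), origin, "origin ASN not in registry"))
        elif asn_rir != prefix_rir:
            findings.append((str(prefix), origin,
                             f"{prefix_rir} block originated by {asn_rir} ASN"))
        expected = EXPECTED_ORIGIN.get(str(block))
        if expected is not None and origin != expected:
            what = "more-specific" if prefix != block else "prefix"
            findings.append((str(prefix), origin,
                             f"{what} of {block} normally originated by AS{expected}"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

The more-specific case is the one that matters for the "nobody noticed" question: a /24 carved out of someone else's /22 wins on longest match everywhere, so only a monitor comparing against a baseline (or RPKI maxLength) sees anything wrong while traffic keeps flowing.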