You Can Help Make The Internet Safer And Faster

A New Tool Detects If Your ISP Has Implemented Route Hijacking Mitigations

RealWorldCyberSecurity
4 min read · Apr 19, 2020

The Internet runs on a protocol called BGP, which determines how your data is routed from your ISP to its destination, such as Apple or Netflix. However, BGP has no built-in way to verify that a route announcement is authorized, so in its default configuration it is subject to hijacking attacks. There are mitigations for such attacks, but your ISP must explicitly deploy them. A new tool from Cloudflare lets you check your ISP, and name and shame them if they haven’t implemented the appropriate fixes.

Introduction

The BGP protocol is a decades-old routing protocol that was never designed with security in mind. By default, route announcements are neither signed nor checked against any registry of who is authorized to originate a prefix. Any network that speaks BGP can therefore announce address space it does not own, and unless its neighbors (such as your ISP) filter that announcement, it lands in their routing tables. When false routing information is propagated this way, whether deliberately or through misconfiguration, it is referred to as a routing hijack (an accidental one is often called a route leak). [See note 1.]

There have been a large number of routing hijacks recently. Some have been accidental, but quite a few appear to be intentional. It has gotten so bad that the US is moving to bar China Telecom from providing service in the US, citing the large number of routing hijacks that have originated from its network. Whether those hijacks are intentional or not is a matter of dispute. But, deliberate or accidental, the results are the same.

So, what exactly is a routing hijack?

Let’s pretend you live in Denver, and your bank’s servers are in Charlotte. Normally, when you visit your bank’s website, your Internet traffic may route from your home, to your ISP in Denver, then on to Austin, Memphis, Nashville, Knoxville, and finally to Charlotte. And, the return trip from your bank’s servers to your house takes essentially the same path.

But, should your ISP’s routing tables be contaminated by a routing hijack, you could find that your connection to your bank now routes from your home, to your ISP, then to San Francisco, Shanghai, Beijing, Pudong, Hong Kong, Los Angeles, Phoenix, Austin, Memphis, Nashville, Knoxville, and finally to Charlotte.
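The mitigation the rest of this post asks you to check for is RPKI Route Origin Validation (ROV): a router compares each announcement against signed Route Origin Authorizations (ROAs) that say which Autonomous System may originate a prefix, and drops announcements that contradict them. The following is an added example, not code from the original post or from Cloudflare. It implements the RFC 6811 validation states and a router's longest-prefix-match selection, then runs the Denver-to-bank scenario above in miniature: the bank's network is AS64496, the hijacker is AS64511, and the prefixes are RFC 5737 documentation ranges (the scenario, ASNs and prefixes are constructed for illustration, not a real incident).

```python
from __future__ import annotations

# Added example (not the post's or Cloudflare's code): RPKI Route Origin
# Validation per RFC 6811, plus longest-prefix-match route selection, to show
# why an unfiltered ISP accepts a hijack and what the mitigation actually does.
# Prefixes are RFC 5737 documentation ranges and ASNs are RFC 5398
# documentation ASNs; the whole scenario is constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_asn may announce prefix and any
    more-specific of it down to max_length bits."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_asn: int


@dataclass(frozen=True)
class Route:
    """A BGP announcement as the ISP sees it: a prefix and the AS originating it."""
    prefix: ipaddress.IPv4Network
    origin_asn: int


def route(prefix: str, origin_asn: int) -> Route:
    """Convenience constructor from a prefix string."""
    return Route(ipaddress.ip_network(prefix), origin_asn)


def rov_state(r: Route, roas: list[ROA]) -> str:
    """Classify a route per RFC 6811: 'valid', 'invalid' or 'not-found'."""
    covering = [roa for roa in roas if r.prefix.subnet_of(roa.prefix)]
    if not covering:
        return "not-found"        # no ROA covers this prefix; RPKI says nothing
    for roa in covering:
        if roa.origin_asn == r.origin_asn and r.prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"              # covered, but wrong origin AS or too specific


def best_route(dest: str, rib: list[Route]) -> Route | None:
    """Longest-prefix match, as a router does it: the most specific route wins."""
    ip = ipaddress.ip_address(dest)
    candidates = [r for r in rib if ip in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def apply_rov(rib: list[Route], roas: list[ROA]) -> list[Route]:
    """What a mitigating ISP does: drop RPKI-invalid routes before selection.
    'not-found' routes are kept, since most prefixes still have no ROA."""
    return [r for r in rib if rov_state(r, roas) != "invalid"]


# --- constructed scenario ---------------------------------------------------
BANK_AS, HIJACKER_AS, OTHER_AS = 64496, 64511, 64500
ROAS = [ROA(ipaddress.ip_network("192.0.2.0/24"), 24, BANK_AS)]

RIB = [
    route("192.0.2.0/24", BANK_AS),        # the bank's legitimate announcement
    route("192.0.2.0/25", HIJACKER_AS),    # more-specific hijack of half the block
    route("198.51.100.0/24", OTHER_AS),    # unrelated prefix with no ROA at all
]


def who_gets_bank_traffic(dest: str = "192.0.2.10") -> dict[str, int]:
    """Origin AS that receives traffic for one bank address, with and without ROV."""
    return {
        "without_rov": best_route(dest, RIB).origin_asn,
        "with_rov": best_route(dest, apply_rov(RIB, ROAS)).origin_asn,
    }


if __name__ == "__main__":
    for r in RIB:
        print(f"{r.prefix} from AS{r.origin_asn}: {rov_state(r, ROAS)}")
    print(who_gets_bank_traffic())   # {'without_rov': 64511, 'with_rov': 64496}
```

Without ROV the hijacker's /25 wins on longest-prefix match and the bank's traffic goes to AS64511; with ROV the /25 is rejected as invalid and the bank's own /24 carries the traffic. Two caveats a practitioner should keep in mind: ROV only checks the origin AS, so an attacker who forges the path to end in the legitimate origin ASN passes it (that is what path validation schemes such as ASPA and BGPsec target), and it only protects prefixes whose owners have published ROAs, which is why the validator keeps "not-found" routes.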

Why is route hijacking a problem?

The first sign that routing may have been hijacked is that everything suddenly slows to a crawl. Instead of a connection covering a one-way distance of less than fifteen-hundred miles, as in the above example, it is now traveling a distance closer to fifteen-thousand miles! That means the round-trip time to your bank is roughly ten times longer, and every page load and TLS handshake has to wait out several of those round trips.

But that’s not the most serious problem. The greater concern is that Internet traffic is now being routed through a country many in the US consider hostile. With the traffic now flowing through that country’s Internet infrastructure, all of it can be recorded and inspected in great detail. All unencrypted traffic will be fully visible. Encrypted traffic is harder to read but not necessarily safe: whoever controls the path can attempt to intercept and decrypt it on the fly (what is called a Man-In-The-Middle [MITM] attack), and a hijacker who temporarily holds your bank’s addresses can also answer a certificate authority’s domain-validation check and obtain a legitimate certificate for the bank’s name, which makes such a MITM invisible to your browser. Encrypted traffic that can’t be decrypted on the fly may be stored for offline attacks or traffic pattern analysis.

Regardless of what occurs to the malrouted traffic, nothing good is going to happen.

For example, let’s say that a traffic pattern analysis determines that a given IP address is visiting a website for cheating spouses. A little additional intelligence collection determines that the IP address is that of a defense contractor executive. This knowledge then creates an opportunity for espionage, such as a honey trap.

The intelligence an adversary can collect by intercepting its opponent’s Internet traffic is virtually limitless.

Now, I’m not accusing China of espionage! I am only stating that espionage would be possible under a routing hijack.

What You Can Do

Route hijacking is not just a US problem; it’s an issue worldwide. So, everyone anywhere has a part they can play, by naming and shaming their ISP if it is susceptible to route hijacking. Bad publicity from public pressure will do more to fix this problem than all the industry clout combined. Thus, please do your part. Here’s how.

The CDN and DDoS-mitigation provider Cloudflare has created a website that does a quick check of your ISP to determine whether it has implemented route hijacking mitigations, specifically RPKI Route Origin Validation, which lets a router reject announcements whose origin network is not authorized for the prefix. Their blog post explaining the effort is titled “Is BGP Safe Yet? No. But we are tracking it carefully,” and the tool itself is Is BGP safe yet? at isbgpsafeyet.com. [2] The test works by having your browser fetch a resource from an address Cloudflare announces with a valid authorization and another from an address it announces with a deliberately invalid one; if both fetches succeed, your ISP is not filtering invalid routes.

The tool is easy to use: Simply click on the “Test your ISP” box. If your ISP fails, you will receive a result such as this:

@WOW Fails BGP Route Hijacking Mitigation Test
@WOW Fails Routing Hijack Mitigation Test for AS 12083

Then, post the results (a screenshot) to your ISP’s support Facebook page, Twitter feed, or wherever else they have a public presence, and ask when they are going to fix their problem. It’s that easy!

The privacy you protect may be your own. You may also be protecting your entire nation’s security in the process.

I have enabled responses for this posting. Test your ISP and post your results there!

Summary

ISPs have the tools they need to protect against BGP routing hijacks. But, it takes effort on their part to deploy those tools, an effort many of them have so far been unwilling to make.

Every user can easily check if their ISP has implemented these mitigations. If they haven’t, they should be publicly embarrassed into doing so. It is both a matter of network performance and national security for them to make this effort.

Notes

  1. BGP: Border Gateway Protocol — The protocol networks use to tell each other which IP address blocks (prefixes) they can reach and through which networks. Each network is an Autonomous System, identified by an Autonomous System Number (ASN), and a BGP route names the AS that claims to originate the prefix.
    ISP: Internet Service Provider — The company which provides your Internet connection (in the US: Comcast, AT&T, CenturyLink, WOW, etc.).
  2. CDN: Content Delivery Network
    DDoS: Distributed Denial of Service

Please check out my Blog Introduction and Index to find other postings about what we are doing wrong in security and how we need to fix it.
