LAS VEGAS — There is no shortage of news around cybersecurity breaches. A dozen new major ones appear every week. Follow-up news stories around understanding the cause and patching the vulnerabilities have become routine.
But then there are those persistent security holes that just won't go away. The internet's core Domain Name System (DNS), for instance, is subject to several types of attacks, including denial of service and zero days.
The DNS system is not likely to change any day soon. Neither is the Border Gateway Protocol (BGP), the core function every internet router relies on to exchange routes. BGP forms the address book for internet traffic, and is designed to offer the fewest hops, that is, the fastest routes to a destination.
To exploit BGP, bad actors advertise IP address ranges they do not control, so that traffic for those addresses is directed to routers they operate. From there they can send the traffic to a black hole or pass it through other domains for more nefarious purposes.
That is likely what happened earlier this year when a large chunk of mobile traffic from Europe was routed through China Telecom. It was suspicious because the traffic had no business being routed through China's largest telecom company, and because the traffic took two hours to get back on course.
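One way a network operator watches for the kind of misrouting described above is to compare the BGP announcements it observes against a baseline of who is allowed to originate each prefix. The following is an added example, not code from the article or from anyone quoted in it; the baseline, the announcements and the AS numbers are constructed (documentation address ranges from RFC 5737, private ASNs from RFC 6996), and the "unexpected transit" list is a hypothetical watch list. Routers prefer the most specific matching prefix, so an unauthorised announcement of a smaller block inside a legitimate one is checked for as well as a straight origin mismatch.

```python
"""Flag BGP announcements that disagree with an expected-origin baseline.

Added example with constructed data. The baseline is the sort of information a
routing registry holds: which AS numbers may originate which prefixes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Announcement:
    prefix: str               # e.g. "203.0.113.0/24"
    origin_as: int            # last ASN in the AS path, the claimed owner
    as_path: Tuple[int, ...]  # full path, nearest neighbour first, origin last


# Constructed baseline (RFC 5737 documentation ranges, RFC 6996 private ASNs).
EXPECTED_ORIGINS: Dict[str, Set[int]] = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/24": {64501, 64502},   # legitimately multi-homed
}

# Hypothetical watch list: ASNs that should never carry traffic for our prefixes.
UNEXPECTED_TRANSIT: Set[int] = {64510}


def covering_prefixes(prefix: str, baseline: Dict[str, Set[int]]):
    """Baseline prefixes that equal or contain `prefix` (same address family only)."""
    net = ipaddress.ip_network(prefix)
    result = []
    for known in baseline:
        known_net = ipaddress.ip_network(known)
        if known_net.version == net.version and net.subnet_of(known_net):
            result.append(known)
    return result


def classify(ann: Announcement, baseline=EXPECTED_ORIGINS) -> Tuple[str, str]:
    """Return (verdict, reason) for one announcement.

    Verdicts: "ok", "unknown" (prefix not in baseline) or "suspicious".
    """
    covering = covering_prefixes(ann.prefix, baseline)
    if not covering:
        return ("unknown", "prefix not covered by baseline")

    allowed = set().union(*(baseline[p] for p in covering))
    if ann.origin_as not in allowed:
        if ann.prefix in baseline:
            # Exact prefix announced by an AS the baseline does not list.
            return ("suspicious",
                    f"origin AS{ann.origin_as} not authorised for {ann.prefix}")
        # A more-specific block inside a known prefix wins longest-prefix match,
        # so an unknown origin here would attract the traffic for that block.
        return ("suspicious",
                f"more-specific {ann.prefix} from AS{ann.origin_as}; "
                f"covering {covering} belong to {sorted(allowed)}")

    # Origin is fine; also check the path does not traverse a watched AS.
    transit = set(ann.as_path[:-1]) & UNEXPECTED_TRANSIT
    if transit:
        return ("suspicious", f"path traverses unexpected transit {sorted(transit)}")
    return ("ok", "origin and path match baseline")


def run_sample():
    """Classify a constructed feed; returns [(prefix, verdict), ...]."""
    feed = [
        Announcement("203.0.113.0/24", 64500, (64505, 64500)),         # legitimate
        Announcement("203.0.113.0/24", 64666, (64505, 64666)),         # origin mismatch
        Announcement("203.0.113.128/25", 64666, (64505, 64666)),       # more-specific
        Announcement("198.51.100.0/24", 64502, (64510, 64502)),        # bad transit
        Announcement("192.0.2.0/24", 64500, (64500,)),                 # not in baseline
    ]
    return [(a.prefix, classify(a)[0]) for a in feed]


if __name__ == "__main__":
    for prefix, verdict in run_sample():
        print(f"{prefix:20} {verdict}")
```

In practice the baseline would come from a registry or the operator's own records rather than a literal dictionary, and the feed from a route collector; the classification logic is unchanged.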
BGP is not immune to errors and sometimes there are mistakes, but those usually can be identified or fixed. Those that can't fall into a few malicious use cases, said ESG Network Security Analyst John Grady at Black Hat last week.
"BGP has been around for all time. The security issue is, the way the internet was developed and the way we use it don't fit together," he said. "Attackers can hijack a specific domain's traffic, steal cryptocurrency, or send traffic to server farms pushing ads."
The problem, as with DNS, is that there is nothing that can be done about it from a security perspective, although there have been attempts to make it more reliable.
"BGP was a protocol based on trust, with no allowance for malicious actors," said Mark Nunnikhoven, Trend Micro's Vice President of Cloud Research. "Yes it's a problem but very little can be done about it because of where it sits on the internet."
Despite the apparent risk, last week's Black Hat and Def Con events didn't have one session that mentioned BGP hijackings. Are they a real threat? "The risk is low if the traffic is encrypted, and the risk of interception is low," Nunnikhoven said.
In addition, bad actors would need a lot of resources to be able to route that much traffic to cause a real disruption, and would need powerful computers to read encrypted traffic. One possible malicious use case, in addition to stealing state secrets, would be to use it as a "flash-bang that blinds and distracts while something more nefarious is going on," Nunnikhoven said.
The big three cloud vendors could help, as each controls large sections of its own network and can route traffic exclusively along it—for extra fees. ESG's Grady suggested that distributed ledger technology also could be used to ensure the accuracy of the routing. But at the end of the day, he said, "it's a routing bug more than a security flaw."