by texan on 12/6/13, 3:36 AM with 43 comments
by PhantomGremlin on 12/6/13, 7:35 AM
Back when Usenet mattered, there used to be something called a "Usenet Death Penalty". What we need here is an "Autonomous System Death Penalty".
BGP works between "Autonomous Systems" (aka AS). ISPs almost invariably are. Bigger companies usually are. Anyone who wants to be independent of their upstream IP connection gets an AS number. The only way some ISP in Belarus can interfere with your IP packets is to announce over BGP that packets should be sent to their AS.
So anyone who was affected by some rogue ISP in Belarus should simply tell their BGP routers to totally ignore anything from that AS. Forever. And if they're a govt agency they simply tell Comcast, Verizon, AT&T, etc to drop any and all packets from that AS. To anywhere! And if it's a govt agency making this "request", there's a good chance that the Tier 1 IP providers will comply.
Done. That podunk ISP in Belarus has now been disconnected from a large part of the Internet. And good luck with them trying to get Verizon etc to undo that.
So, what the death penalty means is "you get to intentionally mess around with routing just once, then you go away forever". Now that podunk ISP can either go out of business or it can go begging IANA for a new AS number. And since ICANN (which operates IANA) answers (at least for now) to the US Dept of Commerce, it might not be too easy to get a new AS.
Yes I know the propeller-head nerds who operate the "technical" Internet would immediately think my proposal is much too harsh. But, ultimately, nerds need to understand that sometimes things are done for "political" rather than "technical" reasons. And the managers who sign the nerds' paychecks are political creatures; they almost invariably aren't nerds.
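The mechanism the comment describes (an AS announcing prefixes that belong to someone else, and the idea of ignoring a rogue AS outright) can be checked on a feed of route announcements. The Python below is an added example, not code from the thread, from Renesys or from Wired; the prefixes, ASNs and updates are constructed, and the expected-origin table is an assumption a network would build from its own routing-registry data.

```python
import ipaddress

# Constructed expected-origin table (prefix -> legitimate origin ASN).
# Documentation prefixes and private-use ASNs only; these are not real routes.
EXPECTED_ORIGIN = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
}

# Constructed "ignore this AS entirely" set, in the spirit of the comment's
# proposal: any path that transits one of these ASNs is flagged.
ROGUE_ASNS = {64599}


def classify_update(prefix, as_path, expected=EXPECTED_ORIGIN, rogue=ROGUE_ASNS):
    """Return findings for one announcement; an empty list means it looks normal.

    prefix:  announced prefix, e.g. "203.0.113.0/25"
    as_path: ASNs from the neighbour to the origin (origin AS is last)
    """
    findings = []
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    hit = rogue.intersection(as_path)
    if hit:
        findings.append(("rogue-as-in-path", prefix, sorted(hit)))
    for known, legit in expected.items():
        known_net = ipaddress.ip_network(known)
        if known_net.version != net.version:
            continue
        if net == known_net and origin != legit:
            findings.append(("origin-mismatch", known, legit, origin))
        elif net != known_net and net.subnet_of(known_net):
            # Longest-prefix match wins, so a more-specific pulls traffic away
            # even when the origin AS looks right; treat it as suspicious.
            findings.append(("more-specific", known, prefix, origin))
    return findings


def scan_updates(updates, expected=EXPECTED_ORIGIN, rogue=ROGUE_ASNS):
    """Map each suspicious prefix to its list of findings."""
    suspicious = {}
    for prefix, path in updates:
        findings = classify_update(prefix, path, expected, rogue)
        if findings:
            suspicious[prefix] = findings
    return suspicious


# Constructed sample feed: (prefix, AS path).
SAMPLE_UPDATES = [
    ("203.0.113.0/24", [64510, 64500]),         # legitimate announcement
    ("203.0.113.0/25", [64510, 64520, 64500]),  # more-specific, origin looks right
    ("198.51.100.0/24", [64510, 64599]),        # wrong origin, and via the rogue AS
    ("192.0.2.0/24", [64510, 64530]),           # not monitored, nothing to say
]
```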
by r0h1n on 12/6/13, 6:20 AM
FWIW, I found the renesys post more informative than the Wired article (though on a standalone basis it is pretty good too).
by ds9 on 12/6/13, 2:40 PM
"The stakes are potentially enormous, since once data is hijacked, the perpetrator can copy and then comb through any unencrypted data freely"
Apparently then, the harm amounts to:
H1. The method is a little stealthier than the NSA's other modus operandi, the badge + "national security letter" + secrecy order, and similar conduct of other state actors.
H2. The reach extends surveillance capabilities outside the attacker's territory.
On the other hand:
M1. There is no new MITM that was not possible before. Well-encrypted traffic is still opaque, and plaintext traffic is still vulnerable, regardless of whether it is hijacked BGP-wise or by the on-premises tactics.
M2. This does not go unnoticed; there is no way to force affected parties to shut up about it, and like the other wiretapping, this will bring on countermeasures. It's self-limiting.
by Anon84 on 12/6/13, 7:11 AM
by stevehawk on 12/6/13, 12:17 PM
who the hell made this map? Buster?
by ak217 on 12/6/13, 4:19 AM
by coldcode on 12/6/13, 3:54 PM
by gwu78 on 12/6/13, 3:12 PM
by ommunist on 12/6/13, 7:09 AM
by cpsempek on 12/6/13, 4:48 PM
by callesgg on 12/6/13, 7:27 AM
by apierre on 12/6/13, 10:22 AM
by question612 on 12/6/13, 5:00 PM
by windexh8er on 12/6/13, 4:59 AM
Another BGP finger-pointing article that still doesn't get it right.