http://www.internetweek.com/story/INW20011217S0004

By Rutrell Yasin
December 17, 2001

Bored with initiating traffic-flooding attacks that take down Web servers, hackers are focusing on router vulnerabilities that could let them divert large amounts of traffic to Internet wastelands, security experts warn.

The vulnerability lies in the Border Gateway Protocol, which translates routing tables from different vendors' equipment. BGP has been used in commercial routers since 1994, and the security problems have been known for at least two years, but experts say they're seeing more router break-in kits being shared on Internet Relay Chat networks frequented by hackers.

Similar kits have helped hackers temporarily take down several ISPs and prominent Web sites in recent years using packet-flooding attacks. Router attacks aimed at ISPs are even more attractive to hackers, because routers control not merely Web site traffic, but all Internet traffic managed by an ISP--even pass-along traffic originating from other ISPs.

Enterprises and carriers alike are ill-prepared to address the threat, said Carlos Recalde, a director of telecommunications at KPMG. "I'm concerned with attackers launching something specifically on my Cisco routers," Recalde said.

The KPMG IT staff is resorting to internally developed scripts that map out router images periodically to track changes in configurations. Although the use of such scripts can help reveal the path of destruction, it can't prevent the intrusion itself, Recalde said. "It doesn't protect against an outright attack, which would happen so fast that no one knows what happened," he said.

Experts caution IT shops not to use default passwords to administer their routers, a practice that's far too common, said a spokesman for the CERT Coordination Center, a security watchdog.
CERT advocates an added layer of authentication using public key infrastructure (PKI) technology, which requires not only a password, but also a unique identifier like a smart card to access network administration tools. This way, a hacker armed with only a password sniffer can't access routing tables.

Cisco, the dominant vendor of Internet routers, didn't respond to inquiries about its plans to secure its routers.

Everybody's Job

Securing the routing infrastructure isn't only a job for router vendors and their customers, Recalde said. Carriers such as AT&T and WorldCom also must make sure their network traffic isn't hijacked, he said.

Carriers and ISPs can implement stronger authentication, filters to direct traffic and tools to detect and trace attacks, but the bottom line is that protocols such as BGP need enhanced security, said Jim Lippard, director of computer network security at carrier Global Crossing.

To add some protection to routers, carriers and enterprises should make special peering arrangements with other ISPs and lock out traffic from all other networks, Lippard said. This way, messages can't be spoofed from just any carrier.

To ensure that reliable routing information is sent to other carriers' routers, Global Crossing is using an authentication method called Message Digest (MD5), which supports BGP. When a router sends updates to another router, MD5 compresses a public key while it's being transmitted, preventing the key from being read until it reaches the neighboring router.

Router vendors also have built-in filters that let carriers control the routes a customer's traffic can take. The filters help carriers set limits on which IP addresses can be used on other ISP networks.
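As an added example that is not part of the article, the following shows how the MD5 authentication Global Crossing describes above works on the wire: the TCP MD5 Signature Option (RFC 2385) is a keyed MD5 digest over the segment plus a shared secret configured on both BGP peers, and a segment whose digest does not match, or that carries no signature at all, is discarded. The peer addresses, ports, key and the BGP KEEPALIVE payload are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
MD5_OPT_KIND, MD5_OPT_LEN = 19, 18   # RFC 2385 option: kind, length (kind+len+16-byte digest)
OPTIONS_LEN = 20                      # two NOP pad bytes + 18-byte option, a multiple of 4
# Constructed sample payload: a BGP KEEPALIVE (16-byte all-ones marker, length 19, type 4).
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)

def tcp_fixed_header(src_port, dst_port, seq, ack):
    """20-byte TCP header with checksum zeroed, as RFC 2385 requires for the digest."""
    data_offset = (20 + OPTIONS_LEN) // 4   # header length in 32-bit words, options included
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset << 4, 0x18, 65535, 0, 0)   # PSH|ACK, window, csum=0, urg=0

def rfc2385_digest(src_ip, dst_ip, fixed_header, payload, key):
    """MD5 over pseudo-header, fixed header, payload and the shared key, in that order."""
    tcp_len = len(fixed_header) + OPTIONS_LEN + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    m = hashlib.md5()
    for part in (pseudo, fixed_header, payload, key):
        m.update(part)
    return m.digest()

def sign_segment(src_ip, dst_ip, fixed_header, payload, key):
    """Sender side: 20-byte options field NOP NOP kind len digest; the key never leaves the router."""
    digest = rfc2385_digest(src_ip, dst_ip, fixed_header, payload, key)
    return b"\x01\x01" + bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest

def verify_segment(src_ip, dst_ip, fixed_header, options, payload, key):
    """Receiver side: find option 19, recompute the digest, compare in constant time."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP padding
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2:         # truncated or malformed option: reject the segment
            return False
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            expected = rfc2385_digest(src_ip, dst_ip, fixed_header, payload, key)
            return hmac.compare_digest(options[i + 2:i + MD5_OPT_LEN], expected)
        i += length
    return False               # no signature on a keyed session: the segment is discarded
```

Because the digest covers the IP addresses, the TCP header and the BGP data, a forged or altered UPDATE from a host that does not hold the key fails verification before BGP ever parses it.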
Tougher Measures

But while these measures can prevent someone from impersonating a customer to view that individual's personal data, they won't protect against someone sending spoofed traffic claiming to be another customer and overwhelming the router with data, Lippard said.

Within the past year, Arbor Networks, Asta Networks and Mazu Networks have developed technology that can warn of imminent router attacks through the use of agents that sit on the network and look for traffic anomalies. But there's nothing available to prevent these attacks from happening in the first place, Lippard said.

Efforts are under way to incorporate digital certificates and other PKI technology to strengthen BGP security. The Secure BGP Project, led by BBN Technologies, a Verizon company, has developed with the Defense Department a test version of a protocol called S-BGP. S-BGP uses PKI to authenticate the ownership of an IP address block, Autonomous System numbers and the BGP router's identity. IPSec is also used to encrypt data and let BGP routers authenticate one another for traffic exchange.

Whereas MD5 is a simple authentication method, S-BGP provides multilayer security, enabling ISPs to digitally sign and encrypt all kinds of configuration data, Lippard said.

But a big stumbling block for S-BGP is that Internet registries, router vendors and ISPs all have to agree to implement the protocol for it to be effective. "For S-BGP to fly, you have to go through the IETF standards process, and then the vendors have to implement it," Lippard said.

Meantime, IT shops should perform "periodic vulnerability assessment checks against their routers," said Todd Hudspeth, principal security architect at Espiria, a consultancy. Network administrators often make inadvertent changes to router parameters during maintenance, which could leave them exposed. In addition, companies should deploy technology that lets them at least detect abnormal traffic patterns and adjust to spikes in bandwidth use.
Weather.com recently deployed Lancope Inc.'s StealthWatch security appliance, which analyzes data patterns in high-speed networks to determine whether traffic is legitimate, said Don Agronow, vice president of quality control and site operations.

Earlier this year, the company was hit by a denial-of-service attack that shut down operations for several hours when the routers of its hosting facility, operated by Exodus, were clogged with bogus traffic. Recently, Weather.com switched to WorldCom.

"It's important to have an ISP as a partner," Agronow said, noting that WorldCom appears to be experienced in handling such attacks. Still, Agronow worries that a skilled malicious hacker could wreak havoc on any Web site by attacking the routing infrastructure.

- ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Dec 19 2001 - 12:15:22 PST