Current Event: Government plans massive internet backbone security upgrade

By Erik Turnquist at 9:15 pm on January 16, 2009 | 2 Comments

The U.S. Federal government is planning to spend millions of dollars upgrading the backbone of the internet’s routing system. Specifically, the Department of Homeland Security (DHS) is planning to quadruple its budget for these improvements (from $600,000 to $2.5 million per year), which supposedly should improve the security of communications on the internet.

By implementing these changes, the DHS hopes to prevent man-in-the-middle attacks as well as the modification of data in transit. The upgrades target two major pieces of the internet’s infrastructure: the Border Gateway Protocol (BGP) and the Domain Name System (DNS). For BGP, the updated protocol will be called BGPsec; it adds digital signatures to BGP route announcements. Security researchers have called BGP one of the weakest links of the internet because of its numerous vulnerabilities, and attacks against it can be disastrous because they are often aimed at large portions of the infrastructure rather than at individual hosts. For DNS, the improved DNSsec will hopefully make it harder for attackers to hijack web traffic, because hosts will be able to verify the binding between domain names and IP addresses using digital signatures and public-key cryptography.
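To make the signature mechanism concrete, here is an added example in Go; it is not code from the post, from the DHS effort, or from any BGPsec or DNSSEC implementation. It assumes a simplified announcement structure (prefix, origin AS, AS path) rather than the real BGPsec wire format, uses Ed25519 purely as a convenient standard-library signature scheme (not the algorithm BGPsec specifies), and models the registry role the post describes with an in-memory map instead of real certificates. The AS numbers and prefixes are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strconv"
	"strings"
)

// Announcement is a constructed, simplified stand-in for a BGP route
// announcement: the prefix, the AS that originates it, and the AS path.
// It is not the real BGPsec wire format (assumption for this example).
type Announcement struct {
	Prefix   string
	OriginAS uint32
	ASPath   []uint32
}

// canonical serialises every field a forger might alter, so that changing
// the prefix, the origin or the path invalidates the signature.
func (a Announcement) canonical() []byte {
	parts := make([]string, 0, len(a.ASPath)+2)
	parts = append(parts, a.Prefix, strconv.FormatUint(uint64(a.OriginAS), 10))
	for _, as := range a.ASPath {
		parts = append(parts, strconv.FormatUint(uint64(as), 10))
	}
	return []byte(strings.Join(parts, "|"))
}

// Registry plays the part the post assigns to IANA and the large registries:
// it records each AS's public key and which prefixes that AS may originate.
// A map stands in for the certificates a real deployment would issue.
type Registry struct {
	keys       map[uint32]ed25519.PublicKey
	authorised map[string]uint32 // prefix -> AS allowed to originate it
}

func NewRegistry() *Registry {
	return &Registry{keys: map[uint32]ed25519.PublicKey{}, authorised: map[string]uint32{}}
}

// Register files an AS's public key and the prefixes it may originate.
func (r *Registry) Register(as uint32, pub ed25519.PublicKey, prefixes ...string) {
	r.keys[as] = pub
	for _, p := range prefixes {
		r.authorised[p] = as
	}
}

// Sign is what the originating AS does before sending the announcement.
func Sign(priv ed25519.PrivateKey, a Announcement) []byte {
	return ed25519.Sign(priv, a.canonical())
}

// Verify is the receiving router's check: is the claimed origin authorised
// for this prefix, and does the signature verify under that origin's key?
func (r *Registry) Verify(a Announcement, sig []byte) error {
	allowed, ok := r.authorised[a.Prefix]
	if !ok {
		return fmt.Errorf("no authorisation record for %s", a.Prefix)
	}
	if allowed != a.OriginAS {
		return fmt.Errorf("AS%d is not authorised to originate %s (AS%d is)", a.OriginAS, a.Prefix, allowed)
	}
	pub, ok := r.keys[a.OriginAS]
	if !ok {
		return fmt.Errorf("no key on file for AS%d", a.OriginAS)
	}
	if !ed25519.Verify(pub, a.canonical(), sig) {
		return fmt.Errorf("signature on %s from AS%d does not verify", a.Prefix, a.OriginAS)
	}
	return nil
}

// Scenarios runs three constructed cases and reports which a verifying router
// would accept: a genuine announcement, the same announcement with its path
// altered after signing, and a prefix announced by an AS that holds a valid
// key but is not authorised for that prefix (the misconfiguration case).
func Scenarios() (genuine, tampered, wrongOrigin bool) {
	reg := NewRegistry()
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader) // constructed AS 64500
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader) // constructed AS 64501
	reg.Register(64500, pubA, "203.0.113.0/24")
	reg.Register(64501, pubB, "198.51.100.0/24")

	good := Announcement{Prefix: "203.0.113.0/24", OriginAS: 64500, ASPath: []uint32{64500}}
	sig := Sign(privA, good)
	genuine = reg.Verify(good, sig) == nil

	altered := good
	altered.ASPath = []uint32{64500, 64999} // path modified in transit
	tampered = reg.Verify(altered, sig) == nil

	misorigin := Announcement{Prefix: "203.0.113.0/24", OriginAS: 64501, ASPath: []uint32{64501}}
	wrongOrigin = reg.Verify(misorigin, Sign(privB, misorigin)) == nil
	return
}

func main() {
	g, t, w := Scenarios()
	fmt.Printf("genuine accepted: %v\ntampered accepted: %v\nunauthorised origin accepted: %v\n", g, t, w)
}
```

The third scenario is the one the post's Pakistan/YouTube incident illustrates: the announcing network holds perfectly valid credentials, but the registry record says another AS owns the prefix, so a verifying router drops the announcement instead of propagating it. It also shows the trade-off the post raises later: whoever controls the registry records decides which announcements verify.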

The need to upgrade these systems has recently come to the attention of researchers because there have been a number of devastating attacks against internet infrastructure. For example, in 2008 security researcher Dan Kaminsky discovered a critical DNS bug that allowed cache poisoning. A large number of companies had to address the issue, since an attacker could easily impersonate a legitimate website and conduct attacks on its visitors. Another major security incident occurred when a telecom company from Pakistan blocked the site YouTube due to a misconfiguration of BGP.

Prior to this announcement, the DHS should have consulted other agencies that deal with internet traffic. Also, there could be many other potential solutions to this problem that the DHS might be overlooking. I am sure that other internet agencies as well as many security companies would prefer to have their opinions and ideas considered when a drastic change to the fundamental internet routing protocols is being proposed.

The modification of these protocols will have an impact worldwide. The DHS plans to begin implementing the upgraded protocols for all .gov domains in 2009. However, it will be difficult to expand them beyond the domains that the DHS controls, because the change has to be adopted globally before its security benefits are fully realized. For this reason, it could take years if not decades for the protocols to be updated globally. Furthermore, a change as significant as this would benefit from being thought out by an international consortium, as its effects will be felt globally. The DHS cannot expect others to adopt it simply because it is more secure; it is likely to also become a political issue, with protests against U.S. control of the internet and forced adoption.

The DHS’s proposed improvements change the basic structure of the internet from being decentralized to one where the Internet Assigned Numbers Authority (IANA) and large internet registries issue certificates for routing packets. Although they assert that their intentions are good, they have the power to prevent traffic from being delivered to entire portions of the world by denying certain digital signatures.

Although this change could be beneficial to preventing widespread attacks, it must be carefully thought out as it has vast implications for the way that the internet is structured and for potential political problems.

Via Slashdot:

Filed under: Current Events, Policy | 2 Comments »


  • 1

    Comment by Ziling Zhao

    January 17, 2009 @ 12:42 am

    I’m glad that this is happening, the internet backbones seem to be the most in need of protection.
    I have been watching articles about DNSsec for quite a while now; with most security professionals clamoring for its implementation, I am happy to see it finally being implemented.

    The original implementation of the internet was to prevent a total communications blackout from happening in the event of some disaster (nuke). This meant decentralization. This had the happy side effect of additional freedom. It is concerning to see that the decentralized part of the internet is fading away. Is this the proper way to secure the internet? The web has always been known for its freedom, and the idea that traffic can be routed away from entire portions of the world leaves a bitter aftertaste.

    Who has the final say in determining what is valid traffic?

  • 2

    Comment by Joshua Barr

    January 23, 2009 @ 10:59 pm

    The slashdot article linked here links to two more articles, one about BGPSEC and the other about DNSSEC. The article about BGPSEC, here, has a quote from Mark Kosters, CTO of the American Registry of Internet Numbers. Kosters says “People don’t realize how open for attack the BGP structure is. The DHS effort is trying to close that all up.”
    Thus far (as far as I understand it) the massive BGP routers have survived largely unscathed through decades of evolving internet malevolence for a few reasons. If you decide to spoof a BGP router you’ll start receiving all its traffic. “The slashdot effect” is a term for what happens to a website that’s been referred to on slashdot. A large portion of slashdot’s readership then descends on the (un)lucky featured website, often with the side effect of melting holes in unprepared servers as they overheat and die of extreme traffic (some slight hyperbole here, maybe). If you spoof a BGP router you’ll similarly begin receiving massive amounts of traffic. If you drop it (or even just an abnormally large proportion of it) then people will notice and your spoof is undone. You need to be able to handle the traffic, and that’s expensive. The kind of hardware that can bear such traffic usually costs amounts conveniently referred to in scientific notation 😉 And once you can handle the traffic you need to be able to inspect it at a sufficient level of detail to get what you want out of it, a taller task than even the BGP routers themselves undertake. Assuming that you could take the heat (traffic-wise) you could perhaps “distill” the traffic that you were interested in by examining all packets shallowly (as the router must) and then selectively shunting others aside for deeper inspection. Rinse and repeat as many times as necessary to inspect or read deeper into the passing packets. Still, my original point is that it would be costly to mount that sort of attack when there are so many easier ways to be malevolent on the ‘net.

    Another reason that the BGP routers have stood as well as they have against destructive attacks is that when you (an enterprising hacker) start knocking out pieces of the backbone you immediately start damaging your ability to function. You will no longer be able to effectively communicate the way the backbone enabled you to. Eventually someone will be crazy enough (or bored enough, angry enough, or paid enough) that they won’t care about the damage that taking out large chunks of backbone would cause. But such would be a terrorist act of giant proportions, causing nearly incalculable economic damage. That’s bad for everyone’s business.
