Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

China Telecom debacle exposes Internet's biggest vulnerability

Roger Grimes | Nov. 29, 2010
Shortcomings in Border Gateway Protocol enabled sensitive data to be rerouted to China, yet no changes will likely be made.

Last April 8, for 18 minutes, a significant portion of Internet traffic, including that of U.S. government and military sites, was misrouted to China. Early estimates indicated 15 percent of all traffic was sent in the wrong direction, but that figure was misreported from the source document; rather, traffic from 15 percent of Internet sites was affected, which doesn't correlate to 15 percent of all Net traffic. (Craig Libovitz of Arbor Networks and both have good summary analyses of what happened.)

Whether it was 15 or only one percent of all traffic that was misrouted, the incident lays bare a huge Internet security vulnerability in BGP (Border Gateway Protocol), a routing protocol used by ISPs to direct backbone traffic around the Internet. BGP routing tables are used in a nearly fully meshed network among all ISPs in the world. It's not hyperbole to say this is the way the Internet works.

I used to think Dan Kaminsky's DNS flaw discoveries represented the No. 1 Internet security vulnerability of all time, but this BGP vulnerability essentially tops those. BGP is lower down in the OSI networking model, which means it has a greater chance to be used for evil.

Over the past two decades, we've seen a handful of major BGP routing snafus, most of which were attributed to human mistakes that were corrected when found. But as with previous threats involving China, no one knows if this rerouting was intentional or if the Chinese government was involved. Also, you have to think that if a government player was involved, the attack would be less obvious and more focused. Then again, the Stuxnet worm (which is highly likely to be city-state sponsored) quickly kills that argument as definitive.

We'd like to think that all the important and confidential information rerouted to China for those 18 minutes was protected in VPNs and secure tunnels. Unfortunately, confidential and important data is often sent out unprotected, and many VPNs and private tunnels aren't as secure as assumed. The most common VPN protocol (SSL/TLS) isn't. If the routing mistake wasn't accidental, there's a good chance the aggressors got access to a lot of information that people would rather they not.

My biggest concern about the BGP routing mishap is that it can easily happen again. There are steps each ISP can take to limit the impact of an unintentional (or intentional) routing change, but any plan that requires manual intervention isn't likely to be very effective.

Older protocols, including BGP, were built with the primary focus on getting multiple, disparate parties to communicate. The idea of implementing strong security wasn't high on the priority list. Retrofitting older protocols with improved security is a big task as well. To put it in perspective, it's taken two decades to win international approval to improve the underlying IPv4 to IPv6 and the infamously insecure DNS to DNSSec. We may have to wait yet another decade before they're widely deployed.


1  2  Next Page 

Sign up for Computerworld eNewsletters.