
The Internet is integrated with Spit & Baling Wire – Krebs on Security


Internet visualization made using network routing data. Image: Barrett Lyon, opte.org.

Imagine being able to disconnect or redirect Internet traffic destined for some of the largest companies in the world just by spoofing an email. This is the nature of a threat vector recently removed by a Fortune 500 company that operates one of the largest Internet backbones.

Headquartered in Monroe, Louisiana, Lumen Technologies [NYSE: LUMN] (formerly CenturyLink) is one of more than 20 entities that operate what is known as an Internet Routing Registry (IRR). These IRRs maintain routing databases that network operators use to register their assigned network resources, that is, the Internet addresses that have been allocated to their organizations.

The data maintained by the IRRs helps keep track of which organizations have the right to use which Internet address space in the global routing system. Collectively, the information voluntarily submitted to the IRRs forms a distributed database of Internet routing instructions that helps connect a vast number of individual networks.

There are approximately 70,000 distinct networks on the Internet today, ranging from huge broadband providers such as AT&T, Comcast and Verizon to the many thousands of enterprises that connect to the edge of the Internet for access. Each of these so-called “autonomous systems” (ASes) decides how and with whom it will connect to the larger Internet.

Regardless of how they access the Internet, each AS uses the same language to specify which Internet IP address ranges it controls: it is called the Border Gateway Protocol, or BGP. Using BGP, an AS tells its directly connected neighbors the addresses that are reachable through it. That neighbor in turn passes the information on to its neighbors, and so on, until the information has spread everywhere [1].

A key function of the BGP data maintained by the IRRs is to prevent rogue network operators from claiming another network’s addresses and hijacking their traffic. In essence, an organization can use the IRR to declare to the rest of the Internet: “These specific Internet address ranges are ours and should only originate from our network. You should ignore any other networks that attempt to announce these address ranges.”

In the early days of the Internet, when an organization wanted to update its records with an IRR, the change usually involved some amount of human interaction: usually someone manually editing the new coordinates into an Internet backbone router. But over the years, the various IRRs made it easier to automate this process via email.

For a long time, any changes to an organization’s routing information with an IRR could be processed via email as long as one of the following authentication methods was successfully used:

- CRYPT-PW: A password is added to the text of the email to the IRR containing the record they wish to add, change or delete (the IRR then compares that password to a hash of the password);

- PGPKEY: The requester signs the email containing the update with an encryption key the IRR recognizes;

- MAIL-FROM: The requester sends the record changes in an email to the IRR, and the authentication is based solely on the “From:” header of the email.
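These three methods correspond to the values an RPSL `mntner` (maintainer) object lists in its `auth:` attribute, and since any one listed scheme is enough to authorize an update, a maintainer is only as strong as its weakest entry. The following audit is an added example and not code from the article or from any registry; it parses constructed maintainer objects (the names and `auth:` values are placeholders) and reports which maintainers could be updated on the strength of an email header alone.

```python
# Constructed RPSL maintainer objects; names and auth: values are placeholders, not real registry data.
SAMPLE_RPSL = """\
mntner:      MAINT-EXAMPLE-A
auth:        MAIL-FROM .*@example-a\\.example
auth:        CRYPT-PW placeholderhash
source:      EXAMPLE

mntner:      MAINT-EXAMPLE-B
auth:        PGPKEY-0123ABCD
source:      EXAMPLE
"""

# Rank of each scheme, lowest = weakest. Any one listed scheme authorises an update,
# so a maintainer is only as strong as its weakest entry; unknown schemes rank 0 for review.
STRENGTH = {"NONE": 0, "MAIL-FROM": 1, "CRYPT-PW": 2, "PGPKEY": 3}

def parse_rpsl(text):
    """Split RPSL text on blank lines into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines() + [""]:  # trailing "" flushes the last object
        if not line.strip():
            if current:
                objects.append(current)
            current = []
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip(), value.strip()))
    return objects

def scheme_of(auth_value):
    """Scheme name of an auth: value, e.g. 'PGPKEY' for 'PGPKEY-0123ABCD'."""
    token = auth_value.split()[0].upper()
    return "PGPKEY" if token.startswith("PGPKEY") else token

def audit_maintainers(text):
    """Map each mntner name to the weakest auth scheme it accepts."""
    report = {}
    for obj in parse_rpsl(text):
        if obj[0][0] != "mntner":
            continue
        schemes = [scheme_of(v) for attr, v in obj if attr == "auth"]
        report[obj[0][1]] = min(schemes, key=lambda s: STRENGTH.get(s, 0), default="NONE")
    return report

def spoofable_maintainers(text):
    """Maintainers whose records a forged From: header alone would unlock (MAIL-FROM or NONE)."""
    return sorted(n for n, s in audit_maintainers(text).items() if STRENGTH.get(s, 0) <= 1)
```

Running `spoofable_maintainers` over an export of your own maintainer objects is a quick way to confirm none of them still lists MAIL-FROM.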

Of these, MAIL-FROM has long been considered insecure, for the simple reason that it is not difficult to spoof the return address of an email. Nearly all IRRs have banned its use since at least 2012, said Adam Korab, a network engineer and security researcher based in Houston.

All except Level 3 Communications, a major Internet backbone provider acquired by Lumen/CenturyLink.

“Level 3 is the last IRR operator allowed to use this method, although they have discouraged its use since at least 2012,” Korab told KrebsOnSecurity. “Other IRR operators have completely abandoned MAIL-FROM.”

Importantly, the name and email address of the official contact each autonomous system uses to update the IRR are public information.

Korab filed a vulnerability report with Lumen demonstrating how a simple spoofed email could be used to disrupt Internet service for banks, telecommunications firms, and even government entities.

“If such an attack were successful, it would result in customer IP address blocks being filtered and dropped, making them unreachable from some or all of the global Internet,” Korab said, noting that he found more than 2,000 Lumen customers were potentially affected. “This would effectively cut off Internet access for the impacted IP address blocks.”

The recent outage that left Facebook, Instagram and WhatsApp offline for most of a day was caused by an erroneous BGP update submitted by Facebook. That update withdrew the map that tells the world’s computers how to find its various online properties.

Now consider the mayhem that would ensue if someone spoofed IRR updates to remove or alter the routing entries of multiple e-commerce providers, banks and telecommunications companies at the same time.

“Depending on the scope of the attack, this could impact individual customers, geographic market areas, or potentially the [Lumen] backbone,” Korab continued. “This kind of attack is trivial to exploit and difficult to recover from. Our conjecture is that any affected Lumen or customer IP address blocks would be offline for 24-48 hours. In the worst case, this could last much longer.”

Lumen told KrebsOnSecurity it continued to offer MAIL-FROM: authentication because many customers still relied on it due to legacy systems. Nevertheless, after receiving Korab’s report, the company decided the wisest course was to disable MAIL-FROM: authentication altogether.

“We recently received a notification about a known insecure configuration in our Route Registry,” reads a statement Lumen shared with KrebsOnSecurity. “We have taken mitigating measures and have not found any additional issues so far. As part of our normal network security protocol, we carefully considered this notice and took steps to further mitigate any potential risk this vulnerability may have posed to our customers or systems.”

Level 3, now part of Lumen, has long urged customers to avoid using “Mail From” for authentication, but until recently it still allowed it.

KC Claffy is the founder and director of the Center for Applied Internet Data Analysis (CAIDA), and a resident research scientist at the San Diego Supercomputer Center at the University of California, San Diego. Claffy said there is scant public evidence of threat actors using the weakness Lumen is now fixing to hijack Internet routes.

“People often don’t notice, and a malicious actor will certainly work hard to make sure of that,” Claffy said in an email to KrebsOnSecurity. “But even if the victim does notice, they usually do not disclose the details of their hijacking. That is why we need mandatory reporting of such breaches, as Dan Geer has been saying for years.”

However, there are plenty of examples of cybercriminals hijacking IP address blocks after the domain name tied to the email address in an IRR record expires. In those cases, the thieves merely had to register the expired domain and then send an email from it to the IRR specifying whatever routing changes they wanted.

It is good that Lumen is no longer the weakest link in the IRR chain, but the remaining authentication mechanisms are not great either. Claffy said that after years of debate about ways to improve routing security, the operator community has deployed an alternative called Resource Public Key Infrastructure (RPKI).

“RPKI includes cryptographic attestation of records, including expiration dates, with each regional Internet registry (RIR) operating as a ‘root’ of trust,” Claffy and two other researchers from the University of California, San Diego wrote in a paper that is still undergoing peer review. “Similar to the IRR, operators can use RPKI to discard routing messages that fail origin validation checks.”
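The two properties the quote names, attestation with an expiration date and discarding announcements that fail origin validation, fit into a short route origin validation routine. The following is an added example and not code from the article or the paper: it applies RFC 6811-style validation to constructed ROA payloads and BGP announcements (all prefixes, AS numbers and dates are made up) and shows why an expired attestation leaves a prefix unprotected rather than protected.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed validated-ROA payloads (not real RPKI data):
# (prefix, maxLength, authorised origin AS, expiry of the attesting certificate).
SAMPLE_ROAS = [
    ("192.0.2.0/24", 24, 64500, "2030-01-01"),
    ("198.51.100.0/22", 24, 64501, "2030-01-01"),
    ("203.0.113.0/24", 24, 64502, "2020-01-01"),  # attestation has expired
]

# Constructed BGP announcements as (prefix, origin AS) pairs.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),     # authorised origin
    ("192.0.2.0/24", 64666),     # another AS claiming the block
    ("198.51.100.0/25", 64501),  # right origin, but longer than maxLength allows
    ("203.0.113.0/24", 64502),   # only covering ROA has expired
    ("2001:db8::/32", 64500),    # no ROA covers it at all
]

def _utc(date_iso):
    return datetime.fromisoformat(date_iso).replace(tzinfo=timezone.utc)

def parse_roas(rows):
    return [(ipaddress.ip_network(p), ml, asn, _utc(exp)) for p, ml, asn, exp in rows]

def validate_origin(prefix, origin_as, roas, now):
    """RFC 6811-style route origin validation: 'valid', 'invalid' or 'not-found'.
    A route is invalid when at least one unexpired ROA covers the prefix but none
    matches both the origin AS and the maxLength constraint."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_net, max_len, asn, expires in roas:
        if expires <= now:
            continue  # an expired ROA carries no attestation, so it is ignored
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if asn == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def classify_all(announcements, roa_rows, now_iso):
    """Map each (prefix, origin AS) announcement to its validation state at now_iso."""
    roas, now = parse_roas(roa_rows), _utc(now_iso)
    return {ann: validate_origin(ann[0], ann[1], roas, now) for ann in announcements}

if __name__ == "__main__":
    for (prefix, asn), state in classify_all(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS, "2025-01-01").items():
        print(f"{prefix:<18} AS{asn:<6} {state}")
```

An operator doing origin validation drops the “invalid” routes and treats “not-found” like any unverified route, which is why a lapsed ROA quietly returns a prefix to the do-nothing case.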

However, the researchers found that the added integrity RPKI brings also comes with considerable complexity and cost.

“The operational and legal implications of potential malfunctions have limited the registration and use of RPKI,” the study observed. “In response, some networks have redoubled their efforts to improve the accuracy of IRR registration data. The two technologies now run in parallel, along with the option of doing nothing at all to validate routes.”

[1]: I borrowed some descriptive text from paragraphs 5 and 6 of a CAIDA/UCSD draft, IRR Hygiene in the RPKI Era (PDF).

Further reading:

Trust zone: the path to a safer Internet infrastructure (PDF).

Looking back at the Internet vulnerabilities in history: Why is BGP not more secure, and what can we do? (PDF)
