Providers ignore routing and DNS security: experts

By Juha Saarinen
Mar 19 2014 6:49AM

The internet can be stolen easily.

The temporary re-routing of the network that hosts Google's public Domain Name System (DNS) servers shows that large parts of the internet are open to hijacking, with attackers easily being able to capture, alter and redirect traffic without users' knowledge, experts say.

Geoff Huston, chief scientist at the Asia-Pacific Network Information Centre (APNIC), called attacks on routing and DNS "the most insidious" because to end users, everything appears to be working as usual.

"The issue about this attack form is that I don't need to pervert the operation of your system - no worms, no viruses, no attacks on your system per se - what the attack relies on is your system working and instead, it distorts the infrastructure of the internet," Huston told iTnews.

He said attacks using the trust-based Border Gateway Protocol (BGP), which specifies how traffic flows on the internet, and the related Domain Name System (DNS), which specifies how numeric addresses are resolved into human-readable names, have been a long-standing issue.

He said they should have been dealt with years ago, but are by and large being ignored by the industry.

"Is it serious? Of course. Do folk take it seriously? Of course not," Huston said.

"It would be good to say that the ISP industry is acutely aware of the issues here and is enthusiastically supporting initiatives to build up the level of security in the routing system and to prevent the ease with which these attacks can be undertaken.

"But it would be a lie in every respect," he said.

Huston said as a result, users were being offered a "lousy service by any reasonable metric of security and safety".

"How can ISPs get away with cutting corners with such reckless abandon? Why are we apparently learning nothing in all this and allowing the internet to become a toxic wasteland?" Huston said.

How Google lost control of its DNS

Over the weekend, traffic to Google's commonly used public DNS service was rerouted, meaning traffic with DNS resolution queries destined for Google's servers instead ended up at a Venezuelan network.

Andree Toonk of BGP monitoring service BGPmon revealed the issue began at 17:32 UTC last Saturday when the BP LATAM network in Venezuela issued a route announcement for the 8.8.8.8/32 prefix for unknown reasons.

While the announcement was withdrawn 23 minutes later, it had been picked up by a university network in Florida, United States and at least two Brazilian networks, according to Toonk.

The /32 classless inter-domain routing (CIDR) notation means just a single address was announced; Toonk said the 8.8.8.0 network is normally announced as a /24 with 254 possible addresses and 256 subnets.

"This may have been both a good and a bad thing," Toonk said.

"Many networks filter routes more specific than a /24, so a /32 route is typically not propagated very far, typically only over peering connections where filtering is a bit more relaxed.

"The bad news is that a /32 route is always selected over the 8.8.8.0/24 one that is normally announced by Google, no matter how long the Autonomous System (AS) path - a BGP metric of network routes - or any other route policies a network has in place."

He said this meant if a router learnt the /32 route, it would typically always be selected as the best path and used for packet forwarding.

While there is no evidence that the re-routing was malicious or intentional, Toonk said in theory, the traffic could have been altered or intercepted.

The re-routing shows how easy it is to steal parts of the internet. Toonk said such incidents take place several times a day.

Such incidents can have serious consequences, he said. Attackers can set up fake Secure Sockets Layer (SSL) certificate authorities so as to fake authentication and verification of traffic - for instance to financial institutions - and obtain full control over information flows assumed to be secured without users being any the wiser.

Failure to secure routing and the DNS puts users at risk

There are ways to stop accidental and intentional stealing of the internet, both Huston and Toonk said.

Toonk recommended ISPs improve their BGP filtering and also implement the Resource Public Key Infrastructure (RPKI). This sets up policies that specify which entities can announce and change certain routes.
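The longest-prefix behaviour Toonk describes, and the effect of the filtering and RPKI checks he recommends, shown as an added example (not code from the article or from BGPmon). The origin AS numbers are documentation placeholders, the ROA and routing table are constructed, and the validation logic follows the route origin validation rules of RFC 6811.

```python
import ipaddress

# Constructed sample data. AS64496 (legitimate origin) and AS64500 (unexpected
# origin) are documentation ASNs used as placeholders; the prefixes are the
# ones named in the article.
ROAS = [("8.8.8.0/24", 24, 64496)]  # (prefix, maxLength, authorised origin AS)
RIB = [
    {"prefix": "8.8.8.0/24", "as_path": [64496]},
    {"prefix": "8.8.8.8/32", "as_path": [64510, 64505, 64500]},
]

def best_route(rib, dst):
    """Forwarding lookup: the longest matching prefix wins; AS path is ignored."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in rib if addr in ipaddress.ip_network(r["prefix"])]
    return max(matches, key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen,
               default=None)

def rpki_state(route, roas):
    """Route origin validation in the style of RFC 6811."""
    net = ipaddress.ip_network(route["prefix"])
    origin = route["as_path"][-1]  # last AS in the path originated the route
    covered = False
    for prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if net.prefixlen <= max_len and origin == asn:
                return "valid"
    return "invalid" if covered else "not-found"

def import_filter(rib, roas, max_v4_len=24):
    """Inbound policy: drop IPv4 routes longer than /24 and RPKI-invalid routes."""
    kept = []
    for r in rib:
        net = ipaddress.ip_network(r["prefix"])
        if net.version == 4 and net.prefixlen > max_v4_len:
            continue
        if rpki_state(r, roas) == "invalid":
            continue
        kept.append(r)
    return kept

if __name__ == "__main__":
    print("unfiltered:", best_route(RIB, "8.8.8.8")["prefix"])
    print("RPKI state of /32:", rpki_state(RIB[1], ROAS))
    print("filtered:", best_route(import_filter(RIB, ROAS), "8.8.8.8")["prefix"])
```

Because the ROA's maxLength is 24, a /32 is invalid even when it carries the authorised origin AS, so either check alone stops the more-specific route from being installed.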

He also suggested that when a public DNS resolver is used, end-to-end encryption be deployed. This prevents the interception and recording of DNS data, Toonk said. He recommended encryption tools such as the OpenDNS dnscrypt for this purpose.

Huston agreed providers must secure BGP and said they should also use the Domain Name System Security Extensions (DNSsec) to ensure queries for domains return the correct answers.

"It's there for a reason, and the reason is that you can't lie in the DNS when you use DNSsec," Huston said.

However, while DNSsec is an established security standard, Huston's research shows it isn't commonly used. Only 10.72 percent of Australian users operate DNSsec validating resolvers, according to the research.

The numbers "are nothing to be proud of; quite the opposite," Huston said, and called for change.

"Why is this industry so incredibly stupid and lazy that we are all prepared to go 'tut tut' when we hear evidence of yet another instance of an incredibly longstanding attack vector, yet do absolutely nothing about it?" he said.
