The (other) infection pandemic

A couple of weeks ago a large amount of your Internet traffic was redirected to Russia, specifically Rostelecom. From there, who knows. I’m sure you are very happy to now know this and are not in the least concerned.

This is not the first time this has happened. You can read this paper on China BGP re-routes, one of the reasons that China Telecom is being asked to disconnect their US peering.

The basics behind the attaack: the Internet is largely based on trust. There is a protocol (BGP, Border Gateway Protocol) that each ISP uses to announce its routes (the IP of its customers). Since these are big fluid lists, its impossible to easily verify them. Worse, a given customer is usually available via more than one route (for redundancy). So, each ISP trusts what its neighbour says. So, if i’m a malicious (or merely incompetent) actor, I inject routes that I don’t own to my neighbours, making me the next-hop route. Profit!

As usual there is a solution, and as usual, it is not particularly widely implement. And, as usual, it uses cryptography. RFC 6480, An Infrastructure to Support Secure Internet Routing, uses a technique called Resource Public Key Infrastructure (RPKI). A more accessible writeup of the standard is available on the Cloudflare blog.

The good folks at Cloudflare, whose business relies on the safe, stable, trustworthy operation of these BGP routes between Autonomous Systems, have written a quick tool you can use to check your ISP.

Surf on over there (no information is collected from you, it takes only a couple of seconds). What they have done is create an IP range which should not be reachable. They have announced it via an insecure, hackable route. If you can reach it, boom, your ISP is not checking what they receive from their neighbours.

Once you’ve done the test, they encourage you to Tweet the result, resulting in something like:

Unfortunately, my Internet provider, @Rogers (AS812), does NOT implement BGP safely. Check out to see if your ISP implements BGP in a safe way or if it leaves the Internet vulnerable to malicious route hijacks. @Cloudflare

It seems that there will need to be some major pressure from all sides if ISP’s are to marshall the resources to implement the standard.

As with other medical-style infections, a concept of Herd Immunity willl eventually kick in. A few will implement, making it less valuable for an attacker. Then a few more. Then a few will refuse to peer with people who don’t implement RPKI. Then it will cascade and eventually ~80% will be immune, leaving a few bad-actors left.

Want to be part of this greatness? is your starting point.






2 Responses to “The (other) infection pandemic”

  1. hari

    Tried from India, Bangalore from BSNL operator… it’s not safe, thats what i could see too 🙁

  2. Alex Leyn

    Tried 3 ISPs (TekSavvy residential cable over Rogers cable infra, Rogers Wireless, and Packetworks). All failed. All tweeted.

Leave a Reply

Your email address will not be published. Required fields are marked *