Internet is linked to Spit & Baling Wire – Krebs on Security


An Internet visualization made using network routing data. Image: Barrett Lyon,

Imagine being able to disconnect or redirect Internet traffic destined for some of the world’s largest businesses, just by spoofing an email. It’s the nature of a threat vector recently removed by a Fortune 500 company that operates one of the Internet’s largest backbones.

Based in Monroe, Louisiana, Lumen Technologies Inc. [NYSE: LUMN] (Previously CenturyLink) is one of more than two dozen entities that operate what is known as an Internet Routing Registry (IRR). These IRRs maintain routing databases used by network operators to record the network resources assigned to them, that is, the Internet addresses that have been assigned to their organization.

The data held by IRRs helps to know which organizations have the right to access which Internet address space in the global routing system. Collectively, the information voluntarily submitted to IRRs forms a distributed database of Internet routing instructions that connects a wide variety of individual networks.

Today there are approximately 70,000 separate networks on the Internet, ranging from huge broadband providers like AT&T, Comcast and Verizon to thousands of businesses that connect to the edge of the Internet to access it. Each of these so-called “autonomous systems” (AS) makes their own decisions about how and with whom they will connect to the greater Internet.

Regardless of how they connect, each AS uses the same language to specify the ranges of Internet IP addresses it controls: Border Gateway Protocol, or BGP. Using BGP, an AS tells its directly connected neighbor ASs which addresses it can reach. This neighbor in turn transmits the information to his neighbors, and so on, until the information has spread everywhere [1].

A key function of the BGP data held by IRRs is to prevent malicious network operators from claiming addresses from another network and diverting their traffic. Essentially, an organization can use IRRs to declare to the rest of the Internet, “These specific Internet address ranges are ours, must be from our network only, and you must ignore any other network trying to claim these address ranges.” “.

In the early days of the Internet, when organizations wanted to update their records with an IRR, the changes usually involved a certain amount of human interaction – often someone manually editing the new contact details in an Internet router. But over the years, different IRRs have made it easier to automate this process through email.

For a long time, any change to an organization’s routing information with an IRR could be handled by email as long as one of the following authentication methods was used successfully:

-CRYPT-PW: A password is appended to the text of an email to the IRR containing the record they wish to add, modify, or delete (the IRR then compares this password to a hash of the password);

– PGP KEY: The requestor signs the e-mail containing the update with an encryption key recognized by the IRR;

– MAIL FROM: The requestor sends the record changes in an email to the IRR, and authentication is based only on the “From:” header of the email.

Of these, MAIL-FROM has long been considered insecure, for the simple reason that it is not difficult to spoof the return address of an email. And virtually all IRRs have banned its use since at least 2012, said Adam korab, network engineer and security researcher based in Houston.

All except Level 3 Communications, a major Internet backbone provider acquired by Lumen / CenturyLink.

“LEVEL 3 is the latest IRR operator to allow the use of this method, although they have discouraged its use since at least 2012,” Korab told KrebsOnSecurity. “Other IRR operators have completely deprecated MAIL-FROM. “

It is important to note that the name and e-mail address of the official contact for each Autonomous System to perform updates with IRRs is public information.

Korab has filed a vulnerability report with Lumen demonstrating how a simple spoofed email could be used to disrupt the internet service of banks, telecommunications companies, and even government entities.

“If such an attack were successful, it would filter and remove client IP address blocks, making them inaccessible from all or part of the global Internet,” Korab said., noting that he discovered that more than 2,000 Lumen customers were potentially affected. “This would effectively cut off Internet access for the affected blocks of IP addresses. “

The recent blackout that took Facebook, Instagram and WhatsApp offline for much of the day was caused by a bogus BGP update submitted by Facebook. This update took away the map telling computers around the world how to find its various properties online.

Now consider the chaos that would ensue if someone spoofed IRR updates to remove or change routing entries for multiple ecommerce vendors, banks, and telecom companies at the same time.

“Depending on the extent of an attack, this could impact individual customers, geographic areas of the market or potentially the [Lumen] spine, ”Korab continued. “This attack is trivial to exploit and has a tough recovery. Our guess is that any impacted Lumen IP address block or client would be offline for 24-48 hours. In the worst case, it could take much longer. “

Lumen told KrebsOnSecurity that it continues to offer MAIL-FROM authentication: because many of its customers still rely on it due to existing systems. Nonetheless, after receiving Korab’s report, the company decided that the wisest course of action was to completely disable MAIL-FROM: authentication.

“We recently received a notification regarding a known insecure configuration with our routes registry,” read a statement that Lumen shared with KrebsOnSecurity. “We already had mitigating controls in place and to date we have not identified any additional issues. As part of our normal cybersecurity protocol, we have carefully reviewed this advisory and taken steps to further mitigate any potential risks the vulnerability may have created for our customers or our systems. “

Level3, now part of Lumen, has long urged customers to avoid using “Mail From” for authentication, but until very recently they still allowed it.

KC Claffy is the founder and director of the Center for Applied Internet Data Analysis (CAIDA) and resident researcher at the San Diego Supercomputer Center at the University of California, San Diego. Claffy said there is little public evidence of a malicious actor using the weakness now corrected by Lumen to hijack internet routes.

“People often don’t notice it, and a malicious actor is certainly working to make it happen,” Claffy said in an email to KrebsOnSecurity. “But also, if a victim notices, they usually won’t disclose the details that they’ve been hijacked. This is why we need mandatory reporting of such violations, as Dan Geer has said for years. “

But there are plenty of examples of cybercriminals hijacking blocks of IP addresses after a domain name associated with an email address in an IRR record expires. In these cases, the thieves simply register the expired domain and then send an email from it to an IRR specifying any rerouting.

While it’s great that Lumen is no longer the weakest link in the IRR chain, the remaining authentication mechanisms aren’t great. Claffy said that after years of debate on approaches to improve routing security, the operator community has deployed an alternative known as resource public key infrastructure (RPKI).

“The RPKI includes cryptographic attestation of registrations, including expiration dates, with each Regional Internet Registry (RIR) functioning as a ‘root’ of trust,” Claffy and two other UC San Diego researchers wrote in a report. article which is still under peer review. “As with IRR, operators can use RPKI to eliminate routing messages that do not pass the original validation checks. “

However, the additional integrity that RPKI brings also comes with additional complexity and cost, the researchers said.

“The operational and legal implications of the potential malfunctions limited the registration and use of RPKI,” the study observed (link added). “In response, some networks have redoubled their efforts to improve the accuracy of IRR recording data. These two technologies now work in parallel, with the possibility of doing nothing at all to validate the routes.

[1]: I borrowed a descriptive text in the 5th and 6th paragraphs of a draft document CAIDA / UCSD – IRR Hygiene in the RPKI Era (PDF).

Further reading:

Trusted Zones: A Path to a More Secure Internet Infrastructure (PDF).

Examining a Historic Internet Vulnerability: Why Isn’t BGP More Secure and What Can We Do About It? (PDF)


Comments are closed.