tsavla All American 6787 Posts
http://arstechnica.com/news.ars/post/20080827-inherent-security-flaw-poses-risk-to-internet-users.html
Quote : | "For all the viruses, malware, and exploits that crawl around the web, fundamental flaws in the system are supposed to be few and far between, but the last two months have proven to be an exception to the rule. In July, Dan Kaminsky revealed his discovery of a DNS flaw that could be exploited to direct unwitting users to malicious web addresses. Now, practically on the heels of that announcement, a hacker team that presented at DEFCON has demonstrated how a fundamental design error in the Internet's border gateway protocol (BGP) can be used to invisibly eavesdrop on all traffic originating from a particular set of IP blocks." |
8/29/2008 1:33:53 PM |
robster All American 3545 Posts
The responsibility to stop this from happening rests on the shoulders of providers.
There are plenty of tools available within BGP as it currently exists which allow a provider to block its customers from advertising prefixes it does not own.
If every provider conformed to these standards, then this vulnerability would not exist.
Even if some of the major ISPs were to create some manageable borders in their networks where they could isolate the potential reach of such a hack, the ability to do this successfully would be severely hampered. 8/29/2008 2:14:51 PM |
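Added example, not part of the thread: a minimal Python sketch of the decision a provider-side customer prefix filter makes, as robster describes above. The customer name, the table of registered prefixes and the function names are hypothetical, and the prefixes are constructed sample data from the RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed sample data: (registered prefix, longest prefix length the
# provider will accept inside it) for each customer BGP session.
CUSTOMER_PREFIXES = {
    "cust-a": [("192.0.2.0/24", 24), ("198.51.100.0/24", 25)],
}

def check_announcement(customer, prefix, table=CUSTOMER_PREFIXES):
    """Return (accepted, reason) for one prefix announced on a customer session."""
    try:
        # strict=True rejects prefixes with host bits set, e.g. 192.0.2.1/24
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    for allowed, max_len in table.get(customer, []):
        allowed_net = ipaddress.ip_network(allowed)
        if net.version != allowed_net.version:
            continue  # never compare IPv4 against IPv6
        if net.subnet_of(allowed_net):
            if net.prefixlen <= max_len:
                return True, f"within {allowed} le {max_len}"
            return False, f"more specific than /{max_len} allowed for {allowed}"
    # Covers unregistered space, covering less-specifics and unknown customers.
    return False, "prefix not registered to this customer"

def filter_session(customer, announced):
    """Split one session's announcements into accepted and rejected lists."""
    accepted, rejected = [], []
    for prefix in announced:
        ok, reason = check_announcement(customer, prefix)
        (accepted if ok else rejected).append((prefix, reason))
    return accepted, rejected

if __name__ == "__main__":
    # Constructed announcements: two legitimate, four that must be dropped.
    sample = ["192.0.2.0/24", "198.51.100.128/25", "198.51.100.192/26",
              "203.0.113.0/24", "192.0.0.0/16", "192.0.2.1/24"]
    accepted, rejected = filter_session("cust-a", sample)
    for prefix, reason in accepted:
        print(f"ACCEPT {prefix:20} {reason}")
    for prefix, reason in rejected:
        print(f"REJECT {prefix:20} {reason}")
```

The default is to reject: anything not explicitly registered to the session's customer is dropped, including a less-specific route that merely covers a registered prefix.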
BobbyDigital Thots and Prayers 41777 Posts
Hey, BGP is pretty good for something that was drawn up on a napkin in a restaurant
8/29/2008 3:12:38 PM |
tsavla All American 6787 Posts
wait what 8/29/2008 3:25:25 PM |
cdubya All American 3046 Posts
http://www.youtube.com/watch?v=HAOVNYSnL7k
Dr. Rekhter gave that talk while I was at the Goog. Very awesome, and definitely worth a watch! He's quite a humble guy, considering the impact that he's had on the networking world.
I hadn't read anything about this 'flaw', but just figured I'd throw that in given the two previous comments. 8/29/2008 6:31:09 PM |
cdubya All American 3046 Posts
Another article that provides a bit more depth: http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html
robster hit the nail on the head. I don't agree with labeling this as a "fundamental design error" in BGP. IMHO I don't see this as anything new, just another MITM with a touch of BGP traffic engineering. 8/29/2008 6:53:25 PM |
mellocj All American 1872 Posts
The problem is that this isn't really seen as a huge security risk, so not all providers allocate the resources to fixing the problem. And some providers are small and incompetent and/or don't have the skills to manage their networks properly. For example, YouTube's accidental blockage earlier this year, when a government ISP null-routed YouTube on their network. 8/29/2008 10:39:48 PM |