Last month, we saw Kaminsky release details around a particularly nasty flaw in the DNS infrastructure. The tubes exploded with traffic on this flaw and security pundits beat their chests, telling the masses that they have been reporting this for years.

Well, it’s a new month, and we have a new flaw.

Slashdot has posted a story about a BGP flaw that has been around for years that could easily bring down major portions of the internet. Wired has an article here, and the PDF of the presentation by Kapela and Pilosov is here.

I was a system and network administrator in a previous life (and to date have only had one system of mine EVER hacked… that pesky IMAP flaw in 1997 taught me a TON about security), and I always marveled at how easy it was to goof up parts of the Internet with bad BGP announcements. Thankfully, we were too small to ever be a victim of such an attack, but I do remember fat fingering IP space and seeing my goofed up announcements propagate quickly across the internets. I also got a kick out of a goofed up as-path prepend statement I did once (which is exactly how part of this attack works).

Ahh, those were the good old days.

But apparently, the good old days are still around! Imagine being able to target specific users to read all of their email before they can. Or maybe launch attacks on the inside of your own company (many companies use IBGP to route internally, some use straight BGP) to learn about an impending layoff. This is a classic Man in the Middle attack (MITM), and should reinforce our beliefs that the Internet (and maybe your internal network) IS NOT to be trusted.

Kapela and Pilosov state that the only way to fix this problem is with “perfect filtering.” That will never happen. A better way is to start wrapping your traffic inside SSL or other types of encryption technologies that include assurance and integrity checks.

What will it be next month?

This post originally appeared on

Possibly Related Posts: