In Black Hat's October Webinar on Thursday, Anton Kapela, datacentre manager at 5Nines Data, spoke about internet-scale 'man in the middle' attacks.
The talk reprised a last-minute, substitute presentation that Kapela gave along with Alexander Pilosov at this year's Defcon conference in August.
During the conference, the two researchers intercepted all conference internet traffic at the Riviera Hotel in Las Vegas and ran it through their servers. According to Black Hat founder and director Jeff Moss, most attendees didn't realise this was being done.
"This is an emergent vulnerability," said Kapela in the Webinar. "It only becomes apparent in thousands of networks — not one."
He took effort to explain that this is really a condition of the internet today. "I'm not talking about any particular failing or vendor implementation. This is something that happens because we're using it all," he said
Both Kapela and Moss drew parallels between this flaw and Dan Kaminsky's DNS disclosure in July. Moss said that this talk in particular was representative of research being done on the bedrock foundations of the internet. Recently researchers have been finding faults that could have enormous impact in the future.
Kapela said there is a trust issue with Border Gateway Protocol and admitted that the hijacking part of his talk wasn't new. What is new, Kapela said, is that "any network has the ability to facilitate this attack".
Kapela and his partner found a feasible return path using Autonomous System Notation that provides a way to hopscotch through an attacker's network on the way back to yours. In a newsgroup thread, Kapela summarised it as "using AS-path loop detection to selectively blackhole the hijacked route which creates a transport path back to the target".
Kapela said this method challenges the conventional thinking that traffic analysis means you have to be local. You could be in China and monitoring static networks in the US, he said.
Black Hat has been hosting these Webinars since June, and offers an email address (subscribe-webcasts@blackhat.com) to subscribe for updates.
