We’d like to welcome our first guest author, Gerard Creamer. He’s written an article that explains some of the security risks inherent in implementing a centralised filtering system. It’s a little more technical than most of the articles we publish; we hope you find it interesting.
Security risks of centralised filtering
The DIA’s Internet filter will introduce a very tempting attack vector for those with ill intent. When their system is compromised we’ll all be at significant risk of losing all of the money in our bank accounts. No, really, we will.
To fully understand how and why this will happen it’s important to understand a little bit about how the routing on the Internet works, how the filter will work, and the methods and mind-set of the criminals currently working on the Internet.
Routing Primer
Routing on the Internet is based on hearsay. As a provider of services I tell my neighbours the IP addresses that I look after, and that if they have packets destined for my IP addresses that they should route those packets to me. My neighbour tells their neighbours, and so on. So when someone on the far end of the Internet wants to send a packet to an IP address I am advertising they ask their neighbours if any of them know a way to get to me. One or more of their neighbours will return a path that should get to me – this path is called an AS-path, and is the crux of BGP routing. Using a set of pre-defined rules the person at the far end decides which of their neighbours to send the packets to. Once the best path is selected the packets are handed over and the neighbour then repeats the process with their neighbours.
There are only a limited number of tools that can be used to influence the path packets take. One of the most influential is how specific the advertisement is. Say I want to send some packets to an IP address and two of my neighbours say they know a way to get there. One says it knows how to get to a range of 246 IP addresses, including the intended destination, and the other says it knows how to get to a range of 512 IP addresses that also includes the intended destination. I will choose the more specific route – the one with the smallest range.
In summary, routing is based on what my neighbours tell me, which is in turn based on what their neighbours tell them, and packets always go to the most specific advertised route. I have to trust my neighbours, just as they trust what their neighbours tell them.
What could possibly go wrong?
The Internet is founded on trust, but sadly some people break trust. The easiest way to break the internet is to advertise ‘false’ routes. If you were to do this, traffic intended for someone else’s IP addresses would come to you – you just need to advertise their ranges in more specific advertisements, as packets will always choose the more specific route. This is a little bit spooky, because there would be no tell-tale signs that your packets were going the wrong way – none of the easy-to-spot phishing give-aways (malformed domain names) or slight-less-easy-to-spot-but-still-detectable DNS poisoning (an incorrect IP addresses – you all use a geo-IP tool in your browser, right?). It will appear that your packets have gone to the correct IP address, because they have gone to the correct IP address. It’s just that the IP address is on the wrong server.
Could this ever happen? It has happened. Pakistan Telecom advertised the YouTube ranges and broke YouTube for a few hours. It got into the newspaper and everything. To combat this we can assume that YouTube changed their advertised routes to be more specific. If Pakistan Telecom has been a malicious attacker they would have done the same, and then YouTube would get even more specific, and Pakistan Telecom again, etc, etc. At some point (/24 in most instances – a 256 IP address range) you can’t advertise a more specific route because your neighbour won’t accept the advertisement, because their routers would run out of memory to hold all the routes. At this point you’re at a stalemate with some data going to the legitimate place and some to the bogus place. I mention this limit as it’s important to the attack vector later.
How the DIA filter will work
Here is what NetClean say about how their WhiteBox product works: “NetClean WhiteBox server contains the URL block list of the sites to be blocked. It looks up these URLs using DNS and resolves them to their IP addresses. These addresses are propagated to the networks to be filtered via BGP. Traffic to these IP addresses from the networks is routed through the tunnels to the WhiteBox server that checks the URL against the blocking list. If a match is made, a block page is sent to the requestor. If a match is not made, the request continues to the web site and it is accessed as normal.”
In other words the DIA filter will essentially do the same thing as occured in the Pakistan vs YouTube issue, they will advertise a false route to divert traffic. The DIA filter will be a neighbour to our ISPs, advertising very specific routes (ie, single IP addresses) that are ‘IP addresses of interest’. Traffic that would normally be routed over the public internet to those IP addresses will instead be routed to DIA. The DIA filter will then inspect the data and decide what to do with it. For the purposes of this article I don’t know or care what happens to it: the data might be inspected and then passed on to the intended destination, or the packets might be discarded – what happens in the normal operation of the filter isn’t relevant to this article.
Note that the advertised route from the DIA filter is more specific than is generally considered acceptable on the Internet at large. This means that in a turf war over IP addresses the DIA filter will always win. The ISP will always send data destined for the intended recipient to the DIA filter when the filter says it wants to receive it. So the DIA filter is a centralised management system capable of controlling data flow to any single IP address as it crosses any ISP.
What bad people are doing these days
The second piece of this puzzle revolves around the way criminal activity is going on the Internet. I’m not talking about script-kiddies defacing a few web servers, but the hardened criminals who are stealing millions of dollars to fund their other activities. I was recently at NZNOG, a seriously geeky conference, and a guy named Adam Boileau spoke on security – the same talk I believe he gave at Kiwicon last year. He reminded me that serious hackers are like any business people: they want to maximise the return on their expenditure. In other words, they want the biggest bang for their buck.
I’ll take a short detour here – it’s reasonably important to realise that the underground economy of data theft is reasonably mature. There are specific roles and jobs that are carried out by different people, and they sell the results of their efforts to other people who do the next part. So there are the people who break into home PCs and build botnets, which they then sell to others who will use that botnet for, say, a distributed denial of service (DDoS) attack on the web server of some organisation they don’t like. Or one person will break into a system and steal a swag of credit card numbers which they’ll sell to a second person who will verify which ones work, and they in turn will sell those to people who will use them to buy things (which they return for a cash refund or sell for cash).
So we’ve got a bunch of bad guys who want to break into as many systems as they can in as short a time as possible, so they can earn more dollars per hour from their activities. These people are often quite smart, and they can figure out that there can be several ways to get the information they want, some more efficient than others. For example, the bad folks looking to get internet banking logins that they can sell worked out that it’s more efficient to poison DNS than to send lots of phishing emails. When you poison DNS you get a name server to return the wrong IP address when a domain name is resolved, and then the users web browser goes to the wrong server with their request. If the domain name is abc-bank.co.nz then when the user goes to their bank’s internet banking login they actually end up on the bad guys’ server, and send their login credentials to the bad guys who in turn use them to log into the real system. “Oh, but I have the fancy second factor authentication RSA dongle / battleship card / one time text system, so they won’t get me…” I hear you say. Sadly the bad guys have thought of a way around this – as you type into the fake bank screens from their server they are doing the same into the real bank screens, using your second factor authentication in real time on your real account.
DNS poisoning is tricky for a user to spot, but not impossible. You can use a GeoIP tool in your browser to check that if you’re logging in a New Zealand bank that the IP is from New Zealand. I use WorldIP for FireFox. If you use Internet Explorer do a google on something like ‘internet explorer geoip plugin‘.
The bad guy gets more bang for their buck by poisoning DNS than by phishing with email. Why spend a whole week building a botnet when you can spend an afternoon breaking into some established centralised control mechanism, like DNS?
Pulling all the pieces together
Routing over the Internet is controlled using BGP and a high level of trust. Malicious false advertisements can break routing and cause packets to go to the wrong server without any identifiable tell-tales for end users to be able to protect themselves. The DIA filter will exploit this to direct traffic from predefined IP addresses to their filter. The ISPs will believe and trust the routes advertised by the DIA filter. The bad guys find it more efficient to break into a single centralised control mechanism.
If you put this all together you get “lets make a legislated centralised (and explicitly trusted) way to divert traffic from it’s proper destination which is virtually undetectable, and then when the haxors break into that system they’ll be able to divert ABC Bank’s traffic to their own server and BE THE BANK”.
The filter system is introducing an architectural weakness into the New Zealand Internet. Not only is it a single point of failure, it is also a single point of attack. While we can expect the DIA to do their best to keep the system secure, we can hardly expect the Censorship unit to have the skills to do more than apply patches supplied by the vendor, and this will be a very tempting target for any number of malicious people.
About the author
Gerard Creamer is an Internet entrepreneur who owns several Internet based businesses, Paystation (electronic payments), Netspace (system hosting and collocation), and Face (web based system development). He is an active member of the NZ Network Operator’s Group. Gerard lives in Wellington with his wife and four children.
as mentioned in other posts all government systems and all providers systems are tempting targets to l337 haxors.
therfore your document adds nothing to the argument.
The pakistan incident was due to human error not system. Your statement the unit will only have the skill to apply patches. Let me ask you this do you only patch your http servers and leave it be after that or do you setup other systems to ensure that the entire system is safe. It would be pointless to setup a system any other way. These guys have been around for a while so I am sure they are aware of this.
you mention dns poisoning, which is used by other systems not the one the DIA are ultising.
You neglected to mention the benefits of BGP that both sides will have to limit there exposure to any potential breach, the same procedure put in place for most systems.
now to comment on the centralised statement, from my readings on this site and others the only centralised factor here is that it is the DIA that are running it. they have not commented on anything regarding the location or distribution of sites (from what I gather). so it is potentially de-centralized centralisation.
I had expected more from a NZNOG member.
” While we can expect the DIA to do their best to keep the system secure, we can hardly expect the Censorship unit to have the skills to do more than apply patches supplied by the vendor, and this will be a very tempting target for any number of malicious people.”
Are you seriously suggesting that NZ networking and security engineers are a bunch of knuckle dragging morons?
I take umbrage at that suggestion, and at your article lacking in fact or accuracy.
The BGP routing tables do not work with specific IP addresses, it works with ranges of addresses for a start, which would make a malicious redirection very visible, if they managed that at all.
If the hackers can compromise the BGP and DNS servers then you would have had the crap long ago and without any filter systems.
I really do not think that your crims have been waiting in the background for the filter system to be introduced…
I concur with Joseph.
Dipper; BGP can deal with specific addresses, and that’s exactly how it works in this instance. The government filter advertises a single address (a /32 for you networking and security engineers out there) which ISPs then redirect down a tunnel to the filter system. There are around 7000 of these host-routes being used by the filter. I doubt anyone would notice an extra route being added to that list.
Joseph – yes, the Pakistan problem was caused by human error. The DIA filter will also be run by humans.
Both Joseph and Dipper may want to consider that Gerard (and some of the people in Tech Liberty) are experienced system and network engineers who are well aware of the problems of running stable and secure IT systems.
I’m not sure why Joseph and Dipper’s points are even relevant; it’s nitpicking over the fleas on a dead dog.
In the utility calculation of filter vs. no filter, the filter option introduces a plausible and potentially very severe weakness in exchange for…what, precisely?
The feel-good sensation that comes from the nebulous “protecting the children” argument?
There is no net benefit to filtering, and in exchange you get a very real weak point in national Internet capability. That’s not a smart decision from any angle.
In addition to this excellent article, I highly suggest reading this article (plus the two subsequent parts):
http://www.banthisurl.com/2008/12/exclusive-white-hat-hacker-tears-apart-flaws-in-aussie-net-filtering-scheme/