X

Internet-scale 'man in the middle' attack disclosed

A researcher has found a nearly invisible way to redirect network traffic through an attacker's network using existing network protocols.

Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.
See full bio
Robert Vamosi
2 min read

In Black Hat's October Webinar on Thursday, Anton Kapela, datacenter manager at 5Nines Data, spoke about Internet-scale "man in the middle" attacks.

The talk reprised a last-minute substitution presentation he gave along with Alexander Pilosov at this year's Defcon conference in August. During the conference, the two researchers intercepted all conference Internet traffic at the Riviera Hotel in Las Vegas and ran it through their servers. According to Black Hat founder and director Jeff Moss, most attendees didn't realizing this was being done.

"This is an emergent vulnerability," said Kapela in the Webinar. "It only becomes apparent in thousands of networks, not one." He took effort to explain that this is really a condition of the Internet today. "I'm not talking about any particular failing, or vendor implementation. This is something that happens because we're using it all," he said

Both Kapela and Moss drew parallels between this flaw and Dan Kaminsky's DNS disclosure in July. Moss said that this talk in particular was representative of research being done on the bedrock foundations of the Internet. Lately researchers have been finding faults that could have enormous impact in the future.

Kapela said there is a trust issue with Border Gateway Protocol, and admitted that the hijacking part of his talk isn't new. What is new is that "any network has the ability to facilitate this attack." Kapela and his partner found a feasible return path using Autonomous System Number that provides a way to hop-scotch through an attacker's network on the way back to yours. In a newsgroup thread, Kapela summarized it as "using AS-path loop detection to selectively blackhole the hijacked route which creates a transport path back to the target."

Kapela said this method challenges the conventional thinking that traffic analysis means you have to be local. You could be in China and monitoring static networks in the U.S.

Black Hat has been hosting these Webinars since June, and offers an e-mail address (subscribe-webcasts@blackhat.com) to subscribe for updates.