A Word of Caution on Fraudulent Routing
If you've read TaoSecurity Blog for a while, you remember me being a fan of companies like Renesys (now part of Dyn Research) and BGPmon. These organizations monitor Internet-wide routing by scrutinizing BGP announcements, plus other techniques. (I first posted on the topic almost 12 years ago.)
I am well aware that an organization, from its own Internet viewpoint, cannot be absolutely sure that the other end of a conversation truly represents the IP address that it seems to be. The counterparty may be suffering a BPG hijack.
An attacker may have temporarily positioned itself in BGP routing tables such that the legitimate IP address owner is not the preferred route. There have been many examples of this, and on Thursday Dyn Research posted a great new blog titled The Vast World of Fraudulent Routing that describes six recent examples.
A Tweet by Space Rogue about Dyn's post caught my attention. He said:
You really want to tell me that an IP Address is enough for attribution?
Then he linked to the Dyn blog post.
There are several problems with this statement.
First, no one in their right mind says "an IP address is enough for attribution." If you want to comfort yourself by standing up a straw man that's easy to knock down, have fun with that.
I fear Tweets like this are swipes against the Update on Sony Investigation FBI statement, which includes this section:
The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
The straw-man-building critics neglect the qualifier that precedes this statement:
While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following...
For those who can't decode this statement, or aren't familiar with the phrasing, the text means:
"We have other information that isn't worth disclosing in order to convince critics. Our ability to detect and respond to future attacks, thanks to the sources and methods we preserve by keeping them our of the spotlight, is more important than publicizing sensitive intelligence."
Furthermore, the FBI statement includes other reasons for attribution, which you can read in the original document.
Second, and most importantly, the Dyn post demonstrates that it is possible, and routine, to identify when IP addresses are being hijacked.
Let me say that again. Once you step outside your organization's view of the Internet, by using a service like Dyn/Renesys, you can tell when IP addresses are being abused by BGP hijackers.
Services such as Dyn/Renesys and BGPmon provide alerts when they detect hijacking of an organization's IP address space. I know commercial customers who pay attention to these notifications, as well as other sources, to identify when odd activity is happening on the Internet.
Third, and finally, there is a difference between seeing an IP address in the logs of a victim organization, and having direct observation of intruder infrastructure. You can read the excellent New York Times piece N.S.A. Breached North Korean Networks Before Sony Attack for details on that angle.
Some critics, at least those with history in the field, should know better. It would be more productive to talk about serious issues, rather than straw men and incomplete arguments.
Update: I amended the post to make it clear that law enforcement is not a customer of Dyn/Renesys.
Tweet
I am well aware that an organization, from its own Internet viewpoint, cannot be absolutely sure that the other end of a conversation truly represents the IP address that it seems to be. The counterparty may be suffering a BPG hijack.
An attacker may have temporarily positioned itself in BGP routing tables such that the legitimate IP address owner is not the preferred route. There have been many examples of this, and on Thursday Dyn Research posted a great new blog titled The Vast World of Fraudulent Routing that describes six recent examples.
A Tweet by Space Rogue about Dyn's post caught my attention. He said:
You really want to tell me that an IP Address is enough for attribution?
Then he linked to the Dyn blog post.
There are several problems with this statement.
First, no one in their right mind says "an IP address is enough for attribution." If you want to comfort yourself by standing up a straw man that's easy to knock down, have fun with that.
I fear Tweets like this are swipes against the Update on Sony Investigation FBI statement, which includes this section:
The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.
The straw-man-building critics neglect the qualifier that precedes this statement:
While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following...
For those who can't decode this statement, or aren't familiar with the phrasing, the text means:
"We have other information that isn't worth disclosing in order to convince critics. Our ability to detect and respond to future attacks, thanks to the sources and methods we preserve by keeping them our of the spotlight, is more important than publicizing sensitive intelligence."
Furthermore, the FBI statement includes other reasons for attribution, which you can read in the original document.
Second, and most importantly, the Dyn post demonstrates that it is possible, and routine, to identify when IP addresses are being hijacked.
Let me say that again. Once you step outside your organization's view of the Internet, by using a service like Dyn/Renesys, you can tell when IP addresses are being abused by BGP hijackers.
Services such as Dyn/Renesys and BGPmon provide alerts when they detect hijacking of an organization's IP address space. I know commercial customers who pay attention to these notifications, as well as other sources, to identify when odd activity is happening on the Internet.
Third, and finally, there is a difference between seeing an IP address in the logs of a victim organization, and having direct observation of intruder infrastructure. You can read the excellent New York Times piece N.S.A. Breached North Korean Networks Before Sony Attack for details on that angle.
Some critics, at least those with history in the field, should know better. It would be more productive to talk about serious issues, rather than straw men and incomplete arguments.
Update: I amended the post to make it clear that law enforcement is not a customer of Dyn/Renesys.
Tweet
Comments
It is widely known in many BGP operator groups such as #nanog that denial and deception through intermediaries in both non-Internet (e.g., fraudulent businesses) and Internet (e.g., GRE or IP-in-IP tunnels) means can confuse BGP sensors.
There is a lot more you can do besides ASN and prefix hijacking, as well. Most is monitoring by Dyn but, again, it is not perfect.
Perhaps it is a rant against the Sony attribution situation, but the argument does stand on its own. I, for one (as you know Richard), trust the FBI to deliver the right information. I do not feel that they or anyone in the USG must or should reveal their sources. However, if this post-Sony breach activity involves an element of counterintelligence, then I'd like to hear more if more information does become accessible to the public. For example, CI campaigns typically last 4 to 6 months -- so new information could become available as early as March. Let's hold off until the summer before we pass full judgement?