Problematic protocol that directs all Web traffic finally gets attention
The Border Gateway Protocol is as important to the Internet as it is unknown to most of the people who use it. But that's starting to change.
Though most people have heard of HTML, it's possible to use the Internet without it. Most people have never heard of BGP, but it affects all Internet traffic. And while a huge movement of experts has pushed to bring default security to the Web by increasing the use of HTTPS encrypted communications, relatively few have campaigned for securing BGP, a protocol that has been known to lack basic defenses since it was introduced 25 years ago.
It's relatively anonymous even in the security community. From 2007 to 2014, a total of two talks at the venerable Black Hat security conference dealt with BGP. At this year's conference, which just concluded in Las Vegas, there were three.
"There has been a big movement around HTTPS, maybe there will be a movement around BGP next," says Wim Remes, a strategic services manager at the security firm Rapid7. He gave one of this year's BGP talks titled "Internet Plumbing for Security Professionals: The State of BGP Security." He delivered it to a packed room.
BGP is the protocol that routes traffic on the Internet. It was invented in 1989 and almost immediately recognized as entirely insecure. People have been trying to fix it since the 1990s. So far, no efforts have made a dent.
But now, with BGP increasingly being used as an attack vector, the security industry is beginning to look more seriously at how it can fix this long-ailing part of the Internet's infrastructure.
"When we've been talking BGP in the past, all the events that caused damage were misconfigurations. In the past two years, it's actually gotten malicious," says Sharon Goldberg, an associate professor of computer science at Boston University.
In 2014, hackers used BGP to hijack a distributed Bitcoin mining operation, netting $80,000 in the process. Even the notorious Italian spyware supplier Hacking Team, the subject of much scrutiny after its source code was leaked online, is reported to have used BGP for digital attacks.
When the Internet was coming of age, it was often described as the "information superhighway." But it's really more like the airways than the roadways. Like air travel, Internet traffic requires multiple connections to get where it's going, passing through a series of routers owned by corporations or countries that don't necessarily allow direct links. BGP is the protocol that determines the best path for data to take to its destination.
With thousands of groups that operate routers, getting the broad consensus needed for change is incredibly tough. Even so, many experts say that shouldn't be an excuse for not changing BGP. Currently, it has no mechanism to authenticate whether or not a router is actually entitled to a specific IP address range. And without authentication, it's possible to reroute traffic to the wrong place, allowing an attacker to cut off access to sites, or impersonate them.
BGP attacks require access to routers; it's not something angsty teenagers can do from their bedroom. But as hacking threats have become better organized, and sometimes even state-sponsored, hackers are beginning to clear the very high bar for entry to this attack vector.
Even though attackers have only recently begun using BGP as a weapon, researchers have had solutions ready for nearly 20 years. "The problem is in adopting a solution," says Mr. Remes of Rapid7. "There are no incentives to adopt RPKI technology."
The Resource Public Key Infrastructure (RPKI) is one of the most popular solutions. It allows the same organizations that allocate IP addresses to issue Route Origin Authorizations, signed certificates that attest which network is authorized to announce a given address range.
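As an added illustration (not code from the article or from any project named in it), this is the route origin validation check an RPKI-aware router performs against a set of Route Origin Authorizations, following RFC 6811; the ROAs and announcements are constructed sample data using documentation address ranges and private AS numbers.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A validated Route Origin Authorization: prefix, maxLength, origin AS."""
    prefix: str
    max_length: int
    origin_asn: int


def validate_origin(route_prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'.

    A ROA covers a route when the route prefix lies inside the ROA prefix.
    The route is valid if some covering ROA names the same origin AS and the
    route is no more specific than that ROA's maxLength; invalid if covering
    ROAs exist but none matches; not-found if no ROA covers the route at all.
    """
    route = ipaddress.ip_network(route_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed sample ROAs (RFC 5737 / RFC 3849 documentation prefixes,
# private-use AS numbers); not real registry data.
SAMPLE_ROAS = (
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
)

# Constructed sample announcements, including a wrong-origin announcement
# and an over-specific announcement that exceeds the ROA's maxLength.
SAMPLE_ANNOUNCEMENTS = (
    ("192.0.2.0/24", 64496),       # legitimate origin -> valid
    ("192.0.2.0/24", 64511),       # wrong origin AS    -> invalid
    ("192.0.2.0/25", 64496),       # too specific       -> invalid
    ("2001:db8:1::/48", 64496),    # within maxLength   -> valid
    ("198.51.100.0/24", 64496),    # no ROA covers it   -> not-found
)

if __name__ == "__main__":
    for prefix, asn in SAMPLE_ANNOUNCEMENTS:
        print(f"{prefix:<18} AS{asn}: {validate_origin(prefix, asn, SAMPLE_ROAS)}")
```

A router that enforces RPKI would typically drop or deprioritize the "invalid" announcements; the "not-found" case reflects the many prefixes that still have no ROA at all.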
Fewer than 7 percent of websites can currently be verified with RPKI, including 3.5 percent of the Alexa top 500 sites, a ranking of the world's most popular websites. Remes estimates in a white paper that accompanied his talk that, at the current rate, it will take until 2020 for even half of IPs to be verifiable.
He hopes that, as soon as a few routers adopt RPKI, they will penalize peers who don't with longer routing times and less access. Still, he says, it will be an even greater battle to get routers to incorporate RPKI checking services.
"Until something is on fire, you don't necessarily feel like you need to do anything," says Jaeson Schultz, technical leader of Cisco's Talos Security Intelligence and Research Group.
Mr. Schultz is particularly excited about a major Black Hat announcement from the security network OpenDNS, which will start announcing BGP outages on Twitter ("Before us, no one announced large scale hijacks or outages," says Dan Hubbard, chief technology officer of OpenDNS).
Schultz says he hopes the move will increase visibility of the problem, and ultimately shame those who control the backbone of the Internet into making a change. "We're at this stage where other protocols are being worked on," Schultz says. "BGP never got the same love."