Bah. Real simple cure for this nonsense. Too bad it's unlikely to happen.

Back when Usenet mattered, there used to be something called a "Usenet Death Penalty". What we need here is an "Autonomous System Death Penalty".

BGP works between "Autonomous Systems" (aka AS). ISPs almost invariably are. Bigger companies usually are. Anyone who wants to be independent of their upstream IP connection gets an AS number. The only way some ISP in Belarus can interfere with your IP packets is to announce over BGP that packets should be sent to their AS.

So anyone who was affected by some rogue ISP in Belarus should simply tell their BGP routers to totally ignore anything from that AS. Forever. And if they're a govt agency they simply tell Comcast, Verizon, AT&T, etc. to drop any and all packets from that AS. To anywhere! And if it's a govt agency making this "request", there's a good chance that the Tier 1 IP providers will comply.

Done. That podunk ISP in Belarus has now been disconnected from a large part of the Internet. And good luck with them trying to get Verizon etc. to undo that.

So, what the death penalty means is "you get to intentionally mess around with routing just once, then you go away forever". Now that podunk ISP can either go out of business or it can go begging IANA for a new AS number. And since ICANN (which operates IANA) answers (at least for now) to the US Dept of Commerce, it might not be too easy to get a new AS.

Yes, I know the propeller-head nerds who operate the "technical" Internet would immediately think my proposal is much too harsh. But, ultimately, nerds need to understand that sometimes things are done for "political" rather than "technical" reasons. And the managers who sign the nerds' paychecks are political creatures; they almost invariably aren't nerds.
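As an added illustration of the mechanics in that comment (example code, not from the thread or from Renesys): a toy route table showing why a bogus more-specific announcement wins longest-prefix match, a check that flags routes originating a known prefix from the wrong AS, and the proposed "death penalty" filter that drops every route whose AS_PATH contains a given AS. The prefixes and ASNs are documentation-reserved values constructed for the example, and the expected-origin table stands in for whatever IRR or RPKI data a real router would consult.

```python
"""Toy BGP route table: AS-path filtering and origin-hijack detection."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Announcement:
    prefix: str       # announced prefix, e.g. "203.0.113.0/24"
    as_path: tuple    # AS_PATH as received; the last element is the origin AS


# Constructed sample table: documentation prefixes (RFC 5737) and
# documentation ASNs (RFC 5398), not real routes.
ANNOUNCEMENTS = [
    Announcement("203.0.113.0/24", (64500, 64496)),         # legitimate origin 64496
    Announcement("203.0.113.0/25", (64500, 64510, 64511)),  # more-specific from 64511
    Announcement("198.51.100.0/24", (64500, 64497)),        # legitimate origin 64497
    Announcement("192.0.2.0/24", (64511, 64498)),           # transits via 64511
]
# Prefix -> AS expected to originate it (constructed stand-in for IRR/ROA data).
EXPECTED_ORIGINS = {"203.0.113.0/24": 64496, "198.51.100.0/24": 64497}


def filter_by_as(announcements, banned_asns):
    """The 'AS death penalty': drop every route whose AS_PATH contains a banned AS."""
    return [a for a in announcements if not set(a.as_path) & set(banned_asns)]


def detect_origin_hijacks(announcements, expected_origins):
    """Return (prefix, seen_origin, expected_origin) for routes covering a known
    prefix, or a more-specific inside it, that come from the wrong origin AS."""
    alerts = []
    for a in announcements:
        net = ipaddress.ip_network(a.prefix)
        origin = a.as_path[-1]
        for known, owner in expected_origins.items():
            if net.subnet_of(ipaddress.ip_network(known)) and origin != owner:
                alerts.append((a.prefix, origin, owner))
    return alerts


def longest_match(announcements, ip):
    """Longest-prefix match: the route a router actually uses for ip.
    This is why a bogus more-specific announcement captures the traffic."""
    addr = ipaddress.ip_address(ip)
    covering = [a for a in announcements if addr in ipaddress.ip_network(a.prefix)]
    return max(covering, key=lambda a: ipaddress.ip_network(a.prefix).prefixlen, default=None)


if __name__ == "__main__":
    print("hijack alerts:", detect_origin_hijacks(ANNOUNCEMENTS, EXPECTED_ORIGINS))
    print("route for 203.0.113.5 before filter:", longest_match(ANNOUNCEMENTS, "203.0.113.5"))
    cleaned = filter_by_as(ANNOUNCEMENTS, {64511})
    print("route for 203.0.113.5 after filter:", longest_match(cleaned, "203.0.113.5"))
```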
Here's the post at Renesys upon which this article is based: http://www.renesys.com/2013/11/mitm-internet-hijacking/

FWIW, I found the Renesys post more informative than the Wired article (though on a standalone basis it is pretty good too).
Let's assess the damage. Says the article:

"The stakes are potentially enormous, since once data is hijacked, the perpetrator can copy and then comb through any unencrypted data freely"

Apparently then, the harm amounts to:

H1. The method is a little stealthier than the NSA's other modus operandi, the badge + "national security letter" + secrecy order, and similar conduct of other state actors.

H2. The reach extends surveillance capabilities outside the attacker's territory.

On the other hand:

M1. There is no new MITM that was not possible before. Well-encrypted traffic is still opaque, and plaintext traffic is still vulnerable, regardless of whether it is hijacked BGP-wise or by the on-premises tactics.

M2. This does not go unnoticed; there is no way to force affected parties to shut up about it, and like the other wiretapping, this will bring on countermeasures. It's self-limiting.
Related discussion: https://news.ycombinator.com/item?id=6773889
Very interesting - is BGP fundamentally vulnerable to this attack? Is there a way to put the equivalent of a certificate revocation list on top of BGP?
Someone or the NSA? If I were them I would hijack some poor country's ISP and siphon everything through them. At this point assuming it's the NSA should be the default assumption. Remember that Snowden's encrypted data (assuming it's real) includes everything not yet public. So likely we only know a fraction. Thus assuming NSA is probably safe.
Off-topic: I always liked the idea of loose source routing. And the original netcat supports it. Does your kernel support it? Would you use it if you could?