In Black Hat's October Webinar on Thursday, Anton Kapela, datacenter manager at 5Nines Data, spoke about Internet-scale "man in the middle" attacks.
The talk reprised a last-minute substitution presentation he gave along with Alexander Pilosov at this year's Defcon conference in August. During the conference, the two researchers intercepted all conference Internet traffic at the Riviera Hotel in Las Vegas and ran it through their servers. According to Black Hat founder and director Jeff Moss, most attendees didn't realizing this was being done.
"This is an emergent vulnerability," said Kapela in the Webinar. "It only becomes apparent in thousands of networks, not one." He took effort to explain that this is really a condition of the Internet today. "I'm not talking about any particular failing, or vendor implementation. This is something that happens because we're using it all," he said
Both Kapela and Moss drew parallels between this flaw and Dan Kaminsky's DNS disclosure in July. Moss said that this talk in particular was representative of research being done on the bedrock foundations of the Internet. Lately researchers have been finding faults that could have enormous impact in the future.
Kapela said there is a trust issue with Border Gateway Protocol, and admitted that the hijacking part of his talk isn't new. What is new is that "any network has the ability to facilitate this attack." Kapela and his partner found a feasible return path using Autonomous System Number that provides a way to hop-scotch through an attacker's network on the way back to yours. In a newsgroup thread, Kapela summarized it as "using AS-path loop detection to selectively blackhole the hijacked route which creates a transport path back to the target."
Kapela said this method challenges the conventional thinking that traffic analysis means you have to be local. You could be in China and monitoring static networks in the U.S.
Black Hat has been hosting these Webinars since June, and offers an e-mail address (email@example.com) to subscribe for updates.