Imagine being able to disconnect or redirect Internet traffic destined for some of the world’s largest companies – just by spoofing an email. Such is the nature of the threat vector that was recently removed by the Fortune 500 company that operates one of the largest fundamental pillars of the Internet.
Based in Monroe, Los Angeles, Lumen Technologies Inc. [NYSE: LUMN] (Previously Centurylink) is one of more than twenty entities that operate what is known as the Internet Routing Registry (IRR). IRRs maintain routing databases that network operators use to record the network resources assigned to them – that is, the Internet addresses that have been assigned to their organization.
The data held by the IRR helps keep track of which organizations have the right to access the Internet address space in the global routing system. Collectively, information voluntarily submitted to IRRs constitutes a distributed database of Internet routing instructions that help to connect a wide variety of individual networks.
There are around 70,000 premium networks on the Internet today, ranging from huge broadband providers like AT&TAnd the Comcast And the Verizon To the many thousands of companies that connect to the edges of the Internet to gain access. Each of these “autonomous systems” (ASes) make their own decisions about how and with whom to connect to the larger Internet.
No matter how they connect to the Internet, each operator uses the same language to determine the ranges of Internet IP addresses they control: it is called Gateway Protocolor bgp. With BGP, an AS tells its directly connected neighbor AS(s) which addresses it can access. This neighbor, in turn, passes the information to its neighbors, etc., so that the information is spread everywhere .
The main function of BGP data held by IRR is to prevent fraudulent network operators from claiming other network addresses and hijacking their traffic. Essentially, an organization can use the IRR to declare to the rest of the Internet, “These specific Internet address ranges are ours, and should only originate from our network, and you should ignore any other networks trying to claim these address ranges.”
In the early days of the internet, when organizations wanted to update their records using an internal internal rate of return (IRR), changes usually involved some amount of human interaction—someone often manually editing the new coordinates to a primary internet router. But over the years, various IRRs have made it easy to automate this process via email.
For a long time, any changes to an organization’s routing information can be processed with an IRR via email as long as one of the following authentication methods is successfully used:
– Crete- PW: A password is added to the body of the email to the IRR containing the record they wish to add, change, or delete (the IRR then compares that password to the password hash);
-PGPKEY: The applicant signs the email containing the update with an encryption key recognized by the IRR;
-mail from: The applicant sends the record changes in an email to the IRR, and the authentication is based only on the From: header of the email.
Among these, MAIL-FROM has long been considered insecure, for the simple reason that it is not difficult to spoof the return address of an email. He said nearly all IRRs have banned their use since at least 2012 Adam Korapa network engineer and security researcher based in Houston.
All but Level 3 Communications, a major internet provider acquired by Lumen/CenturyLink.
“Level 3 is the last IRR operator to allow this method to be used, although they have discouraged its use since at least 2012,” Korab told KrebsOnSecurity. “Other IRR operators have completely discontinued MAIL-FROM.”
Most importantly, the name and email address of the official contact for each independent system for making updates with IRRs is public information.
Korab submitted a vulnerability report to Lumen outlining how a simple phishing email can be used to disrupt the internet service of banks, telecoms companies, and even government entities.
“If such an attack is successful, it will filter and drop client IP addresses, making them unreachable from some or all of the global internet,” Korap said., indicating that it has found that more than 2,000 Lumen customers have been affected. “This will effectively cut off Internet access to block the affected IP addresses.”
The last break that took FacebookAnd the Instagram And the The WhatsApp Offline for most of the day was caused by a wrong BGP update sent by Facebook. This update removed the map that tells the world’s computers how to find their various properties online.
Now consider the chaos that would occur if someone spoofed IRRs to remove or change routing entries for multiple e-commerce providers, banks, and telecom companies at the same time.
“Depending on the scope of the attack, this may affect individual customers, or geographical market areas, or is likely to affect [Lumen] Follow Korap. “This attack is trivial to exploit, and has a hard time recovering. Our guess is that any affected Lumen blocks or client IP address blocks will be offline for 24-48 hours. In the worst case scenario, this could extend much longer.”
Lumen told KrebsOnSecurity that it continued to offer mail authentication from: because many of its customers still rely on it due to legacy systems. However, after receiving Corap’s report, the company decided that the wisest course of action would be to disable MAIL-FROM: authentication altogether.
“We recently received a notification of a known insecure configuration with our path history,” reads the statement shared with Lumen with KrebsOnSecurity. “We have already had mitigating controls in place and to date have not identified any additional issues. As part of our normal cybersecurity protocol, we have carefully considered this notice and have taken steps to further mitigate any potential risks the vulnerability may have caused to our customers or our systems.” .
KC Clavi He is the founder and director of the Center for Applied Internet Data Analysis (CAIDA), and a resident research scientist at the San Diego Supercomputer Center at the University of California, San Diego. Clavey said there is little public evidence that the actor is using the vulnerability now fixed by Lumen to hijack Internet routes.
“People often go unnoticed, and a malicious actor is definitely working to make it happen,” Clavey said in an email to KrebsOnSecurity. “But also, if a victim notices, they generally won’t reveal details of their kidnapping. That is why we need to report such abuses,” Dan Gere has said for years.
But there are plenty of examples of cybercriminals hijacking blocks of IP addresses after the domain name associated with an email address in the IRR record expires. In these cases, thieves simply register the expired domain and then email it to the IRR to identify any changes to the path.
While it’s good that Lumen is no longer the weakest link in the IRR chain, the remaining authentication mechanisms aren’t great. After years of controversy over approaches to improving routing security, the operator community has published an alternative known as the Resource Public Key Infrastructure (RPKI), Clavey said.
“The RPKI includes encrypted authentication of records, including expiration dates, with each RIR operating as a ‘root’ of trust,” Clavey and two other UCSD researchers wrote in a paper still subject to peer review. Similar to IRR, operators can use RPKI to discard routing messages that do not pass the origin validation checks.
However, researchers have found that the additional integration that RPKI brings also comes with a fair amount of complexity and additional cost.
The study notes that “the operational and legal implications of potential malfunctions have limited RPKI registration and use” (link added). In response, some networks have redoubled their efforts to improve the accuracy of IRR recording data. These two technologies now work in parallel, along with the option to do nothing at all to validate the paths.”
I have borrowed some descriptive text in paragraphs 5 and 6 of the draft CAIDA/UCSD paper – IRR Hygiene in the RPKI Era (PDF).
Zones of Trust: A Path to a Safer Internet Infrastructure (PDF).
Historic Internet Vulnerability Review: Why isn’t BGP more secure and what can we do about it? (PDF)