BGP Security Alerts Coming to Twitter

At Black Hat, researchers from OpenDNS are expected to launch a new Twitter feed called BGP Stream that will send out alerts on possible BGP and DNS hijacking attacks.

Enterprises in the throes of a denial-of-service attack, or suspicious about the integrity of their Internet traffic, will soon have a free data feed available that cuts through the noise produced by normal Internet routing over BGP, the Border Gateway Protocol.

During next month’s Black Hat conference in Las Vegas, researchers from OpenDNS are expected to launch a new Twitter feed called BGP Stream. The feed will cull information gathered by OpenDNS’ BGPmon service, distill any anomalies from regular traffic, and tweet information to subscribers that can also be pulled via Twitter’s API for use on internal monitoring and alerting systems.

OpenDNS chief technology officer Dan Hubbard said network security analysts and administrators, ISPs and hosting providers can use the feed to validate suspicions over potential attacks.

“BGP Stream takes big events and hijacks and routing instabilities that are advertised globally and tweet them,” Hubbard said. “A user can follow the account like a traditional Twitter user, or use the API to pull the data and stream it into whatever monitoring system they have.”
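The consumption model Hubbard describes, pulling the feed through the API and routing it into an internal monitoring system, still leaves one decision to the subscriber: which of the five to fifteen daily events actually concern their own address space. The added example below (not OpenDNS or BGPmon code) shows that triage step. The tweet wording, the prefixes, and the AS numbers are all constructed placeholders, since the article does not give the real BGP Stream format; the logic of interest is the prefix-overlap check, which flags an event when a foreign origin announces your exact prefix, a more-specific of it (which wins longest-match routing), or a covering prefix.

```python
"""Triage BGP alert tweets against an organization's own prefixes and ASNs.

Added example, not OpenDNS/BGPmon code. The tweet wording below is an ASSUMED
placeholder; the real BGP Stream format is not given in the article.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed (hypothetical) alert wording:
#   "<HIJACK|LEAK|INFO>: prefix <CIDR> origin AS<n> [expected AS<n>] ..."
TWEET_RE = re.compile(
    r"^(?P<kind>HIJACK|LEAK|INFO):\s+prefix\s+(?P<prefix>\S+)"
    r"\s+origin\s+AS(?P<origin>\d+)(?:\s+expected\s+AS(?P<expected>\d+))?"
)


@dataclass
class RouteEvent:
    kind: str
    prefix: "ipaddress.IPv4Network | ipaddress.IPv6Network"
    origin_asn: int
    expected_asn: Optional[int]


def parse_tweet(text: str) -> Optional[RouteEvent]:
    """Parse one tweet in the assumed format; return None for anything else."""
    m = TWEET_RE.match(text)
    if not m:
        return None
    try:
        prefix = ipaddress.ip_network(m.group("prefix"), strict=False)
    except ValueError:
        return None
    expected = m.group("expected")
    return RouteEvent(
        kind=m.group("kind"),
        prefix=prefix,
        origin_asn=int(m.group("origin")),
        expected_asn=int(expected) if expected else None,
    )


def overlap_reason(event: RouteEvent, our_prefixes, our_asns) -> Optional[str]:
    """Explain why an event concerns our address space, or return None."""
    if event.origin_asn in our_asns:
        return None  # announced by one of our own ASNs; not a foreign origin
    for ours in our_prefixes:
        if ours.version != event.prefix.version:
            continue  # subnet_of() raises on mixed IPv4/IPv6 comparisons
        if event.prefix == ours:
            return "exact prefix announced by foreign origin"
        if event.prefix.subnet_of(ours):
            return "more-specific of our prefix (wins longest-match routing)"
        if ours.subnet_of(event.prefix):
            return "covering prefix announced by foreign origin"
    return None


def triage(tweets: List[str], our_prefixes: List[str], our_asns) -> List[Dict]:
    """Keep only security events that overlap our prefixes with a foreign origin."""
    nets = [ipaddress.ip_network(p) for p in our_prefixes]
    alerts = []
    for text in tweets:
        event = parse_tweet(text)
        if event is None or event.kind == "INFO":
            continue  # unparseable or informational: below the alerting bar
        reason = overlap_reason(event, nets, set(our_asns))
        if reason:
            alerts.append({
                "kind": event.kind,
                "prefix": str(event.prefix),
                "origin_asn": event.origin_asn,
                "reason": reason,
            })
    return alerts


def demo() -> List[Dict]:
    """Run triage over constructed sample tweets (placeholder values)."""
    sample = [  # constructed, not real feed output
        "HIJACK: prefix 203.0.113.0/25 origin AS64496 expected AS64500 seen by 12 peers",
        "HIJACK: prefix 198.51.100.0/24 origin AS64497 expected AS64498 seen by 5 peers",
        "INFO: prefix 203.0.113.0/24 origin AS64500 seen by 40 peers",
        "LEAK: prefix 203.0.112.0/22 origin AS64499 seen by 3 peers",
        "HIJACK: prefix 2001:db8:1::/48 origin AS64496 expected AS64500 seen by 9 peers",
        "Collector maintenance window tonight",
    ]
    return triage(sample, ["203.0.113.0/24", "2001:db8::/32"], {64500})


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

In practice the tweet text would arrive from the Twitter API client rather than a constructed list, and the alert dictionaries would be handed to whatever alerting pipeline the organization already runs; the overlap check is the part worth keeping, because a bare keyword match on "hijack" would page on every event in the feed.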

BGPmon was acquired by OpenDNS earlier this year; OpenDNS has since been acquired by Cisco. It uses more than 100 probes placed at peering points around the Internet to monitor for anomalous and possibly malicious changes to BGP routing and suspicious ASN changes. The protocol is considered fundamental Internet infrastructure, and when this type of plumbing leaks, availability and security can be impacted.

“Most of the work we’re doing between now and Black Hat is tuning it,” Hubbard said. “As with anything like this, especially with a medium like Twitter, it’s important to watch over the signal-to-noise ratio and keep the information high value.”

The feed will be populated automatically, and Hubbard expects anywhere from five to 15 tweets a day. Hubbard said risk will be factored into what is tweeted out as well, differentiating between security-related and informational tweets, for example. Eventually, Hubbard said, he expects BGP Stream to evolve and add DNS monitoring data.

“A lot of people use our service; we see 75 billion [DNS] queries a day, so we see a lot of DDoS as it happens,” Hubbard said. “We know those domains, and we can announce that on the same stream.”

BGP will have center stage for a number of sessions at Black Hat, including a session called Breaking HTTPS with BGP Hacking by Artyom Gavrichenkov of QRator Lab. Gavrichenkov is expected to explain new attacks against the encryption around BGP routing that can facilitate BGP hijacking. Also, Wim Remes of Rapid7 is scheduled to deliver a talk on the state of BGP security, and how the so-called Internet of Things introduces exponentially more complexity into BGP routing.

The Hacking Team breach also threw back the covers not only on a handful of zero-day vulnerabilities and exploits at its disposal, but on the lengths that spyware purveyors and nation states would go to in order to help law enforcement and governments spy on targets, including BGP hijacking.

That nugget emerged from the 400 Gb of stolen Hacking Team data posted online: Italian law enforcement, using Hacking Team’s Remote Control System monitoring software, hijacked BGP routes to redirect traffic and regain control over a number of IP addresses it was watching that were already infected with Hacking Team software.
