Evidence emerges suggesting hijacking of huge chunks of Internet traffic

// November 20th, 2013 // Hacking and Security


Renesys map of points where Internet traffic was captured and redirected

Researchers from network intelligence firm Renesys published an assessment this week that documents dozens of distinct hijacking events within the last few months where huge chunks of Internet traffic were purposefully diverted through distant service providers leading them to speculate that the traffic may have been “surreptitiously monitored or modified before being passed along to its final destination” (the map above shows points where the traffic originated from).  The hacks seem to be exploiting inherent flaws in the border gateway protocol (BGP), the typical “exterior gateway protocol” used to exchange data between large Internet service providers.  Thus far, they have seen traffic belonging to financial institutions, government agencies, and network service providers suspiciously diverted while providing virtually no signs to the users that anything is amiss (since only return traffic is being rerouted.

“The recipient, perhaps sitting at home in a pleasant Virginia suburb drinking his morning coffee, has no idea that someone in Minsk has the ability to watch him surf the Web.  Even if he ran his own traceroute to verify connectivity to the world, the paths he’d see would be the usual ones. The reverse path, carrying content back to him from all over the world, has been invisibly tampered with.”

Renesys, who maintains a realtime view of the Internet from hundreds of independent BFP vantage points, reported that they had recorded the attacks on about 1,500 IP blocks with some of the events lasting for days.  They noted that the attacker originated from various countries.

The potential attack vector has been known for a few years now.  Wired magazine penned an article laying out the technique in 2008 and hackers at Defcon demonstrated the BGP man-in-the-middle (MITM) attack at the Defcon hacker conference that same year.  BGP logs are kept for many years (everyone sees every change that is made to the routing tables).  Because of the record that is kept, nobody worried too much about BGP hacks.  If a BGP peer abuses the system, they would be quickly kicked off the network.  Now we’re not so sure.

The attack is partly possible because of an implicit trust placed in all BGP routers – anyone with control of the router can simply drop the packets (Pakistan did this in 2008 and blocked worldwide access to YouTube by accident – ooops).  In addition to dropping packets, BGP allows the router owner to monitor or even alter the traffic before sending it on to its destination.  BPG peers then share the modified route tables with each other.

Renesys provided an example of one of the events along with the illustration below which shows how one instance of traffic from Guadalajara, Mexico to Washington, DC was rerouted across the Atlantic Ocean, through Moscow, Russia, before being directed back to the recipient.


One instance of traffic from Guadalajara, Mexico to Washington, DC was rerouted across the Atlantic Ocean

“In an example of a trace from Guadalajara, Mexico to Washington, DC that goes through Moscow and Minsk. Mexican provider Alestra hands it to PCCW for transit in Laredo, Texas. PCCW takes it to the Washington, DC metro area, where they would normally hand it to Qwest/Centurylink for delivery.  Instead, however, PCCW gives it to Level3 (previously Global Crossing), who is advertising a false Belarus route, having heard it from Russia’s TransTelecom, who heard it from their customer, Belarus Telecom. Level3 carries the traffic to London, where it delivers it to Transtelecom, who takes it to Moscow and on to Belarus. Beltelecom has a chance to examine the traffic, and then sends it back out on the “clean path” through Russian provider ReTN. ReTN delivers it to Frankfurt and hands it to NTT, who takes it to New York. Finally, NTT hands it off to Qwest/Centurylink in Washington DC, and the traffic is delivered.”

Sources: Renesys
Geek wear at Ivy and Pearl Boutique

« « Previous Article: AOL’s kiss of death touches another – Winamp to shut down after 15 years     » » Next Article: VIDEO: So it IS possible to do a complete loop on a swingset!

Leave a Reply

You must be logged in to post a comment.

%d bloggers like this: