Targeted Internet Traffic Misdirection

peterw · Nov 26, 2013

The New Threat: Targeted Internet Traffic Misdirection

Traffic interception has certainly been a hot topic in 2013.
The world has been focused on interception carried out the old fashioned way,
by getting into the right buildings and listening to the right cables.
But there’s actually been a significant uptick this year in a completely different kind of attack,
one that can be carried out by anybody, at a distance, using Internet route hijacking.

After consultations with many of the affected parties, we’re coming forth with some details in
the hope that we can make this particular vulnerability obsolete.

Example 2: Icelandic Traffic Diversion

After this “first light” from Iceland in May, there were
no more route hijacks from Iceland for more than two months.
Then, at 07:36:36 UTC on July 31st 2013, Icelandic provider
Opin Kerfi (AS48685) began announcing origination routes for 597 IP networks
owned by one of the largest facilities-based providers of managed services
in the United States, a large VoIP provider. On a normal day,
Opin Kerfi normally originates only three IP networks, and has no downstream AS customers.

Implications

In practical terms, this means that Man-In-the-Middle BGP route hijacking
has now moved from a theoretical concern to something that happens fairly regularly,
and the potential for traffic interception is very real. Everyone on the Internet —
certainly the largest global carriers, certainly any bank or credit card processing
company or government agency —
should now be monitoring the global routing of their advertised IP prefixes.

True words. Can't believe that this is happening and nobody cares.

KuJoe · Nov 26, 2013

This happened to us earlier this year. The problem is with upstream providers (i.e. Level3, Cogent, HE, etc...) that don't confirm ownership of IPs and even worse some allow clients to announce IPs without any human intervention. Announcing only /24s is the best method to prevent it but not 100% effective.

I'm pretty sure that's why BGPMon changed their pricing earlier this year also (the owner was awesome enough to contact us after our BGP hijack to discuss the details although I didn't have much to provide).

drmike · Nov 26, 2013

I wonder who the providers/facilities involved in this illustration are...

peterw · Nov 26, 2013

drmike said:
I wonder who the providers/facilities involved in this illustration are...

Belarusian ISP GlobalOneBel (AS 28849)
Opin Kerfi (AS 48685)
Síminn (AS 6677)

We contacted them again recently while researching this story.

We were told that the problems were the result of a bug in vendor software,

that the problem had gone away when patched, and that they did not believe

this problem had a malicious origin.

Despite repeated requests for supporting details, we received no further communication.

Mun · Nov 26, 2013

Yeah that looks like routing protocols when they can't find the next hop in there databanks.

Mun

wlanboy · Nov 27, 2013

If that is true the second chain of trust is broken.

SSL CAs
Autonomous System owners

Targeted Internet Traffic Misdirection

peterw

New Member

KuJoe

Well-Known Member

drmike

100% Tier-1 Gogent

peterw

New Member

Mun

Never Forget

wlanboy

Content Contributer