Peculiar traffic routes suggest hijacking headaches

December 8, 2013 by Nancy Owano weblog
Partial map of the Internet based on the January 15, 2005 data found on opte.org. Each line is drawn between two nodes, representing two IP addresses. Image: Wikimedia Commons.

(Phys.org) —Findings from Internet intelligence company Renesys sound an alert to a hijacking practice in the form of traffic misdirection on the Internet. A November 19 blog on the Renesys site has since caught the attention of a wider press: "Who is sending Internet traffic on long, strange trips?" asked a headline in The Christian Science Monitor earlier this month. The Renesys blog author, Jim Cowie, Chief Technology Officer, said that "We have actually observed live Man-In-the-Middle (MITM) hijacks on more than 60 days so far this year." He said about 1,500 individual IP blocks have been hijacked in events lasting from minutes to days by attackers working from various countries. Simply put, data to and from finance firms, net phone services and governments was re-routed in several attacks this year. As Michael Mimoso of Theatpost noted, "Attackers are accessing routers running on the border gateway protocol (BGP) and injecting additional hops that redirect large blocks of Internet traffic to locations where it can be monitored and even manipulated before being sent to its intended destination."

As a result of the BGP routes hijacked, a portion of Internet traffic was misdirected to flow through Belarus and Iceland. The nature of this type of traffic crime is that it can happen again and again without the victim taking any notice. The traffic would just keep flowing. A user may log on each morning and work thinking nothing is unusual while it would be possible that the same traffic was being inspected and then released right back into the Internet and on its way to the user's desired destination. "It's possible to drag specific Internet traffic halfway around the world, inspect it, modify it if desired, and send it on its way," he said.

In February this year, security watchers at Renesys found that global traffic was being rerouted to Belarus. The Belarus traffic diversions stopped in March. They restarted briefly in May. Traffic diversions to Iceland were also seen this year. What's not known is the exact mechanism, motivation, or actors during these events, said Cowie. "These Belarusian and Icelandic examples represent just two of a series of MITM attack sequences that we've observed playing out in the last 12 months, launched from these and other countries around the world." MITM refers to "man-in-the-middle" attack.

Cowie said large global carriers, bank and credit card processing companies, and government agencies should be monitoring the global routing of their advertised IP prefixes. Not that this kind of warning is entirely new. In 2008, two security researchers at the DefCon hacker conference demonstrated a security vulnerability where Internet traffic could be intercepted with the use of a tactic that exploits the Border Gateway Protocol. (Renesys, in explaining on its site what the BGP contributes to the life of the Internet, notes that the BGP routers' role "is to exchange routing information messages with one another so that they can properly direct traffic, hop by hop from one AS [Autonomous System] to another, until it reaches its final destination. Without such a global routing infrastructure, there simply would be no Internet as we know it.")

Explore further: Last Internet provider in Egypt goes dark

More information: www.csmonitor.com/World/Security-Watch/2013/1203/Cyber-security-puzzle-Who-is-sending-Internet-traffic-on-long-strange-trips
www.renesys.com/2013/11/mitm-internet-hijacking/
www.renesys.com/bgp-routing/

Related Stories

Answers to your questions about massive cyberattack

March 29, 2013

Here are some answers to questions about perhaps the biggest cyberattack ever, which recently targeted Spamhaus, an anti-spam group based in Geneva and London. It ended up slowing down or blocking access to numerous Internet ...

Internet traffic rise needs infrastructure upgrade

June 21, 2013

Australian internet traffic will increase by more than five times to hit one exabyte (one billion gigabytes) of data a month by 2016, a University of Adelaide mathematician and internet researcher has predicted.

Recommended for you

Netherlands bank customers can get vocal on payments

August 1, 2015

Are some people fed up with remembering and using passwords and PINs to make it though the day? Those who have had enough would prefer to do without them. For mobile tasks that involve banking, though, it is obvious that ...

Power grid forecasting tool reduces costly errors

July 30, 2015

Accurately forecasting future electricity needs is tricky, with sudden weather changes and other variables impacting projections minute by minute. Errors can have grave repercussions, from blackouts to high market costs. ...

Microsoft describes hard-to-mimic authentication gesture

August 1, 2015

Photos. Messages. Bank account codes. And so much more—sit on a person's mobile device, and the question is, how to secure them without having to depend on lengthy password codes of letters and numbers. Vendors promoting ...

1 comment

Adjust slider to filter visible comments by rank

Display comments: newest first

alfie_null
not rated yet Dec 09, 2013
BGP, like DNS, was designed back in the days when domains and ASs could trust one another. Now, we're kind-of stuck with it. And, as an end-user, I don't know how much I am inclined to trust the competent administration of either my endpoint's network, or that of the peer with whom I am communicating.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.