There’s something happening here. What it is ain’t exactly clear.
By John Leyden
Posted in Security, 22nd November 2013 13:58 GMT
Tons of internet traffic is being deliberately diverted through locations including Belarus and Iceland, and intercepted by crooks or worse, security experts fear.
Network intelligence firm Renesys warns that victims including financial institutions, VoIP providers, and governments have been targeted by the man-in-the-middle attacks. It reckons the diversions are malicious, and probably pulled off by manipulating BGP routing tables.
BGP (Border Gateway Protocol) is a core routing protocol that maps out the connections for internet traffic to flow through, from source to destination. As things stand, BGP has no built-in security. Routers may accept dodgy connection routes advertised by peers, internet exchanges or transit suppliers.
These suspect routes, once accepted, can have local, regional or global effects. Routers look for the shortest logical path (the least number of hops, in other words) and place blind trust in any path that’s advertised. And the shortest logical path can take weird and wonderful physical geographical routes.
In 2008, changes by Pakistan Telecom intended to restrict access to YouTube solely within the country had the effect of briefly diverting ALL YouTube traffic into a global blackhole, rendering the site unreachable for hours. Two years later, China Telecom rerouted up to 15 per cent of the world’s internet destinations on two brief occasions, after advertising false BGP route information that directed traffic through its networks.
The Pakistan YouTube hijack was accidental, but security researchers have since demonstrated how the same techniques might be used to hijack or otherwise interfere with internet traffic. Renesys reckons this is just what’s been happening in cases it has monitored this year:
For years, we’ve observed that there was potential for someone to weaponize the classic Pakistan-and-YouTube-style route hijack. Why settle for simple denial of service, when you can instead steal a victim’s traffic, take a few milliseconds to inspect or modify it, and then pass it along to the intended recipient?
This year, that potential has become reality. We have actually observed live Man-In-the-Middle (MITM) hijacks on more than 60 days so far this year. About 1,500 individual IP blocks have been hijacked, in events lasting from minutes to days, by attackers working from various countries.
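To make the two selection rules the article relies on concrete (longest-prefix match, then shortest AS path) and show the check a route monitor such as Renesys runs to catch a Pakistan-style more-specific announcement, here is an added Python example; it is not code from the article or from Renesys, and the prefixes, ASNs and the EXPECTED_ORIGINS table are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple  # ordered ASNs as received; the last element is the origin AS

    def network(self):
        return ipaddress.ip_network(self.prefix)

    @property
    def origin_as(self):
        return self.as_path[-1]

def best_route(rib, dest_ip):
    """Simplified BGP selection: longest prefix match first, then the
    shortest AS path. Real routers add more tie-breakers (local preference,
    MED, ...); this models only the two rules the article describes."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = [r for r in rib if ip in r.network()]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network().prefixlen, len(r.as_path)))

def hijack_alerts(rib, expected_origins):
    """Route-monitor check: flag any announcement that covers a monitored
    prefix (the same prefix or a more-specific) with an unexpected origin AS."""
    alerts = []
    for mon_prefix, owner_as in expected_origins.items():
        mon = ipaddress.ip_network(mon_prefix)
        for r in rib:
            net = r.network()
            if net.subnet_of(mon) and r.origin_as != owner_as:
                kind = "more-specific" if net.prefixlen > mon.prefixlen else "same-prefix"
                alerts.append((r.prefix, r.origin_as, kind))
    return sorted(alerts)

# Constructed sample data (documentation-range prefixes, private ASNs).
EXPECTED_ORIGINS = {"203.0.113.0/24": 64500, "198.51.100.0/24": 64600}
SAMPLE_RIB = [
    Route("203.0.113.0/24", (64510, 64500)),          # legitimate /24
    Route("203.0.113.0/25", (64520, 64530)),          # bogus more-specific: wins longest-prefix match
    Route("198.51.100.0/24", (64510, 64600)),         # legitimate, 2-hop path
    Route("198.51.100.0/24", (64520, 64521, 64600)),  # legitimate, longer path loses
]
```

Traffic for 203.0.113.10 selects the bogus /25 even though the legitimate /24 is still present, which is exactly why the monitor flags it rather than waiting for an outage.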