---BREAKAWAY CIVILIZATION ---ALTERNATIVE HISTORY---NEW BUSINESS MODELS--- ROCK & ROLL 'S STRANGE BEGINNINGS---SERIAL KILLERS---YEA AND THAT BAD WORD "CONSPIRACY"--- AMERICANS DON'T EXPLORE ANYTHING ANYMORE.WE JUST CONSUME AND DIE.---
Saturday, November 30, 2013
Repeated attacks hijack huge chunks of Internet traffic, researchers warn
Man-in-the-middle attacks divert data on scale never before seen in the wild.
Huge chunks of Internet traffic belonging to financial
institutions, government agencies, and network service providers have
repeatedly been diverted to distant locations under unexplained
circumstances that are stoking suspicions the traffic may be
surreptitiously monitored or modified before being passed along to its
final destination.
Researchers from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday.
Since February, they have observed 38 distinct events in which large
blocks of traffic have been improperly redirected to routers at
Belarusian or Icelandic service providers. The hacks, which exploit
implicit trust placed in the border gateway protocol
used to exchange data between large service providers, affected "major
financial institutions, governments, and network service providers" in
the US, South Korea, Germany, the Czech Republic, Lithuania, Libya, and
Iran.
The ease of altering or deleting authorized BGP routes, or of creating new
ones, has long been considered a potential Achilles' heel for the
Internet. Indeed, in 2008, YouTube became unreachable for virtually all Internet users
after a Pakistani ISP altered a route in a ham-fisted attempt to block
the service in just that country. Later that year, researchers at the
Defcon hacker conference showed how BGP routes could be manipulated to redirect huge swaths of Internet traffic.
By diverting it to unauthorized routers under control of hackers, they
were then free to monitor or tamper with any data that was unencrypted
before sending it to its intended recipient with little sign of what had
just taken place.
"This year, that potential has become reality," Renesys researcher
Jim Cowie wrote. "We have actually observed live man-in-the-middle
(MitM) hijacks on more than 60 days so far this year. About 1,500
individual IP blocks have been hijacked, in events lasting from minutes
to days, by attackers working from various countries."
At least one unidentified voice-over-IP provider has also been
targeted. In all, data destined for 150 cities have been intercepted.
The attacks are serious because they affect the Internet equivalents of a
US interstate that can carry data for hundreds of thousands or even
millions of people. And unlike the typical BGP glitches that arise from
time to time, the attacks observed by Renesys provide few outward signs
to users that anything is amiss.
"The recipient, perhaps sitting at home in a pleasant Virginia suburb
drinking his morning coffee, has no idea that someone in Minsk has the
ability to watch him surf the Web," Cowie wrote. "Even if he ran his own
traceroute to verify connectivity to the world, the paths he'd see
would be the usual ones. The reverse path, carrying content back to him
from all over the world, has been invisibly tampered with."
Guadalajara to Washington via Belarus
Renesys observed the first route hijacking in February when various
routes across the globe were mysteriously funneled through Belarusian
ISP GlobalOneBel before being delivered to their final destination. One
trace, traveling from Guadalajara, Mexico, to Washington, DC, normally
would have been handed from Mexican provider Alestra to US provider PCCW
in Laredo, Texas, and from there to the DC metro area and then,
finally, delivered to users through the Qwest/Centurylink service
provider. According to Cowie:
Instead, however, PCCW gives it to Level3 (previously
Global Crossing), who is advertising a false Belarus route, having heard
it from Russia’s TransTelecom, who heard it from their customer,
Belarus Telecom. Level3 carries the traffic to London, where it delivers
it to Transtelecom, who takes it to Moscow and on to Belarus.
Beltelecom has a chance to examine the traffic and then sends it back
out on the “clean path” through Russian provider ReTN (recently acquired
by Rostelecom). ReTN delivers it to Frankfurt and hands it to NTT, who
takes it to New York. Finally, NTT hands it off to Qwest/Centurylink in
Washington DC, and the traffic is delivered.
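The implicit-trust problem described earlier and the Guadalajara-to-Washington hop sequence above both come down to a false route being originated by an AS that has no business announcing the prefix. The following is an added example, not code from the article or from Renesys: a minimal origin monitor that compares announcements from a route-collector feed against the origins you expect for your own prefixes; the prefixes, ASNs and observed routes are constructed placeholders (RFC 5737 addresses, private-use ASNs).

```python
"""Flag announcements that cover a monitored prefix but come from an
unexpected origin AS, the way the false Belarus route above did.

All data below is constructed: 203.0.113.0/24 is documentation space and
the AS numbers are private-use placeholders, not the networks named in
the article.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# prefix we are responsible for -> ASNs allowed to originate it
EXPECTED_ORIGINS: Dict[str, Set[int]] = {"203.0.113.0/24": {64500}}

# (prefix, AS path as seen by a collector; the origin AS is the last hop)
OBSERVED_ROUTES: List[Tuple[str, List[int]]] = [
    ("203.0.113.0/24", [64510, 64501, 64500]),   # legitimate route
    ("203.0.113.0/24", [64520, 64530, 64599]),   # same prefix, foreign origin
    ("203.0.113.128/25", [64520, 64599]),        # more-specific from a stranger
    ("198.51.100.0/24", [64510, 64600]),         # not ours, ignored
]


def detect_origin_hijacks(expected, observed):
    """Return one alert per announcement of a monitored (or more-specific)
    prefix whose origin AS is not in the expected set.

    A more-specific prefix is flagged separately: it wins longest-prefix
    match, so it steals traffic even while the legitimate route is still
    present in everyone's tables."""
    monitored = {ipaddress.ip_network(p): o for p, o in expected.items()}
    alerts = []
    for prefix, as_path in observed:
        if not as_path:
            continue  # malformed update, nothing to judge
        net = ipaddress.ip_network(prefix)
        origin = as_path[-1]
        for ours, legit in monitored.items():
            if net.version != ours.version or not net.subnet_of(ours):
                continue
            if origin in legit:
                continue
            kind = "more-specific" if net.prefixlen > ours.prefixlen else "same-prefix"
            alerts.append({"prefix": prefix, "kind": kind, "origin": origin,
                           "as_path": as_path, "monitored": str(ours)})
    return alerts


if __name__ == "__main__":
    for a in detect_origin_hijacks(EXPECTED_ORIGINS, OBSERVED_ROUTES):
        print(f"ALERT {a['kind']}: {a['prefix']} originated by AS{a['origin']} "
              f"via {a['as_path']} (monitored {a['monitored']})")
```

An origin-only check catches the case the article describes, where the hijacker's own AS originates the prefix; an announcement that forges the legitimate origin AS and inserts itself upstream would need path-level comparison against known upstreams, which this example does not attempt.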
Such redirections occurred on an almost daily basis throughout
February, with the set of affected networks changing every 24 hours or
so. The diversions stopped in March. When they resumed in May, they used
a different customer of Bel Telecom as the source. In all, Renesys
researchers saw 21 redirections. Then, also during May, they saw
something completely new: a hijack lasting only five minutes diverting
traffic to Nyherji hf (also known as AS29689, short for autonomous system 29689), a small provider based in Iceland.
Renesys didn't see anything more until July 31 when redirections
through Iceland began in earnest. When they first resumed, the source
was provider Opin Kerfi (AS48685).
Cowie continued:
In fact, this was one of seventeen Icelandic events,
spread over the period July 31 to August 19. And Opin Kerfi was not the
only Icelandic company that appeared to announce international IP
address space: in all, we saw traffic redirections from nine different
Icelandic autonomous systems, all customers of (or belonging to) the
national incumbent Síminn. Hijacks affected victims in several different
countries during these events, following the same pattern: false routes
sent to Síminn's peers in London, leaving 'clean paths' to North
America to carry the redirected traffic back to its intended
destination.
In all, Renesys observed 17 redirections to Iceland. To appreciate
how circuitous some of the routes were, consider the case of traffic
passing between two locations in Denver. As the graphic below traces, it
traveled all the way to Iceland through a series of hops before finally
reaching its intended destination.
Cowie said Renesys' researchers still don't know who is carrying out
the attacks, what their motivation is, or exactly how they're pulling
them off. Members of Icelandic telecommunications company Síminn,
which provides Internet backbone services in that country, told Renesys
the redirections to Iceland were the result of a software bug and that
the problem had gone away once it was patched. They told the researchers
they didn't believe the diversions had a malicious origin.
Cowie said that explanation is "unlikely." He went on to say that
even if it does prove correct, it's nonetheless highly troubling.
"If this is a bug, it's a dangerous one, capable of simulating an
extremely subtle traffic redirection/interception attack that plays out
in multiple episodes, with varying targets, over a period of weeks," he
wrote. "If it's a bug that can be exploited remotely, it needs to be
discussed more widely within the global networking community and
eradicated."