The New Threat: Targeted Internet Traffic Misdirection

Traffic interception has certainly been a hot topic in 2013. The world has been focused on interception carried out the old-fashioned way, by getting into the right buildings and listening to the right cables. But there’s actually been a significant uptick this year in a completely different kind of attack, one that can be carried out by anybody, at a distance, using Internet route hijacking.

After consultations with many of the affected parties, we’re coming forth with some details in the hope that we can make this particular vulnerability obsolete.

Understanding the Threat

At Renesys, we watch the Internet 24/7 for our enterprise customers, to help them understand and respond to Internet impairment before it affects their businesses. Many of those impairments are the result of someone else’s well-intended Internet traffic engineering. Some are accidents, like cable cuts or natural disasters, and that’s what you typically see us blog about. But a number of Internet impairments are hard to explain by blind chance or bad luck, and that’s our focus today.

For years, we’ve observed that there was potential for someone to weaponize the classic Pakistan-and-YouTube style route hijack. Why settle for simple denial of service, when you can instead steal a victim’s traffic, take a few milliseconds to inspect or modify it, and then pass it along to the intended recipient?

This year, that potential has become reality. We have actually observed live Man-In-the-Middle (MITM) hijacks on more than 60 days so far this year. About 1,500 individual IP blocks have been hijacked, in events lasting from minutes to days, by attackers working from various countries.

Simple BGP alarming is not sufficient to distinguish MITM from a generic route hijacking or fat-finger routing mistake; you have to follow up with active path measurements while the attack is underway in order to verify that traffic is being simultaneously diverted and then redelivered to the victim. We’ve done that here.

Here’s a map of 150 cities in which we’ve observed at least one victim of a validated MITM route hijacking attack so far this year. The victims have been diverse: financial institutions, VoIP providers, and world governments have been prominent targets.

[Figure: map of the 150 cities with at least one validated MITM route hijacking victim in 2013]

What makes a Man-in-the-Middle routing attack different from a simple route hijack? Simply put, the traffic keeps flowing and everything looks fine to the recipient. The attackers keep at least one outbound path clean. After they receive and inspect the victim’s traffic, they release it right back onto the Internet, and the clean path delivers it to its intended destination. If the hijacker is in a plausible geographic location between the victim and its counterparties, neither side need even notice the increase in latency that results from the interception. It’s possible to drag specific Internet traffic halfway around the world, inspect it, modify it if desired, and send it on its way. Who needs fiberoptic taps?

It’s even possible to see these attacks as they are occurring, if you have the right global measurement infrastructure. Renesys maintains a realtime view of the Internet from hundreds of independent BGP vantage points. We have to, because that’s how we can detect evidence of Internet impairment worldwide, even when that impairment is localized. We also maintain an active measurement infrastructure that sends out billions of measurement packets each day, crisscrossing the Internet in search of impaired or unusual paths like these. Finally, we have a distributed realtime-taskable measurement system that allows us to trigger quick measurements from all over the planet when trouble is detected in a region, so that we can immediately evaluate its significance.
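The two-stage check described above, as an added example rather than Renesys’s own code: a BGP alarm built from an expected-origin baseline across several vantage points, followed by a traceroute-based verdict that separates an MITM diversion (traffic passes through the unexpected origin and is still delivered) from a plain blackhole. The prefixes, ASNs, vantage points, route observations and traceroute results below are all constructed documentation values.

```python
import ipaddress
from collections import defaultdict

# Constructed baseline of expected origin ASes. In practice this comes from learned
# history, IRR route objects or RPKI ROAs for the prefixes you are responsible for.
EXPECTED_ORIGIN = {
    "203.0.113.0/24": 64500,   # victim A
    "198.51.100.0/24": 64501,  # victim B
    "192.0.2.0/24": 64502,     # unaffected control prefix
}

# Constructed BGP observations from four vantage points: (vantage, prefix, AS path).
# The last AS in the path is the origin.
ROUTES = [
    ("vp-lon", "203.0.113.0/24", [64510, 64520, 64666]),  # bogus origin 64666
    ("vp-fra", "203.0.113.0/24", [64510, 64520, 64666]),
    ("vp-nyc", "203.0.113.0/24", [64530, 64500]),         # legitimate origin
    ("vp-sjc", "203.0.113.0/24", [64540, 64530, 64500]),
    ("vp-lon", "198.51.100.128/25", [64510, 64777]),      # more-specific, bogus origin
    ("vp-fra", "198.51.100.0/24", [64520, 64501]),
    ("vp-nyc", "198.51.100.0/24", [64530, 64501]),
    ("vp-sjc", "198.51.100.0/24", [64540, 64501]),
    ("vp-lon", "192.0.2.0/24", [64510, 64502]),
    ("vp-nyc", "192.0.2.0/24", [64530, 64502]),
]

# Constructed active measurements taken while the bogus routes were in the table:
# (vantage, prefix) -> (ASNs traversed by a traceroute into the prefix, target reached?)
TRACEROUTES = {
    ("vp-lon", "203.0.113.0/24"): ([64510, 64520, 64666, 64550, 64500], True),
    ("vp-lon", "198.51.100.128/25"): ([64510, 64777], False),
    ("vp-nyc", "192.0.2.0/24"): ([64530, 64502], True),
}


def expected_origin_for(prefix, expected=EXPECTED_ORIGIN):
    """Expected origin of the most specific baseline prefix covering `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    best = None
    for p, asn in expected.items():
        cand = ipaddress.ip_network(p)
        if net.version == cand.version and net.subnet_of(cand):
            if best is None or cand.prefixlen > best[0].prefixlen:
                best = (cand, asn)
    return None if best is None else best[1]


def origin_anomalies(routes=ROUTES, expected=EXPECTED_ORIGIN):
    """(prefix, unexpected origin) -> vantage points that saw it. This is the BGP alarm."""
    seen = defaultdict(set)
    for vp, prefix, path in routes:
        if path[-1] != expected_origin_for(prefix, expected):
            seen[(prefix, path[-1])].add(vp)
    return dict(seen)


def propagation(vantages, routes=ROUTES):
    """Share of all vantage points holding the bogus route. A partial spread is
    exactly what leaves a clean path for the hijacker to redeliver on."""
    all_vps = {vp for vp, _, _ in routes}
    return len(vantages) / len(all_vps)


def classify(prefix, hijacker, vantages, traceroutes=TRACEROUTES):
    """The alarm alone cannot tell MITM from blackhole. Use a traceroute from a vantage
    point that holds the bogus route: through the hijacker AND delivered means MITM."""
    for vp in sorted(vantages):
        tr = traceroutes.get((vp, prefix))
        if tr is None:
            continue
        asns, reached = tr
        if hijacker not in asns:
            return "route seen, traffic not diverted"
        return "mitm" if reached else "blackhole"
    return "unmeasured"


def report(routes=ROUTES, expected=EXPECTED_ORIGIN, traceroutes=TRACEROUTES):
    out = {}
    for (prefix, origin), vps in origin_anomalies(routes, expected).items():
        out[(prefix, origin)] = {
            "expected_origin": expected_origin_for(prefix, expected),
            "vantages": sorted(vps),
            "propagation": propagation(vps, routes),
            "verdict": classify(prefix, origin, vps, traceroutes),
        }
    return out


if __name__ == "__main__":
    for key, info in report().items():
        print(key, info)
```

The more-specific /25 is caught because the baseline lookup uses the longest covering prefix; a monitor that only compares exact prefixes misses that case.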

Example 1: Belarusian Traffic Diversion

In February 2013, we observed a sequence of events, lasting from just a few minutes to several hours in duration, in which global traffic was redirected to Belarusian ISP GlobalOneBel. These redirections took place on an almost daily basis throughout February, with the set of victim networks changing from day to day; victims included major financial institutions, governments, and network service providers. Affected countries included the US, South Korea, Germany, the Czech Republic, Lithuania, Libya, and Iran.

We recorded a significant number of live traces to these hijacked networks while the attack was underway, showing traffic detouring to Belarus before continuing to its originally intended destination.

Here’s an example of a trace from Guadalajara, Mexico to Washington, DC that goes through Moscow and Minsk. Mexican provider Alestra hands it to PCCW for transit in Laredo, Texas. PCCW takes it to the Washington, DC metro area, where they would normally hand it to Qwest/Centurylink for delivery.

Instead, however, PCCW gives it to Level 3 (which absorbed Global Crossing; the hops below still carry gblx.net hostnames), who is advertising a false Belarus route, having heard it from Russia’s TransTelecom, who heard it from their customer, Beltelecom. Level 3 carries the traffic to London, where it delivers it to TransTelecom, who takes it to Moscow and on to Belarus. Beltelecom has a chance to examine the traffic, and then sends it back out on the “clean path” through Russian provider ReTN. ReTN delivers it to Frankfurt and hands it to NTT, who takes it to New York. Finally, NTT hands it off to Qwest/CenturyLink in Washington DC, and the traffic is delivered.


27 February 2013: Traceroute from Guadalajara, Mexico to Washington, DC via Minsk
IP Delay (ms) Notes
201.151.31.149 15.482 pc-gdl2.alestra.net.mx (Guadalajara, MX)
201.163.102.1 17.702 pc-mty2.alestra.net.mx (Monterrey, MX)
201.151.27.230 13.851 igmty2.alestra.net.mx (Monterrey, MX)
63.218.121.49 17.064 ge3-1.cr02.lar01.pccwbtn.net (Laredo, TX)
63.218.44.78 64.012 TenGE11-1.br03.ash01.pccwbtn.net (Ashburn, VA)
64.209.109.221 84.529 GBLX-US-REGIONAL (Washington, DC)
67.17.72.21 157.641 lag1.ar9.LON3.gblx.net (London, UK)
208.178.194.170 143.344 cjs-company-transtelecom.ethernet8-4.ar9.lon3.gblx.net (London, UK)
217.150.62.234 212.869 mskn01.transtelecom.net (Moscow, RU)
217.150.62.233 228.461 BelTelecom-gw.transtelecom.net (Minsk, Belarus)
87.245.233.198 225.516 ae6-3.RT.IRX.FKT.DE.retn.net (Frankfurt, DE)
* no response
* no response
129.250.3.180 230.887 ae-3.r23.nycmny01.us.bb.gin.ntt.net (New York, NY)
129.250.4.69 232.959 ae-1.r05.nycmny01.us.bb.gin.ntt.net (New York, NY)
129.250.8.158 248.685 ae-0.centurylink.nycmny01.us.bb.gin.ntt.net (New York, NY)
* no response
63.234.113.110 238.111 63-234-113-110.dia.static.qwest.net (Washington, DC)

[Figure: path diagram for the 27 February 2013 trace from Guadalajara to Washington, DC via Minsk]

The recipient, perhaps sitting at home in a pleasant Virginia suburb drinking his morning coffee, has no idea that someone in Minsk has the ability to watch him surf the web. Even if he ran his own traceroute to verify connectivity to the world, the paths he’d see would be the usual ones. The reverse path, carrying content back to him from all over the world, has been invisibly tampered with.

May 2013: Changing of the Guard

The Belarus traffic diversions stopped in March. They restarted briefly in May, using a different customer of Beltelecom as the source, and then ended for several months. Within the same hour as the final Belarus hijack of May, however, we saw the first BGP hijack, lasting only five minutes, from a completely new source: Nyherji hf (AS29689), a small Icelandic provider.

Example 2: Icelandic Traffic Diversion

After this “first light” from Iceland in May, there were no more route hijacks from Iceland for more than two months. Then, at 07:36:36 UTC on July 31st 2013, Icelandic provider Opin Kerfi (AS48685) began originating routes for 597 IP networks owned by one of the largest facilities-based providers of managed services in the United States, a large VoIP provider. On a normal day, Opin Kerfi originates only three IP networks and has no downstream AS customers.

Opin Kerfi has two ISPs: Fjarskipti (AS12969) and Síminn (AS6677). The faulty routes propagated exclusively through Síminn, never through Fjarskipti.

[Figure: Opin Kerfi (AS48685) and its two upstreams, Fjarskipti and Síminn]

In fact, this was one of seventeen Icelandic events, spread over the period July 31 – August 19th. And Opin Kerfi was not the only Icelandic company that appeared to announce international IP address space: in all, we saw traffic redirections from nine different Icelandic autonomous systems, all customers of (or belonging to) the national incumbent Síminn. Hijacks affected victims in several different countries during these events, following the same pattern: false routes sent to Síminn’s peers in London, leaving ‘clean paths’ to North America to carry the redirected traffic back to its intended destination.
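A small model of why the attacker needs a clean path, as an added example and not a Renesys tool: a Gao-Rexford style propagation of one prefix over a constructed topology of private ASNs, in which hijacker H originates the victim’s prefix toward only some of its upstreams (the pattern described above: false routes sent to Síminn’s peers in London, clean paths left to North America). Running it with the bogus route announced to one upstream versus both also answers the loop question raised in the comments, and the last trace shows the victim’s own outbound path is untouched, as in the Belarus example. The topology, ASNs and selection/export policies are assumptions, not measured data.

```python
# Constructed Gao-Rexford style BGP model: private ASNs, one prefix per run.
CUSTOMER, PEER, PROVIDER = "customer", "peer", "provider"
LOCAL_PREF = {CUSTOMER: 0, PEER: 1, PROVIDER: 2}   # lower wins: customer > peer > provider


def topology(provider_customer, peerings):
    """rel[a][b] = what neighbour b is to a (a's CUSTOMER, PEER or PROVIDER)."""
    rel = {}
    for p, c in provider_customer:
        rel.setdefault(p, {})[c] = CUSTOMER
        rel.setdefault(c, {})[p] = PROVIDER
    for a, b in peerings:
        rel.setdefault(a, {})[b] = PEER
        rel.setdefault(b, {})[a] = PEER
    return rel


# Constructed topology: V is the victim's origin AS, H the hijacker with two upstreams
# (U1 under transit T1, U2 under transit T2), S a source AS under T1. T1 and T2 peer.
V, H, S, T1, T2, U1, U2 = 64500, 64666, 64510, 64520, 64530, 64540, 64550
REL = topology(
    provider_customer=[(T1, S), (T1, U1), (T2, U2), (T2, V), (U1, H), (U2, H)],
    peerings=[(T1, T2)],
)


def converge(rel, origins, max_rounds=50):
    """Propagate one prefix to a fixed point. `origins` maps each originating AS to the
    set of neighbours it announces to (None = everyone); that set is the hijacker's
    export filter. Selection: local pref, then shortest path, then lowest neighbour ASN.
    Export: self-originated or customer-learned routes go to every neighbour,
    peer/provider-learned routes go to customers only; an AS rejects paths containing itself."""
    rib = {a: {} for a in rel}      # rib[a][n] = path (a first) learned from neighbour n
    for _ in range(max_rounds):
        best = {}
        for a in rel:
            if a in origins:
                best[a] = [a]
            elif rib[a]:
                best[a] = min(rib[a].items(),
                              key=lambda kv: (LOCAL_PREF[rel[a][kv[0]]], len(kv[1]), kv[0]))[1]
        new_rib = {a: {} for a in rel}          # rebuilt from scratch so withdrawals take effect
        for a, path in best.items():
            for n in rel[a]:
                if n in path:                   # AS-path loop prevention
                    continue
                if a in origins:
                    ok = origins[a] is None or n in origins[a]
                else:
                    ok = rel[a][path[1]] == CUSTOMER or rel[a][n] == CUSTOMER
                if ok:
                    new_rib[n][a] = [n] + path
        if new_rib == rib:
            return best, rib
        rib = new_rib
    raise RuntimeError("routing did not converge")


def forward(rel, best, rib, origins, src, legit):
    """Hop-by-hop forwarding from src toward the legitimate origin. A hijacking origin
    forwards on the best route it *learned* from neighbours; if every neighbour took the
    bogus route, loop prevention means it learned nothing and the packet dies there."""
    hops, cur = [src], src
    while cur != legit:
        if cur in origins:
            learned = list(rib[cur].values())
            if not learned:
                return hops, "dropped at hijacker (no clean path)"
            path = min(learned, key=lambda p: (LOCAL_PREF[rel[cur][p[1]]], len(p), p[1]))
        else:
            path = best.get(cur)
            if path is None:
                return hops, "dropped (no route)"
        nxt = path[1]
        if nxt in hops:
            return hops + [nxt], "loop"
        hops.append(nxt)
        cur = nxt
    return hops, "delivered"


def trace(origins, src, dst):
    best, rib = converge(REL, origins)
    return forward(REL, best, rib, origins, src, dst)


if __name__ == "__main__":
    print("no hijack:            ", trace({V: None}, S, V))
    print("announce via U1 only: ", trace({V: None, H: {U1}}, S, V))
    print("announce via U1 + U2: ", trace({V: None, H: {U1, U2}}, S, V))
    print("victim's own path out:", trace({S: None}, V, S))
```

With the bogus route sent only to U1, T1 prefers its customer-learned path over the peer path to T2, so S’s traffic detours S, T1, U1, H and is redelivered via U2, T2, V. Announce to both upstreams and U2 also prefers the customer route from H, H learns no route to V from anyone, and the traffic is simply dropped at H, which is the blackhole the victim would notice.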

Here’s an example in which traffic between two locations in Denver, Colorado actually ends up getting carried all the way to Iceland and back.

The Icelandic providers have hijacked a block of address space belonging to Qwest/CenturyLink in Denver. Atrato receives a false peer route to this block from Síminn, so when an Atrato customer needs to send content across town, Atrato instead carries their traffic to London. There they hand it off to Síminn, who takes it to Iceland before returning it to Montreal on the clean path to Cogent via the Greenland cable.

Cogent gamely carries the traffic back from Montreal to Chicago, and then to New York, where they hand it to Qwest/CenturyLink (the hops below still carry centurytel.net hostnames) for delivery. CenturyLink brings it back across the USA through Dallas and Kansas City, and on to the intended recipient in Denver.

August 2, 2013: Traceroute from Denver, Colorado to Denver, Colorado via Iceland
IP Delay (ms) Notes
78.152.46.241 9.872 Atrato customer (Denver, CO)
78.152.34.213 26.324 eth1-7.r2.chi1.us.atrato.net (Chicago, IL)
78.152.34.138 44.58 eth1-1.r1.ash1.us.atrato.net (Ashburn, VA)
78.152.34.118 47.464 eth1-3.edge1.nyc1.us.atrato.net (New York, NY)
78.152.44.201 48.477 eth4-3.core1.nyc1.us.atrato.net (New York, NY)
78.152.44.134 123.726 eth1-5.core1.lon1.uk.atrato.net (London, UK)
78.152.44.101 121.308 eth1-3.r1.lon1.uk.atrato.net (London, UK)
195.66.225.26 203.445 siminn-linx-gw-1.isholf.is (Reykjavik, Iceland)
172.16.100.51 162.399 RFC 1918 private address (unannounced internal hop)
157.157.55.50 152.745 Landssimi/Siminn (Reykjavik, Iceland)
38.104.155.57 151.857 gi3-46.mag01.ymq02.atlas.cogentco.com (Montreal, CA)
154.54.82.241 151.899 te0-4-0-0.ccr21.ymq02.atlas.cogentco.com (Montreal, CA)
66.28.4.202 150.251 be2114.ccr21.ord01.atlas.cogentco.com (Chicago, IL)
154.54.44.70 150.945 be2326.ccr21.jfk04.atlas.cogentco.com (New York, NY)
154.54.11.182 150.596 qwest.jfk04.atlas.cogentco.com (New York, NY)
67.14.2.141 158.456 dal-edge-18.inet.qwest.net (Dallas, TX)
72.165.208.158 158.441 Qwest (Dallas, TX)
206.51.69.26 172.091 bb-kscbmonr-jx9-01-xe-11-1-0.core.centurytel.net (Kansas City, MO)
206.51.69.6 173.069 bb-kscbmonr-jx9-02-ae0.core.centurytel.net (Kansas City, MO)
206.51.69.201 185.738 bb-dnvtc056-jx4-02-ae2.core.centurytel.net (Denver, CO)

[Figure: path diagram for the 2 August 2013 trace from Denver to Denver via Iceland]

Attribution

It’s important to clarify that we base these conclusions on direct observation and active measurement. Various providers’ BGP routes were hijacked, and as a result, some portion of their Internet traffic was misdirected to flow through Belarusian and Icelandic ISPs. We have BGP routing data that show the second-by-second evolution of 21 Belarusian events in February and May 2013, and 17 Icelandic events in July-August 2013.

We have active measurements that verify that during the period when BGP routes were hijacked in each case, traffic redirection was taking place through Belarusian and Icelandic routers. These facts are not in doubt; they are well-supported by the data.

What’s not known is the exact mechanism, motivation, or actors.

We first contacted the peering team at Iceland’s Síminn in July, when their traffic redirection began in earnest, highlighting some of the erroneous routes. We received no response.

We contacted them again recently while researching this story. We were told that the problems were the result of a bug in vendor software, that the problem had gone away when patched, and that they did not believe this problem had a malicious origin. Despite repeated requests for supporting details, we received no further communication.

If this is a bug, it’s a dangerous one, capable of simulating an extremely subtle traffic redirection/interception attack that plays out in multiple episodes, with varying targets, over a period of weeks. If it’s a bug that can be exploited remotely, it needs to be discussed more widely within the global networking community and eradicated.

We believe it’s unlikely that a single router vendor bug can account for the 2013 worldwide uptick in route hijacking with traffic redirection. These Belarusian and Icelandic examples represent just two of a series of MITM attack sequences that we’ve observed playing out in the last 12 months, launched from these and other countries around the world.

Implications

In practical terms, this means that Man-In-the-Middle BGP route hijacking has now moved from a theoretical concern to something that happens fairly regularly, and the potential for traffic interception is very real. Everyone on the Internet — certainly the largest global carriers, certainly any bank or credit card processing company or government agency — should now be monitoring the global routing of their advertised IP prefixes.

This kind of attack should not happen. You cannot carry out this kind of hijacking without leaving permanent, visible footprints in global routing that point right back to the point of interception. We believe that people are still attempting this because they believe (correctly, in most cases) that nobody is looking.

Renesys believes that increased transparency is the best answer, exactly the kind of collective security solution that the Internet is good at delivering. For our part, we’ve taken this seriously enough that we’ve spent the last year building a new system that can address the challenge of identifying bad traffic paths for the whole Internet, everywhere on Earth, simultaneously.

Until the day when all routes are signed and secured (and that day may never fully arrive), the best way to prevent manipulation of trust-based routing will be to help people expose violations of trust, and recognize those who implement best practices. We’ll have more to say on this subject in coming months.

Additional example paths:

[Figures: three further path diagrams from the same series of events, not reproduced here]

31 comments
Chris

Asking myself...

How can the attackers be sure that, e.g., NTT in the 1st case keeps a clean path back to the destination and doesn't learn the bogus route to Minsk? Or that the packet doesn't traverse an "infected" routing network, causing a loop...

mattflaschen

TLS defends against this, right?  You would still have the excessively long path and bad performance, but would confidentiality and integrity be preserved?

JohnShinaberry

I wouldn't say you can't carry out this type of hijack without leaving prints. By running across distributed nodes, even a relatively small botnet, you could make yourself much more difficult to pinpoint. At least, with any degree of certainty. The same principle that the onion router operates on, tweaked to a specific application, could keep you in play for long enough to achieve even a fairly complex objective. 

LizR

Start using secure encryption that no one can break, not even the NSA.

iceland

Siminn maintains today in Icelandic news media that this was a bug and that there was no indication that this was a deliberate hijack.

curiousTOKnow

Can they use rigged routers to copy all traffic and use that information for the purpose of "good", well-earned "money"? If they can route some traffic, would that allow them to route designated traffic, aka bank transfers, big organizations, army traffic, stock... to benefit from that? Even decoding all the info would take time, but still, that would change quite a lot of things in the net world....


whowho

When the redirection route is announced, is the original, legitimate announcement squashed or tampered with somehow?

penguin42

'You cannot carry out this kind of hijacking without leaving permanent, visible footprints in global routing that point right back to the point of interception.'

Hmm - it's difficult to tell where the point of interception actually is; for example, both routes ended up with the data going across the Atlantic via the UK; who is to say whether the intercept was at the destination of the erroneous route or at any of the hops in between?

dfgfdgdfgdf

A VPN connection would partially solve this issue for end users.

Even if they re-route the data before letting it reach its final destination, there's nothing they can pick up from it.

mdavids

Are DDoS-mitigation techniques based on BGP (re)routing taken into account to avoid possible false positives?

(Or did you perhaps witness them as such, and can you provide some statistical information about them, such as the number of occurrences and whether that has increased over time?)

Pf

Did you also observe corresponding injection of bogus route objects in IRR, followed by deletion?


heiscrazy

For the "Belarusian Traffic Diversion" case: "The reverse path, carrying content back to him from all over the world, has been invisibly tampered with."

If someone does a traceroute at the starting point, won't the path be shown?

bortzmeyer1

So, the hijackers did not use the Kapela & Pilosov tricks to evade detection (changing the TTL to make traceroute look OK)?

DomDeVitto

If ping returns TTL expired, withdraw the route and choose other peers to announce/not-announce the route to.

Easy.... :-(

DomDeVitto

No. TLS relies on a trust model that has been proven time and time again to be broken.

TLS / HTTPS is no protection at all here.

renesys (moderator)

@whowho The legitimate announcement is also in circulation. The MITM isn't possible without at least some of the Internet believing the legitimate route in order to ultimately deliver the traffic on to the correct destination. If the provider believes the bogus route, then the traffic is just getting black-holed, and the victim may notice that.

DomDeVitto

No, it's pretty obvious if you have multiple BGP sessions at diverse points globally.

It's pretty certain that there will only be one common 'evil' AS.

Even if there are more (say evil.net's direct peers) the giveaway seems to be their failure to announce to all their peers.

Simples.

bortzmeyer1

@dfgfdgdfgdf You mean encrypted VPN? (Otherwise, it's useless.)

renesys (moderator)

@dfgfdgdfgdf Good point. The end points of the session are still visible to the attacker.

renesys (moderator)

@robachevsky I would guess that none of them are malicious. First, the type of leaks listed in Jared's tool are of a form that is a very common misconfiguration: leaking routes from one provider to another. Also, the resulting AS path will typically be twice the length of a normal path and thus very rarely selected. There are better ways of hijacking routes without trying to route traffic through three Tier 1s. :-)

renesys (moderator)

@mdavids That's a great question. BGP-based DDoS-mitigation services (Prolexic, Radware, etc.) essentially perform BGP man-in-the-middle in order to attract DDoS traffic, clean the traffic and pass the cleansed traffic on to the proper destination. We also see these mechanisms activating each day and are able to filter them out.

renesys (moderator)

@heiscrazy In the Belarusian example, if the computer in Washington DC performed a traceroute back to the computer in Mexico during the attack, the hops to Belarus would not be visible to it because the destination IP in Mexico was not the one hijacked.

renesys (moderator)

@bortzmeyer1 Good question. The hijacks were different from the one presented in that presentation. It is impossible for us to be certain that TTLs weren't modified, but they weren't changed enough to hide their tracks.

For everyone else, probably the best known and cited talk about the possibility of using BGP hijacking to eavesdrop on Internet traffic is Tony Kapela and Alex Pilosov's "Stealing The Internet" from Defcon 16 back in 2008.
http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf

renesys (moderator)

@Kotikalapudi Sriram The China Telecom incident was a routing leak of over 50,000 prefixes. These are much more targeted events.

Graham Blake

 @renesys I am having a hard time seeing how this differs significantly from a route leak. For some traffic to take the overseas route, while the original route still exists within global routing table for eventual delivery by the so-called "clean" path, by definition the "attacker" is relying on some networks taking a suboptimal path, because the "clean" path should still look preferable to much of the Internet. On its face, this sounds like a route leak, but possibly one where the AS path has been rewritten by the source of the leak. That sounds like the functionality that is being described here. An overseas ISP has two paths to the Internet; Over Path A it advertises the target IP block, over Path B it delivers traffic to the target IP block. Classic leak. The only difference is that the leaking ISP is possibly advertising the target IP block with its own ASN as the source (so it doesn't jump out as an obvious leak that shows up in Jared's leak detection system). This can easily be a result of a misconfiguration, or even just a bored network administrator fooling around. I buy that this could be leveraged for a MitM attack, but not reliably. An attacker will have a very hard time predicting which segments of the Internet will select the bogus version of the route, and which segments will deliver it to the correct end points, plus it will be very difficult to ensure that the multiple paths you have available to yourself will provide you with both a "clean" path as well as one to carry the bogus path. In many multi-homed configurations, your upstream peers are often peers of each other, and that's probably more likely to create a loop than an asymmetrical routing opportunity that can be exploited. I would really appreciate seeing the BGP routing table logs of these AS paths from some different views around the Internet from the time these bogus routes were propagated. 
Are there any specific ways in which this differs from a leaked route with a rewritten AS path that I am missing here?

kory

@renesys The Mexico site would have to run a traceroute as well.

 If the connection required some form of client connection like vpn, then I could see where developers might want to build a step in the connection process where each end of the connection verifies that its traceroute matches the other.  This could be a useful protection measure to guard the privacy of the key exchange against this kind of attack.

Kotikalapudi Sriram

@renesys @Kotikalapudi Sriram I understood the difference in that sense, but could someone use the same trick (deliberately/maliciously) as in the China Telecom incident? Attacker announces the targeted prefixes (or subprefixes) from one router in its AS, attracts the traffic, and then routes the traffic via another router (in the same AS) back towards the legitimate destination? Could you say if that form of targeted misdirection is ruled out in the 2013 incidents you observed?  

Trackbacks

  1. […] Traffic interception has certainly been a hot topic in 2013. The world has been focused on interception carried out the old fashioned way, by getting into the right buildings and listening to the right cables.  […]

  2. […] Cowie discusses a different form of attack, in which internet traffic is redirected to get access to sensitive information. Fascinating for […]

  3. […] из компании Renesys обращают внимание, что в последнее время перенаправление по BGP все чаще […]

  4. […] from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been […]

  5. […] from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been […]

  6. […] from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been […]

  7. […] from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been […]

  8. […] from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been […]

  9. […] from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been […]

  10. […] from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been […]

  11. […] from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been […]

  12. […] from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been […]

  13. […] from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been […]

  14. […] from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been […]

  15. […] from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been […]

  16. […] from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been […]

  17. […] The New Threat: Targeted Internet Traffic Misdirection – It’s possible to misdirect Internet traffic to be grabbed by an unauthorized third party, but […]

  18. […] from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been […]

  19. […] from meshwork info concern Renesys prefabricated that sobering categorization in a blog locate publicised Tuesday. Since February, they hit observed 38 crisp events in which super blocks of reciprocation hit been […]

  20. […] from meshwork info concern Renesys prefabricated that sobering categorization in a blog locate publicised Tuesday. Since February, they hit observed 38 crisp events in which super blocks of reciprocation hit been […]

  21. […] troubling disclosure came yesterday from the research company Renesys. The firm specializes in tracking the operational health of global Internet infrastructure. When […]

  22. […] troubling disclosure came yesterday from the research company Renesys. The firm specializes in tracking the operational health of global Internet infrastructure. When […]

  23. […] troubling revealing came yesterday from the research consort Renesys. The concern specializes in chase the effective upbeat of orbicular cyberspace infrastructure. When […]

  24. […] troubling revealing came yesterday from the research consort Renesys. The concern specializes in chase the effective upbeat of orbicular cyberspace infrastructure. When […]

  25. […] Internet intelligence company Renesys has detected close to 1,500 IP address blocks that have been hijacked on more than 60 days this year, a disturbing trend that indicates attackers could finally have an increased interest in weaknesses inherent in core Internet infrastructure. […]

  26. […] troubling disclosure came yesterday from the research company Renesys. The firm specializes in tracking the operational health of global Internet infrastructure. When […]

  27. […] from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been […]

  28. […] wtorek firma Renesys opublikowała raport, opisujący podobne incydenty, które miały miejsce w roku 2013. Renesys, dzięki globalnej sieci […]

  29. […] The New Threat: Targeted Internet Traffic Misdirection, http://www.renesys.com […]

  30. […] Internet intelligence company Renesys has detected close to 1,500 IP address blocks that have been hijacked on more than 60 days this year, a disturbing trend that indicates attackers could finally have an increased interest in weaknesses inherent in core Internet infrastructure. […]

  31. […] troubling disclosure came yesterday from the research company Renesys. The firm specializes in tracking the operational health of global Internet infrastructure. When […]

  32. […] from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been […]

  33. […] from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been […]

  34. […] Research free this week has revealed digit more cases in which misconfigurations re-routed reciprocation farther from their witting destination. For example, in digit of the attacks, reciprocation motion from Mexico to the United States took a indirect and unreasonable line to Belarus. […]

  35. […] Research free this week has revealed digit more cases in which misconfigurations re-routed reciprocation farther from their witting destination. For example, in digit of the attacks, reciprocation motion from Mexico to the United States took a indirect and unreasonable line to Belarus. […]

  36. […] Internet intelligence company Renesys has detected close to 1,500 IP address blocks that have been hijacked on more than 60 days this year, a disturbing trend that indicates attackers could finally have an increased interest in weaknesses inherent in core Internet infrastructure. […]

  40. […] Researchers at the Internet traffic monitoring company Renesys report that, since February of this year, they have observed 38 incidents in which traffic was misdirected to ISP routers in Belarus or Iceland. The attacks exploited the absolute trust placed in the Border Gateway Protocol (BGP) and affected the traffic of large financial institutions, governments and ISP networks in the United States, South Korea, Germany, the Czech Republic, Lithuania, Libya and Iran. […]

  41. […] But it is possible for attackers to manipulate servers in the transport chain and redirect the data stream passing through them. Such events caught the attention of the Renesys analysts with increasing frequency this year. After ruling out some possible causes of local fluctuations in the data stream, such as cable breaks or natural disasters, they analyzed the targeted redirection of many data streams. In 2013 Renesys recorded such events on 60 days. Their duration ranged from a few minutes to several days. […]

  42. […] Renesys, a company that monitors [Internet] activity, has published a detailed write-up on a new phenomenon. The company says it has been known for years that a new kind of attack technique […]

  43. MITM says:

    […] The New Threat: Targeted Internet Traffic Misdirection – Renesys […]

  46. […] on monitoring the operation of the global network, recorded successful attempts to carry out an attack aimed at […]

  48. […] said it had uncovered the mass hijackings as part of its day-to-day monitoring of global net […]

  54. […] Cowie from the network firm Renesys writes in a blog post that the company has observed at least 1,500 IP blocks that have been redirected via hacked […]

  57. […] Research released this week has revealed two more cases in which misconfigurations re-routed traffic far from their intended destination. For example, in one of the attacks, traffic traveling from Mexico to the United States took a circuitous and illogical route to Belarus. […]

  58. […] is reporting that Internet traffic is being manipulatively rerouted, presumably for eavesdropping purposes. The […]

  61. […] The New Threat: Targeted Internet Traffic Misdirection, http://www.renesys.com […]

  63. […] report from Renesys presents more evidence from the subsequent attack that routed traffic over Iceland. […]

  65. […] world through networks in Belarus and Iceland. The troubling disclosure came yesterday from the research company Renesys. The firm specializes in tracking the operational health of global Internet infrastructure. When […]

  66. […] might have seen a recent analysis by Renesys of some sophisticated prefix hijacking increasingly happening in the Internet. I think many of us […]

  69. […] attack happens? Apparently cyber attacks are quite common — according to Techdirt. According to recent reports NSA has inserted a virtual vacuum between two points — diverted the data and copied it and […]

  72. […] a report released by security firm Renesys this Thursday, it has been discovered that nearly 80% of all […]

  75. […] Renesys found ample confirmation that targeted interception of Internet traffic is being carried out […]

  76. […] to be inspected or modified before getting passed on to its intended recipients, are on the rise according to a blog posted by Internet monitoring company Renesys. The company reported numerous cases in 2013 where traffic was routed through ISPs in Belarus or […]

  77. […] is an interesting article about Internet traffic manipulation…well at least to someone like me who works in the […]

  78. […] Renesys has reported that for more than 60 days in 2013, its clients were victims of internet traffic hijacking caused by Man-in-the-Middle (MITM) attacks. The attacker rerouted the inbound traffic of the victim to its own servers and, after inspecting (or even modifying) it, re-sent it to the intended addressee. In such a case the victim may only notice increased latency if the packets have to travel a longer distance to the attacker's server and back. Renesys claims that it observed governments, VoIP providers and financial institutions being targeted by this type of attack during the last year. Renesys mentions two examples in which Belarusian and Icelandic ISPs propagated false Border Gateway Protocol (BGP) routes, redirecting a lot of traffic through themselves. The Icelandic ISP involved, however, claims that the rerouting was the consequence of a mistake by a software vendor. Renesys believes that BGP rerouting as a result of a software error is not probable and that the observed events may have been intentional attacks. […]

  79. […] The company Renesys reported that for more than 60 days in 2013 some of its clients were victims of Internet traffic redirection. In such an attack the attacker advertises an IP address range as his own, which allows him to capture incoming packets destined for the victim. The attacker can then monitor or even modify this communication. Without performing an analysis, the victim can notice such an attack only when the attacker's servers are geographically distant, which significantly increases connection latency. […]

  80. […] intelligence firm Renesys warns that victims including financial institutions, VoIP providers, and governments have been targeted […]

  82. […] research firm Renesys has sounded the alarm over what it believes to be a massive hijacking and redirection of Internet traffic. What’s […]

  83. […] Research released this week has revealed two more cases in which misconfigurations re-routed traffic far from their intended destination. For example, in one of the attacks, traffic traveling from Mexico to the United States took a circuitous and illogical route to Belarus. […]

  84. […] Renesys warns of BGP-based Internet Man-in-the-Middle (MitM) attacks - Renesys […]

  85. […] “It’s possible to drag specific Internet traffic halfway around the world, inspect it, modify it if desired, and send it on its way,” Renesys technology head Jim Cowie wrote in a blog post. […]

  89. […] New Threat: Targeted Internet Traffic Misdirection [renesys] […]

  90. […] research firm Renesys has authored an interesting blog post noting how they’re seeing a significant uptick in the number of large-scale man in the middle […]

  91. […] The New Threat: Targeted Internet Traffic Misdirection Ars Technica […]

  92. […] warned that this means the risk of it continuing to happen has increased. The original text on this can be seen here […]

  97. […] announced that they have detected man-in-the-middle BGP route hijacking in the wild. The piece is definitely worth a […]

  98. […] This is really a disturbing news. Renesys has announced that this year there have been many cases of traffic redirection via BGP which look suspicious at the least. […]

  99. […] The Internet monitors have observed such attacks taking place on more than 60 days this year, according to its recently released report. […]

  100. […] Internet route hijacking: Renesys published a blog post about ‘Targeted Internet Traffic Misdirection’. […]

  101. […] the place through which they redirected traffic from Belarus to Iceland in May. (All Things D)(Renesys) […]

  102. […] Renesys: Internet hijacking […]

  103. […] In practical terms, this means that Man-In-the-Middle BGP route hijacking has now moved from a theoretical concern to something that happens fairly regularly, and the potential for traffic interception is very real. Everyone on the Internet — certainly the largest global carriers, certainly any bank or credit card processing company or government agency — should now be monitoring the global routing of their advertised IP prefixes. This kind of attack should not happen. You cannot carry out this kind of hijacking without leaving permanent, visible footprints in global routing that point right back to the point of interception. We believe that people are still attempting this because they believe (correctly, in most cases) that nobody is looking. Renesys believes that increased transparency is the best answer, exactly the kind of collective security solution that the Internet is good at delivering. For our part, we’ve taken this seriously enough that we’ve spent the last year building a new system that can address the challenge of identifying bad traffic paths for the whole Internet, everywhere on Earth, simultaneously. Until the day when all routes are signed and secured (and that day may never fully arrive), the best way to prevent manipulation of trust-based routing will be to help people expose violations of trust, and recognize those who implement best practices. We’ll have more to say on this subject in coming months.   Source: Renesys […]
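The excerpt above repeats the post's practical advice: monitor the global routing of your own advertised prefixes, because a hijack cannot be carried out without leaving visible footprints in the global table. The following is an added example, not code from Renesys or from the post, of what such a monitor checks. It runs over a constructed sample of route-collector records (documentation prefixes and private-use ASNs; the inventory `OWNED_PREFIXES`, the upstream table `KNOWN_UPSTREAMS` and the `Announcement` record type are all assumptions made for the example) and flags the three footprints a prefix owner cares about: a foreign origin for the exact prefix, a foreign origin for a more-specific, and a path that ends in the owner's AS but reaches it through an AS that is not one of its known transit providers.

```python
"""Flag hijack footprints in BGP announcements of our own prefixes (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed inventory for this example: prefixes we own, the ASNs allowed to
# originate each one, and the transit ASNs that should sit directly upstream of
# our origin AS. Documentation prefixes and private-use ASNs, not real data.
OWNED_PREFIXES = {
    "198.51.100.0/22": {64500},
    "2001:db8:1000::/36": {64500},
}
KNOWN_UPSTREAMS = {64500: {64496, 64497}}


@dataclass
class Announcement:
    """One route as exported by a route-collector peer (constructed records)."""
    prefix: str
    as_path: list   # leftmost = collector peer, rightmost = origin AS
    peer: str       # vantage point that saw the route


def check_announcement(ann):
    """Return (severity, reason) findings for one announcement.

    1. our exact prefix originated by a foreign AS (classic origin hijack);
    2. a more-specific of our prefix from a foreign AS (it wins longest-prefix
       match everywhere, so it captures traffic even while we keep announcing);
    3. a path that ends in our AS but reaches it through an AS that is not one
       of our transit providers (forged AS_PATH: the attacker appends our ASN so
       origin-only checks pass while the real return path to us stays intact).
    """
    findings = []
    seen = ipaddress.ip_network(ann.prefix, strict=False)
    # Collapse AS prepending so the "upstream" check looks at the real neighbor.
    path = [asn for i, asn in enumerate(ann.as_path)
            if i == 0 or asn != ann.as_path[i - 1]]
    origin = path[-1]
    for owned, allowed in OWNED_PREFIXES.items():
        ownet = ipaddress.ip_network(owned)
        if seen.version != ownet.version or not seen.subnet_of(ownet):
            continue
        exact = seen == ownet
        if origin not in allowed:
            kind = "origin hijack" if exact else "more-specific hijack"
            findings.append(("HIGH", f"{kind}: {ann.prefix} originated by AS{origin}, "
                                     f"allowed {sorted(allowed)}, seen at {ann.peer}"))
            continue
        if not exact:
            findings.append(("INFO", f"more-specific {ann.prefix} of {owned} announced by "
                                     f"our own AS{origin}; confirm it is intentional"))
        if len(path) >= 2 and path[-2] not in KNOWN_UPSTREAMS.get(origin, set()):
            findings.append(("HIGH", f"unexpected upstream AS{path[-2]} adjacent to "
                                     f"AS{origin} for {ann.prefix} (possible forged "
                                     f"AS_PATH), seen at {ann.peer}"))
    return findings


def scan(announcements):
    """Run the check over a feed and return only findings worth alerting on."""
    alerts = []
    for ann in announcements:
        for sev, reason in check_announcement(ann):
            if sev != "INFO":
                alerts.append((sev, reason))
    return alerts


# Constructed sample feed, as a collector might export it.
SAMPLE_FEED = [
    Announcement("198.51.100.0/22", [64510, 64496, 64500], "rrc00-peerA"),   # legitimate
    Announcement("198.51.100.0/24", [64510, 64520, 64530], "rrc00-peerA"),   # more-specific, foreign origin
    Announcement("198.51.100.0/22", [64511, 64540, 64500], "rrc03-peerB"),   # our origin, unknown upstream
    Announcement("2001:db8:1000::/36", [64510, 64497, 64497, 64500], "rrc00-peerA"),  # prepended, legitimate
    Announcement("203.0.113.0/24", [64510, 64550], "rrc00-peerA"),           # not ours, ignored
]

if __name__ == "__main__":
    for sev, reason in scan(SAMPLE_FEED):
        print(sev, reason)
```

A real deployment feeds this from many vantage points (public route collectors) rather than one, since a hijack may be visible from only part of the Internet, and, as the post itself stresses, a routing alarm alone cannot tell a man-in-the-middle from a fat-finger leak: the alert is the trigger for active path measurements toward the affected prefix while the route is still present.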

  104. […] details in the hope that we can make this particular vulnerability obsolete. (…).» Source: http://www.renesys.com/2013/11/mitm-internet-hijacking/ Related posts: 20/11/2013. Internet Traffic Following Malicious Detours Via Route Injection […]

  105. […] The New Threat: Targeted Internet Traffic Misdirection – did you know that internet traffic to any site can be made to go through a particular server without anybody noticing? This has been observed repeatedly in the wild, for banks and other sites. Rather make sure you use strong encryption (NSA-approved, of course ). […]

  107. […] via The New Threat: Targeted Internet Traffic Misdirection – Renesys. […]

  108. […] Someone’s been MiTMing the internets… Bruce Schneier thinks Ars Technica had an okay write up about it… And more reporting on Renesys’s original research on it. (and a little more) […]

  110. […] Simply put, the traffic keeps flowing and everything looks fine to the recipient,…” Renesys wrote in a blog post about the hijacks. “It’s possible to drag specific internet traffic halfway around the world, inspect it, modify […]

  115. […] incidents described in a report released by Renesys last month, the firm claims that web data from major financial institutions, […]

  123. […] with the set of victim networks changing daily,” Renesys chief technology officer Jim Cowie wrote in a post about some of the hijacking activity last month. “Victims whose traffic was […]

  148. […] to prove that it is now being exploited actively… and worryingly so. In a blog post dated November, the company Renesys, which specializes in network analysis, showed for the […]

  149. […] not only the NSA that has its eye on the global network. Analysts at the monitoring and security company Renesys found a rare and dangerous case on the Internet: an almost imperceptible data hijacking that […]

  154. […] on trust, is being actively abused to carry out man-in-the-middle attacks. Renesys: The New Threat: Targeted Internet Traffic Misdirection. A prediction from 2008: Revealed: The Internet’s Biggest Security Hole (Defcon / […]

  157. […] “For years, we’ve observed that there was potential for someone to weaponize the classic Pakistan-and-Youtube style route hijack. Why settle for simple denial of service, when you can instead steal a victim’s traffic, take a few milliseconds to inspect or modify it, and then pass it along to the intended recipient?   This year, that potential has become reality. We have actually observed live Man-In-the-Middle (MITM) hijacks on more than 60 days so far this year. About 1,500 individual IP blocks have been hijacked, in events lasting from minutes to days, by attackers working from various countries.” http://www.renesys.com/2013/11/mitm-internet-hijacking/ […]

  158. […] this exploit particularly disturbing is that no one may ever even know that it occurred. In a blog post by Renesys cited by Zetter, the firm warns: “What makes a man-in-the-middle routing attack different […]

  159. […] provider of specialist Internet monitoring systems, Renesys, has published research which claims to show that large chunks of Internet traffic was diverted several times during the […]

  160. […] it is to Renesys, a company specializing in network analysis, that we owe this study, in which two attacks dated February and May 2013 respectively are observed. It […]

  161. […] attacks. And with good reason. The average user shouldn’t need to know how easy it is to redirect traffic with BGP, how DNS cache poisoning works, nor how cross-site scripting attacks can be used […]

  162. […] a Huge Security Hole in the Internet“, or the corresponding post on the Renesys blog, “The New Threat: Targeted Internet Traffic Misdirection“.   The key point is that attackers are abusing BGP to hijack the routing of traffic off to […]

  164. […] from network intelligence firm Renesys observed 38 distinct events in which huge blocks of traffic have been improperly redirected to routers at […]