The full Original Wired article is available here.
This is just a summary of that article:
In 2008, two security researchers at the DefCon hacker conference demonstrated a massive security vulnerability in the worldwide internet traffic-routing system — a vulnerability so severe that it could allow intelligence agencies, corporate spies or criminals to intercept massive amounts of data, or even tamper with it on the fly.
The traffic hijack, they showed, could be done in such a way that no one would notice because the attackers could simply re-route the traffic to a router they controlled, then forward it to its intended destination once they were done with it, leaving no one the wiser about what had occurred.
Now, five years later, this is exactly what has happened. Earlier this year, researchers say, someone mysteriously hijacked internet traffic headed to government agencies, corporate offices and other recipients in the U.S. and elsewhere and redirected it to Belarus and Iceland, before sending it on its way to its legitimate destinations. They did so repeatedly over several months. But luckily someone did notice.
And this may not be the first time it has occurred — just the first time it got caught.
BGP hijacking happens in some form or fashion every day, but it’s usually unintentional — the result of a typo in a routing announcement or some other mistake. And when it does occur, it generally results in an outage, as the traffic being routed never reaches its destination. This was the case in 2008 when Pakistan Telecom inadvertently hijacked all of the world’s YouTube traffic when it attempted to prevent just Pakistan citizens from reaching video content the government deemed objectionable. The telecom and its upstream provider mistakenly advertised to routers around the world that it was the best route through which to send all YouTube traffic, and for nearly two hours browsers attempting to reach YouTube fell into a black hole in Pakistan until the problem was corrected.
In April 2010, another outage occurred when China Telecom distributed an erroneous announcement for more than 50,000 blocks of IP addresses, and within minutes some of the traffic destined for these domains got sucked into China Telecom’s network for 20 minutes. After analyzing the details, Renesys concluded that this incident, too, was likely a mistake.
But the incidents this year have all the characteristics of an intentional intercept, Renesys says.
BGP hijacking is an “exceedingly blunt instrument” to capture traffic, and is “about as subtle as a firecracker in a funeral home,” Renesys has noted in the past.
In all the years Renesys has been monitoring internet traffic, analysts had never seen anything that looked intentional before. Generally, Madory says, mistakes look clumsy and show obvious signs of being mistakes. They also generally last minutes, not days as these did, and they also generally do not result in traffic being re-routed to its legitimate destination, as occurred in these cases.
“To achieve this thing where you can get [hijacked] traffic back to its destination, . . . you have to craft your [BGP] messages in a way that you control how far it propagates or where it propagates,” he says. “And we can see these guys experiment over time, modifying different attributes to change the propagation until they’ve achieved the one that they want. We’ve never seen anything like that, that looks very deliberate where someone is tweaking the approach.”
As Renesys warned on its blog: “We believe that people are still attempting this because they believe (correctly, in most cases) that nobody is looking.”
No comments:
Post a Comment