Somebody is Hijacking Massive Amounts of Data Via Iceland
by Karl Bode 04:36PM Friday Nov 22 2013
Security research firm Renesys has authored an interesting blog post noting how they're seeing a significant uptick in the number of large-scale man in the middle attacks. What's more, insists the firm, these attacks are increasingly gobbling up a larger and larger share of overall Internet traffic without most people bothering to notice.

Since February, the firm states they have observed 38 distinct events in which significant blocks of Internet traffic have been covertly redirected to routers at Icelandic or Belarusian service providers. Renesys provides one such example of a trace from Guadalajara, Mexico to Washington, DC that goes through Moscow and Minsk:
quote:
Mexican provider Alestra hands it to PCCW for transit in Laredo, Texas. PCCW takes it to the Washington, DC metro area, where they would normally hand it to Qwest/Centurylink for delivery.

Instead, however, PCCW gives it to Level3 (previously Global Crossing), who is advertising a false Belarus route, having heard it from Russia’s TransTelecom, who heard it from their customer, Belarus Telecom. Level3 carries the traffic to London, where it delivers it to Transtelecom, who takes it to Moscow and on to Belarus. Beltelecom has a chance to examine the traffic, and then sends it back out on the “clean path” through Russian provider ReTN. ReTN delivers it to Frankfurt and hands it to NTT, who takes it to New York. Finally, NTT hands it off to Qwest/Centurylink in Washington DC, and the traffic is delivered.
They offer up a few other interesting examples, including an instance where traffic that should have simply traveled between two locations in Denver, Colorado actually wound up getting bounced all the way to Iceland and back. This scale of man-in-the-middle hijacking (involving deleting, altering, or even creating authorized BGP routes) was largely a worrisome theory until earlier this year, when someone made it a reality. The hijacking is largely imperceptible to regular users.

Why is this happening? Renesys says they don't have a clear understanding of the "exact mechanism, motivation, or actors," though most assume this is either intelligence or criminal in nature. Renesys goes on to note that these attacks leave a visible trail to be followed, but that most communications providers don't appear too concerned with tracking or thwarting the efforts.

"In practical terms, this means that Man-In-the-Middle BGP route hijacking has now moved from a theoretical concern to something that happens fairly regularly, and the potential for traffic interception is very real," notes the firm. "Everyone on the Internet — certainly the largest global carriers, certainly any bank or credit card processing company or government agency — should now be monitoring the global routing of their advertised IP prefixes."
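The monitoring Renesys recommends can be approximated with a small check over what public route collectors see for your own prefixes. The following is an added example, not code from Renesys or from the article; it uses a constructed set of observations, the documentation prefix 192.0.2.0/24 and private ASNs as stand-ins, and flags the three symptoms of the hijacks described above: a replaced origin AS, a more-specific announcement that would win over the legitimate one, and an AS that claims to be adjacent to the origin but is not one of its real upstreams.

```python
import ipaddress

# Constructed sample policy: our prefix, our origin ASN and the ASNs we actually
# connect to. None of these values come from the article.
OUR_PREFIX = ipaddress.ip_network("192.0.2.0/24")   # documentation prefix
OUR_ORIGIN_AS = 64500                               # private ASN, stand-in for ours
OUR_UPSTREAMS = {64501, 64502}                      # ASNs we really peer with

# Constructed observations, as a route collector would report them:
# (vantage point, announced prefix, AS path with the origin as last element).
OBSERVED = [
    ("rrc-a", "192.0.2.0/24", [64510, 64501, 64500]),   # normal path via upstream 64501
    ("rrc-b", "192.0.2.0/24", [64520, 64502, 64500]),   # normal path via upstream 64502
    ("rrc-c", "192.0.2.0/25", [64530, 64599, 64500]),   # more-specific, via a stranger
    ("rrc-d", "192.0.2.0/24", [64540, 64599]),          # our origin replaced outright
]

def check_route(prefix, as_path):
    """Return alarm strings for one observed route; an empty list means it looks fine."""
    alarms = []
    net = ipaddress.ip_network(prefix)
    if net.version != OUR_PREFIX.version or not net.subnet_of(OUR_PREFIX):
        return alarms                      # unrelated prefix, nothing to say
    origin = as_path[-1]
    if origin != OUR_ORIGIN_AS:
        alarms.append(f"origin AS {origin} != expected {OUR_ORIGIN_AS}")
    if net.prefixlen > OUR_PREFIX.prefixlen:
        alarms.append(f"more-specific {net} will win over {OUR_PREFIX}")
    # A hijacker that keeps our origin AS in the path still has to pretend to be
    # our neighbour; check the AS next to the origin against the real upstreams.
    if origin == OUR_ORIGIN_AS and len(as_path) > 1 and as_path[-2] not in OUR_UPSTREAMS:
        alarms.append(f"AS {as_path[-2]} claims adjacency to us but is not an upstream")
    return alarms

def scan(observations):
    """Map vantage point -> alarms, only for routes that raised at least one."""
    report = {}
    for vantage, prefix, path in observations:
        alarms = check_route(prefix, path)
        if alarms:
            report[vantage] = alarms
    return report

if __name__ == "__main__":
    for vantage, alarms in scan(OBSERVED).items():
        print(vantage, "->", "; ".join(alarms))
```

In practice the observations would be pulled from a looking glass or a route collector feed and the check run on every update.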

zed260
Premium
join:2011-11-11
Cleveland, TN

not surprised

Probably a new way for the NSA to get access to the data without needing to be subject to US laws and regulations.
Skippy25

join:2000-09-13
Hazelwood, MO

Re: not surprised

That would be my first guess.
Rojo

join:2009-04-14
New York, NY
kudos:1

Re: not surprised

yup
elefante72

join:2010-12-03
East Amherst, NY
Yeah, SIGINT through Greenland or Iceland. Popular ECHELON stuff.
The fact that TLS is a mess makes it easy for governments or criminals to decrypt web traffic.

meeeeeeeeee

join:2003-07-13
Newburgh, NY

Re: not surprised

said by elefante72:

for governments or criminals

There's a difference or were you just being redundant?
zed260
Premium
join:2011-11-11
Cleveland, TN
Reviews:
·Charter

Re: not surprised

said by meeeeeeeeee:

said by elefante72:

for governments or criminals

There's a difference or were you just being redundant?

Difference: criminals are mostly ("90 percent anyway") common folk trying to feed family etc.

The governments, on the other hand, are after everything about you and are dishonest.
Rojo

join:2009-04-14
New York, NY
kudos:1

1 recommendation

Re: not surprised

"criminals . . .common folk trying to feed family"


Good grief.
zed260
Premium
join:2011-11-11
Cleveland, TN
Reviews:
·Charter

Re: not surprised

said by Rojo:

"criminals . . .common folk trying to feed family"


Good grief.

That's mostly true, they're more honest than government.

meeeeeeeeee

join:2003-07-13
Newburgh, NY
I suppose you have a point. 90% of most criminals ARE more honorable than governments.

vpoko
Premium
join:2003-07-03
Boston, MA

Re: not surprised

Look, what the US government has been doing is wrong, but what you're saying is New York Post-style sensationalism. Criminals in the business of stealing data aren't really honorable at all. A comparison of how honorable they are versus the US government is meaningless because it's not well defined.

vpoko
Premium
join:2003-07-03
Boston, MA

1 recommendation

Lol, okay. Truth is, they're both mighty shady and need to be reined in. Common folk trying to feed their family get jobs, like all the common folk that I know.

meeeeeeeeee

join:2003-07-13
Newburgh, NY

Re: not surprised

So should those that suck off the Public teat... aka Government Workers. Maybe if they learned to do something productive, they wouldn't have time to be so devious and self serving... like us common folk.

By the way, what they are doing is not shady. It's WAY past that, it's downright dark.
--
"when the people have suffered many abuses under the control of a totalitarian leader, they not only have the right but the duty to overthrow that government." - The U.S. Declaration of Independence

vpoko
Premium
join:2003-07-03
Boston, MA

Re: not surprised

A lot of government workers are necessary. A lot aren't. But the people working at the DMV have nothing to do with government policy, which is where our government-related problems lie.

And obviously, none of that has anything to do with data-stealing criminals being or not being fantastic people. They aren't. I don't mean the Private Mannings of the world, I mean the ones who do it for profit.

meeeeeeeeee

join:2003-07-13
Newburgh, NY

Re: not surprised

The guy at DMV with his four assistants that empties the three wastebaskets, making 5 times what his job is worth, with full benefits, outrageous pension and life time medical is just as much a part of the problem as the jackals in Washington.
--
"when the people have suffered many abuses under the control of a totalitarian leader, they not only have the right but the duty to overthrow that government." - The U.S. Declaration of Independence
Secyurityet
Premium
join:2012-01-07
untied state

Re: not surprised

So, vote for someone who's trying to whittle down the size and scope of government next time.

But don't be back here complaining when you have to stand in line 3 hours to get your dog tag renewed.

Also don't complain that someone's trying to bust another union protecting those trash-can-emptiers' jobs.

meeeeeeeeee

join:2003-07-13
Newburgh, NY

Re: not surprised

said by Secyurityet:

Also don't complain that someone's trying to bust another union protecting those trash-can-emptiers' jobs.

I will be first on line to CHEER when someone busts the unions protecting those trash-can-emptier's jobs!! We cannot go on paying FIVE people GREAT SALARIES and STUPENDOUS BENEFITS to do the work of ONE. We can't AFFORD it, NO ONE CAN!
--
"when the people have suffered many abuses under the control of a totalitarian leader, they not only have the right but the duty to overthrow that government." - The U.S. Declaration of Independence
WhatNow
Premium
join:2009-05-06
Charlotte, NC
Reviews:
·Time Warner Cable

1 recommendation

Re: not surprised

Just like the millionaire farmers that get $10k farm payments. It is interesting that the red states get more money per person than the blue states. Be careful what you wish for.
By the way I don't have much use for Unions and lately most upper management.

kerchunk

@embarqhsd.net

Re: not surprised

I know a lot of red state farmers... none are anywhere near millionaires, but many do have million dollar cash flow. And by cash flow they deal with a lot of revenue that produces very little profit in the end - like $20-50k.
we're getting waaay off topic here...
LTE4LIFE

join:2013-02-28

2 recommendations

If voting actually worked, they would make it illegal...

mikerichards

@comcast.net

4 recommendations

I'll pay you $10,000 to provide definitive proof that such a "guy" exists at any DMV in the United States. Seriously, have you ever actually reviewed the salary and benefits that an average state employee receives? My mom was a nurse surveyor for the Texas Department of Aging and Disability Services. A registered nurse, someone who went to college. She received a below-industry average salary (for an RN), no pension, and for the duration of her employment (NOT "life time"), Blue Cross health insurance. On occasion she had to travel to a rural county overnight. The state paid for such luxurious accommodations as a Best Western and $15 per diem, which barely worked as long as you only ate crackers for lunch. So seriously, shut up.

vpoko
Premium
join:2003-07-03
Boston, MA

1 recommendation

I have yet to see any front-line people at the DMV who have any assistants or make even a comfortable salary. Since their pay is public record, I'm sure you'll set me straight with some facts instead of unsubstantiated dreck.

vpoko
Premium
join:2003-07-03
Boston, MA

2 recommendations

Re: not surprised

Just looking at my own state, Massachusetts, for example, an RMV (we call it the Registry of Motor Vehicles in this state) accountant makes between approximately 43K and 56K per year. That's significantly below what a private sector accountant makes.

The head of the RMV makes $133K. That's what a middle-manager makes in the private sector. Someone who heads up an entire department (SVP level) would be making $100K more than that.

I'm not saying there isn't government waste, there's tons of it, but it's not because run-of-the-mill (non-politically connected) government workers are getting rich.

anonome

@verizon.net
"either intelligence or criminal in nature"

The difference these days: it's "legal" when the govt. does it ('cause they make the laws... and break them when they feel like it).

("Legal" doesn't mean "right", and "illegal" doesn't mean "wrong". It's just one, smaller group telling every other, larger group what they're allowed to do--even with their own lives and property. As such, "criminal" sometimes means nothing more than one exercising one's God-given rights to live one's own life as one sees fit.)
dra6o0n

join:2011-08-15
Mississauga, ON

Re: not surprised

"Nothing is true. Everything is permitted."

A video game summed that up easily.
iknow_t

join:2012-05-03
said by elefante72:

Yeah, SIGINT through Greenland or Iceland. Popular ECHELON stuff.
The fact that TLS is a mess makes it easy for governments or criminals to decrypt web traffic.

That would be odd, since neither of those 2 countries is part of ECHELON!
ISurfTooMuch

join:2007-04-23
Tuscaloosa, AL
That was my first thought as well, but I'm not sure. The NSA probably has enough compromised points in major routes that they don't need to redirect any traffic to get to it. However, it's unlikely that the Russians or Belarusians have that same level of access. For them, it's easier to reroute the data so they can look at it at points where they do have access.
cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9

Re: not surprised

The NSA doesn't redirect traffic. They tap the lines where you cannot tell they're doing it. (or have the providers do it for them)

neochu

join:2008-12-12
Windsor, ON

Re: not surprised

Tap and duplicate at the hard points in exchange areas. No need to be so blatant you're siphoning that way.
Warez_Zealot

join:2006-04-19
Vancouver

1 edit
I'm actually surprised. This is pretty noticeable if you do a traceroute and anyone who is running latency sensitive services would see this in a second. Basically they are sending traffic from WDC to the opposite end of the world then back.

If Level 3 is involved, they are a pretty large tier 1 backbone provider. This means that companies such as PCCW (not sure who this is) and the smaller ISPs would be paying a fortune in upstream fees and would fix this in a second.

So if this is the case, this must mean that PCCW and the other ISPs are complacent (not getting billed) and in on it with Level 3 (big defense conglomerate) and the NSA/US defense complex.

I would like a bit more information, since ISPs do have some ability to change their BGP preferencing (take a look at route-views and do a "show ip bgp" to see the available routes). So if they really wanted to, they could play around with alternate routes to see if their traffic is being redirected overseas on purpose or not.
--
"You're not supposed to be so blind with patriotism that you can't face reality. Wrong is wrong, no matter who says it."-Malcolm X



tempnexusawa

@verizon.net
Nah, it's a perfect time for any other massive nation (Russia, China) to attempt more overt practices, since they know that the US and NSA are on everyone's radar.
BiggA

join:2005-11-23
EARTH

In Soviet Russia...

...data download YOU!
semaj81

join:2002-08-12
Marietta, OH

Scary...

This worries me more for some reason than the NSA news did. What is this?

seaman
Premium
join:2000-12-08
Seattle, WA

Re: Scary...

No worries. This is only a Level 3 incident.

1 I can do it without getting caught
2 I can do it without being seen
3 I can do it
4 I can't do it
WhatNow
Premium
join:2009-05-06
Charlotte, NC

money

I wonder if they may be doing it to get paid for the traffic.
The sad part is the big ISPs don't seem to care and a fix is easy.

yaplej
Premium
join:2001-02-10
White City, OR

BGP Validation

If this starts to become a problem I would expect that some network engineers would develop some solution to validate the authenticity of an injected route. Similar to what we now have for email with SPF and DKIM. Not everyone uses these technologies though.

Seems like some people smarter than me could develop something to facilitate route origination validation.

Maybe it would involve using public/private keys and some type of as-path chain. Not sure how it would work but it seems like something could be done to prevent injection of bogus routes into the Internet.
--
sk_buff what?

Open Source Network Accelerators
»www.trafficsqueezer.org
»www.opennop.org

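The origin half of what the post above imagines exists as RPKI route origin validation: a prefix holder signs a Route Origin Authorization naming the AS allowed to originate the prefix and the longest prefix length it may be announced with, and routers classify each announcement as valid, invalid or not-found (RFC 6811). The following is an added example, not code from the poster or from any router vendor; the ROAs and announcements are constructed, using the documentation prefixes and private ASNs, and signature checking is assumed to have happened already when the ROAs were fetched.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network   # prefix the holder authorises (IPv6Network also works)
    max_length: int                 # longest prefix length the holder allows to be announced
    asn: int                        # the one AS allowed to originate it

# Constructed sample ROAs, standing in for ones fetched (and already
# signature-checked) from the RPKI repositories. Not data from the page.
ROAS = [
    ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64500),      # no more-specifics allowed
    ROA(ipaddress.ip_network("198.51.100.0/24"), 26, 64501),   # may be split down to /26
]

def validate_origin(prefix, origin_asn, roas=ROAS):
    """RFC 6811 outcome for one announcement: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"            # nobody has made a statement about this space
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"                  # covered, but no ROA allows this origin or length

def filter_announcements(announcements, roas=ROAS):
    """Split (prefix, as_path) announcements into accepted and rejected lists.

    Only 'invalid' is rejected; 'not-found' is accepted because most of the
    routing table has no ROA at all, so dropping it would break reachability.
    """
    accepted, rejected = [], []
    for prefix, as_path in announcements:
        state = validate_origin(prefix, as_path[-1], roas)
        (rejected if state == "invalid" else accepted).append((prefix, state))
    return accepted, rejected

if __name__ == "__main__":
    # A more-specific of 192.0.2.0/24 from a stranger is rejected; the real route passes.
    print(filter_announcements([("192.0.2.0/24", [64510, 64500]),
                                ("192.0.2.0/25", [64530, 64599])]))
```

Origin validation says nothing about the rest of the AS path, which is what BGPsec adds, and a hijack that keeps the legitimate origin AS at the end of a forged path still passes this check.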
iknow_t

join:2012-05-03

Not new

According to this, it started in 1997: »en.wikipedia.org/wiki/IP_hijacki ··· ijacking