“For years, we’ve observed that there was potential for someone to weaponize the classic Pakistan-and-Youtube style route hijack. Why settle for simple denial of service, when you can instead steal a victim’s traffic, take a few milliseconds to inspect or modify it, and then pass it along to the intended recipient?” he notes.
“This year, that potential has become reality. We have actually observed live Man-In-the-Middle hijacks on more than 60 days so far this year. About 1,500 individual IP blocks have been hijacked, in events lasting from minutes to days, by attackers working from various countries.”
The company is capable of monitoring BGP (Border Gateway Protocol) connections in realtime from “hundreds of independent BGP vantage points,” and this is how they discovered several instances in which traffic that should have passed to a couple of pretty straightforward hops has gone around the world and back.
“In February 2013, we observed a sequence of events, lasting from just a few minutes to several hours in duration, in which global traffic was redirected to Belarusian ISP GlobalOneBel. These redirections took place on an almost daily basis throughout February, with the set of victim networks changing daily. Victims whose traffic was diverted varied by day, and included major financial institutions, governments, and network service providers. Affected countries included the US, South Korea, Germany, the Czech Republic, Lithuania, Libya, and Iran,” Cowie recounts.
“The recipient, perhaps sitting at home in a pleasant Virginia suburb drinking his morning coffee, has no idea that someone in Minsk has the ability to watch him surf the web. Even if he ran his own traceroute to verify connectivity to the world, the paths he’d see would be the usual ones. The reverse path, carrying content back to him from all over the world, has been invisibly tampered with.”
These traffic diversions stopped in March, says Cowie, but restarted briefly in May. Practically simultaneously, a new and extremely short (a few minutes) BGP hijack came from a small Icelandic provider.
A few months later, another Icelandic provider started announcing origination routes for 597 IP networks owned by a large US VoIP provider. In the months that followed, a number of Icelandic companies began to do the same, and the traffic was rerouted through peers of Icelandic telecom Siminn in London.
When contacted, the company claimed (and still does) that the redirections were due to a remotely exploitable bug in vendor software, which they have since patched, and that they don’t believe that it was exploited by malicious actors.
“This kind of attack should not happen,” says Cowie. “You cannot carry out this kind of hijacking without leaving permanent, visible footprints in global routing that point right back to the point of interception. We believe that people are still attempting this because they believe (correctly, in most cases) that nobody is looking.”
In these particular cases, someone was. Renesys has been monitoring the situation, and has notified affected parties: financial institutions, VoIP providers, and world governments, among many.