Internet traffic 'hijacked' and routed through Belarus and Iceland - Renesys
Renesys claims that internet traffic from key cities has been deliberately re-routed several times this year
Key traffic across the internet has been "hijacked" several times this year and deliberately routed through locations in, first, Belarus and then Iceland. The hijackings - or "network interceptions" - were targeted at specific cities and are thought to have been launched with the aim of examining financial information.
That is the claim of network performance management firm Renesys, which monitors internet traffic on behalf of clients.
In a blog posting explaining the attacks, it claimed: "We have actually observed live man-in-the-middle (MITM) hijacks on more than 60 days so far this year. About 1,500 individual IP blocks have been hijacked, in events lasting from minutes to days, by attackers working from various countries."
The company has produced a map of 150 cities in which it has observed at least one victim of this man-in-the-middle attack. Two cities in the UK were also targeted - what appear to be Newcastle and Bristol, but not London - which may undermine the company's theory that the purpose of the attacks was solely financial.
The victims of the attacks have included financial institutions, providers of voice-over-IP networks and governments, claimed Renesys.
"What makes a man-in-the-middle routing attack different from a simple route hijack? Simply put, the traffic keeps flowing and everything looks fine to the recipient. The attackers keep at least one outbound path clean. After they receive and inspect the victim's traffic, they release it right back onto the internet, and the clean path delivers it to its intended destination.
"If the hijacker is in a plausible geographic location between the victim and its counter-parties, they should not even notice the increase in latency that results from the interception. It's possible to drag specific internet traffic halfway around the world, inspect it, modify it if desired, and send it on its way. Who needs fibre-optic taps?" asks Renesys.
The attacks started in February 2013, the company said, when a sequence of events lasting from a few minutes to a few hours saw particular internet traffic diverted via Belarusian internet service provider GlobalOneBel.
"These redirections took place on an almost daily basis throughout February, with the set of victim networks changing daily. Victims whose traffic was diverted varied by day, and included major financial institutions, governments, and network service providers. Affected countries included the US, South Korea, Germany, the Czech Republic, Lithuania, Libya, and Iran," claimed Renesys.
"We recorded a significant number of live traces to these hijacked networks while the attack was underway, showing traffic detouring to Belarus before continuing to its originally intended destination... The recipient, perhaps sitting at home in a pleasant Virginia suburb drinking his morning coffee, has no idea that someone in Minsk has the ability to watch him surf the web."
The Belarusian hijackings stopped in March, restarted briefly in May using a different customer of BelTelecom - the monopoly network provider in Belarus - before diverting to a new source in Iceland instead.
"Then, at 07:36:36 UTC on July 31st 2013, Icelandic provider Opin Kerfi (AS48685) began announcing origination routes for 597 IP networks owned by one of the largest facilities-based providers of managed services in the United States, a large VoIP provider. On a normal day, Opin Kerfi normally originates only three IP networks, and has no downstream AS customers...
"This was one of 17 Icelandic events that appeared to announce international IP address space: in all, we saw traffic redirections from nine different Icelandic autonomous systems, all customers of (or belonging to) the national incumbent Síminn.
"Hijacks affected victims in several different countries during these events, following the same pattern: false routes sent to Síminn's peers in London, leaving 'clean paths' to North America to carry the redirected traffic back to its intended destination."
The diversions were achieved by manipulating the Border Gateway Protocol (BGP) routing that normally steers internet traffic along the most efficient routes, bypassing outages and congestion. BGP advertises routing and reachability information between networks.
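As an added example (not Renesys's code or data), a baseline check of the kind that would flag the Opin Kerfi event described above: it alerts when a prefix is announced with a BGP origin AS different from the one recorded for it, and when an AS suddenly originates many more prefixes than it normally does. Apart from AS48685 and the timestamp, which come from the article, the AS numbers, prefixes and update stream are constructed.

```python
"""Added example (not Renesys's code): flag BGP announcements whose origin AS
contradicts a recorded baseline, and ASes that suddenly originate far more
prefixes than usual, the pattern the article describes for Opin Kerfi."""
from collections import defaultdict

VOIP_AS = 64501        # placeholder for the US VoIP provider's AS (not named in the article)
OPIN_KERFI_AS = 48685  # Opin Kerfi, from the article
UPSTREAM_AS = 64500    # placeholder for the upstream that relayed the routes

# Constructed baseline: the VoIP provider normally originates 40 prefixes here
# (the real event involved 597); Opin Kerfi normally originates only three.
BASELINE_ORIGIN = {f"10.{i}.0.0/16": VOIP_AS for i in range(40)}
BASELINE_ORIGIN.update({f"192.0.2.{i * 64}/26": OPIN_KERFI_AS for i in range(3)})
BASELINE_COUNT = {VOIP_AS: 40, OPIN_KERFI_AS: 3}

def origin_as(as_path):
    """In BGP the origin AS is the last AS in the AS_PATH attribute."""
    return as_path[-1]

def detect_hijacks(updates, baseline=BASELINE_ORIGIN, counts=BASELINE_COUNT, burst_factor=10):
    """Return one alert per prefix whose origin differs from the baseline and one
    alert per AS originating more than burst_factor times its usual prefix count."""
    alerts = []
    originated = defaultdict(set)
    for upd in updates:
        origin = origin_as(upd["as_path"])
        originated[origin].add(upd["prefix"])
        expected = baseline.get(upd["prefix"])
        if expected is not None and origin != expected:
            alerts.append({"type": "origin_change", "prefix": upd["prefix"],
                           "expected": expected, "seen": origin, "time": upd["time"]})
    for asn, prefixes in originated.items():
        usual = counts.get(asn, 0)
        if len(prefixes) > burst_factor * max(usual, 1):
            alerts.append({"type": "origination_burst", "as": asn,
                           "usual": usual, "seen": len(prefixes)})
    return alerts

def sample_updates():
    """Constructed update stream: Opin Kerfi's three normal routes, then every
    VoIP prefix re-announced with Opin Kerfi as origin (AS paths are invented)."""
    t = "2013-07-31T07:36:36Z"
    path = [UPSTREAM_AS, OPIN_KERFI_AS]
    normal = [{"time": t, "prefix": p, "as_path": path}
              for p, a in BASELINE_ORIGIN.items() if a == OPIN_KERFI_AS]
    hijacked = [{"time": t, "prefix": p, "as_path": path}
                for p, a in BASELINE_ORIGIN.items() if a == VOIP_AS]
    return normal + hijacked
```

Run against a live feed, the same two checks need a baseline built from several days of observed announcements so that legitimate re-homing of a prefix is not mistaken for a hijack.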
Renesys engineers contend that the re-routing was deliberate and intended for the purpose of eavesdropping, but have not been able to explain exactly how the attacks were achieved.
Engineers at Síminn in Iceland were initially unresponsive to contacts from Renesys, but later claimed that the fault was due to a "bug in vendor software, that the problem had gone away when patched, and that they did not believe this problem had a malicious origin. Despite repeated requests for supporting details, we received no further communication".
That explanation, though, cuts no ice with Renesys engineers.
"We believe it's unlikely that a single router vendor bug can account for the 2013 worldwide uptick in route hijacking with traffic redirection. These Belarusian and Icelandic examples represent just two of a series of MITM attack sequences that we've observed playing out in the last 12 months, launched from these and other countries around the world."