Flutterby™! : Stealing the net


Stealing the net

2013-11-21 22:05:50.396704+00 by Dan Lyke 1 comment

Lunch discussion today was about some of the ways in which misconfigured BGP and misplaced trust can result in MitM scanning of large quantities of Internet traffic. Which, apparently, someone is doing.

Renesys has the run-down on the man-in-the-middle Internet hijacking that's been throwing a lot of data through Iceland and Belarus (among others):

This year, that potential has become reality. We have actually observed live Man-In-the-Middle (MITM) hijacks on more than 60 days so far this year. About 1,500 individual IP blocks have been hijacked, in events lasting from minutes to days, by attackers working from various countries.

And various people have written run-downs on that:

The lunch conversation was with people who work with BGP (Border Gateway Protocol). They pointed out that routes through those countries don't necessarily mean the sniffing was happening there; it may just be an artifact of how the hijack works: the bad route pulls the traffic in to the sniffer, and from there it has to be handed off somewhere that doesn't carry the bad route, so that it can be forwarded on to the real destination without creating a loop.
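The defender's side of that lunch conversation is route monitoring: knowing which origin AS should announce your prefixes and noticing when something else does, or when a more-specific announcement carves traffic away from your legitimate route. The following is an added example, not code from the post or from Renesys; the prefixes, ASNs and the idea of a "watched ASN" list are all constructed placeholders, and a real deployment would feed it from a BGP collector rather than a hard-coded list.

```python
"""Flag BGP announcements that disagree with an operator's expected-origin table.

Hypothetical detector (added example). It compares a constructed stream of
BGP UPDATE records against the prefixes and origin ASNs the operator expects
and reports three things: an origin mismatch on an exact prefix, a
more-specific prefix inside a monitored block (longest-prefix match means it
wins in every router's table, whoever originates it), and an AS path that
passes through an ASN on a watch list.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str       # CIDR string as carried in the UPDATE
    as_path: tuple    # AS_PATH as seen by us; the last element is the origin AS


# Constructed expectations: documentation prefixes and private ASNs, all made up.
EXPECTED_ORIGIN = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
}
# Hypothetical: ASNs we would never expect in a path towards our prefixes.
WATCHED_ASNS = {64666}


def classify(ann, expected=EXPECTED_ORIGIN, watched=WATCHED_ASNS):
    """Return the reasons an announcement looks suspicious ([] means clean)."""
    reasons = []
    net = ipaddress.ip_network(ann.prefix, strict=False)
    origin = ann.as_path[-1]
    for known, known_origin in expected.items():
        known_net = ipaddress.ip_network(known)
        if net.version != known_net.version:
            continue  # subnet_of() refuses to compare IPv4 with IPv6
        if net == known_net and origin != known_origin:
            reasons.append(
                f"origin mismatch for {known}: AS{origin} announced it, "
                f"expected AS{known_origin}")
        elif net != known_net and net.subnet_of(known_net):
            # A more-specific steals the traffic even when the origin AS looks right,
            # so it is reported either way; the wording just says which case it is.
            who = "the expected origin" if origin == known_origin else f"AS{origin}"
            reasons.append(f"more-specific {ann.prefix} inside {known} announced by {who}")
    hit = watched.intersection(ann.as_path)
    if hit:
        reasons.append(f"AS path {ann.as_path} traverses watched ASN(s) {sorted(hit)}")
    return reasons


def scan(announcements):
    """Map each suspicious announcement's prefix to the reasons it was flagged."""
    report = {}
    for ann in announcements:
        reasons = classify(ann)
        if reasons:
            report.setdefault(ann.prefix, []).extend(reasons)
    return report


# Constructed feed: one legitimate update, one more-specific with the watched AS
# in its path, and one announcement of a full prefix from the wrong origin.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", (64510, 64500)),
    Announcement("203.0.113.128/25", (64510, 64666, 64999)),
    Announcement("198.51.100.0/24", (64510, 64999)),
]

if __name__ == "__main__":
    for prefix, reasons in scan(SAMPLE_FEED).items():
        print(prefix)
        for reason in reasons:
            print("  -", reason)
```

The check on the more-specific is the important one: the post's point is that the sniffer's route only has to be preferred somewhere, and a longer prefix is preferred everywhere, so an alert keyed purely on "wrong origin for my /24" would miss it.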

It was also recommended that I watch DEF CON 16 Hacking Conference Presentation By Kapela - Pilosov - Stealing the Internet - Video and Slides (YouTube) to understand this, and to see a live demonstration of it happening.

The other thing of note: if the attacker mucks with the TTL of the traceroute packets so the extra hops don't show up, the only way to detect this is to look for timing differences between what the traceroute hop count implies and the actual round trip, and to build some heuristics on those few milliseconds...
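One shape such a heuristic can take, as an added example that is not from the post or the DEF CON talk: keep a baseline traceroute to a destination you care about, and flag any hop whose added delay grows far beyond the baseline while the path has not grown in hop count. Extra real hops that have been hidden by TTL rewriting still cost real propagation time, and that time has to land on some visible hop. The hop data, the 20 ms threshold and the handling of unanswered hops are all assumptions for the example.

```python
"""Toy heuristic: per-hop latency growth without a matching growth in hop count.

Added example. A trace is a list of (ttl, rtt_ms) pairs, constructed here
rather than measured; rtt_ms is None where traceroute printed '*'. The
comparison walks the TTLs that answered in both traces and measures how much
delay each segment between two answering hops added, so a silent router does
not make its successor look like it added all the delay by itself.
"""

BASELINE = [(1, 0.4), (2, 1.1), (3, 8.7), (4, 9.3), (5, 21.0), (6, 22.4)]
CURRENT = [(1, 0.4), (2, 1.2), (3, 9.0), (4, 87.5), (5, None), (6, 100.3)]


def answered(trace):
    """TTL -> RTT for the hops that actually replied."""
    return {ttl: rtt for ttl, rtt in trace if rtt is not None}


def suspicious_hops(baseline, current, threshold_ms=20.0):
    """Return TTLs whose segment delay grew by more than threshold_ms over the
    baseline, but only when the path did not get longer: a longer path explains
    its own latency, while a same-length path that suddenly costs far more is
    what hidden hops would look like."""
    if len(current) > len(baseline):
        return []
    base = answered(baseline)
    now = answered(current)
    common = sorted(set(base) & set(now))  # hops that replied in both traces
    flagged = []
    prev_base, prev_now = 0.0, 0.0
    for ttl in common:
        base_inc = base[ttl] - prev_base  # delay this segment added before
        now_inc = now[ttl] - prev_now     # delay the same segment adds now
        if now_inc - base_inc > threshold_ms:
            flagged.append(ttl)
        prev_base, prev_now = base[ttl], now[ttl]
    return flagged


if __name__ == "__main__":
    hops = suspicious_hops(BASELINE, CURRENT)
    if hops:
        print("latency jumped without new hops at TTL(s):", hops)
    else:
        print("no anomaly against baseline")
```

In practice the baseline and current values should be the minimum of several probes per hop, since ordinary jitter on a single probe is easily larger than the signal the post describes; the threshold is something to tune against your own path's variance, not a constant.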


comments in ascending chronological order (reverse):

#Comment Re: made: 2013-11-22 12:04:24.99874+00 by: meuon

Not sure about now... but when I did it, BGP4 and BGP routes were mostly a matter of trust between operators. Example: post Pensacola, FL hurricane, I hauled a bunch of ISPs' servers to Chattanooga, and watched BGP announcements reroute traffic to Chattanooga for a large block of IP addresses, without much more authority than that we announced (added the IPs and ASN to a config file) that those routes were available from our network.

Again, we need more end to end encryption for stuff that matters.