Wednesday, November 20, 2013

Dan Goodin, Ars Technica, 20 Nov 2013
Man-in-the-middle attacks divert data on scale never before seen in the wild. http://arstechnica.com/security/2013/11/repeated-attacks-hijack-huge-chunks-of-internet-traffic-researchers-warn/

Huge chunks of Internet traffic belonging to financial institutions, government agencies, and network service providers have repeatedly been diverted to distant locations under unexplained circumstances that are stoking suspicions the traffic may be surreptitiously monitored or modified before being passed along to its final destination.

Researchers from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been improperly redirected to routers at Belarusian or Icelandic service providers. The hacks, which exploit implicit trust placed in the border gateway protocol used to exchange data between large service providers, affected "major financial institutions, governments, and network service providers" in the US, South Korea, Germany, the Czech Republic, Lithuania, Libya, and Iran.

The ease of altering or deleting authorized BGP routes, or of creating new ones, has long been considered a potential Achilles' heel for the Internet. Indeed, in 2008, YouTube became unreachable for virtually all Internet users after a Pakistani ISP altered a route in a ham-fisted attempt to block the service in just that country. Later that year, researchers at the Defcon hacker conference showed how BGP routes could be manipulated to redirect huge swaths of Internet traffic. By diverting it to unauthorized routers under the control of hackers, they were then free to monitor or tamper with any data that was unencrypted before sending it on to its intended recipient, with little sign of what had just taken place.

"This year, that potential has become reality," Renesys researcher Jim Cowie wrote. "We have actually observed live man-in-the-middle (MitM) hijacks on more than 60 days so far this year. About 1,500 individual IP blocks have been hijacked, in events lasting from minutes to days, by attackers working from various countries."

At least one unidentified voice-over-IP provider has also been targeted. In all, data destined for 150 cities have been intercepted. The attacks are serious because they affect the Internet equivalents of a US interstate that can carry data for hundreds of thousands or even millions of people. And unlike the typical BGP glitches that arise from time to time, the attacks observed by Renesys provide few outward signs to users that anything is amiss.

"The recipient, perhaps sitting at home in a pleasant Virginia suburb drinking his morning coffee, has no idea that someone in Minsk has the ability to watch him surf the Web," Cowie wrote. "Even if he ran his own traceroute to verify connectivity to the world, the paths he'd see would be the usual ones. The reverse path, carrying content back to him from all over the world, has been invisibly tampered with."

Guadalajara to Washington via Belarus

Renesys observed the first route hijacking in February when various routes across the globe were mysteriously funneled through Belarusian ISP GlobalOneBel before being delivered to their final destination. One trace, traveling from Guadalajara, Mexico, to Washington, DC, normally would have been handed from Mexican provider Alestra to US provider PCCW in Laredo, Texas, and from there to the DC metro area and then, finally, delivered to users through the Qwest/Centurylink service provider. According to Cowie:

Instead, however, PCCW gives it to Level3 (previously Global Crossing), who is advertising a false Belarus route, having heard it from Russia's TransTelecom, who heard it from their customer, Belarus Telecom. Level3 carries the traffic to London, where it delivers it to Transtelecom, who takes it to Moscow and on to Belarus. Beltelecom has a chance to examine the traffic and then sends it back out on the "clean path" through Russian provider ReTN (recently acquired by Rostelecom). ReTN delivers it to Frankfurt and hands it to NTT, who takes it to New York. Finally, NTT hands it off to Qwest/Centurylink in Washington DC, and the traffic is delivered.
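The pattern Cowie describes, a prefix that suddenly originates from, or transits through, an AS that has no business being next to it, is what route-monitoring services look for. As an added illustration, not code from the article or from Renesys, here is a minimal baseline check an operator could run over collected BGP announcements; the prefixes and AS numbers are constructed documentation values (RFC 5737 addresses, RFC 5398 ASNs), not those of any provider named above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple  # leftmost = peer that exported the route, rightmost = origin AS


# Constructed baseline: for each prefix we own or watch, the legitimate origin
# AS and the upstream ASes that normally sit directly next to it in the path.
BASELINE = {
    "198.51.100.0/24": {"origin": 64500, "upstreams": {64501, 64502}},
}


def _covering(prefix, baseline):
    """Return (baseline_prefix, entry) for the entry equal to or covering `prefix`."""
    net = ipaddress.ip_network(prefix)
    for base, entry in baseline.items():
        if net.subnet_of(ipaddress.ip_network(base)):
            return base, entry
    return None, None


def classify(ann, baseline=BASELINE):
    """Classify one announcement against the baseline; returns a list of findings."""
    base, expected = _covering(ann.prefix, baseline)
    if expected is None:
        return ["unknown-prefix"]
    findings = []
    if ann.prefix != base:
        findings.append("more-specific")  # a longer prefix wins over the real /24
    origin = ann.as_path[-1]
    if origin != expected["origin"]:
        findings.append("origin-hijack")  # a foreign AS claims to originate the block
    elif len(ann.as_path) >= 2 and ann.as_path[-2] not in expected["upstreams"]:
        findings.append("path-hijack")  # origin looks right, but the neighbour is not a known upstream
    return findings or ["ok"]


# Constructed sample announcements, as a route collector might export them.
SAMPLE = [
    Announcement("198.51.100.0/24", (64510, 64501, 64500)),  # normal path
    Announcement("198.51.100.0/24", (64510, 64509, 64508, 64507)),  # foreign origin
    Announcement("198.51.100.0/25", (64510, 64509, 64508, 64507)),  # foreign origin, more specific
    Announcement("198.51.100.0/24", (64510, 64509, 64508, 64500)),  # real origin prepended behind a stranger
]


def scan(announcements, baseline=BASELINE):
    """Map each (prefix, as_path) to its findings so the suspicious ones can be alerted on."""
    return {(a.prefix, a.as_path): classify(a, baseline) for a in announcements}
```

In practice the baseline comes from your own routing registry or RPKI data and the announcements from a route collector feed; the comparison logic stays the same.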
