November 19, 2013 | Categories: Internet, Security, Situational Awareness, Uncategorized

The New Threat: Targeted Internet Traffic Misdirection

Traffic interception has certainly been a hot topic in 2013. The world has been focused on interception carried out the old fashioned way, by getting into the right buildings and listening to the right cables. But there’s actually been a significant uptick this year in a completely different kind of attack, one that can be carried out by anybody, at a distance, using Internet route hijacking.

After consultations with many of the affected parties, we’re coming forth with some details in the hope that we can make this particular vulnerability obsolete.

Understanding the Threat

At Renesys, we watch the Internet 24/7 for our enterprise customers, to help them understand and respond to Internet impairment before it affects their businesses. Many of those impairments are the result of someone else’s well-intended Internet traffic engineering. Some are accidents, like cable cuts or natural disasters, and that’s what you typically see us blog about. But a number of Internet impairments are hard to explain by blind chance or bad luck, and that’s our focus today.

For years, we’ve observed that there was potential for someone to weaponize the classic Pakistan-and-Youtube style route hijack. Why settle for simple denial of service, when you can instead steal a victim’s traffic, take a few milliseconds to inspect or modify it, and then pass it along to the intended recipient?

This year, that potential has become reality. We have actually observed live Man-In-the-Middle (MITM) hijacks on more than 60 days so far this year. About 1,500 individual IP blocks have been hijacked, in events lasting from minutes to days, by attackers working from various countries.

Simple BGP alarming is not sufficient to distinguish MITM from a generic route hijacking or fat-finger routing mistake; you have to follow up with active path measurements while the attack is underway in order to verify that traffic is being simultaneously diverted and then redelivered to the victim. We’ve done that here.

Here’s a map of 150 cities in which we’ve observed at least one victim of a validated MITM route hijacking attack so far this year. The victims have been diverse: financial institutions, VoIP providers, and world governments have been prominent targets. [Map: global-hijack-cities]

What makes a Man-in-the-Middle routing attack different from a simple route hijack? Simply put, the traffic keeps flowing and everything looks fine to the recipient. The attackers keep at least one outbound path clean. After they receive and inspect the victim’s traffic, they release it right back onto the Internet, and the clean path delivers it to its intended destination. If the hijacker is in a plausible geographic location between the victim and its counterparties, they should not even notice the increase in latency that results from the interception. It’s possible to drag specific Internet traffic halfway around the world, inspect it, modify it if desired, and send it on its way. Who needs fiberoptic taps?

It’s even possible to see these attacks as they are occurring, if you have the right global measurement infrastructure. Renesys maintains a realtime view of the Internet from hundreds of independent BGP vantage points. We have to, because that’s how we can detect evidence of Internet impairment worldwide, even when that impairment is localized. We also maintain an active measurement infrastructure that sends out billions of measurement packets each day, crisscrossing the Internet in search of impaired or unusual paths like these. Finally, we have a distributed realtime-taskable measurement system that allows us to trigger quick measurements from all over the planet when trouble is detected in a region, so that we can immediately evaluate its significance.
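The two-stage check this section describes, a BGP origin alarm followed by an active path measurement taken while the alarm is live, as an added Python example that is not Renesys code. Every ASN, prefix and hop below is constructed (RFC 5398 documentation ASNs, RFC 5737 addresses); the hop-to-ASN mapping, the hijacker set and the three sample traces are assumptions supplied by the example, not data from the post.

```python
"""Telling a BGP man-in-the-middle apart from a plain hijack.

Added example, not Renesys code. Stage 1 compares (prefix, origin AS) as
seen from several BGP vantage points against the registered origin,
including more-specifics. Stage 2 classifies a traceroute taken during the
event: diverted *and* redelivered is the MITM signature, diverted and never
delivered is a black hole. All ASNs, addresses and hops are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BgpView:
    vantage: str          # BGP vantage point the announcement was seen from
    prefix: str           # announced prefix
    as_path: List[int]    # AS path; the origin AS is the last element


@dataclass
class Hop:
    ip: Optional[str]     # responding address, None for a '*' hop
    rtt_ms: Optional[float]
    asn: Optional[int]    # AS the address belongs to (constructed mapping)


def bgp_alarms(views, expected_origins):
    """Alert on announcements whose origin is not the registered one.

    expected_origins maps prefix -> ASN that legitimately originates it.
    A more-specific of a known prefix from another AS is also an alert,
    because it wins longest-prefix match wherever it propagates.
    """
    expected = {ipaddress.ip_network(p): asn for p, asn in expected_origins.items()}
    alerts = []
    for v in views:
        net = ipaddress.ip_network(v.prefix)
        origin = v.as_path[-1]
        for known, asn in expected.items():
            if net.version != known.version:
                continue
            if net == known or net.subnet_of(known):
                if origin != asn:
                    alerts.append({"vantage": v.vantage, "prefix": v.prefix,
                                   "covering": str(known), "expected_origin": asn,
                                   "seen_origin": origin, "more_specific": net != known})
                break
    return alerts


def classify_trace(hops, hijacker_asns, dest_asn):
    """Classify a traceroute run while a hijack alarm is active.

    clean      - never enters a hijacker AS and ends in dest_asn
    blackholed - enters a hijacker AS and never reaches dest_asn
    mitm       - enters a hijacker AS and still ends in dest_asn
    detour_rtt_ms is the latency the detour added: final RTT minus the RTT
    of the last responding hop before the path crossed into the hijacker.
    """
    responding = [h for h in hops if h.ip is not None]
    entered_at = next((i for i, h in enumerate(hops) if h.asn in hijacker_asns), None)
    reached = bool(responding) and responding[-1].asn == dest_asn
    if entered_at is None:
        return {"verdict": "clean" if reached else "unreachable",
                "detour_hop": None, "detour_rtt_ms": 0.0}
    before = [h.rtt_ms for h in hops[:entered_at] if h.rtt_ms is not None]
    penalty = 0.0
    if reached:
        penalty = responding[-1].rtt_ms - (before[-1] if before else 0.0)
    return {"verdict": "mitm" if reached else "blackholed",
            "detour_hop": entered_at, "detour_rtt_ms": round(penalty, 3)}


# Constructed data: AS64500 owns 203.0.113.0/24; AS64499 plays the hijacker,
# announcing a more-specific /25 that one vantage point has accepted.
EXPECTED_ORIGINS = {"203.0.113.0/24": 64500}
SAMPLE_VIEWS = [
    BgpView("vantage-mx", "203.0.113.0/25", [64496, 64497, 64498, 64499]),  # poisoned
    BgpView("vantage-ny", "203.0.113.0/24", [64501, 64500]),                # legitimate
]
MITM_TRACE = [                                   # constructed, shaped like the Minsk detour
    Hop("192.0.2.1", 15.4, 64496), Hop("192.0.2.9", 17.0, 64497),
    Hop("198.51.100.5", 84.5, 64498), Hop("198.51.100.21", 157.6, 64498),
    Hop("198.51.100.77", 228.4, 64499),          # hijacker's router
    Hop(None, None, None),                       # no response
    Hop("198.51.100.130", 230.8, 64501),         # back on the clean path
    Hop("203.0.113.10", 238.1, 64500),           # delivered to the victim anyway
]
BLACKHOLE_TRACE = MITM_TRACE[:5] + [Hop(None, None, None)] * 3
CLEAN_TRACE = MITM_TRACE[:4] + [Hop("198.51.100.130", 86.2, 64501),
                                Hop("203.0.113.10", 90.1, 64500)]

if __name__ == "__main__":
    for a in bgp_alarms(SAMPLE_VIEWS, EXPECTED_ORIGINS):
        print("BGP alarm:", a)
    for name, t in [("mitm", MITM_TRACE), ("blackhole", BLACKHOLE_TRACE), ("clean", CLEAN_TRACE)]:
        print(name, "->", classify_trace(t, {64499}, 64500))
```

The alarm alone cannot tell the three traces apart; only the trace taken while the alert is live separates a fat-fingered black hole (path dies inside the hijacker) from an interception (path crosses the hijacker, then a provider that still holds the legitimate route completes delivery, with the detour visible only as added latency).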

Example 1: Belarusian Traffic Diversion

In February 2013, we observed a sequence of events, lasting from just a few minutes to several hours in duration, in which global traffic was redirected to Belarusian ISP GlobalOneBel. These redirections took place on an almost daily basis throughout February, with the set of victim networks changing daily. Victims whose traffic was diverted varied by day, and included major financial institutions, governments, and network service providers. Affected countries included the US, South Korea, Germany, the Czech Republic, Lithuania, Libya, and Iran.

We recorded a significant number of live traces to these hijacked networks while the attack was underway, showing traffic detouring to Belarus before continuing to its originally intended destination.

Here’s an example of a trace from Guadalajara, Mexico to Washington, DC that goes through Moscow and Minsk. Mexican provider Alestra hands it to PCCW for transit in Laredo, Texas. PCCW takes it to the Washington, DC metro area, where they would normally hand it to Qwest/Centurylink for delivery.

Instead, however, PCCW gives it to Level3 (previously Global Crossing), who is advertising a false Belarus route, having heard it from Russia’s TransTelecom, who heard it from their customer, Belarus Telecom. Level3 carries the traffic to London, where it delivers it to Transtelecom, who takes it to Moscow and on to Belarus. Beltelecom has a chance to examine the traffic, and then sends it back out on the “clean path” through Russian provider ReTN. ReTN delivers it to Frankfurt and hands it to NTT, who takes it to New York. Finally, NTT hands it off to Qwest/Centurylink in Washington DC, and the traffic is delivered.

27 February 2013: Traceroute from Guadalajara, Mexico to Washington, DC via Minsk
IP               Delay (ms)  Notes
201.151.31.149   15.482      pc-gdl2.alestra.net.mx (Guadalajara, MX)
201.163.102.1    17.702      pc-mty2.alestra.net.mx (Monterrey, MX)
201.151.27.230   13.851      igmty2.alestra.net.mx (Monterrey, MX)
63.218.121.49    17.064      ge3-1.cr02.lar01.pccwbtn.net (Laredo, TX)
63.218.44.78     64.012      TenGE11-1.br03.ash01.pccwbtn.net (Ashburn, VA)
64.209.109.221   84.529      GBLX-US-REGIONAL (Washington, DC)
67.17.72.21      157.641     lag1.ar9.LON3.gblx.net (London, UK)
208.178.194.170  143.344     cjs-company-transtelecom.ethernet8-4.ar9.lon3.gblx.net (London, UK)
217.150.62.234   212.869     mskn01.transtelecom.net (Moscow, RU)
217.150.62.233   228.461     BelTelecom-gw.transtelecom.net (Minsk, Belarus)
87.245.233.198   225.516     ae6-3.RT.IRX.FKT.DE.retn.net (Frankfurt, DE)
*                            no response
*                            no response
129.250.3.180    230.887     ae-3.r23.nycmny01.us.bb.gin.ntt.net (New York, NY)
129.250.4.69     232.959     ae-1.r05.nycmny01.us.bb.gin.ntt.net (New York, NY)
129.250.8.158    248.685     ae-0.centurylink.nycmny01.us.bb.gin.ntt.net (New York, NY)
*                            no response
63.234.113.110   238.111     63-234-113-110.dia.static.qwest.net (Washington, DC)

The recipient, perhaps sitting at home in a pleasant Virginia suburb drinking his morning coffee, has no idea that someone in Minsk has the ability to watch him surf the web. Even if he ran his own traceroute to verify connectivity to the world, the paths he’d see would be the usual ones. The reverse path, carrying content back to him from all over the world, has been invisibly tampered with.

May 2013: Changing of the Guard

The Belarus traffic diversions stopped in March. They restarted briefly in May, using a different customer of BelTelecom as the source, and then ended for several months. Within the same hour as the final Belarus hijack of May, however, we saw a first BGP hijack lasting only five minutes from a completely new source: Nyherji hf (AS29689), a small Icelandic provider.

Example 2: Icelandic Traffic Diversion

After this “first light” from Iceland in May, there were no more route hijacks from Iceland for more than two months. Then, at 07:36:36 UTC on July 31st 2013, Icelandic provider Opin Kerfi (AS48685) began announcing origination routes for 597 IP networks owned by one of the largest facilities-based providers of managed services in the United States, a large VoIP provider. On a normal day, Opin Kerfi originates only three IP networks and has no downstream AS customers.

Opin Kerfi has two ISPs: Fjarskipti (AS 12969) and Síminn (AS 6677). The faulty routes propagated exclusively through Síminn, never through Fjarskipti.

In fact, this was one of seventeen Icelandic events, spread over the period July 31 – August 19th. And Opin Kerfi was not the only Icelandic company that appeared to announce international IP address space: in all, we saw traffic redirections from nine different Icelandic autonomous systems, all customers of (or belonging to) the national incumbent Síminn. Hijacks affected victims in several different countries during these events, following the same pattern: false routes sent to Síminn’s peers in London, leaving ‘clean paths’ to North America to carry the redirected traffic back to its intended destination.
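As an added example (not Renesys code or data), the two routing-table signals from the Opin Kerfi event expressed as checks over a constructed snapshot of route-collector announcements: an AS that normally originates three prefixes suddenly originating dozens, and the new routes reaching collectors through only one of the origin's two upstreams. All ASNs and prefixes are documentation values; AS64512, AS64513, AS64514 and AS64500 are stand-ins for a small provider, its two upstreams and the victim, not Opin Kerfi, Fjarskipti, Síminn or the VoIP provider.

```python
"""Origination-count and single-upstream checks, as in the Icelandic events.

Added example, not Renesys code. Input is a constructed snapshot of
(prefix, AS path) announcements as route collectors would see them. ASNs
are RFC 5398 documentation values, prefixes RFC 5737 ones.
"""
import ipaddress
from collections import defaultdict


def origin_counts(announcements):
    """Distinct prefixes each origin AS (last AS in the path) announces."""
    seen = defaultdict(set)
    for prefix, as_path in announcements:
        seen[as_path[-1]].add(prefix)
    return {asn: len(prefixes) for asn, prefixes in seen.items()}


def origination_spikes(baseline, today, min_factor=10, min_new=50):
    """ASes whose originated-prefix count jumped well above their baseline.

    baseline: {asn: usual count over previous days}; an AS absent from it is
    treated as usually originating nothing. Both thresholds must be met, so
    a two-prefix AS adding one prefix is not flagged.
    Returns sorted (asn, usual, today) triples.
    """
    flagged = []
    for asn, count in today.items():
        usual = baseline.get(asn, 0)
        if count - usual >= min_new and count >= min_factor * max(usual, 1):
            flagged.append((asn, usual, count))
    return sorted(flagged)


def upstreams_of(announcements, origin_asn, prefixes=None):
    """ASes seen directly before origin_asn in any path, optionally only for
    the given prefixes. Routes that reach collectors through one upstream
    while the origin's own routes reach them through several match the
    propagation pattern described above."""
    ups = set()
    for prefix, as_path in announcements:
        if prefixes is not None and prefix not in prefixes:
            continue
        if len(as_path) >= 2 and as_path[-1] == origin_asn:
            ups.add(as_path[-2])
    return ups


# Constructed snapshot. AS64512 normally originates three prefixes, heard
# through both upstreams (AS64513 and AS64514); today it also originates
# 60 /30s carved out of the victim's 198.51.100.0/24, heard via AS64513 only.
OWN_PREFIXES = ["192.0.2.0/26", "192.0.2.64/26", "192.0.2.128/26"]
HIJACKED = [str(n) for n in
            ipaddress.ip_network("198.51.100.0/24").subnets(new_prefix=30)][:60]
SNAPSHOT = (
    [(p, [64496, 64513, 64512]) for p in OWN_PREFIXES]
    + [(p, [64497, 64514, 64512]) for p in OWN_PREFIXES]
    + [(p, [64496, 64513, 64512]) for p in HIJACKED]
    + [("198.51.100.0/24", [64497, 64501, 64500])]       # the legitimate route
)
BASELINE = {64512: 3, 64500: 1}                          # counts on a normal day

if __name__ == "__main__":
    today = origin_counts(SNAPSHOT)
    for asn, usual, now in origination_spikes(BASELINE, today):
        print(f"AS{asn}: originates {usual} prefixes normally, {now} now")
        print("  all its routes heard via:", sorted(upstreams_of(SNAPSHOT, asn)))
        print("  the new routes heard via:", sorted(upstreams_of(SNAPSHOT, asn, set(HIJACKED))))
```

The spike check needs a per-AS baseline kept over days, not a single snapshot; the upstream check is what turns "this AS announced too much" into "and it leaked through exactly one neighbour", which is the detail worth raising with that neighbour's peering team.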

Here’s an example in which traffic between two locations in Denver, Colorado actually ends up getting carried all the way to Iceland and back. The Icelandic providers have hijacked a block of address space belonging to Qwest/Centurylink in Denver. Atrato receives a false peer route to this block from Siminn Iceland, so when an Atrato customer needs to send content across town, Atrato instead carries their traffic to London. There they hand it off to Siminn, who takes it to Iceland before returning it to Montreal on the clean path to Cogent via the Greenland Cable.

Cogent gamely carries the traffic back from Montreal to Chicago, and then to New York, where they hand it to Qwest/Centurytel for delivery. Centurytel brings it back across the USA through Dallas and Kansas City, and on to the intended recipient in Denver.

August 2, 2013: Traceroute from Denver, Colorado to Denver, Colorado via Iceland
IP Delay (ms) Notes
78.152.46.241 9.872 Atrato customer (Denver, CO)
78.152.34.213 26.324 eth1-7.r2.chi1.us.atrato.net (Chicago, IL)
78.152.34.138 44.58 eth1-1.r1.ash1.us.atrato.net (Ashburn, VA)
78.152.34.118 47.464 eth1-3.edge1.nyc1.us.atrato.net (New York, NY)
78.152.44.201 48.477 eth4-3.core1.nyc1.us.atrato.net (New York, NY)
78.152.44.134 123.726 eth1-5.core1.lon1.uk.atrato.net (London, UK)
78.152.44.101 121.308 eth1-3.r1.lon1.uk.atrato.net (London, UK)
195.66.225.26 203.445 siminn-linx-gw-1.isholf.is (Reykjavik, Iceland)
172.16.100.51 162.399 RFC1918
157.157.55.50 152.745 Landssimi/Siminn (Reykjavik, Iceland)
38.104.155.57 151.857 gi3-46.mag01.ymq02.atlas.cogentco.com (Montreal, CA)
154.54.82.241 151.899 te0-4-0-0.ccr21.ymq02.atlas.cogentco.com (Montreal, CA)
66.28.4.202 150.251 be2114.ccr21.ord01.atlas.cogentco.com (Chicago, IL)
154.54.44.70 150.945 be2326.ccr21.jfk04.atlas.cogentco.com (New York, NY)
154.54.11.182 150.596 qwest.jfk04.atlas.cogentco.com (New York, NY)
67.14.2.141 158.456 dal-edge-18.inet.qwest.net (Dallas, TX)
72.165.208.158 158.441 Qwest (Dallas, TX)
206.51.69.26 172.091 bb-kscbmonr-jx9-01-xe-11-1-0.core.centurytel.net (Kansas City, MO)
206.51.69.6 173.069 bb-kscbmonr-jx9-02-ae0.core.centurytel.net (Kansas City, MO)
206.51.69.201 185.738 bb-dnvtc056-jx4-02-ae2.core.centurytel.net (Denver, CO)

Attribution

It’s important to clarify that we base these conclusions on direct observation and active measurement. Various providers’ BGP routes were hijacked, and as a result, some portion of their Internet traffic was misdirected to flow through Belarusian and Icelandic ISPs. We have BGP routing data that show the second-by-second evolution of 21 Belarusian events in February and May 2013, and 17 Icelandic events in July-August 2013.

We have active measurements that verify that during the period when BGP routes were hijacked in each case, traffic redirection was taking place through Belarusian and Icelandic routers. These facts are not in doubt; they are well-supported by the data.

What’s not known is the exact mechanism, motivation, or actors.

We first contacted the peering team at Iceland’s Síminn in July, when their traffic redirection began in earnest, highlighting some of the erroneous routes. We received no response.

We contacted them again recently while researching this story. We were told that the problems were the result of a bug in vendor software, that the problem had gone away when patched, and that they did not believe this problem had a malicious origin. Despite repeated requests for supporting details, we received no further communication.

If this is a bug, it’s a dangerous one, capable of simulating an extremely subtle traffic redirection/interception attack that plays out in multiple episodes, with varying targets, over a period of weeks. If it’s a bug that can be exploited remotely, it needs to be discussed more widely within the global networking community and eradicated.

We believe it’s unlikely that a single router vendor bug can account for the 2013 worldwide uptick in route hijacking with traffic redirection. These Belarusian and Icelandic examples represent just two of a series of MITM attack sequences that we’ve observed playing out in the last 12 months, launched from these and other countries around the world.

Implications

In practical terms, this means that Man-In-the-Middle BGP route hijacking has now moved from a theoretical concern to something that happens fairly regularly, and the potential for traffic interception is very real. Everyone on the Internet — certainly the largest global carriers, certainly any bank or credit card processing company or government agency — should now be monitoring the global routing of their advertised IP prefixes.

This kind of attack should not happen. You cannot carry out this kind of hijacking without leaving permanent, visible footprints in global routing that point right back to the point of interception. We believe that people are still attempting this because they believe (correctly, in most cases) that nobody is looking.

Renesys believes that increased transparency is the best answer, exactly the kind of collective security solution that the Internet is good at delivering. For our part, we’ve taken this seriously enough that we’ve spent the last year building a new system that can address the challenge of identifying bad traffic paths for the whole Internet, everywhere on Earth, simultaneously.

Until the day when all routes are signed and secured (and that day may never fully arrive), the best way to prevent manipulation of trust-based routing will be to help people expose violations of trust, and recognize those who implement best practices. We’ll have more to say on this subject in coming months.

Additional example paths: [three further path diagrams, paths 3 to 5, images not reproduced]

229 Responses to The New Threat: Targeted Internet Traffic Misdirection

  1. Kotikalapudi Sriram says:

    It wasn’t clear from the report, if this was a case of the Pilosov-Kapela attack, or 
    were there similarities to what happened in the case of the China Telecom (ASN 23724) incident
    (“China’s 18-Minute Mystery”,
    18 Nov, 2010, By Jim Cowie).
    Sriram

  2. bortzmeyer1 says:

    So, the hijackers did not use the Kapela & PIlosov tricks to evade detection (changing the TTL to make traceroute look OK)?

  3. renesys says:

    bortzmeyer1 Good question. The hijacks were different from the one presented in that presentation. It is impossible for us to be certain that TTLs weren’t modified, but they weren’t changed enough to hide their tracks. For everyone else, probably the best known and cited talk about the possibility of using BGP hijacking to eavesdrop on Internet traffic is Tony Kapela and Alex Pilosov’s “Stealing The Internet” from Defcon 16 back in 2008.

  4. renesys says:

    Kotikalapudi Sriram The China Telecom incident was a routing leak of over 50,000 prefixes. These are much more targeted events.

  5. TimCreswick says:

    You mention that “About 1,500 individual IP blocks have been hijacked” – are you able to share this list of prefixes and dates that the hijackings were observed?

  6. Kotikalapudi Sriram says:

    renesys Kotikalapudi Sriram I understood the difference in that sense, but could someone use the same trick (deliberately/maliciously) as in the China Telecom incident? Attacker announces the targeted prefixes (or subprefixes) from one router in its AS, attracts the traffic, and then routes the traffic via another router (in the same AS) back towards the legitimate destination? Could you say if that form of targeted misdirection is ruled out in the 2013 incidents you observed?

  7. heiscrazy says:

    for the “Belarusian Traffic Diversion” case, “The reverse path, carrying content back to him from all over the world, has been invisibly tampered with.”
    if someone does a traceroute at the starting point, won’t the path be shown?

  8. Pf says:

    did you also observe corresponding injection of bogus route objects in IRR, followed by deletion?

  9. […] Traffic interception has certainly been a hot topic in 2013. The world has been focused on interception carried out the old fashioned way, by getting into the right buildings and listening to the right cables.  […]

  10. mdavids says:

    Are DDoS-mitigation techniques based on BGP (re)routing taken into account to avoid possible false positives?
    (Or did you perhaps witness them as such, and can you provide some statistical information about them, such as the number of occurrences and whether that has increased over time?)

  11. robachevsky says:

    Can similar effect be achieved with “route leaks”, without exposing a
    prefix hijack? Jared Mauch is tracking the leaks
    (http://puck.nether.net/bgp/leakinfo.cg) and I wonder how many of those
    are deliberate attacks.

  12. […] Cowie discusses a different form of attack, in which internet traffic is redirected to get access to sensitive information. Fascinating for […]

  13. […] from the company Renesys point out that recently redirection via BGP is increasingly […]

  14. dfgfdgdfgdf says:

    VPN connection would solve this issue partially for end users.
     Even if they re-route the data before letting it to its final destination, there’s nothing they can pick up from it.

  15. […] from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been […]

  28. bo67192 says:

    renesys bortzmeyer1  This is a very interesting post! Until I read the comments I assumed this was an instance of the Kapela/Pilosov MitM attack. Would you guys be willing to provide a technical explanation of how you think these attacks are occurring if it’s not similar to that method?

  29. renesys says:

    mdavids That’s a great question. BGP-based DDoS-mitigation services (Prolexic, Radware, etc.) essentially perform BGP man-in-the-middle in order to attract DDoS traffic, clean the traffic and pass the cleansed traffic on to the proper destination. We also see these mechanisms activating each day and are able to filter them out.

  30. renesys says:

    @dfgfdgdfgdf Good point. The end points of the session are still visible to the attacker.

  31. renesys says:

    robachevsky I would guess that none of them are malicious. First, the type of leaks listed in Jared’s tool are of a form that is a very common misconfiguration – leaking routes from one provider to another. Also, the resulting AS path will be typically twice the length of a normal path and thus very rarely selected. There are better ways of hijacking routes without trying to route traffic through 3 Tier1s. :-)

  32. renesys says:

    @heiscrazy In the Belarusian example, if the computer in Washington DC performed a traceroute back to the computer in Mexico during the attack, the hops to Belarus would not be visible to it, because the destination IP in Mexico was not the one hijacked.

  33. […] The New Threat: Targeted Internet Traffic Misdirection – It’s possible to misdirect Internet traffic to be grabbed by an unauthorized third party, but […]

  37. kory says:

    renesys  the Mexico site would have to run a traceroute as well.
     If the connection required some form of client connection like vpn, then I could see where developers might want to build a step in the connection process where each end of the connection verifies that its traceroute matches the other.  This could be a useful protection measure to guard the privacy of the key exchange against this kind of attack.

  38. […] troubling disclosure came yesterday from the research company Renesys. The firm specializes in tracking the operational health of global Internet infrastructure. When […]

  40. penguin42 says:

    ‘You cannot carry out this kind of hijacking without leaving permanent,
    visible footprints in global routing that point right back to the point
    of interception.’
    Hmm – it’s difficult to tell where the point of interception actually is; for example, both routes ended up with the data going across the Atlantic via the UK; who is to say whether the intercept was at the destination of the erroneous route or any of the hops in between.

  43. […] Internet intelligence company Renesys has detected close to 1,500 IP address blocks that have been hijacked on more than 60 days this year, a disturbing trend that indicates attackers could finally have an increased interest in weaknesses inherent in core Internet infrastructure. […]

  45. bortzmeyer1 says:

    @dfgfdgdfgdf You mean encrypted VPN? (Otherwise, it’s useless.)

  46. DomDeVitto says:

    It’s a good job that the security of HTTPS websites is impossible to break….. ….NOT  :-(
    http://convergence.io/
    Dom De Vitto

  47. whowho says:

    when the redirection route is announced is the original, legitimate, announcement squashed or tampered with somehow?

  49. […] Tuesday the company Renesys published a report describing similar incidents that took place in 2013. Renesys, thanks to its global network […]

  50. […] The New Threat: Targeted Internet Traffic Misdirection, http://www.renesys.com […]

  55. renesys says:

    @whowho The legitimate announcement is also in circulation. The MITM isn’t possible without at least some of the Internet believing the legitimate route in order to ultimately deliver the traffic on to the correct destination. If every provider believes the bogus route, then the traffic is just getting black-holed and the victim may notice that.

  61. DomDeVitto says:

    No, it’s pretty obvious if you have multiple BGP sessions at diverse points globally.
    It’s pretty certain that there will only be one common ‘evil’ AS.
    Even if there are more (say evil.net’s direct peers) the giveaway seems to be their failure to announce to all their peers.
    Simples.

  63. […] Researchers at Internet traffic monitoring company Renesys report that since February of this year they have observed 38 events in which traffic was misdirected to routers of Belarusian or Icelandic ISPs. The attacks exploited the absolute trust placed in the Border Gateway Protocol (BGP) and affected the traffic of large financial institutions, governments and ISP networks in the US, South Korea, Germany, the Czech Republic, Lithuania, Libya and Iran. […]

  64. […] But it is possible for attackers to manipulate servers in the transport chain and divert the data stream passing through them. The Renesys analysts noticed such events more frequently this year. After ruling out some possible causes of local fluctuations in the data stream, such as cable breaks or natural disasters, they analysed the targeted diversion of many data streams. In 2013 Renesys recorded such events on 60 days. Their duration ranged from a few minutes to several days. […]

  65. […] the Renesys company, which monitors the Internet’s operation, has published a detailed write-up about a new phenomenon. The company says that for years it has been known that a new kind of attack technique […]

  66. MITM says:

    […] The New Threat: Targeted Internet Traffic Misdirection – Renesys […]

  68. curiousTOKnow says:

    can they use rigged routers to copy all traffic and use that information for purpose of “good” well earned “money”, if they can route some traffic, would that allow them to route designated traffic, aka, banks transfers, big organizations, army traffic, stock…. to benefit from that, even to decode all info would take time, but still, that would change quite a lot of things in the net world….

  70. […] on monitoring the operation of the global network, recorded successful attempts to carry out an attack aimed at […]

  72. […] said it had uncovered the mass hijackings as part of its day-to-day monitoring of global net […]

  78. renesys says:

    Kotikalapudi Sriram renesys Targeted misdirection isn’t ruled out in the 2013 incidents. It is precisely what we believe is occurring.

  79. […] Cowie from the network company Renesys writes in a blog post that the company has observed at least 1,500 IP blocks that have been redirected via hacked […]

  80. iceland says:

    Siminn maintains today in Icelandic news media that this was a bug and that there was no indication that this was a deliberate hijack

  83. […] Research released this week has revealed two more cases in which misconfigurations re-routed traffic far from their intended destination. For example, in one of the attacks, traffic traveling from Mexico to the United States took a circuitous and illogical route to Belarus. […]

  84. […] is reporting that Internet traffic is being manipulatively rerouted, presumably for eavesdropping purposes. The […]

  87. […] The New Threat: Targeted Internet Traffic Misdirection, http://www.renesys.com […]

  89. […] report from Renesys presents more evidence from the subsequent attack that routed traffic over Iceland. […]

  91. LizR says:

    Start using secure encryption that no one can break, not even the NSA

  92. […] world through networks in Belarus and Iceland. The troubling disclosure came yesterday from the research company Renesys. The firm specializes in tracking the operational health of global Internet infrastructure. When […]

  93. […] might have seen a recent analysis by Renesys of some sophisticated prefix hijacking increasingly happening in the Internet. I think many of us […]

  96. […] attack happens? Apparently cyber attacks are quite common — according to Techdirt. According to recent reports NSA has inserted a virtual vacuum between two points — diverted the data and copied it and […]

  99. […] a report released by security firm Renesys this Thursday, it has been discovered that nearly 80% of all […]

  102. […] Renesys found plenty of evidence that targeted interception of Internet traffic is being carried out […]

  103. JohnShinaberry says:

    I wouldn’t say you can’t carry out this type of hijack without leaving prints. By running across distributed nodes, even a relatively small botnet, you could make yourself much more difficult to pinpoint. At least, with any degree of certainty. The same principle that the onion router operates on, tweaked to a specific application, could keep you in play for long enough to achieve even a fairly complex objective.

  104. […] to be inspected or modified before getting passed on to its intended recipients, are on the rise according to a blog posted by Internet monitoring company Renesys. The company reported numerous cases in 2013 where traffic was routed through ISPs in Belarus or […]

  105. […] is an interesting article about Internet traffic manipulation…well at least to someone like me who works in the […]

  106. […] Renesys has reported that for more than 60 days in 2013, its clients were victims of internet traffic hijacking caused by Man-In-the Middle (MITM) attacks. The attacker rerouted the inbound traffic of the victim to own servers and after inspecting (or even modifying) it re-sends it to the intended addressee. In such a case the victim may only notice increased latency if the packets have to travel longer distance to the attackers server and back. Renesys claims that they observed governments, VoIP providers and financial institutions being targeted by this type of attack during the last year. Renesys mentions two examples when Belorussian and Icelandic ISPs propagated false Border Gateway Protocol (BGP) routes redirecting a lot of traffic though themselves. The involved Icelandic ISP however claims that the rerouting was a consequence of mistake of a software vendor. Renesys believes that BGP rerouting as a result of software error is not probable and the observed events may have been intended attacks. […]

  107. […] The company Renesys reported that on more than 60 days in 2013 some of its clients were victims of Internet traffic redirection. In such an attack, the attacker advertises an IP address range as its own, which lets it capture incoming packets destined for the victim. The attacker can then monitor or even alter that communication. Without performing an analysis, the victim can notice such an attack only when the attacker's servers are geographically distant, which significantly increases connection latency. […]
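The victim-side symptom the two excerpts above describe (items 106 and 107) is that a detour shows up as extra latency and extra hops. The following is an added Python example, not code from Renesys or the original post: it compares a recent window of probes against a baseline of round-trip time, hop count and the transit ASes seen on the path, and returns the reasons the path looks different. Every probe sample, ASN and threshold is constructed for illustration.

```python
"""Victim-side path-change check: compare recent probes to a baseline of RTT,
hop count and the ASes traversed. Added example, not code from Renesys or the
original post; every probe sample and ASN below is constructed."""
import statistics

# Constructed baseline: 20 probes to a hypothetical destination, ~32 ms, 9-10 hops,
# traversing our usual transit networks AS64496 and AS64510.
HISTORY = [
    {"rtt_ms": 30 + (i % 5), "hops": 9 + (i % 2), "path_as": (64496, 64510)}
    for i in range(20)
]
# Constructed recent window: the same destination now answers after ~182 ms,
# over 16 hops, with a never-before-seen AS in the middle of the path.
RECENT = [
    {"rtt_ms": 180 + i, "hops": 16, "path_as": (64496, 64666, 64510)}
    for i in range(5)
]


def rtt_baseline(samples):
    """Median RTT and its median absolute deviation (robust to a few outliers)."""
    rtts = [s["rtt_ms"] for s in samples]
    med = statistics.median(rtts)
    mad = statistics.median(abs(r - med) for r in rtts) or 1.0
    return med, mad


def path_change_reasons(history, recent, rtt_k=6.0, extra_hops=3):
    """Return the reasons the recent window looks like a different path.

    An empty list means nothing stands out. The thresholds are assumptions:
    median RTT more than rtt_k MADs above baseline, hop count up by at least
    extra_hops, or any transit AS that never appeared in the baseline paths."""
    med, mad = rtt_baseline(history)
    base_hops = statistics.median(s["hops"] for s in history)
    base_ases = {asn for s in history for asn in s["path_as"]}
    rec_rtt = statistics.median(s["rtt_ms"] for s in recent)
    rec_hops = statistics.median(s["hops"] for s in recent)
    rec_ases = {asn for s in recent for asn in s["path_as"]}

    reasons = []
    if rec_rtt > med + rtt_k * mad:
        reasons.append(f"median RTT {rec_rtt:.0f} ms vs baseline {med:.0f} ms (MAD {mad:.0f})")
    if rec_hops >= base_hops + extra_hops:
        reasons.append(f"hop count {rec_hops:.0f} vs baseline {base_hops:.1f}")
    new_ases = sorted(rec_ases - base_ases)
    if new_ases:
        reasons.append("new transit AS on path: " + ", ".join(f"AS{a}" for a in new_ases))
    return reasons


if __name__ == "__main__":
    for reason in path_change_reasons(HISTORY, RECENT):
        print("ALERT:", reason)
```

The three checks are deliberately independent: a detour that adds little latency can still be caught by the hop count or by an AS that has never carried this traffic before, and a congested but unchanged path trips only the RTT check.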

  108. […] intelligence firm Renesys warns that victims including financial institutions, VoIP providers, and governments have been targeted […]

  109. […] investigate concern Renesys has sounded the alarm over what it believes to be a massive robbery and redirection of cyberspace traffic. What’s […]

  110. […] research firm Renesys has sounded the alarm over what it believes to be a massive hijacking and redirection of Internet traffic. What’s […]

  112. […] Renesys warns of BGP-based Internet Man-in-the-Middle (MitM) attacks – Renesys […]

  113. […] “It’s possible to drag specific Internet traffic halfway around the world, inspect it, modify it if desired, and send it on its way,” Renesys technology head Jim Cowie wrote in a blog post. […]

  114. Graham Blake says:

    @renesys I am having a hard time seeing how this differs significantly from a route leak. For some traffic to take the overseas route, while the original route still exists within the global routing table for eventual delivery by the so-called “clean” path, by definition the “attacker” is relying on some networks taking a suboptimal path, because the “clean” path should still look preferable to much of the Internet. On its face, this sounds like a route leak, but possibly one where the AS path has been rewritten by the source of the leak. That sounds like the functionality that is being described here. An overseas ISP has two paths to the Internet; over Path A it advertises the target IP block, over Path B it delivers traffic to the target IP block. Classic leak. The only difference is that the leaking ISP is possibly advertising the target IP block with its own ASN as the source (so it doesn’t jump out as an obvious leak that shows up in Jared’s leak detection system). This can easily be a result of a misconfiguration, or even just a bored network administrator fooling around. I buy that this could be leveraged for a MitM attack, but not reliably. An attacker will have a very hard time predicting which segments of the Internet will select the bogus version of the route, and which segments will deliver it to the correct end points, plus it will be very difficult to ensure that the multiple paths you have available to yourself will provide you with both a “clean” path as well as one to carry the bogus path. In many multi-homed configurations, your upstream peers are often peers of each other, and that’s probably more likely to create a loop than an asymmetrical routing opportunity that can be exploited. I would really appreciate seeing the BGP routing table logs of these AS paths from some different views around the Internet from the time these bogus routes were propagated.
Are there any specific ways in which this differs from a leaked route with a rewritten AS path that I am missing here?

  118. […] New Threat: Targeted Internet Traffic Misdirection [renesys] […]

  119. […] research firm Renesys has authored an interesting blog post noting how they’re seeing a significant uptick in the number of large-scale man in the middle […]

  120. […] The New Threat: Targeted Internet Traffic Misdirection Ars Technica […]

  121. […] warned that this means the risk of it continuing to happen has increased. The original text on the matter can be seen here […]

  122. mattflaschen says:

    TLS defends against this, right?  You would still have the excessively long path and bad performance, but would confidentiality and integrity be preserved?

  127. […] announced that they have detected man-in-the-middle BGP route hijacking in the wild. The piece is definitely worth a […]

  128. […] This is really a disturbing news. Renesys has announced that this year there have been many cases of traffic redirection via BGP which look suspicious at the least. […]

  129. […] The Internet monitors have observed such attacks taking place on more than 60 days this year, according to its recently released report. […]

  130. […] Internet route hijacking: Renesys published a blog post about ‘Targeted Internet Traffic Misdirection’. […]

  131. […] the place through which they redirected traffic from Belarus to Iceland in May. (All Things D)(Renesys) […]

  132. Chris says:

    Asking myself…
     How can the attackers be sure that – e.g. NTT in the 1st case – keeps a clean path back to the destination and does not learn the bogus route to Minsk? Or that the packet doesn't traverse an “infected” routing network, causing a loop…

  133. […] Renesys: Internet hijacking […]

  134. DomDeVitto says:

    No. TLS relies on a trust model that has been proven time and time again to be broken.
    TLS / HTTPS is no protection at all here.

  135. DomDeVitto says:

    If ping returns TTL expired, withdraw the route and choose other peers to announce/not-announce the route to.
    Easy…. :-(

  136. […] In practical terms, this means that Man-In-the-Middle BGP route hijacking has now moved from a theoretical concern to something that happens fairly regularly, and the potential for traffic interception is very real. Everyone on the Internet — certainly the largest global carriers, certainly any bank or credit card processing company or government agency — should now be monitoring the global routing of their advertised IP prefixes. This kind of attack should not happen. You cannot carry out this kind of hijacking without leaving permanent, visible footprints in global routing that point right back to the point of interception. We believe that people are still attempting this because they believe (correctly, in most cases) that nobody is looking. Renesys believes that increased transparency is the best answer, exactly the kind of collective security solution that the Internet is good at delivering. For our part, we’ve taken this seriously enough that we’ve spent the last year building a new system that can address the challenge of identifying bad traffic paths for the whole Internet, everywhere on Earth, simultaneously. Until the day when all routes are signed and secured (and that day may never fully arrive), the best way to prevent manipulation of trust-based routing will be to help people expose violations of trust, and recognize those who implement best practices. We’ll have more to say on this subject in coming months.   Source: Renesys […]
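The conclusion quoted in item 136 says every operator should be monitoring the global routing of its own prefixes, and Graham Blake's comment (item 114) asks how a hijack with a rewritten AS path differs from a route leak. The following is an added Python example, not code from Renesys or the original post, of the check that monitoring boils down to: for each vantage point, compare the prefix, origin AS and upstream AS seen there against the operator's own routing policy, and then look at how many vantage points see a clean route versus a suspicious one. The `RouteObservation` records, `EXPECTED` policy, collector names, ASNs (private range) and prefixes (documentation ranges) are all constructed.

```python
"""Prefix-origin and AS-path checks over BGP route-collector observations.
Added example, not code from Renesys or the original post; every ASN, prefix
and observation below is constructed (documentation prefixes, private ASNs)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RouteObservation:
    collector: str            # hypothetical vantage point that saw the route
    prefix: str               # prefix exactly as announced to that collector
    as_path: Tuple[int, ...]  # leftmost = collector's neighbour, rightmost = origin


# Routing policy for the prefixes we operate: who may originate them and which
# upstreams we actually announce them to (constructed values).
EXPECTED = {
    "203.0.113.0/24": {"origin": 64500, "upstreams": {64496, 64497}},
}


def classify(obs: RouteObservation, expected=EXPECTED) -> List[Tuple[str, str]]:
    """Return (severity, reason) findings for one observation; [] means clean."""
    findings = []
    seen = ipaddress.ip_network(obs.prefix)
    origin = obs.as_path[-1]
    for pfx, rule in expected.items():
        ours = ipaddress.ip_network(pfx)
        if seen == ours:
            if origin != rule["origin"]:
                # Our exact prefix with a foreign origin. A leak whose AS path was
                # rewritten at the leaking network looks identical from here, which
                # is why it must be investigated rather than explained away.
                findings.append(("high", f"{obs.prefix} originated by AS{origin}, expected AS{rule['origin']}"))
            elif len(obs.as_path) >= 2 and obs.as_path[-2] not in rule["upstreams"]:
                # Origin is correct but the AS next to it is not one of our transits:
                # the announcement reached this collector through a path we never fed.
                findings.append(("medium", f"{obs.prefix} reached via unexpected upstream AS{obs.as_path[-2]}"))
        elif seen.subnet_of(ours) and seen.prefixlen > ours.prefixlen:
            # A more-specific wins longest-prefix match wherever it propagates.
            findings.append(("high", f"more-specific {obs.prefix} of {pfx} originated by AS{origin}"))
    return findings


def summarize(observations, expected=EXPECTED) -> Dict[str, List[str]]:
    """Split vantage points into those that still see a clean route and those
    that see a suspicious one. A MITM hijack depends on part of the Internet
    keeping the clean path back to the victim, so a mixed picture across
    collectors is the signature to look for, not a reason to dismiss it."""
    ours = [ipaddress.ip_network(p) for p in expected]
    clean, suspicious = set(), set()
    for obs in observations:
        seen = ipaddress.ip_network(obs.prefix)
        if not any(seen.overlaps(o) for o in ours):
            continue  # somebody else's prefix, out of scope
        (suspicious if classify(obs, expected) else clean).add(obs.collector)
    return {"clean": sorted(clean), "suspicious": sorted(suspicious)}


# Constructed observations, one per hypothetical collector.
SAMPLE = [
    RouteObservation("collector-a", "203.0.113.0/24", (64510, 64496, 64500)),   # clean
    RouteObservation("collector-b", "203.0.113.0/24", (64511, 64512, 64500)),   # unexpected upstream
    RouteObservation("collector-c", "203.0.113.0/24", (64513, 64666)),          # foreign origin
    RouteObservation("collector-d", "203.0.113.128/25", (64514, 64666)),        # more-specific
    RouteObservation("collector-e", "198.51.100.0/24", (64515, 64520)),         # not ours
]

if __name__ == "__main__":
    for obs in SAMPLE:
        for severity, reason in classify(obs):
            print(f"[{severity}] {obs.collector}: {reason}")
    print(summarize(SAMPLE))
```

Nothing in the observation itself tells a rewritten-path leak apart from a deliberate hijack; what the per-collector summary adds is the partial-propagation pattern (some views clean, some not) that the post identifies as the footprint of a man-in-the-middle redirection, and it is that pattern, together with the timeline of when it appeared and withdrew, that an operator would take to the networks on the bogus path.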

  137. […] details in the hope that we can make this particular vulnerability obsolete. (…).» Source : http://www.renesys.com/2013/11/mitm-internet-hijacking/ Related posts: 20/11/2013. Internet Traffic Following Malicious Detours Via Route Injection […]

  138. […] The New Threat: Targeted Internet Traffic Misdirection – did you know that internet traffic to any site can be made to go through a particular server without anybody noticing? This has been observed repeatedly in the wild, for banks and other sites. Rather make sure you use strong encryption (NSA-approved, of course ). […]

  140. […] via The New Threat: Targeted Internet Traffic Misdirection – Renesys. […]

  141. […] Someone’s been MiTMing the internets… Bruce Schnier thinks Ars Technica had an okay write up about it… And more reporting on Renesys’s original research on it. (and a little more) […]

  143. […] Simply put, the traffic keeps flowing and everything looks fine to the recipient,…” Renesys wrote in a blog post about the hijacks. “It’s possible to drag specific internet traffic halfway around the world, inspect it, modify […]

  148. […] incidents described in a report released by Renesys last month, the firm claims that web data from major financial institutions, […]

  156. […] with the set of victim networks changing daily,” Renesys chief technology officer Jim Cowie wrote in a post about some of the hijacking activity last month. “Victims whose traffic was […]

  181. […] to prove that it is now being exploited actively… and worryingly so. In a blog post from November, Renesys, a company specializing in network analysis, showed for the […]

  182. […] it is not only the NSA that is keeping an eye on the worldwide network. Analysts at the monitoring and security company Renesys found a rare and dangerous case on the Internet: an almost imperceptible data hijacking that […]

  187. […] on trust, is being actively abused to carry out man-in-the-middle attacks. Renesys: The New Threat: Targeted Internet Traffic Misdirection A prediction from 2008: Revealed: The Internet’s Biggest Security Hole (Defcon / […]

  190. […] “For years, we’ve observed that there was potential for someone to weaponize the classic Pakistan-and-Youtube style route hijack. Why settle for simple denial of service, when you can instead steal a victim’s traffic, take a few milliseconds to inspect or modify it, and then pass it along to the intended recipient?   This year, that potential has become reality. We have actually observed live Man-In-the-Middle (MITM) hijacks on more than 60 days so far this year. About 1,500 individual IP blocks have been hijacked, in events lasting from minutes to days, by attackers working from various countries.” http://www.renesys.com/2013/11/mitm-internet-hijacking/ […]

  191. […] this exploit particularly disturbing is that no one may ever even know that it occurred. In a blog post by Renesys cited by Zetter, the firm warns: “What makes a man-in-the-middle routing attack different […]

  192. […] provider of specialist Internet monitoring systems, Renesys, has published research which claims to show that large chunks of Internet traffic was diverted several times during the […]

  193. […] to Renesys, a company specializing in network analysis, that we owe this study, in which two attacks dated February and May 2013 respectively are observed. It […]

  194. […] attacks. And with good reason. The average user shouldn’t need to know how easy it is to redirect traffic with BGP, how DNS cache poisoning works, nor how cross-site scripting attacks can be used […]

  195. […] a Huge Security Hole in the Internet“, or the corresponding post on the Renesys blog, “The New Threat: Targeted Internet Traffic Misdirection“.   The key point is that attackers are abusing BGP to hijack the routing of traffic off to […]

  197. […] from network intelligence firm Renesys observed 38 distinct events in which huge blocks of traffic have been improperly redirected to routers at […]

  198. […] Written by Hermes Since you know, explain. I would start here: The New Threat: Targeted Internet Traffic Misdirection – Renesys Reply […]

  199. […] Admin: BGP Hacking Millions of Android users ‘deceived’ by flashlight app that shares location with […]

  201. […] But the 2008 research showed that BGP hijackers could actually limit the distribution of their fake routing announcements to be received by only a few routers and could then use the unaffected routers to send the intercepted traffic on to its rightful destination. This was the tactic that was used last year to intercept traffic sent to U.S. government agencies and corporations and redirect it through Belarus and Iceland, according to work done by network monitoring company Renesys. […]

  204. Phil2AK48Germany says:

    Hi, I'm pretty sure this is happening to me. My traceroute searches are like path 5 but it's not always Frankfurt, sometimes it's Nuremberg. Sometimes there's an accompanying “virus” but no AV recognizes it. If you fight it, it gets worse. I have an odd file appear in Windows Program Files called “catroot” and it will just get there as soon as I use either an old USB drive/stick or connect to the internet. Any, and I mean ANY, AV software suite or standalone firewall gets a handful of exceptions added to allow FTP/VNC remote viewing via Windows' built-in program, and similar programs. If I say “who cares”, no problem. If I start trying to stop it, close the ports, delete the exceptions or remove the dodgy files, all hell breaks loose: 20 windows open, “device manager” admins are made, I'm suddenly a server with 20 users; it's ugly. All I can do is wipe the drive, reboot and pretend it's not there :S Note the file isn't always there; I still go through Frankfurt and often end in Washington or Virginia, sometimes connect to Comcast before packets return. ISP? Telekom. Telekom = Comcast. I'm unsure whether the virus and routing are 100% connected, but weirdly Avast, Norton Security, Kaspersky Pure 3.0 and ESET all fail to find any bad programs. Spybot Search and Destroy finds something it can't handle; I can't really get them all deleted. If I use their proxy and scan all users even offline (under advanced), watch out: Mozilla and IE add proxies directly. Telekom says they can't help, they don't know what the cause is. I think it's data collection, maybe the NSA. Why Washington? Why Comcast and Telekom servers? Best solution for me: directly block certain ports at the router, forget Android, use two-step authentication but not codes to Android, use a “dumb phone”, leave out a reset email address. Spybot S&D proxy, advanced, all-users scan, shred the files, use a non-admin account, use iOS; Windows sucks. Why would I ask a friend? That's their favorite point of entry.
