BGP “Poor Man’s NSA” Attacks On The Rise (and JYA/NSA)

I’ve been covering the danger of BGP attacks here quite a bit. And it looks like attackers have taken notice of this little trick…

According to the ‘net watchers at Renesys, BGP attacks were on the rise throughout this year. Attackers have used them to re-route traffic from financial services companies, network providers, and government agencies… sending the traffic through Iceland and Belarus.

(Is it the NSA? Another government? Internet crooks? Hacktivists? A “hacker intelligence agency”? The world may never know.)

Notably, the attackers here were quite clever. They redirected only small portions of traffic in order to avoid detection… targeting just a small sliver of the Internet, instead of having to handle all traffic bound for that destination.

I covered the theoretical underpinnings of doing just that a long time ago… this was demonstrated at DEFCON in 2008!

JYA/NSA: JYA has been a big proponent of the following sentiment. I partially agree — I would like to see more technical details, and I think it’s important that people get a taste of the full extent of what’s possible: not just the realization that major actors really do use the academic attacks people pooh-pooh as “nobody would ever bother”… but what lies beyond those.

Yet I also partially disagree. It’s fairly clear that anything Snowden could have accessed is not going to tell anyone about the full depth of the NSA’s capability. Relying on that data to design defenses is just going to produce inadequate defenses.

Instead, security designers need to be thinking about defending against the unknown, thinking about what COULD be possible, based on the mindset and “style” of the NSA and intelligence agencies in general. The technical details will leak sooner or later, but you can never trust them to be complete or accurate. Building in a dependency on leaked technical data for effective security is a recipe for disaster… just like depending on FOIA’ed documents for building your own SCIF or whatever.

(Depending on information from the other side is, I suspect, one of the things that brought down the Soviet Union. You can never win if everything you do is a reaction to the opposition.)

“It is really impossible to defend our privacy without knowing more of the operational attack details — this drip, drip, drip of policy documents, often with gratuitous self-censoring by the journalists themselves, is not helping the public secure their phones or computers.”

“Unknown attackers have successfully hijacked and redirected Internet traffic belonging to financial services companies, VoIP providers and governments many times over the past year.

Internet monitoring firm Renesys says it’s observed such hijacked traffic during at least 60 days in 2013.

A total of about 1,500 individual IP blocks from 150 cities around the world have been intercepted, inspected and possibly compromised in incidents lasting from a few minutes to several days, the company said today.

Throughout February, for instance, online traffic at numerous financial services companies, network service providers and government agencies in the U.S., South Korea, Germany, the Czech Republic, Iran and other countries was redirected to an Internet Service Provider in Belarus.

Similarly, in May and again in July, Internet traffic from a large U.S. provider of managed network services was hijacked and routed through IP addresses owned by an Icelandic ISP.

In these and other cases, the intercepts were enabled through so-called “Man-in-the-Middle” attacks, when traffic flowing between two points is briefly rerouted to another location and then released back to its original path. Such redirections allow attackers to surreptitiously inspect and modify traffic.

If the hijacked traffic is rerouted to a point close to the original destination, the entire caper can be carried out with no noticeable lag in traffic time.

The attacks show in practical terms that Border Gateway Protocol (BGP) hijacking is not theoretical, it poses real problems, said Doug Madory, an analyst at Renesys.

BGP routers, which direct traffic between autonomous systems on the Internet, can be accessed by hackers to spoof the IP address of another entity to misdirect traffic there, Madory said. It’s difficult to determine that the activity is criminal because such misdirection often occurs due to human error — such as transposing the digits in an Internet address space. In most cases, such inadvertent misdirection is quickly caught and remedied.

Madory said it’s likely the misdirection to the Iceland and Belarus ISPs found by Renesys earlier this year was deliberate. It is likely that people with access to BGP routers at these ISPs created the spurious routes unbeknownst to the ISPs or the victims, he added.

The attackers appear to have found a way to redirect only small portions of traffic bound for a specific destination to avoid being detected, Madory said.

“What’s novel here is making just a small percent of the Internet believe the bogus route so they have a way to get traffic to that destination,” without notice, Madory said. “If you announced the address space of somebody else and everyone else believed it, then all traffic (for the destination) will be routed to you.””
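The defensive takeaway from both the post’s own point about attackers redirecting “just a small sliver of the Internet” and Madory’s remark about making only a small percentage of the Internet believe a bogus route is that a single vantage point will usually not see the hijack at all. The following is an added example, not code from this post or from Renesys, of the kind of origin-hijack check an operator can run over route observations gathered from several route-collector peers. All prefixes, ASNs, vantage-point names and the `OBSERVATIONS` feed are constructed for illustration; a real deployment would feed it from BGP MRT dumps or a route-monitoring service. It goes slightly beyond the page in also flagging a path whose origin AS is correct but whose neighbouring AS is not a known upstream, which is how a prepended-path hijack of the kind demonstrated at DEFCON 2008 shows up.

```python
"""Added example: minimal BGP hijack detector over constructed route-collector
observations. Not part of the original post; all values are constructed."""
from collections import defaultdict
from ipaddress import ip_network

# Prefixes the operator is responsible for and the origin AS that should announce them.
# (Constructed: documentation prefixes and private-use ASNs.)
EXPECTED_ORIGINS = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64500,
}

# ASNs that legitimately sit directly next to the origin AS (its transit providers).
KNOWN_UPSTREAMS = {64510, 64530}

# Constructed observations from several route-collector peers ("vantage points").
# Each tuple: (vantage_point, announced_prefix, AS path with the origin AS last).
OBSERVATIONS = [
    ("vp-A", "192.0.2.0/24", [64510, 64500]),
    ("vp-B", "192.0.2.0/24", [64520, 64510, 64500]),
    ("vp-C", "192.0.2.0/24", [64530, 64500]),
    # Only one of four vantage points sees a more-specific announced by a foreign AS:
    # the low-visibility pattern the post describes.
    ("vp-D", "192.0.2.0/25", [64540, 64666]),
    # Correct origin AS, but the AS next to it is not a known upstream.
    ("vp-B", "198.51.100.0/24", [64520, 64666, 64500]),
    ("vp-A", "198.51.100.0/24", [64510, 64500]),
]


def covering_prefix(prefix, monitored=EXPECTED_ORIGINS):
    """Return the monitored prefix that contains `prefix` (or equals it), else None."""
    net = ip_network(prefix)
    for mon in monitored:
        mon_net = ip_network(mon)
        if net.version == mon_net.version and net.subnet_of(mon_net):
            return mon
    return None


def analyse(observations, expected=EXPECTED_ORIGINS, upstreams=KNOWN_UPSTREAMS):
    """Group observations by (prefix, AS path) and flag anomalies.

    Each alert records how many vantage points saw the route ("visibility"),
    because a partial hijack is precisely one with low visibility."""
    by_route = defaultdict(set)  # (prefix, path) -> vantage points that saw it
    all_vps = set()
    for vp, prefix, path in observations:
        all_vps.add(vp)
        if path:
            by_route[(prefix, tuple(path))].add(vp)

    alerts = []
    for (prefix, path), vps in by_route.items():
        mon = covering_prefix(prefix, expected)
        if mon is None:
            continue  # not a prefix we are responsible for
        origin = path[-1]
        kind = None
        if origin != expected[mon]:
            kind = "more-specific-hijack" if prefix != mon else "origin-hijack"
        elif len(path) >= 2 and path[-2] not in upstreams:
            kind = "unexpected-upstream"
        if kind:
            alerts.append({
                "kind": kind,
                "prefix": prefix,
                "as_path": list(path),
                "vantage_points": sorted(vps),
                "visibility": len(vps) / len(all_vps),
            })
    return sorted(alerts, key=lambda a: a["prefix"])


if __name__ == "__main__":
    for alert in analyse(OBSERVATIONS):
        print(f'{alert["kind"]:22} {alert["prefix"]:18} path={alert["as_path"]} '
              f'seen by {alert["vantage_points"]} (visibility {alert["visibility"]:.0%})')
```

The point of the `visibility` field is that in the constructed feed each bogus route is seen by only one of four collector peers; an operator watching a single upstream’s view would see nothing wrong, which is why route monitoring needs as many vantage points as practical and why alerts at low visibility still deserve a look rather than being dismissed as noise.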
