Attackers are accessing routers running on the border gateway protocol (BGP) and injecting additional hops that redirect large blocks of Internet traffic to locations where it can be monitored and even manipulated before being sent to its intended destination.
Internet intelligence company Renesys has detected close to 1,500 IP address blocks that have been hijacked on more than 60 days this year, a disturbing trend that indicates attackers could finally have an increased interest in weaknesses inherent in core Internet infrastructure.
It is unknown how the attackers are accessing the affected routers, whether they have physical access or whether the router is exposed to the Internet, but that’s the easy part. The route injection is merely a few tweaks to the router’s configuration.
“It’s actually making a BGP-speaking router do exactly what it is intended to do. All you’re doing is changing the configuration on the router,” said Renesys CTO and cofounder Jim Cowie. “A normal border router would have normal configuration entries for all the networks you have access to—all your customers. This just adds extra lines to a configuration. They can announce these routes to my peers and let them know I can reach this even though it’s fiction. As long as you have access to a border router at an important service provider and you’ve chosen the right place to do this, there’s no software [malware] required.”
The hard part is knowing where to insert the route injection attack, Cowie said, adding that some of the victims Renesys has observed—and contacted—include financial services organizations, voice over IP providers, government agencies and other large enterprises. Attacks take place at the level of the BGP route where blocks of IP addresses, in some cases targeting specific organizations, are misdirected.
“On one hand, we’ve seen people hijacking blocks of addresses that belong to DSL pools, groups of customers not very specific somewhere in the country. And we’ve seen networks hijacked that belong to very specific organizations; they’re not a big pool of generic users, but somebody’s business,” Cowie said.
Cowie said the attackers are using the routing system much in the same way a network engineer would.
“There is some sophistication in the choice of place where you inject these routes from,” Cowie said. “You want to be able to evade whatever filters people have in place to prevent the spread of bad routing. And you want to hijack a place that has influential status who are going to propoagate to the people whose traffic you want. Most of sophistication in the attack is in the choice of the point where you actually do route injection.”
The attackers, meanwhile, can pull of this type of redirection and traffic inspection without much in terms of latency to either end of the web request. Also, unlike traditional man-in-the middle attacks where the bad guy is within physical proximity of the victim, here the attacker could just as easily be halfway around the world. And should the traffic in question be unencrypted, plenty of sensitive business or personal data would be at risk.
“[The attacker is] getting one side of conversation only,” Cowie said. “If they were to hijack the addresses belonging to the webserver, you’re seeing users requests—all the pages they want. If they hijack the IP addresses belonging to the desktop, then they’re seeing all the content flowing back from webservers toward those desktops. Hopefully by this point everyone is using encryption.”
Renesys provided two examples of redirection attacks. The first took place every day in February with a new set of victims in the U.S., South Korea, Germany, the Czech Republic, Lithuania, Libya and Iran, being redirected daily to an ISP in Belarus.
“We recorded a significant number of live traces to these hijacked networks while the attack was underway, showing traffic detouring to Belarus before continuing to its originally intended destination,” the company said on its blog. The hop starting in Guadalajara, Mexico and ending in Washington, D.C., included hops through London, Moscow and Minsk before it’s handed off to Belarus, all because of a false route injected at Level3, the ISP formerly known as Global Crossing. The traffic was likely examined and then returned on a “clean path” to its destination—all of this happening in the blink of an eye.
In the second example, a provider in Iceland began announcing routes for 597 IP networks owned by a large U.S. VoIP provider; normally the Icelandic provider Opin Kerfi announces only three IP networks, Renesys said. The company monitored 17 events routing traffic through Iceland.
“We have active measurements that verify that during the period when BGP routes were hijacked in each case, traffic redirection was taking place through Belarusian and Icelandic routers. These facts are not in doubt; they are well-supported by the data,” the blog said. “What’s not known is the exact mechanism, motivation, or actors.”
Since this isn’t a vulnerability that can be patched, mitigations are limited to either cryptographically signing routes, or following a best practice known as BGP 38, where ISPs put filters in place to prevent spoofing and route injection, Cowie said. Both are expensive and may not be economically feasible to ISPs unless all are required to do so. Also, in particular with crypto signing of routes, if the trust is derived from the government or a single organization, they would have control over segments of Internet traffic which could introduce another set of surveillance issues.
“The tempo [of route injection attacks] has picked up over the course of this year, so my guess is this is more common knowledge among groups who can do this,” Cowie said. “It’s hard to say whether it’s one group, or two groups, three groups. Maybe they know each other, we don’t know. It’s really pretty unknowable.”
Graphic courtesy of Renesys.