Security research firm Renesys has authored an interesting blog - TopicsExpress
Security research firm Renesys has authored an interesting blog post noting that it is seeing a significant uptick in the number of large-scale man-in-the-middle attacks carried out at the BGP routing layer. What's more, the firm insists, these attacks are quietly swallowing a larger and larger share of overall Internet traffic without most people noticing.

Renesys says that since February it has observed 38 distinct events in which significant blocks of Internet traffic have been covertly redirected to routers at Icelandic or Belarusian service providers. The firm provides one such example: a trace from Guadalajara, Mexico to Washington, DC that goes through Moscow and Minsk:

quote: Mexican provider Alestra hands it to PCCW for transit in Laredo, Texas. PCCW takes it to the Washington, DC metro area, where they would normally hand it to Qwest/Centurylink for delivery. Instead, however, PCCW gives it to Level3 (previously Global Crossing), who is advertising a false Belarus route, having heard it from Russia's TransTelecom, who heard it from their customer, Belarus Telecom. Level3 carries the traffic to London, where it delivers it to Transtelecom, who takes it to Moscow and on to Belarus. Beltelecom has a chance to examine the traffic, and then sends it back out on the "clean path" through Russian provider ReTN. ReTN delivers it to Frankfurt and hands it to NTT, who takes it to New York. Finally, NTT hands it off to Qwest/Centurylink in Washington DC, and the traffic is delivered.

They offer up a few other interesting examples, including an instance where traffic that should have simply traveled between two locations in Denver, Colorado actually wound up getting bounced all the way to Iceland and back. Note the two halves of the trick: a false route announcement pulls the victim's traffic into the attacker's network, and a clean path out the other side forwards it on to the real destination, so the connection still works. Man-in-the-middle hijacking at this scale, done by injecting false BGP route announcements, was largely a worrisome theory until earlier this year, when someone made it a reality. The hijacking is largely imperceptible to regular users: latency goes up, but nothing fails.
Why is this happening? Renesys says it does not have a clear understanding of the exact mechanism, motivation, or actors, though most assume the activity is either intelligence or criminal in nature. Renesys goes on to note that these attacks leave a visible trail to be followed, in the form of the bogus route announcements seen by route collectors around the world, but that most communications providers don't appear too concerned with tracking or thwarting the efforts. "In practical terms, this means that Man-In-the-Middle BGP route hijacking has now moved from a theoretical concern to something that happens fairly regularly, and the potential for traffic interception is very real," notes the firm. "Everyone on the Internet — certainly the largest global carriers, certainly any bank or credit card processing company or government agency — should now be monitoring the global routing of their advertised IP prefixes."
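What "monitoring the global routing of their advertised IP prefixes" looks like in code, as an added example that is not Renesys's tooling and not part of the original post: the script below takes BGP announcements as seen by route collectors and flags the three shapes the Belarus case illustrates, namely someone else originating your exact prefix, someone announcing a more-specific that wins longest-prefix match everywhere, and a path that keeps your true origin AS but passes through a neighbour you do not buy transit from. In production the announcements would come from a collector feed such as RouteViews or RIPE RIS; here the feed, the prefixes (TEST-NET ranges), the ASNs (RFC 5398 documentation range) and the policy tables are all constructed inline so the logic runs offline.

```python
"""Prefix-origin and AS-path monitor over constructed BGP announcements (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Policy: prefixes we legitimately originate -> the ASNs allowed to originate them.
# Constructed values (TEST-NET prefixes, RFC 5398 documentation ASNs).
MY_ORIGINS: Dict[str, Set[int]] = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/23": {64500, 64501},
}
# Transit providers each of our origin ASNs actually buys from (constructed).
MY_UPSTREAMS: Dict[int, Set[int]] = {
    64500: {64502, 64503},
    64501: {64503},
}

Finding = Tuple[str, str, int]  # (kind, prefix, offending ASN)


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: Tuple[int, ...]   # leftmost = collector's neighbour, rightmost = origin
    collector: str


def strip_prepends(path: Tuple[int, ...]) -> Tuple[int, ...]:
    """Collapse AS prepending (64500 64500 64500 -> 64500) so adjacency checks work."""
    out: List[int] = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return tuple(out)


def classify(ann: Announcement) -> List[Finding]:
    """Return findings for one announcement; an empty list means it looks benign."""
    if not ann.as_path:
        return []
    path = strip_prepends(ann.as_path)
    origin = path[-1]
    net = ipaddress.ip_network(ann.prefix, strict=False)
    findings: List[Finding] = []
    for mine, origins in MY_ORIGINS.items():
        mine_net = ipaddress.ip_network(mine)
        if net.version != mine_net.version:
            continue
        if net == mine_net:
            if origin not in origins:
                # Someone else claims to originate exactly our prefix.
                findings.append(("ORIGIN_HIJACK", ann.prefix, origin))
            elif len(path) >= 2 and path[-2] not in MY_UPSTREAMS.get(origin, set()):
                # Right origin, wrong neighbour: a forged path that keeps our ASN at
                # the end evades a pure origin check, so check who sits next to us.
                findings.append(("UNEXPECTED_NEIGHBOUR", ann.prefix, path[-2]))
        elif net.subnet_of(mine_net) and origin not in origins:
            # A more-specific wins longest-prefix match regardless of who we are.
            findings.append(("MORE_SPECIFIC", ann.prefix, origin))
    return findings


def audit(feed: List[Announcement]) -> List[Finding]:
    """Run classify over a whole feed and return the distinct findings in order."""
    seen: Set[Finding] = set()
    out: List[Finding] = []
    for ann in feed:
        for finding in classify(ann):
            if finding not in seen:
                seen.add(finding)
                out.append(finding)
    return out


# Constructed feed: a benign announcement with prepending, an exact-prefix hijack,
# a more-specific hijack, a forged path that preserves our origin, and a prefix
# that is not ours at all.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", (64504, 64502, 64500, 64500), "rrc00"),
    Announcement("203.0.113.0/24", (64504, 64508, 64509, 64510), "rrc01"),
    Announcement("203.0.113.128/25", (64504, 64508, 64509, 64510), "rrc01"),
    Announcement("198.51.100.0/23", (64504, 64505, 64500), "rrc00"),
    Announcement("192.0.2.0/24", (64504, 64502, 64511), "rrc00"),
]

if __name__ == "__main__":
    for kind, prefix, asn in audit(SAMPLE_FEED):
        print(f"{kind:20s} {prefix:18s} AS{asn}")
```

The origin check is what RPKI route origin validation standardizes (a ROA is exactly the MY_ORIGINS table, signed); the neighbour check is the part RPKI does not cover and is the one that catches a path forged to end in the victim's own ASN. Both only see what the collectors see, which is the same visible trail Renesys describes, so a hijack announced to a small set of peers can still go unobserved.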
Posted on: Sat, 23 Nov 2013 01:36:59 +0000