#route_hijacking

“Early this morning (UTC) our systems detected a suspicious event where many prefixes for high profile destinations were being announced by an unused Russian Autonomous System.

Starting at 04:43 (UTC) 80 prefixes normally announced by organizations such Google, Apple, Facebook, Microsoft, Twitch, NTT Communications and Riot Games were now detected in the global BGP routing tables with an Origin AS of 39523 (DV-LINK-AS), out of Russia.”

▻https://bgpmon.net/popular-destinations-rerouted-to-russia

Example of a Facebook prefix briefly routed towards AS39523 DV-LINK-AS (on Twitter):

@bgpstream
BGP,HJ,hijacked prefix AS32934 31.13.84.0/24, Facebook, Inc.,-,By AS39523 DV-LINK-AS, ▻http://bgpstream.com/event/119987

#BGP #routing_security #route_hijacking

One of the very few documented cases where a #BGP prefix hijacking is certainly done voluntarily (here, by the #HackingTeam digital weapon dealer company).

▻http://arstechnica.com/security/2015/07/hacking-team-orchestrated-brazen-bgp-hack-to-hijack-ips-it-didnt-own

▻http://www.bgpmon.net/how-hacking-team-helped-italian-special-operations-group-with-bgp-routing-hi

#Internet_security

Sprint, Windstream traffic routing errors hijacked other ISPs

It is not always longer far away countries such as India or Pakistan which make these mistakes but also Mr. USA himself can made erroneous announcements (#BGP #route_hijacking).

In simple words, it is like putting road signs on the Internet where Sprint and Windstream say to the world:
“Hey guys, send all traffic for the following networks to us: Telesmart, Macedonia, Saoudinet, Saoudi Arabia, a network from Gaza, one from Iceland, and three from China”
(all their traffic are belong to us ...)
The effect is that the traffic does not reach its destination, or that it transits via another network as was the case for Telesmart.

Quotes from ▻http://www.renesys.com/2014/09/latest-isps-to-hijack :

From 13:56 UTC on Tuesday (9-September) to 15:56 UTC on Wednesday (10-September), US wireless carrier #Sprint (AS1239) started hijacking a prefix (95.128.184.0/22) from Telesmart, an ISP in Macedonia. What was interesting was that once traffic arrived at Sprint, it continued onto Cogent and finally onto its intended destination at Telesmart in Skopje. Was this an accidental #man-in-the-middle (#MITM) or something else?

[...]

The same day #Windstream (AS7029) began announcing 212.118.142.0/24 (SaudiNet), which is normally announced by Saudi Arabian incumbent, Saudi Telecom. Unlike the previous Sprint example, traceroutes to this prefix along the Windstream route died within Windstream, effectively knocking this network off the Internet for anyone accepting the bogus route. Then on Wednesday, Windstream announced a handful of strange routes for about 10 hours including one from Gaza, one from Iceland, and three from China — all more-specifics of existing routes, ensuring their global propagation and acceptance.
[...]
There is a potentially innocent explanation to this example. Perhaps, these address ranges were ones that Windstream deemed to be sources of bad traffic and so was “blackholing” them internally, a relatively common practice. In this scenario, we could have simply witnessed Windstream inadvertently leaking internal routes to the global Internet for 10 hours.

PS: Also interesting reference in a larger context, at this year’s #Defcon 22 conference, Luca Bruno and Mariano Graziano from eurecom.fr ("a leading teaching and research institution in the fields of information and communication technologies") gave a talk about the vulnerabilities of some ISPs’ public #looking_glass utilities that would allow an attacker to remotely modify #router configurations.

white paper:
▻https://www.defcon.org/images/defcon-22/dc-22-presentations/Bruno-Graziano/DEFCON-22-Luca-Bruno-Mariano-Graziano-looking-glass-WP-UPDATED.pdf
presentation:
▻https://www.defcon.org/images/defcon-22/dc-22-presentations/Bruno-Graziano/DEFCON-22-Luca-Bruno-Mariano-Graziano-looking-glass-Updated.pdf

http://upload.wikimedia.org/wikipedia/en/0/03/Aybabtu.png

#ISP
#security
#blackhole

#Wristcutters

Indosat AS4761 hijacked 400k+ prefixes on April 2, 2014
►http://www.bgpmon.net/hijack-event-today-by-indosat

Indosat, AS4761, one of Indonesia’s largest telecommunication networks normally originates about 300 prefixes. Starting at 18:26 UTC (April 2, 2014) AS4761 began to originate 417,038 new prefixes normally announced by other Autonomous Systems such as yours. The ‘mis-origination’ event by Indosat lasted for several hours affecting different prefixes at different times until approximately 21:15 UTC.

It appears our AS was affected as well (between 19:33 and 20:23), but I am a bit suspicious as I cannot corroborate this info with other sources than bgpmon.net
Any reference I find traces back to bgpmon. (and I cannot read Indonesian).

No Waldo here:
▻https://radar.qrator.net/general/?asnum=4761

Perhaps @Stephane Bortzmeyer has an opinion on this ?
Autres sources que découlant de bgpmon ?

paranoïa über alles : from the bgpmon service:

Users with a premium account also have access to all the individual BGP updates as well as the full AS path. This will tell you in detail what networks selected this bad route and the exact timestamps. Some of you also received a phone call to inform you of the events immideatly after detection (part of the Enterprise add-on).

#BGP
#route_hijacking
#routing
#AS4761
#Indosat