BGP routing incidents in 2014, malicious or not?

Over the last year we have seen and written about numerous BGP routing incidents that looked out of the ordinary, straight-up suspicious or were just configuration mistakes. In this blog post we will highlight a few of them and look at the impact and cause of each of the observed incidents and try to determine if there was any malicious intent.

I presented the same data last week at NANOG 63, in San Antonio, a recording of this presentation can be found below:

BGP hijacking for monetary gain.

bitcoin-robber We have all heard of Bitcoin, it’s been in the news quite a bit and chances are that some of you are mining Bitcoins right now. There are now computing devices optimized for Bitcoin mining and even dedicated Bitcoin mining data centers. In addition to the dedicated data centers, many Bitcoin miners use cloud compute instances from Amazon, OVH, Digital Ocean, etc. So it’s obvious that there is a lot of money spent on Bitcoin mining & trading; and as such there is also an opportunity to make a quick buck.
This summer we blogged about a series of BGP hijacks where an attacker cleverly misused the Bitcoin stratum protocol. By hijacking IP addresses of the pool server IP addresses, the attacker stole 83,000 US dollars worth of Bitcoins. This was an advanced attack, not just from the Bitcoin perspective but also from the BGP perspective. In an attempt to hide the attack, the originator used AS path prepending with a range of Autonomous systems. More details regarding the BGP part of this attack can be found on our blog here, or at Dell SecureWorks.

Malicious or not? Yes, I believe it is obvious that this attack was targeted with the main purpose to steal Bitcoins for monetary gain. The attacker actively tried to hide the origin of the attack by using AS path spoofing. Since the attacker hijacked /24 prefixes there would have been quite a bit collateral damage as the other 200+ Ip addresses in that prefix were also temporarily hijacked.

IP squatting and spammers

spam_emailIn September we wrote about a number of spamming campaigns that relied on IP squatting to send spam. IP squatting is a technique where folks find un-announced address space, announce that IP space for a brief period, effectively stealing those IP addresses from the right-full owner and then use it, for example to send spam. In our blog post we identified a number of campaigns all with a very similar fingerprint. Each time a small group of prefixes is announced for a few hours only before it is withdrawn and a new group of prefixes is being announced again. A visualization of this unique pattern can be found in the image below.

This method is great for spammers because it solves the problem of IP reputation (spam) list. By the time these addresses are added to the various lists, the spammer has moved on to other addresses from a previously unused ranged. Tracking the actual origin of the spammers is also harder as whois data will only show who owns the space, not necessarily who announced it.

Source: stat.ripe.net

Source: stat.ripe.net

Research showed that this technique is more common than many may think as dozens of prefixes were squatted during a single week and used to originate spam from. Not only is the reputation of these addresses damaged, making it harder to use in the future by the rightful owner but it can also cause outages. We observed a case where a prefix belonging to an Internet Exchange point was squatted and used by the spam operation. If this had would have been a peering LAN prefix announced as a more specific it would have caused serious damage to the stability of the Internet Exchange in question.

Malicious or not? Sending spam is illegal in many countries, combined with the fact that IP addresses were temporarily stolen from the rightful owner makes this yet an other example of a malicious routing event. The long-term damage done to the address reputation and possible stability issues for Internet Exchanges make these serious malicious incidents.

Large scale hijacks to Syria and Indonesia.

syrian telecom3BGP hijacks happen on an almost daily basis, some are targeted while many are operational errors. Many of the incidents affect one or a few prefixes at a time, however every now and then we detect larger scale ones such as the hijack by the Syrian Telecom Establishment and Indosat. In both cases hundreds or thousands of prefixes were mis-originated and as a result traffic for those prefix was rerouted to Indonesia and Syria. In the case of Syria, many Internet users were routed over the path to Syria for about 1500 prefixes. This means that a significant number of users were not able to reach the services residing in these 1500 prefixes, this included IP addresses for the US DoD, YouTube, Level3, Telstra, Rogers, Time warner cable, Akamai, Telefonica and more.

Malicious or not?  There’s no evidence that suggests that these two events were malicious.  But just because these incidents don’t appear to be intentional, doesn’t mean all is  good.  In both cases traffic was redirected to Indonesia and Syria. Due to the number of prefixes that were being rerouted to say Syria, simply the volume of traffic would have most likely caused traffic to be dropped and as a result the hijacked prefixes would have experiences partial outages, similar as we have seen with large scale routing leaks. In the case of the Syrian Telecom incident, large networks such as NTT, Telecom Italia and Hurricane Electric picked up the hijacked routes and would have re-routed towards Syria, causing a significant number of Internet users to follow the wrong path to content networks such as YouTube, Akamai and Incapsula while causing performance and availability problems.

Traffic intercepting and impersonation

Identity-Theft-Insurance-To-buy-or-not-to-buy-We have seen a few cases where adversaries originated prefixes with a clear goal to intercept traffic. Once the traffic was rerouted to the adversary it would then reach a server that was setup and configured to impersonate the service for which traffic was redirected. In the spring of 2014 we wrote about the DNS hijacks in Turkey, where traffic for popular free DNS resolvers such as Google’s 8.8.8.8 , OpenDNS and Level3 were redirected to servers controlled by the Turkish government. These servers impersonated the real DNS resolvers and were returning mostly valid DNS answers except for censored domains such as youtube and twitter. We wrote about a similar incident in 2013, where an ISP in the Netherlands used BGP to hijack one of the SpamHaus RBL servers. After he was able to redirect this traffic to a server controlled by the attacker all RBL queries returned a positive answer, which resulted in many emails falsely being classified as spam and as a result rendered the SpamHaus service unusable.

Both of these incidents are similar to the Bitcoin attack, where BGP was used to redirect traffic to a server controlled by the adversaries who then setup a service that was impersonating the real service. Users of the service were now redirected to a non-trusted 3rd party who is now impersonating the real service. This is both a real problem for the user of the service as well as the operator of the service and can cause financial and reputational damage to both the user and the operator.

Malicious or not? Redirecting traffic away from the intended destination, impersonating the hijacked service and providing false answers rendering parts of the service unusable, causing reputation and possibly financial damage make these cases another example of malicious incidents.

Conclusion

In this blog we highlighted a few of the high-profile incidents we observed over the last year. In all cases services were affected and damage was done to the service, reputation, privacy or even significant financial implications.
Technologies such as RPKI are immature and not widely deployed yet. Once more widely deployed it should reduce the impact of incidental mis-origination incidents such as the Indosat event. However, since RPKI doesn’t solve full AS path validation, it won’t help in cases such as the Bitcoin hijack. As a result monitoring and detection using services such as BGPmon.net are an important tool for network operators. BGPMon.net provides early detection and alerting with actionable information and is an important tool for any network and security engineering team. Sign-up for our monitoring service here and start monitoring up to 5 prefixes for free. Our systems will then inform you of any relevant routing event affecting your network as soon as it is detected.