BGP hijackers: “This traffic is going to Russia!”

BGP hijackers: “This traffic is going to Russia!”

BGP hijackers: “This traffic is going to Russia!”

December 14, 2017

Traffic sent to and from major internet sites was briefly rerouted to an ISP in Russia by an unknown party. The likely precursor of an attack, researchers describe the Dec. 13 event as suspicious and intentional.

According to BGPMON, which detected the event, starting at 04:43 (UTC) 80 prefixes normally announced by several organizations were detected in the global BGP routing tables with an Origin AS of 39523 (DV-LINK-AS), out of Russia.

The attack behavior was short lived at only six minutes and researchers have no clue as to why it happened. But it is a sobering reminder of how fragile the internet really is and how easy it can be exploited.

Rerouting internet traffic from its intended destination to a nefarious location – by corrupting or manipulating internet routing protocols – is a way to perform man-in-the-middle attacks or spoof a website to trick users into handing over their personal credentials and other sensitive information.

The December attack exploited the border gateway protocol (BGP). Attackers monitor internet traffic from specific sites and hijack the traffic to a host on their own network as a choke point. Although rare, some instances are documented on Wikipedia, including a cyberattacker who attempted to steal Bitcoin in 2014.

In the December case, some of the largest internet sites were impacted – Google, Apple, Facebook, Microsoft, Twitch, NTT Communications and Riot Games. Users of these sites trust that their communications are secure because they use SSL/TLS encryption over HTTPS.

Unfortunately, attackers who can manipulate BGP to perform man-in-the-middle attacks can also manipulate TLS/SSL encryption in HTTPS to secretly eavesdrop on user communications.

In March 2017, US-CERT issued a warning that HTTPS interception is weakening TLS security and advised organizations who use HTTPS inspection products to verify that they properly validate certificate chains and pass warnings and errors to the client.

Monitoring network traffic through a choke point is a common technique used by companies in their own networks as well as governments. For example, China uses a perimeter dubbed the Great Firewall to redirect and monitor all traffic going in and out of the country.

Using BGP to execute man-in-the-middle attacks allows attackers to modify internet traffic before reaching its destination. This type of attack is widely believed to have been used for corporate espionage, nation-state spying and by intelligence agencies who mine internet data without the knowledge of ISPs.

While preventing internet routing manipulation is primarily a problem at the ISP level, users can ensure that their personal HTTPS sessions are safe by using HTTP public key pinning.

Public key pinning tells the web browser to associate a specific cryptographic public key with a certain web server, thereby preventing man-in-the-middle attacks with forged certificates.

The web server provides a list of public key hashes so that browsers can verify that the encryption certificate it receives is authorized by the web server with which they want to communicate. This allows a user’s web browser to determine whether communications are being intercepted and whether to proceed.

For more about this subject, read the white paper, How to detect malicious covert communications.” It explains how to expose hidden attack communications, even in encrypted traffic, without decryption.

About the author


Vectra® is the world leader in AI-powered network detection and response.

Author profile and blog posts

Most recent blog posts from the same author

Threat detection

How to Track Attackers as They Move to Your Network from the Cloud

December 8, 2020
Read blog post
Security operations

Expertise That Unlocks the Potential within Your Security Operations

July 21, 2020
Read blog post

A Tale of Two Attacks: Shining a Security Spotlight on Microsoft Office 365

October 26, 2020
Read blog post