Blog - article

Sorry, this blog post has not been posted yet. Come back and check again later!

BGP hijackers: “This traffic is going to Russia!”

By:
Chris Morales
December 14, 2017

Traffic sent to and from major internet sites was briefly rerouted to an ISP in Russia by an unknown party. The likely precursor of an attack, researchers describe the Dec. 13 event as suspicious and intentional.

According to BGPMON, which detected the event, starting at 04:43 (UTC) 80 prefixes normally announced by several organizations were detected in the global BGP routing tables with an Origin AS of 39523 (DV-LINK-AS), out of Russia.

The attack behavior was short lived at only six minutes and researchers have no clue as to why it happened. But it is a sobering reminder of how fragile the internet really is and how easy it can be exploited.

Rerouting internet traffic from its intended destination to a nefarious location – by corrupting or manipulating internet routing protocols – is a way to perform man-in-the-middle attacks or spoof a website to trick users into handing over their personal credentials and other sensitive information.

The December attack exploited the border gateway protocol (BGP). Attackers monitor internet traffic from specific sites and hijack the traffic to a host on their own network as a choke point. Although rare, some instances are documented on Wikipedia, including a cyberattacker who attempted to steal Bitcoin in 2014.

In the December case, some of the largest internet sites were impacted – Google, Apple, Facebook, Microsoft, Twitch, NTT Communications and Riot Games. Users of these sites trust that their communications are secure because they use SSL/TLS encryption over HTTPS.

Unfortunately, attackers who can manipulate BGP to perform man-in-the-middle attacks can also manipulate TLS/SSL encryption in HTTPS to secretly eavesdrop on user communications.

In March 2017, US-CERT issued a warning that HTTPS interception is weakening TLS security and advised organizations who use HTTPS inspection products to verify that they properly validate certificate chains and pass warnings and errors to the client.

Monitoring network traffic through a choke point is a common technique used by companies in their own networks as well as governments. For example, China uses a perimeter dubbed the Great Firewall to redirect and monitor all traffic going in and out of the country.

Using BGP to execute man-in-the-middle attacks allows attackers to modify internet traffic before reaching its destination. This type of attack is widely believed to have been used for corporate espionage, nation-state spying and by intelligence agencies who mine internet data without the knowledge of ISPs.

While preventing internet routing manipulation is primarily a problem at the ISP level, users can ensure that their personal HTTPS sessions are safe by using HTTP public key pinning.

Public key pinning tells the web browser to associate a specific cryptographic public key with a certain web server, thereby preventing man-in-the-middle attacks with forged certificates.

The web server provides a list of public key hashes so that browsers can verify that the encryption certificate it receives is authorized by the web server with which they want to communicate. This allows a user’s web browser to determine whether communications are being intercepted and whether to proceed.

For more about this subject, read the white paper, How to detect malicious covert communications.” It explains how to expose hidden attack communications, even in encrypted traffic, without decryption.

About the author

Chris Morales

Christopher Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs for Fortune 500 enterprise clients. He has nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles. Christopher is a widely respected expert on cybersecurity issues and technologies and has researched, written and presented numerous information security architecture programs and processes.

Author profile and blog posts

Most recent blog posts from the same author

Cybersecurity

Threat Behaviors in the Attack Lifecycle

June 20, 2019
Read blog post
Cybersecurity

Visibilité, détection et aide à la résolution des incidents avec une architecture sans outil SIEM

April 30, 2019
Read blog post
Threat detection

Bedrohungserkennung und Response mit einer Architektur ohne SIEM

April 5, 2019
Read blog post