Skip the navigation

Warning! Targeted Internet misdirection on the rise

Traffic from financial firms, government agencies, VoIP providers quietly hijacked and rerouted through ISPs in Belarus, Iceland, researcher says

November 19, 2013 03:28 PM ET

Computerworld - Unknown attackers have successfully hijacked and redirected Internet traffic belonging to financial services companies, VoIP providers and governments many times over the past year.

Internet monitoring firm Renesys says it's observed such hijacked traffic during at least 60 days in 2013.

A total of about 1,500 individual IP blocks from 150 cities around the world have been intercepted, inspected and possibly compromised in incidents lasting from a few minutes to several days, the company said today.

Throughout February, for instance, online traffic at numerous financial services companies, network service providers and government agencies in the U.S. South Korea, Germany, the Czech Republic, Iran and other countries was redirected to an Internet Service Provider in Belarus.

Similarly, in May and again in July, Internet traffic from a large U.S. providers of managed network services was hijacked and routed through IP addresses owned by an Icelandic ISP.

In these and other cases, the intercepts were enabled through so-called "Man-in-the-Middle" attacks, when traffic flowing between two points is briefly rerouted to another location and then released back its original path. Such redirections allow attackers to surreptitiously inspect and modify traffic.

If the hijacked traffic is rerouted to a point close to the original destination, the entire caper can be carried with no noticeable lag in traffic time.

The attacks show in practical terms that Border Gateway Protocol (BGP) hijacking is not theoretical, it poses real problems, said Doug Madory, an analyst at Renesys.

BGP routers, which direct traffic between autonomous systems on the Internet, can be accessed by hackers to spoof the IP address of another entity to misdirect traffic there, Madory said. It's difficult to determine that the activity is criminal because such misdirection often occurs due to human error -- such as transposing the digits in an Internet address space. In most cases, such inadvertent misdirection is quickly caught and remedied.

Madory said it's likely the misdirection to the Iceland and Belarus ISPs found by Renesys earlier this year was deliberate. It is likely that people with access to BGP routers at these ISPs created the spurious routes unbeknownst to the ISPs or the victims, he added.

The attackers appear to have found a way to redirect only small portions of traffic bound for a specific destination to avoid being detected, Madory said.

"What's novel here is making just a small percent of the Internet believe the bogus route so they have a way to get traffic to that destination," without notice, Madory said. "If you announced the address space of somebody else and everyone else believed it, then all traffic (for the destination) will be routed to you."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at Twitter@jaivijayan, or subscribe to Jaikumar's RSS feed Vijayan RSS. His email address is jvijayan@computerworld.com.

Read more about Security in Computerworld's Security Topic Center.



Our Commenting Policies