[ed. NSA hacking into fiber optic cables? That's like so yesterday.]

Now, five years later, this is exactly what has happened. Earlier this year, researchers say, someone mysteriously hijacked internet traffic headed to government agencies, corporate offices and other recipients in the US and elsewhere and redirected it to Belarus and Iceland, before sending it on its way to its legitimate destinations. They did so repeatedly over several months. But luckily someone did notice.
And this may not be the first time it has occurred -- just the first time it got caught.
Analysts at Renesys, a network monitoring firm, said that over several months earlier this year someone diverted the traffic using the same vulnerability in the so-called Border Gateway Protocol, or BGP, that the two security researchers demonstrated in 2008. The BGP attack, a version of the classic man-in-the-middle exploit, allows hijackers to fool other routers into redirecting data to a system they control. When they finally send it to its correct destination, neither the sender nor recipient is aware that their data has made an unscheduled stop. (...)
BGP eavesdropping has long been a known weakness, but no one is known to have intentionally exploited it like this until now. The technique doesn't attack a bug or flaw in BGP, but simply takes advantage of the fact that BGP's architecture is based on trust.
To make it easy for e-mail traffic from an ISP in California to reach customers of an ISP in Spain, networks for these providers and others communicate through BGP routers. Each router distributes so-called announcements indicating which IP addresses it's in the best position to deliver traffic to, for the quickest, most efficient route. But BGP routers assume that when another router says it's the best path to a specific block of IP addresses, it's telling the truth. That gullibility makes it easy for eavesdroppers to fool routers into sending them traffic they shouldn't get.
When a user types a website name into his browser or clicks "send" to launch an e-mail, a router belonging to the sender's ISP consults a BGP table for the best route to the destination. That table is built from the announcements issued by ISPs and other networks declaring the range of IP addresses, or IP prefixes, to which they'll deliver traffic. The routing table searches for the destination IP address among those prefixes, and if two systems deliver traffic for the address, the one with the narrower, more specific range of prefixes "wins" the traffic.
For example, one ISP announces that it delivers to a group of 90,000 IP addresses, while another delivers to a subset of 24,000 of those addresses. If the destination IP address falls within both of these, the e-mail will get sent to the narrower, more specific one.
To intercept data, anyone with a BGP router or control of a BGP router could send out an announcement for a range of IP addresses he wished to target that was narrower than the chunk advertised by other network routers. The announcement would take just minutes to propagate worldwide and, just like that, data that should have headed to those networks would begin arriving to the eavesdropper's router instead.
Ordinarily, when an attacker tried to then forward the stolen traffic to its rightful destination, it would boomerang back to him, since other routers would still believe that his was the best destination for the traffic. But the technique demonstrated at DefCon, and now spotted in the wild, allows an attacker to send his announcement in such a way that it is delivered only to select routers. So, once the traffic passes through his router, it gets directed to its rightful destination through routers that never got the bogus announcement. The attack intercepts only traffic headed to target addresses, not from them.
by Kim Zetter, Wired UK
Image: Map courtesy of Renesys
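As an added illustration (not part of the Wired article or of Renesys' own tooling), the Python below shows both halves of the mechanism described above: longest-prefix matching, which is why the narrower announcement wins, and a defender-side check that compares announcements seen at a route collector against the expected origin AS for each prefix (the job RPKI ROAs do in production) and flags a more-specific announced by a foreign AS. All prefixes, AS numbers and paths are constructed sample values.

```python
import ipaddress

# Constructed sample (documentation ranges, not real routes).  EXPECTED_ORIGIN
# plays the role of a ROA / internal allow-list; OBSERVED is what a route
# collector saw, as (prefix, origin AS, AS path).
EXPECTED_ORIGIN = {"203.0.113.0/24": 64500, "198.51.100.0/22": 64501}
OBSERVED = [
    ("203.0.113.0/24", 64500, [64510, 64500]),
    ("198.51.100.0/22", 64501, [64510, 64501]),
    ("198.51.100.0/24", 64666, [64510, 64666]),  # more-specific, foreign origin
]

def best_route(dst, announcements):
    """Longest-prefix match: the narrowest covering announcement wins."""
    ip = ipaddress.ip_address(dst)
    covering = [a for a in announcements if ip in ipaddress.ip_network(a[0])]
    if not covering:
        return None
    return max(covering, key=lambda a: ipaddress.ip_network(a[0]).prefixlen)

def covering_expected(prefix, expected):
    """Most specific expected prefix that covers `prefix`, as (net, asn)."""
    net = ipaddress.ip_network(prefix)
    best = None
    for p, asn in expected.items():
        exp = ipaddress.ip_network(p)
        if net.subnet_of(exp) and (best is None or exp.prefixlen > best[0].prefixlen):
            best = (exp, asn)
    return best

def find_hijacks(announcements, expected):
    """Flag announcements whose origin AS is not the expected one for the
    covering prefix.  A more-specific from a foreign AS is the sub-prefix
    hijack the article describes; an equal-length one is a plain origin hijack."""
    alerts = []
    for prefix, origin, path in announcements:
        match = covering_expected(prefix, expected)
        if match is None:
            continue  # address space we do not track
        exp_net, exp_asn = match
        if origin != exp_asn:
            alerts.append({"prefix": prefix, "origin": origin,
                           "expected_origin": exp_asn, "path": path,
                           "more_specific": ipaddress.ip_network(prefix).prefixlen
                           > exp_net.prefixlen})
    return alerts
```

With the sample data, `best_route("198.51.100.7", OBSERVED)` picks the /24 from AS 64666 even though AS 64501 legitimately announces the covering /22, and `find_hijacks` raises exactly one alert for it.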