Mystery traffic redirection attack pulls net traffic through Belarus, Iceland

Tons of internet traffic is being deliberately diverted through locations including Belarus and Iceland, and intercepted by crooks or worse, security experts fear. Network intelligence firm Renesys warns that victims including financial institutions, VoIP providers, and governments have been targeted by the man-in-the-middle …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Surprise!

    Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft.

    People need to give themselves a shake and stop using MS products!

    YES I AM THAT STUPID THANKS FOR ASKING!!!

    1. cynic 2

      Re: Surprise!

      I take it that reading comprehension is not your strong point?

      1. Dan Paul

        Re: Surprise! (not Really it's Eadon by another name)

        You are correct, he did not read the article; that anonymous coward was really Eadon using another fake user name. That was almost word for word from an old post from Eadon.

        1. FrankAlphaXII

          Re: Surprise! (not Really it's Eadon by another name)

          If it had been Eadon, it would have ended with some stupid shit like:

          "MS MAN IN THE MIDDLE FAIL!" or such drivel. It's just someone who doesn't know how to RTFA.

          1. Anonymous Coward

            Re: Surprise! (not Really it's Eadon by another name)

            You guys got it all wrong, it wasn't Microsoft products that allowed these attacks, it was Balmer doing these attacks from his laptop (Apple with Windoze 8.1 with a Ubuntu VM).

            1. Wzrd1 Silver badge

              Re: Surprise! (not Really it's Eadon by another name)

              It's that bloody damned volcano acting out again.

              First, it fucks up all of European air traffic, now it's mucking about with the network traffic!

              1. Crisp

                Everybody above this line

                Has been trolled.

                1. Anonymous Coward

                  Re: Everybody above this line

                  Pretty successfully if I do say so myself! It's satire mother fuckers!!! (as I believe Noel Coward once said.)

                2. Michael Wojcik Silver badge

                  Re: Everybody above this line

                  Lions 7, Christians 4, by my count. Looks like a few Reg readers need to go back to Internet school.

        2. Anonymous Coward

          Re: Surprise! (not Really it's Eadon by another name)

          Do not feed the troll. Do not even acknowledge that the troll once existed.

          That is all.

          1. Destroy All Monsters Silver badge
            Trollface

            Re: Surprise! (not Really it's Eadon by another name)

            I CAN'T BELIEVE IT'S NOT EADON

            Our New I Can’t Believe It’s Not Eadon!® Deliciously Simple™ comment spread is made from real, simple ingredients like flaming, troll oil and inappropriate Microsoft Rage. 100% rant, 0% artificial intelligence.

      2. Fatman

        Re: Surprise!

        I take it that reading comprehension is not your strong point?

        Probably because this poster is still in grammar school.

    2. Necronomnomnomicon

      Re: Surprise!

      But it isn't about Microsoft? They're not even mentioned.

      1. Anonymous Coward

        Re: Surprise!

        > But it isn't about Microsoft? They're not even mentioned.

        I assume his post was meant to parody someone else. Unfortunately he's pretty rubbish at it.

        1. Anonymous Coward

          Re: Surprise!

          >I assume his post was meant to parody someone else. Unfortunately he's pretty rubbish at it.

          I don't know. He seems to have startled a number of foolish self-important people into a conversation. I think that demonstrates some skill at composition.

    3. Anonymous Coward

      Re: Surprise!

      I'm Twelve Years Old and What is This?

    4. Anonymous Coward

      Re: Surprise!

      It's Government sponsored, NSA and GCHQ flexing their muscles.

    5. Fatman
      FAIL

      Re: Surprise!

      Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft.

      Look, I enjoy bashing the hell out of Mickeysoft, but if you had even the smallest bit of understanding of how internet traffic gets routed globally, then you would have realized that your diatribe was completely full of shit. End of story!!

      Take Mickeysoft out to the woodshed and give them the 'shellacking' they truly deserve; when they screw up; but this is not one of those instances.

      Go back to school!

  2. NoneSuch Silver badge

    Yes AC @14:15. We all know the router division at Microsoft is to blame. I blame severe under-staffing. It's currently at zero.

    1. Sealand

      > It's currently at zero.

      Whoa, that's understaffing.

      And not only that, but Microsoft wasn't mentioned in the article at all. I suppose the Microsoft article division is to blame here?

      What? Oh, they're understaffed too? Dang it.

  3. Anonymous Coward

    I bet the NSA & GCHQ are pissed... someone else inspecting all that data before they did, who knows what opportunities to steal good commercial data they missed out on there.

    1. Rob

      Who's to say...

      ... it's not them doing the redirects to a few trusted sites they have that aren't in their home territories to avoid suspicion.

    2. RobHib
      Joke

      @obnoxiousGit

      'Tis Snowden snooping on his old employer with the help of new friends.

  4. Anonymous Coward

    This is what happens when you use Linux.

    1. Anonymous Coward

      Sjeez - now THIS is sad. Now even the quality of the trolling is in decline. *Please* make an effort.

      You didn't mention some creative use of vulnerabilities to show Linux is much less safe than Windows, you didn't express adoration for great philanthropist Bill Gates, I mean, WTF? Kindly do it properly, your trolling is, well, pathetic is the only word for it.

  5. John Riddoch
    Black Helicopters

    Nice sales pitch at the end...

    "Everyone on the internet ... should now be monitoring the global routing of their advertised IP prefixes"

    With the subtext of "which we'll be happy to provide. For a fee, of course..."

    1. BongoJoe
      Black Helicopters

      Re: Nice sales pitch at the end...

      I was wondering if I ought to tell my eighty-two year old aunt to start monitoring the IP packets between her and the local WI. After all, that recipe for plum jam may be hijacked and stolen.

      1. Phil O'Sophical Silver badge
        Facepalm

        Re: Nice sales pitch at the end...

        After all, that recipe for plum jam may be hijacked and stolen.

        Well, now that you've told them about it...

  6. Mr Anonymous

    Upstreams should _always_ filter announcements.

    That's it.

  7. Khaptain Silver badge

    Datacentre Question

    Who has any datacenters in either of these countries? Google, NSA, GCHQ, the Chinese, Al Qaeda?

    Someone is in control of the routers through which this data is being read/siphoned/spied upon..., who?

    1. Anonymous Coward

      Re: Datacentre Question

      I can't speak for Iceland, but for Belarus, I would think it's the home of the "Russian Business Network" and half of the world's spammers and trojan creators.

    2. lglethal Silver badge
      Alert

      Re: Datacentre Question

      Belarus - Dictatorship, allied to Russia, known for human rights abuses, internet criminals, pumping spam and being Europe's last old school Totalitarian regime.

      Iceland - Democracy, member of NATO, not overly friendly with the US (offered asylum to Snowden), friendly with the EU (but not part of it), not so friendly with the UK (Cod wars and the collapse of Icelandic banks). Not known for internet criminals and pumping spam. Known for being an awesome looking place that you would love to visit if it wasn't so damn far away.

      Not really seeing any group that would likely be friendly with both of those countries...

      1. Suricou Raven

        Re: Datacentre Question

        Assuming it needs friendly. Easy enough to set up a front company without the government knowing. For added points, throw in a couple of badly-forged documents and load the computer with a banking trojan and list of credit cards - that way if you do get caught, it looks like just another criminal gang was behind it.

      2. Frumious Bandersnatch

        Re: Datacentre Question

        Iceland - Democracy, member of NATO, not overly friendly with the US (offered asylum to Snowden ...,

        and Bobby Fischer before him. Based only on those two facts and the film 101 Reykjavik, it seems like a good place.

        1. BongoJoe
          Thumb Up

          Re: Datacentre Question

          Don't forget the home of the wonderful CCP Games...

      3. itzman
        Paris Hilton

        Re: Datacentre Question

        you forgot the egregious Bjork, that androgynous alien with a screeching voice that thinks it's Art.

        1. Destroy All Monsters Silver badge
          Coat

          Re: Datacentre Question

          You think it was Bjork? I find that hard to believe.

          1. Michael Wojcik Silver badge

            Re: Datacentre Question

            Definitely not Bjork. Bjork can manipulate IP routing with her mind. She doesn't need no stinkin' BGP advertisements.

      4. Anonymous Coward

        Re: Datacentre Question

        "Belarus - Dictatorship" In your opinion, or rather, the phrase you are parroting from some politically-backed media manipulators. The population don't seem to think so, and kind of like that he isn't kowtowing to the global economic slash and burn project.

        "Allied to Russia" Yes. it's right next to Russia, and they can mostly all speak Russian. You want it to be allied to Mexico or something?

        "Known for human rights abuses" like supporting the population presumably and not selling off public assets to foreign multinationals. No mention of Ukraine where they are currently imprisoning Yulia Tymoshenko?

        "Internet criminals" ORLY ? Last I saw they were mostly making trucks, tractors, footwear and doing programming for Western companies.

        "Pumping spam" and the largest countries in the world pumping spam are ...... oh let's guess. Yours?

        "and being Europe's last old school Totalitarian regime." They are not in the EU. They appear to support their population much better than many of the poor countries in the EU. And since they have strengthened ties with Russia, to protect themselves from economic or political attacks from the west, any hopes of implementing some kind of foreign-backed bankers' coup are pretty much pie in the sky.

        1. Destroy All Monsters Silver badge
          Facepalm

          Re: Datacentre Question

          The population don't seem to think so

          What.

          Look, I know where you are coming from. But this is not an East-vs-West question. Belarus would be better off with less Lukashenko (did he authorize mapping the Chernobyl exclusion zone on Belarus side yet?), but that is indeed not a matter of US foreign policy. Let me cite Ron Paul:

          Mr. Speaker, I rise in opposition to the "Belarus Democracy Act" reauthorization. The title of this bill would have amused George Orwell, as it is in fact a US regime-change bill. ... I strongly object to the sanctions that this legislation imposes on Belarus. We must keep in mind that sanctions and blockades of foreign countries are considered acts of war. Do we need to continue war-like actions against yet another country? Can we afford it? I wish to emphasize that I take this position not because I am in support of the regime in Belarus, or anywhere else. I take this position because it is dangerous folly to be the nation that arrogates to itself the right to determine the leadership of the rest of the world. As we teeter closer to bankruptcy, it should be more obvious that we need to change our foreign policy to one of constructive engagement rather than hostile interventionism. And though it scarcely should need to be said, I must remind my colleagues today that we are the U.S. House of Representatives, and not some sort of world congress. We have no constitutional authority to intervene in the wholly domestic affairs of Belarus or any other sovereign nation.

  8. Anonymous Coward

    Where's "rate this article gone"?

    This one gets 11 out of 10 just for the subtitle.

    Everybody, look what's going down.

    Have a good weekend, brothers and sisters.

    1. Ted Treen
      Pint

      Re: Where's "rate this article gone"?

      You get an up vote for knowing the Buffs (all the way back from '67 - when I was but a callow 17yr old...)

      Come to think of it, kudos to Mr Leyden, too.

      Now where's that "ageing hippie" icon?

  9. Anonymous Coward

    So...

    "... financial institutions, VoIP providers, and governments have been targeted."

    Sounds OK to me.

  10. Anonymous Coward

    Russia helped with "outing" what the NSA was doing, is Russia getting "outed" now?

  11. Mike 16

    Noticeable Latency Increase?

    As a Comcast subscriber, that would be "Hmm, it's been about 15 minutes now..."

  12. jonfr

    Good luck with Síminn

    Good luck with Síminn, they don't like to provide answers if you are not a customer of theirs, and even then it can sometimes be difficult (I am a customer of Síminn in Iceland).

    What The Register can do is contact pfs.is and ask for answers there. They are the monitoring body for Iceland's communications and rules. They might provide some answers by asking Síminn the right questions that need to be answered in this case.

  13. Gannon (J.) Dick
    Pint

    When BGP *can* fail ...

    ... it simply means that "News" is unreliable always, but Journalism, with corroboration, is as pure as newly driven snow.

    Eat, Drink and over collect metadata for tomorrow the S/N ratio might go down.

  14. Destroy All Monsters Silver badge
    WTF?

    "Well, we'll not risk another frontal assault. That rabbit's dynamite."

    So, as of yet we are unsure whether dark and nefarious activities are indeed afoot or whether we are in the presence of pure accident biggened up by a Security Company pushing its wares.

    We are, however, sure that the current BGP exhibits all the syndromes of being no longer appropriate to the 21st century seeing that anything can be advertised by anyone with no traceability or justification.

    Better get some protocol druids on the same table and bang heads together pronto.

    Yeah, instead we get monetizable advances like new TLD domain names ending in ".cocacola" and sh*t.

  15. Ian 55

    At what point do we say 'Right, let's start again?'

    And this time build an internet that's just a tiny bit more secure than the one we have got?

  16. Anonymous Coward

    I'm Still Missing Something

    Another Register article with no direct Dr Who reference.

  17. CmdrX3

    ....and shit like this is why we can't have nice things.

  18. Adam JC

    VoIP Traffic...

    "The Icelandic traffic hijack was repeated after two months of inactivity by another but different source within the country, Opin Kerfi (AS48685) which "began announcing origination routes for 597 IP networks owned by one of the largest facilities-based providers of managed services in the US, a large VoIP provider"."

    Being that almost NO VoIP system I've ever come across (And I've come across a few...) ever bothers to implement SRTP or any noticeable form of encryption (Despite the difficulty of doing this being quite frankly laughable) this would effectively allow them to listen to any conversation (In realtime, if necessary).

    That's pretty.. erm... concerning.

  19. Thomas Allen

    Successful packet bidding strategies?

    Would you need to bid for and win ALL (or most of) the packets of a long message to understand the whole message? It may not work to only have access to a small percentage of the packets that make up a message.

    Maybe if you know beforehand that a bank sends its messages at 10am exactly, and you could bid for all the packets at that instant, at a particular junction, and win all the packets of a single message. (a timing attack)

    The article suggests traffic can be "diverted" simply by having a successful bidding strategy at internet router junctions. If you know exactly when the packets are coming, a fast computer could bid and win the packets you want.

    1. Destroy All Monsters Silver badge
      Holmes

      Re: Successful packet bidding strategies?

      AFAIK it's not that complex. Router Alice just tells router Bob that it has this "extremely short route" to address (say) block 192.56.255.255, so Bob might consider routing all the packets for that address block towards Alice instead of Eve once it receives that announcement. No "bidding" is involved, as financial strategies have not yet penetrated this fabric.

      1. Wzrd1 Silver badge

        Re: Successful packet bidding strategies?

        BGP is supposed to be protected by accepting routing updates/changes from particular AS numbers.

        It's really not all that complicated and I'm really rusty with configuring Cisco routers, not to mention the various other vendors.

  20. codeusirae

    Protecting Border Gateway Protocol ..

    "Administrators must understand many important aspects of BGP as a protocol to assess where it may be susceptible to various forms of attack and where it must be protected .. administrators must mitigate the risk and potential impact of associated exploit attempts" .. link

    1. Wzrd1 Silver badge

      Re: Protecting Border Gateway Protocol ..

      When I saw this article, that is exactly what article I was thinking of.

      WTF are the various service providers doing, hiring from the pool of CCNA school dropouts?

  21. cracked
    Facepalm

    If you've stumbled across a recent Comment I've made - to just about any article - you know what I am going to write ...

    Ding! Ding! Ding! Ding!

    Thanks very much for pulling it - I'll pay the $50 fine.

    ;-)

    So "safe" is this system, so well designed, that it can easily meet the many and varied needs of its global user-base without breaking sweat. It can handle all of the necessary machinery behind a virtual currency, facilitate transactions between international finance institutions, collect the chatter from the millions of iToasters and iTellys everyone has plugged in, and still satisfy the needs of a bazillion cat lovers without asking them for too many security tokens before they get their video-fix.

    Only, no; it can't.

    Stop the bus. We should all be politely queuing for the emergency exits.

  22. Frank Rysanek

    Mixed feelings... am I missing something here?

    This sounds odd. Simply advertising someone else's prefix would point the whole world (or a big part thereof) to *you*. If you were a "stub network" with no other connectivity, you wouldn't be able to forward the traffic to its actual destination (unless you were able to tunnel it to another AS, unaffected by your BGP injection attack).

    Target a single website and present your own mockup say for phishing purposes? maybe. You'd get caught and/or disconnected soon, owing to the havoc you'd cause.

    Cause big havoc by making lots of servers inaccessible? Piece of cake. Good for DoS attacks.

    After inspection, redirect traffic to its rightful destination? That's difficult. You'd need a second connectivity, able to take the load. For a small target network with little traffic, a tunnel to someplace else might cut it. In order to re-route some high-volume network, you'd need a thick native link, effectively you'd need to be a transit operator. And you'd probably want to goof just a relatively limited perimeter of your peers (based on distance metric) into thinking that you are the actual origin - principally if you goofed the whole internet, you wouldn't be able to forward the traffic to its rightful destination. You need a carefully crafted local routing anomaly, which might be difficult to achieve.

    And, in general you wouldn't be able to hijack traffic flowing in both directions (such as to wiretap a phonecall in full duplex), unless you did the BGP hijacking trick in *both* directions simultaneously: against both ends of the sessions you try to wiretap. Hijacking a single BGP prefix gives you just one direction of the traffic flow.

    Doesn't sound like something very useful for anything except a massive and short-lived DoS attack.

    Unless you have your hijacking gear installed in a big transit operator's backbone routers.

    Who would you have to be, to be in that position :-)

    Considering the need for a "local routing anomaly", what would be the point for the attacker's target network, somewhere in the global internet, to check the BGP for its own routing advertisements? A single check at an available nearby point wouldn't do. You'd have to check your prefix at a number of routers worldwide and analyze the "spatial propagation" for anomalies in the distance metric... hardly feasible, unless you're Google.

    Then again the threat is probably real, as a number of people worldwide apparently work towards a more secure BGP. There is a decade-old standard called S-BGP... which probably hasn't reached universal use, if BGP hijacking is nowadays still (or ever more) in vogue...
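Several commenters above describe pieces of the same mechanism: Destroy All Monsters's "Router Alice tells Router Bob it has a shorter route", Wzrd1's "accept routing updates only from particular AS numbers", Mr Anonymous's "upstreams should always filter announcements", and Frank's question of what checking your own prefix against what the world sees would even look like. The following is an added example written for this page, not code from the article, from Renesys, or from any commenter. It models route selection as longest-prefix match (so a more specific announcement wins regardless of who sent it), then runs an RPKI-style origin check (RFC 6811 "valid / invalid / unknown" outcomes) over a constructed routing table, and finally shows the upstream-side prefix filter. The ROA table, AS numbers (RFC 5398 documentation range) and prefixes (RFC 5737) are all made up for the example; only the Python standard library is used.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    """One BGP route as observed at a vantage point (constructed, not real data)."""
    prefix: str        # e.g. "192.0.2.0/24"
    origin_as: int     # AS that claims to originate the prefix (last AS in the path)
    as_path: tuple     # AS_PATH as received: first element is the neighbour that sent it


# Constructed ROA-style table: which AS may originate which prefix, and the
# longest prefix length (maxLength) it is allowed to announce under that ROA.
# AS numbers are from the documentation range (RFC 5398), prefixes from RFC 5737.
ROAS = {
    "192.0.2.0/24":    (64496, 24),
    "198.51.100.0/22": (64497, 24),   # owner may de-aggregate down to /24
    "203.0.113.0/24":  (64498, 24),
}

# Constructed table as seen by a vantage-point router whose neighbour is AS 64500.
# The /25 from AS 64511 is a hijack of the legitimate /24: longest-prefix match
# sends half of 192.0.2.0/24 its way. The 203.0.113.0/24 entry has the right
# length but the wrong origin AS.
OBSERVED = [
    Announcement("192.0.2.0/24",    64496, (64500, 64496)),
    Announcement("198.51.100.0/23", 64497, (64500, 64499, 64497)),
    Announcement("192.0.2.0/25",    64511, (64500, 64511)),
    Announcement("203.0.113.0/24",  64510, (64500, 64510)),
]


def best_route(table, dst):
    """Longest-prefix match: the most specific covering announcement wins,
    regardless of who originated it. This is why a bogus /25 beats a real /24."""
    ip = ipaddress.ip_address(dst)
    covering = [a for a in table if ip in ipaddress.ip_network(a.prefix)]
    if not covering:
        return None
    return max(covering, key=lambda a: ipaddress.ip_network(a.prefix).prefixlen)


def validate_origin(ann, roas=ROAS):
    """Origin validation with RFC 6811 outcomes: 'valid', 'invalid', or 'unknown'
    (no ROA covers the prefix at all)."""
    net = ipaddress.ip_network(ann.prefix)
    matching = [(asn, maxlen) for p, (asn, maxlen) in roas.items()
                if net.subnet_of(ipaddress.ip_network(p))]
    if not matching:
        return "unknown"
    if any(asn == ann.origin_as and net.prefixlen <= maxlen for asn, maxlen in matching):
        return "valid"
    return "invalid"


def audit(table, roas=ROAS):
    """What a prefix owner's monitoring would report: every observed announcement
    that contradicts the ROAs for its address space."""
    return [a for a in table if validate_origin(a, roas) == "invalid"]


# Constructed upstream policy: the prefixes each directly connected customer AS
# is allowed to announce. A stub customer's AS_PATH should be just its own AS.
CUSTOMER_PREFIXES = {
    64496: ["192.0.2.0/24"],
}


def upstream_accepts(ann, peer_as, policy=CUSTOMER_PREFIXES):
    """The 'upstreams should always filter announcements' rule from the thread:
    accept a customer's route only if the path starts with that customer, the
    customer is the origin, and the prefix lies inside what the customer owns."""
    net = ipaddress.ip_network(ann.prefix)
    allowed = policy.get(peer_as, [])
    return (ann.as_path[0] == peer_as
            and ann.origin_as == peer_as
            and any(net.subnet_of(ipaddress.ip_network(p)) for p in allowed))


if __name__ == "__main__":
    for dst in ("192.0.2.10", "192.0.2.200"):
        r = best_route(OBSERVED, dst)
        print(f"{dst} -> {r.prefix} via origin AS{r.origin_as} ({validate_origin(r)})")
    for bad in audit(OBSERVED):
        print(f"ALERT: unauthorised origin AS{bad.origin_as} for {bad.prefix}")
    # A stub customer trying to announce someone else's /25 is dropped at the edge.
    print(upstream_accepts(Announcement("192.0.2.0/25", 64511, (64511,)), 64511))
```

Two things the toy makes visible that the thread argues about in prose. First, `best_route` picks the hijacker's /25 for 192.0.2.10 but the legitimate /24 for 192.0.2.200: a more-specific announcement steals only the part of the prefix it covers, which is the "local routing anomaly" Frank describes, and it does so without any "bidding". Second, `validate_origin` flags the /25 as `invalid` purely on origin AS and length, so the owner of 192.0.2.0/24 would see the problem from any vantage point that carries the route, while `upstream_accepts` shows the same announcement never leaving a properly filtered customer port in the first place.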
