How Somebody Forced the World’s Internet Traffic Through Belarus and Iceland
[t]http://www.renesys.com/wp-content/uploads/2013/11/global-hijack-cities.png[/t]
[i]Locations targeted by the attacks[/i]
[QUOTE]What if someone slipped in between you and the various servers you’re connecting with and diverted your traffic elsewhere, funneling it through a choke point of their choosing, so they could capture, copy and analyze it? Your data takes some extra — and imperceptible — milliseconds to get where it’s going and ultimately everything you’re doing online works just fine. But your traffic has been hijacked by parties unknown and you’re none the wiser that it has happened.
In network security circles, this is what’s known as a Man-In-The-Middle attack. And for years it has been understood to be possible in theory, but never seen in practice. That changed earlier this year when someone — it’s unclear who — diverted Internet traffic from some 150 cities around the world through networks in Belarus and Iceland.
The troubling disclosure came yesterday from the research company Renesys. The firm specializes in tracking the operational health of global Internet infrastructure. When Internet traffic goes down in one country or another, whether because of a natural disaster or political unrest, Renesys is usually among the first to see it.
The attack — and Renesys maintains that it was an attack — targeted large Internet carriers in every major city in the U.S. and numerous major cities in Europe and around the world.
...
The first incident took place during most of the month of February, when Internet traffic was silently redirected through an Internet service provider called GlobalOneBel, based in the Belarusian capital, Minsk. The targets of these attacks included financial institutions, government agencies and network service providers.
...
These attacks occurred throughout February and into March. Then they stopped for a while.
The attacks resumed in May, and almost right away the choke point switched from Belarus to Iceland. For about five minutes — literally — traffic was routed through an Icelandic ISP called Nyherji hf.
Then they stopped again — until July. This time, the venue was again in Iceland. Beginning on July 31, traffic from a large VOIP company — Renesys wouldn’t name it — was diverted through an Internet service provider called Opin Kerfi that oddly announced access to 597 different IP blocks versus its usual three.
The result caused routine Internet traffic to take some routes that were so indirect as to be absurd. For a brief time on Aug. 2, data traffic between two providers in Denver didn’t just flow across town as it normally would. Instead the bits went to Iceland first, with stops in London, Montreal, New York, Dallas and Kansas City along the way.[/QUOTE]
There is a lot more detailed information, including how it worked, in the source: [url]http://allthingsd.com/20131120/how-somebody-forced-the-worlds-internet-traffic-through-belarus-and-iceland/[/url]
is it just me or does the internet seem more weaponised than ever before... this obviously has some state backing somewhere
Sounds like a test to me.
Sounds like a really easy way to take out service of somebody you don't like, pushing that much data through a single choke point would just crash the systems there.
Sounds like a good time to start using RSA-keys on my servers.
Woo, my city is marked on that map!
Neat.
[QUOTE=Doctor Zedacon;42931385]Woo, my city is marked on that map!
Neat.[/QUOTE]
That's not exactly a good thing....
Oh great mine is marked too.
the internet is fucking cool
-snip-
Real life criminals are often much more clever and terrifying than the two dimensional bad guys seen in many movies.
This shit is scary, there's shit like Stuxnet floating around that could be used for so much more than scaring some system engineers with ACDC songs, and then this incident just shows you the shit people can do.
That explains all that lag in my MOBAs. I need those precious milliseconds.
Wow, that would be a very effective way to take down an entire service.
Doesn't look like it's being used to take out services/flood a place with traffic though. Moreover, it's a sort of surveillance-type thing and nobody knows who's doing the spying.
[t]http://www.renesys.com/wp-content/uploads/2013/11/jim_blog_nov_2013_path1e.jpg[/t]
[quote]It’s possible to drag specific Internet traffic halfway around the world, inspect it, [url=http://conferences.sigcomm.org/sigcomm/2012/paper/ccr-paper266.pdf]modify it if desired[/url], and send it on its way. The recipient, perhaps sitting at home in a pleasant Virginia suburb drinking his morning coffee, has no idea that someone in Minsk has the ability to watch him surf the web. Even if he ran his own traceroute to verify connectivity to the world, the paths he’d see would be the usual ones. The reverse path, carrying content back to him from all over the world, has been invisibly tampered with.[/quote]
Not only can this be used for spying on whatever/whoever you need to, it can also change the information being sent, which opens up a whole list of problems, even for the most secure internet users.
What makes this so hard to figure out is that even though you've got a [url=http://puu.sh/5oI1c.png]list of IPs[/url] to see where it went, they're all just small-time internet service providers who helped receive and send the data to where it thought was the right place. It isn't however, and as to who's actually messed with the connection route to make it do that, it's a bit harder to figure out.
bit more information/graphs and things on [url=http://www.renesys.com/2013/11/mitm-internet-hijacking/]the official renesys blog[/url]
Sounds like we've discovered part of what the NSA's massive budget has been going towards.
It'd be nice if we could deploy IPSec for more things, along with running everything over TLS (One of the nice things about HTTP/2 is that it mandates support for TLS, so Firefox at least will [b]only[/b] do HTTP/2 over TLS)
They mean specific data right? They couldn't possibly have diverted [I]all[/I] the traffic at the same time?
[QUOTE=demoguy08;42933354]They mean specific data right? They couldn't possibly have diverted [I]all[/I] the traffic at the same time?[/QUOTE]
I don't see why not; they could handle the traffic easily if they have dedicated lines re-routing the traffic.
[quote]As of 2011 the record for bandwidth on a single core was 101 Tbit/sec (370 channels at 273 Gbit/sec each). The record for a multi-core fibre as of January 2013 was 1.05 petabits per second.[/quote]
[url]http://en.wikipedia.org/wiki/Optical_fiber#Optical_fiber_communication[/url]
reading through this again, and
[quote]at 07:36:36 UTC on July 31st 2013, Icelandic provider Opin Kerfi (AS48685) began announcing origination routes for 597 IP networks owned by one of the largest facilities-based providers of managed services in the United States, a large VoIP provider.[/quote]
I'm willing to bet that's skype they're referring to.
this whole thing is both interesting and also kind of bothering me
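The announcement quoted above (one AS suddenly originating 597 networks registered to somebody else) is exactly what a route monitor flags. The following is an added example, not code from the article, Renesys or anyone in this thread: it checks a stream of BGP announcements for prefixes whose origin AS differs from the registered origin, and for ASes originating prefixes outside their baseline. All prefixes, timestamps and AS numbers other than AS48685 are constructed placeholders.

```python
from collections import defaultdict

# Registered origin AS per monitored prefix (constructed; a real monitor
# would build this from IRR/RPKI data or the customer's own inventory).
EXPECTED_ORIGIN = {
    "198.51.100.0/24": 64500,   # placeholder "large VoIP provider"
    "203.0.113.0/24": 64500,
    "192.0.2.0/24": 64501,
}

# Prefixes each watched AS normally originates. The article says Opin Kerfi
# (AS48685) usually announced three blocks; these three are placeholders.
BASELINE = {48685: {"198.18.0.0/24", "198.18.1.0/24", "198.18.2.0/24"}}

# Constructed announcements: (UTC time, prefix, AS path as seen by a peer).
UPDATES = [
    ("07:36:35", "192.0.2.0/24", [64496, 64501]),      # legitimate origin
    ("07:36:36", "198.51.100.0/24", [64496, 48685]),   # AS48685 originating
    ("07:36:36", "203.0.113.0/24", [64496, 48685]),    # someone else's space
    ("07:36:37", "198.18.0.0/24", [64496, 48685]),     # its own usual block
]


def detect_origin_hijacks(updates, expected=EXPECTED_ORIGIN):
    """Return (time, prefix, seen_origin, expected_origin) for every
    announcement whose origin AS (rightmost AS in the path) is not the
    registered origin of that prefix. Unmonitored prefixes are ignored."""
    alerts = []
    for ts, prefix, as_path in updates:
        if not as_path:
            continue
        origin = as_path[-1]
        want = expected.get(prefix)
        if want is not None and origin != want:
            alerts.append((ts, prefix, origin, want))
    return alerts


def unexpected_originations(updates, baseline=BASELINE):
    """For each AS with a known baseline, list the prefixes it originated
    that are outside that baseline. A jump from 3 to 597 blocks is the
    kind of surge that made Opin Kerfi stand out."""
    seen = defaultdict(set)
    for _, prefix, as_path in updates:
        if as_path:
            seen[as_path[-1]].add(prefix)
    return {asn: sorted(seen.get(asn, set()) - normal)
            for asn, normal in baseline.items()
            if seen.get(asn, set()) - normal}


if __name__ == "__main__":
    for alert in detect_origin_hijacks(UPDATES):
        print("origin mismatch:", alert)
    print("unexpected originations:", unexpected_originations(UPDATES))
```

Both checks only tell you that a route looks wrong; as the thread notes, attributing who injected it is a separate and harder problem.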
[QUOTE=demoguy08;42933354]They mean specific data right? They couldn't possibly have diverted [I]all[/I] the traffic at the same time?[/QUOTE]
They might as well have; the data is just being diverted through a longer than necessary route to reach home, and it's inspected by some unwanted third party during the detour. Since it's an actual internet service provider the traffic ends up going through and not some private server made for snooping, that ISP doesn't have much trouble in handling extra data. It's naturally built and designed to do so.