Massive Man-in-the-Middle Attacks Have Been Hijacking Huge Amounts Of Internet Traffic And Almost No One Noticed

from the this-is-a-problem dept

Recently, at the debate between former NSA (and CIA) boss Michael Hayden and reporter Barton Gellman, one of the statements Hayden made has stuck with me. He talked about this "wonderful" "accident of history and technology that put most of the world's web traffic inside the United States." He used this to suggest that it was our right and duty to therefore use that traffic to spy on everyone possible. I'm thinking about that statement, because (1) it was no "accident" of history or technology that resulted in that, but rather a concerted effort based on where the internet was first built and (2) because there's no reason why it needs to remain that way. And that second point is extra important when you realize that with a little effort, it's not that hard for determined individuals, organizations or governments to divert that traffic through other countries.

And, it turns out, that's exactly what's happening. Someone (or a group of someones) has been running a number of giant man-in-the-middle attacks, effectively routing a lot of traffic through Belarus and Iceland, as described in great detail by Renesys (and again in slightly more laymen's terms by Arik Hesseldahl).

Whoever is doing it, is almost certainly up to no good. It seems likely that the attacks are for criminal purposes, rather than government espionage, but it certainly could be done either way. Renesys gives a few examples of the hijackings, starting with a brief one in February of this year, in which global traffic was redirected to an ISP in Belarus, where the traffic had no reason to be. Renesys gives a single example of a trace showing a packet supposedly going from Guadalajara, Mexico to Washington, DC... but with quite the detour:
Here’s an example of a trace from Guadalajara, Mexico to Washington, DC that goes through Moscow and Minsk. Mexican provider Alestra hands it to PCCW for transit in Laredo, Texas. PCCW takes it to the Washington, DC metro area, where they would normally hand it to Qwest/Centurylink for delivery.

Instead, however, PCCW gives it to Level3 (previously Global Crossing), who is advertising a false Belarus route, having heard it from Russia’s TransTelecom, who heard it from their customer, Belarus Telecom. Level3 carries the traffic to London, where it delivers it to Transtelecom, who takes it to Moscow and on to Belarus. Beltelecom has a chance to examine the traffic, and then sends it back out on the “clean path” through Russian provider ReTN. ReTN delivers it to Frankfurt and hands it to NTT, who takes it to New York. Finally, NTT hands it off to Qwest/Centurylink in Washington DC, and the traffic is delivered.
Here's that same traceroute in graphic form from Renesys:
This is hardly the only example. I highly recommend reading the entire Renesys report. It notes how this happens, and how this had been a "theoretical concern," but is now happening "fairly regularly." It also notes that these attacks leave a very visible footprint -- and lots of large providers should be monitoring this, but aren't.

This is absolutely true, but it again brings me back around to Hayden's glee at this "accident of history." A reasonable person, actually concerned with basic online security would have (or should have) looked at that same claimed "accident of history" and realized that this was a clear threat that needed to be dealt with, rather than an opportunity. But that's not what happened. So, despite the NSA claiming over and over again that it's focused on protecting Americans and American businesses, its desire to spy on everyone also means that they've done little to nothing to prevent this kind of attack from happening now. Yes, it's great for the NSA when tons of traffic goes through the US to be spied on -- but it's also great for criminals, terrorists and enemies of the US when that traffic can be easily made to travel through other countries as well -- and that's now apparently being done on a regular basis.

It seems like a reasonable question to ask -- as current NSA boss Keith Alexander keeps talking up the need for better "cybersecurity" -- why he hasn't actually been focused on better securing and encrypting the entire internet. Of course, we all know the answer for that: doing so would make his other job (spying on everyone) much harder. It's yet another reason why it's dangerous to have Alexander in charge of both the NSA and US Cyber Command, when the two are clearly at cross purposes.


Reader Comments (rss)

(Flattened / Threaded)

  •  
    icon
    silverscarcat (profile), Nov 21st, 2013 @ 5:44am

    You know...

    I had been wondering why so many sites I visited at times seemed very slow.

    Could this be the reason?

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      John Fenderson (profile), Nov 21st, 2013 @ 8:44am

      Re: You know...

      You can run traceroute yourself and find out. It's simple to do. I do this when I experience unusual network behavior, but have never noticed an unusual route like this. It's possible that only certain traffic streams are redirected. (Pure speculation, I haven't read the report yet.)

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        beltorak (profile), Nov 21st, 2013 @ 8:59am

        Re: Re: You know...

        you should do a tcptraceroute (or tracetcp for windows). regular traceroute uses ICMP which is a completely different protocol than what HTTP uses (TCP). I don't think BGP tables can be written to differentiate by the protocol that is layered on top of IP, but many firewall setups do treat ICMP and TCP differently. This will help determine if there's a bad firewall/gateway somewhere in your path.

         

        reply to this | link to this | view in chronology ]

      •  
        identicon
        Brazenly Anonymous, Nov 21st, 2013 @ 9:30am

        Re: Re: You know...

        Insufficient in cases where the return traffic is the only traffic interfered with. However, if you were to get a fairly solid grasp on your Round Trip Time (RTT) and set the Time To Live (TTL) on your outbound packet to about 1/3 the RTT, you could use the presence or lack of response as a pretty solid indicator that return traffic has been tampered with.

        Doing this will of course require a fair amount of technical expertise.

         

        reply to this | link to this | view in chronology ]

        •  
          identicon
          Brazenly Anonymous, Nov 21st, 2013 @ 9:33am

          Re: Re: Re: You know...

          Wait, scratch that last bit. I didn't realize that ping offers an option to set TTL.

          So:
          ping -c 10 dest

          Take average response time, divide by three, we will call the result x.

          ping -t x -c 10 dest

          If you get responses, your return traffic is probably being tampered with.

           

          reply to this | link to this | view in chronology ]

  •  
    icon
    That One Guy (profile), Nov 21st, 2013 @ 5:47am

    Adding insult to injury

    You also have to wonder how much such hacking/redirects were facilitated by the actions of the NSA and other spy agencies intentionally weakening internet security and encryption, just to make their jobs easier.

    So it's quite likely that the NSA, who is supposedly in the business of protecting people, pretty much directly aided what appears to be fairly large scale MitM attacks against the very people they were supposed to be protecting.

    Thanks guys, really. /s

     

    reply to this | link to this | view in chronology ]

  •  
    icon
    Mark Harrill (profile), Nov 21st, 2013 @ 6:00am

    ISPs

    Would it surprise you if the NSA/CIA owned an ISP in Belarus?

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Nov 21st, 2013 @ 8:02am

      Re: ISPs

      Not particularly. Though given the hop that goes through Moscow, I'd suspect the Russians first. The NSA isn't sharing their goodies with Russia, so Russia has to get it's own.

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Nov 21st, 2013 @ 8:05am

      Re: ISPs

      Would it surprise you if the NSA/CIA owned an ISP in Belarus?

      Would it surprise me if the Russian FSB had inherited from the KGB a complete, thorough, and utter penetration of the NSA?   

      Would it surprise me if the the Russian FSB had further covertly obtained an appropriation of U.S. taxpayer dollars to purchase an ISP in Belarus?

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Nov 21st, 2013 @ 7:48am

    And they still cannot track down hackers.

    Can my tax dollars start being redirected to something that actually matters like education? How about that huge ass pothole at the end of my street?

    I think I can manage for a day without the NSA taking care of me. Well maybe, it would be hard to manage, but I'll do my best! I promise.

     

    reply to this | link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
     
    identicon
    out_of_the_blue, Nov 21st, 2013 @ 8:01am

    Was NOT "hi-jacked"! They still have their data!

    You're stepping on your piratey notion that data can be taken yet the owner of it isn't harmed.

    Anyway, rest of Mike's text just blames NSA for spying while omitting corporate spying. -- "it's also great for criminals, terrorists and enemies of the US' -- You can actually condense that to "mega-corporations", but I suppose it'd be okay if just added on the major bad actors.

    Just because a lot of people have gotten a lot of easy money off teh internets doesn't make it a plus overall: at the very least, the Internet enables spying on scale and in detail as never before.

    04:01:16[f-2-7]

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Nov 21st, 2013 @ 8:09am

      Re: Was NOT "hi-jacked"! They still have their data!

      If I hi-jack a plane the passengers have not lost their flights but they are going somewhere unintended. The exact same is happening here, no theft but a change of route by a seemingly unauthorized party. So yeah, hi-jack is the correct word.

      To the second half of your drivel: No corporations do not have the monopoly on evil or the intent to do harm. The list given was again correct.


      6/10 would rage again.

       

      reply to this | link to this | view in chronology ]

      •  
        identicon
        Anonymous Coward, Nov 21st, 2013 @ 7:35pm

        Re: Re: Was NOT "hi-jacked"! They still have their data!

        If anything I'd call it copying because that is what they're doing. Don't get me wrong I hate seeing our rights thrown to the wayside on a daily basis like they're nonexistent. It's sickening to even think of it because we're supposed to be the greatest nation in the world and the first line of defense when it comes to freedom, rights, and privacy.

        Now we're just this screwed up shadow powered by greed and corruption. I don't even know what to call it because it's sad and honestly it makes me ashamed to be an American. I love my country and my government is destroying it and from where I'm sitting I feel helpless when it comes to what could I do to help end this abuse.
        I cannot just walk away from life to fight the good fight. Well I could, but then I'd lose my house, car, and most likely my wife as well. That's why I feel helpless when it comes to the subject. :(

        I wish I knew what we could do, but I haven't the slightest clue which is pretty depressing as well. I almost wish I did not care because it would be far less painful than watching everything you believe in being ripped apart.

         

        reply to this | link to this | view in chronology ]

    • This comment has been flagged by the community. Click here to show it
       
      identicon
      out_of_the_blue, Nov 21st, 2013 @ 8:20am

      LONG LIVE ANDROID!

      I sure love google!

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Nov 21st, 2013 @ 8:28am

      Re: Was NOT "hi-jacked"! They still have their data!

      Hijack: Word #4027 that Blue does not understand.

       

      reply to this | link to this | view in chronology ]

      •  
        icon
        Gwiz (profile), Nov 21st, 2013 @ 8:44am

        Re: Re: Was NOT "hi-jacked"! They still have their data!

        Hijack: Word #4027 that Blue does not understand.


        It might be more efficient to keep a list of words Blue DOES understand.

         

        reply to this | link to this | view in chronology ]

        •  
          identicon
          Anonymous Coward, Nov 21st, 2013 @ 9:46am

          Re: Re: Re: Was NOT "hi-jacked"! They still have their data!

          ok.

          The
          Google
          is
          bad

          that cover it?

           

          reply to this | link to this | view in chronology ]

          •  
            identicon
            Anonymous Coward, Nov 21st, 2013 @ 10:51am

            Re: Re: Re: Re: Was NOT "hi-jacked"! They still have their data!

            List is too long. He clearly doesn't have a good handle on what 'Google' means because he lumps tons of stuff that doesn't belong into that entity, like this site for example.

             

            reply to this | link to this | view in chronology ]

            •  
              icon
              PaulT (profile), Nov 22nd, 2013 @ 1:44am

              Re: Re: Re: Re: Re: Was NOT "hi-jacked"! They still have their data!

              But Mike once went to the Google campus! That means they own him and everything on this site!

              Yes, that's what he honestly believes.

               

              reply to this | link to this | view in chronology ]

    •  
      identicon
      Brazenly Anonymous, Nov 21st, 2013 @ 10:49am

      Re: Was NOT "hi-jacked"! They still have their data!

      1) Copying data is different than re-routing packets and thereby generating additional delays in traffic.

      2) There is a massive difference in data that defines a work of art and data that describes the activities of a person. The first is intended to be publicly available and the question is one of cost. The second is not intended to publicly available.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Brazenly Anonymous, Nov 21st, 2013 @ 8:06am

    Level 3

    Given the technical requirements for such a large diversion*, I'd pin this as virtually requiring the deliberate cooperation of Level 3. Level 3 is also more or less confirmed as cooperating with the NSA to tap Google's datalinks. Since the router shouldn't know that the packets are coming from Mexico, it is likely that this redirection is happening also to packets sent from within the US.

    In other words, there is a distinct probability that, on order from the NSA, Level 3 is deliberately generating international paths for domestic packets, allowing the NSA to skirt restrictions on domestic monitoring. With current data the probability is low and additional data is unlikely to be easy to acquire, but keep that in mind regarding the monitoring of only international traffic.

    *Technical requirements: The problem here is the ease of generating a loop if NTT ever receives advertisements from Level 3. In order to avoid that, at least one of the two companies has to be clued in on the deal. In practice, it is much easier to isolate the irregular portion of the route than the regular one.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Nov 21st, 2013 @ 8:36am

      Re: Level 3

      My thoughts exactly. There is a possibility that the NSA has compromised routers in foreign ISPs so that they can route the traffic through them and capture it on foreign soil.

       

      reply to this | link to this | view in chronology ]

      •  
        identicon
        Anonymous Coward, Nov 21st, 2013 @ 8:39am

        Re: Re: Level 3

        Remember, Alexander doesn't just head the NSA but also USCC. This is EXACTLY the sort of thing the USCC not only could do but would do.

         

        reply to this | link to this | view in chronology ]

    •  
      icon
      John Fenderson (profile), Nov 21st, 2013 @ 8:50am

      Re: Level 3

      Well, Level 3 used to be known as Global Crossing. Remember the Global Crossing scandal? It's not a company that has a reputation for a high degree of integrity.

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Nov 21st, 2013 @ 1:07pm

      Re: Level 3

      Not quite. You can reroute traffic without the provider's knowledge. Bell did something similar a year or so back by allowing a multihomed session to falsely advertise AS. The routes propagated to other providers and soon most of the regionwas routed to that bad AS. They weren't sending traffic back out so we noticed right away. Still took over an hour for Tata, Bell, L3, Cogent, etc to clear their tables and get things back up. You can look these ip on MARC.

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Nov 21st, 2013 @ 8:07am

    "Instead, however, PCCW gives it to Level3 (previously Global Crossing), who is advertising a false Belarus route"

    Is it just me who sees this as not coincidental that the big "mistake" happens at Level3? Is there any connection between "Level 3 Communications" and "L-3 Communications" in terms of history or parent ownership?

    http://en.wikipedia.org/wiki/Level_3_Communications
    It just says... not to be confused with:
    http://en.wikipedia.org/wiki/L-3_Communications

    Both have had huge US Defense or Intelligence agency contracts.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Nov 21st, 2013 @ 8:18am

    Am I the only one who got confused because I immediately focused on the white areas, looking for the landmasses? I mean, really? A map with blue land an white water?

     

    reply to this | link to this | view in chronology ]

    •  
      icon
      mattshow (profile), Nov 21st, 2013 @ 8:44am

      Re:

      Am I the only one who got confused because I immediately focused on the white areas, looking for the landmasses? I mean, really? A map with blue land an white water?


      Nope, I was thinking the same thing. Then it clicked and everything came into focus and made sense.

       

      reply to this | link to this | view in chronology ]

    •  
      icon
      Vidiot (profile), Nov 21st, 2013 @ 10:44am

      Re:

      Mandatory Arrested Development quote:

      "Buster? You mean, the one who thought the blue on the map was land?"

       

      reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Nov 21st, 2013 @ 1:49pm

      Re:

      Online mapmakers utilize 'reverse coloring' to minimize blue pixel exhaustion, ensuring future generations will be able to enjoy the color blue.

       

      reply to this | link to this | view in chronology ]

  •  
    icon
    Chosen Reject (profile), Nov 21st, 2013 @ 10:45am

    I agree that Alexander's two positions are opposed to each other. He seems to have preferred the NSA one over the cyber security one. Would he suggest city walls are bad since they make it more difficult to see all angles of where the enemy might be coming from?

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Nov 22nd, 2013 @ 11:42am

    nsa and cybercommand are NOT at cross purposes, it's no joke when you realize that, the U.S. feds, i.e. ALL Departments, INCLUDING cybercommand want to COMMAND the internet. It's a pincer move, coming in from two directions.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Nov 23rd, 2013 @ 5:42am

    Almost seems like the US post office. I know someone who once tried to deliver a package to the same county and somehow, when tracking it (after not arriving for a while) it wound up getting routed all the way across the United States.

    Maybe the post office took over the Internet.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Causal Observer, Nov 23rd, 2013 @ 5:12pm

    Same in Santa Monica

    The notorious chinese hackers utilizing hn.kd.ny.adsl ( a fake TLD) been doing it for years and are routing traffic in Santa Monica, CA ( City Wifi open to the public) . I've contacted the management and the tech reps of the service provider on 3 occasions pointing this out and they don't care , nothing has been done in months since .

     

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This