Malice or mistake? Cyber sleuths weigh in on Internet hijack attack

Security experts investigate roots and motive behind surprise rerouting of Internet traffic through Belarus and Iceland

Security research firm Renesys has sounded the alarm over what it believes to be a massive hijacking and redirection of Internet traffic. What's tougher to prove is who's responsible -- and whether malice or incompetence is at work.

The attack involves misusing the Internet's Border Gateway Protocol (BGP), the system by which traffic is routed between peers on the Internet. Several times over the course of 2013, Renesys has monitored and observed what it believes to be systematic misdirection of traffic through hosts in Belarus and Iceland.

BGP works by having each host in the Internet advertise to other hosts what destinations it can reach and how many hops it'll take to get there. A malicious host could advertise itself as being the shortest path to a destination that's actually on the other side of the globe.

How to steal the Internet in one easy step

BGP poisoning, as it's called, isn't new. An earlier BGP incident involved Pakistan Telecom trying to block YouTube but instead taking it offline for the rest of the world. Another involved the majority of Internet traffic being redirected to China for 18 minutes in November 2010. The mechanics of using such a redirection as an attack have been known for years.

Earlier this year, Renesys spotted two acts of redirection that made them suspicious. The first involved Internet traffic being redirected through Belarusian ISP GlobalOneBel -- where traffic originally sent from Guadalajara, Mexico, and intended for Washington, D.C., ended up being diverted through London, Moscow, Minsk, and Frankfurt, before finally bouncing back to the United States.

"These redirections took place on an almost daily basis throughout February, with the set of victim networks changing daily," Renesys claims. "Victims whose traffic was diverted varied by day, and included major financial institutions, governments, and network service providers. Affected countries included the US, South Korea, Germany, the Czech Republic, Lithuania, Libya, and Iran."

A second series of routing diversions, equally unsubtle, sent traffic through Iceland. When Renesys contacted the Icelandic ISPs for clarification, they were at first snubbed, then later told "the problems were the result of a bug in vendor software, that the problem had gone away when patched, and that they did not believe this problem had a malicious origin."

Renesys was skeptical about this being a bug. That left two other possibilities: a mistake or an attack.

Suspicions arise

The Washington Post reporter Andrea Peterson contacted Andree Toonk, founder and lead developer at, for perspective. Toonk felt there wasn't enough data to tell "if what we see is intended or by accident" -- whether it was the result of someone messing up a data table or if the hijack was done with a greater purpose.

But Jennifer Rexford, a computer science professor at Princeton University, told Peterson that most BGP outages caused by mistake do not look like this. Another source, Akamai CSIRT director Michael Smith, told Peterson that such attacks, while dangerous, have a "limited shelf life" -- they advertise themselves rather loudly and ought to be easy to detect.

I reached out to Rebecca Kastl, senior security consultant, and Erik Bataller, principal security consultant for Neohapsis, and asked for their views. Both concurred that without further data it would be difficult to tell if the BGP reroutings were deliberate or not.

Kastl was, however, dubious that this was an accident, since the way traffic was routed in these incidents was markedly unlike the way it changes when BGP is misconfigured by mistake.

"This attack," she wrote, "would require changing BGP reachability information such that Internet traffic flows through and not to the attacker. The latter is easier to accomplish than the former, but the latter also breaks Internet routing architectures whereas the former would not. Because of this, I find it hard to accept that this was an 'accident' or a 'bug.'"

"If this was a malicious attack," Bataller added, "the two most likely motives would either be that someone was testing and honing a technique or there was specific traffic during those periods they were trying to hijack."

Kastl further believed one possible motive was financial crime: "There are a large number of payment card issuers," she wrote, "and the resulting mixture of legacy systems, platform interoperability, and other factors results in card personalization data frequently being transmitted via unencrypted communications. BGP misconfiguration could be an easy method to passively acquire this data without needing to actually compromise the target systems where sensitive data is stored."

BGP is a legacy of the Internet's early days of assumed mutual trust, and its security could be improved greatly. At least one proposal has been advanced in pursuit of that goal.

In the meantime, Renesys believes that "the best way to prevent manipulation of trust-based routing will be to help people expose violations of trust, and recognize those who implement best practices."

This article, "Malice or mistake? Cyber sleuths weigh in on Internet hijack attack," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow on Twitter.

Copyright © 2013 IDG Communications, Inc.

How to choose a low-code development platform