This is interesting research:
In a BGP hijack, a malicious actor convinces nearby networks that the best path to reach a specific IP address is through their network. That’s unfortunately not very hard to do, since BGP itself doesn’t have any security procedures for validating that a message is actually coming from the place it says it’s coming from.
To better pinpoint serial attacks, the group first pulled data from several years’ worth of network operator mailing lists, as well as historical BGP data taken every five minutes from the global routing table. From that, they observed particular qualities of malicious actors and then trained a machine-learning model to automatically identify such behaviors.
The system flagged networks that had several key characteristics, particularly with respect to the nature of the specific blocks of IP addresses they use:
- Volatile changes in activity: Hijackers’ address blocks seem to disappear much faster than those of legitimate networks. The average duration of a flagged network’s prefix was under 50 days, compared to almost two years for legitimate networks.
- Multiple address blocks: Serial hijackers tend to advertise many more blocks of IP addresses, also known as “network prefixes.”
- IP addresses in multiple countries: Most networks don’t have foreign IP addresses. In contrast, for the networks that serial hijackers advertised that they had, they were much more likely to be registered in different countries and continents.
Note that this is much more likely to detect criminal attacks than nation-state activities. But it’s still good work.
Posted on October 17, 2019 at 6:08 AM •
This is a really interesting story of an ad fraud scheme that relied on hijacking the Border Gateway Protocol:
Members of 3ve (pronounced “eve”) used their large reservoir of trusted IP addresses to conceal a fraud that otherwise would have been easy for advertisers to detect. The scheme employed a thousand servers hosted inside data centers to impersonate real human beings who purportedly “viewed” ads that were hosted on bogus pages run by the scammers themselves—who then received a check from ad networks for these billions of fake ad impressions. Normally, a scam of this magnitude coming from such a small pool of server-hosted bots would have stuck out to defrauded advertisers. To camouflage the scam, 3ve operators funneled the servers’ fraudulent page requests through millions of compromised IP addresses.
About one million of those IP addresses belonged to computers, primarily based in the US and the UK, that attackers had infected with botnet software strains known as Boaxxe and Kovter. But at the scale employed by 3ve, not even that number of IP addresses was enough. And that’s where the BGP hijacking came in. The hijacking gave 3ve a nearly limitless supply of high-value IP addresses. Combined with the botnets, the ruse made it seem like millions of real people from some of the most affluent parts of the world were viewing the ads.
Lots of details in the article.
An aphorism I often use in my talks is “expertise flows downhill: today’s top-secret NSA programs become tomorrow’s PhD theses and the next day’s hacking tools.” This is an example of that. BGP hacking—known as “traffic shaping” inside the NSA—has long been a tool of national intelligence agencies. Now it is being used by cybercriminals.
EDITED TO ADD (1/2): Classified NSA presentation on “network shaping.” I don’t know if there is a difference inside the NSA between the two terms.
Posted on December 28, 2018 at 6:43 AM •
This is a long—and somewhat technical—paper by Chris C. Demchak and Yuval Shavitt about China’s repeated hacking of the Internet Border Gateway Protocol (BGP): “China’s Maxim Leave No Access Point Unexploited: The Hidden Story of China Telecom’s BGP Hijacking.”
BGP hacking is how large intelligence agencies manipulate Internet routing to make certain traffic easier to intercept. The NSA calls it “network shaping” or “traffic shaping.” Here’s a document from the Snowden archives outlining how the technique works with Yemen.
EDITED TO ADD (10/27): Boing Boing post.
Posted on October 24, 2018 at 6:00 AM •
Renesys is reporting that Internet traffic is being manipulatively rerouted, presumably for eavesdropping purposes. The attacks exploit flaws in the Border Gateway Protocol (BGP). Ars Technica has a good article explaining the details.
The odds that the NSA is not doing this sort of thing are basically zero, but I’m sure that their activities are going to be harder to discover.
Posted on November 21, 2013 at 1:42 PM •
Sidebar photo of Bruce Schneier by Joe MacInnis.