Stealing the net
2013-11-21 22:05:50.396704+00 by Dan Lyke 1 comments
Lunch discussion today was about some of the ways in which misconfigured BGP and misplaced trust can result in MitM scanning of large quantities of Internet traffic. Which, apparently, someone is doing.
Renesys has the run-down on the man-in-the-middle Internet hijacking that's been throwing a lot of data through Iceland and Belarus (among others):
This year, that potential has become reality. We have actually observed live Man-In-the-Middle (MITM) hijacks on more than 60 days so far this year. About 1,500 individual IP blocks have been hijacked, in events lasting from minutes to days, by attackers working from various countries.
And various people have written run-downs on that:
- Techdirt: Massive Man-in-the-Middle Attacks Have Been Hijacking Huge Amounts Of Internet Traffic And Almost No One Noticed
- All Things D: How Somebody Forced the World's Internet Traffic Through Belarus and Iceland
The lunch conversation was with people who work with BGP (Border Gateway Protocol), and who pointed out that the routes through those countries don't necessarily mean that the sniffing was happening there. That is an artifact of how the hijack works: the bad route pulls the outbound data into the sniffer, which then has to dump it somewhere that doesn't have the bad route, so that it can be pushed back to the real destination without creating a loop.
It was also recommended that I watch DEF CON 16 Hacking Conference Presentation By Kapela - Pilosov - Stealing the Internet - Video and Slides (YouTube) to understand this, and to see a live demonstration of it happening.
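To make that loop-avoidance point concrete, here is a toy BGP simulation. It is added here and is not code from this post, from Renesys, or from the Kapela/Pilosov talk; the ASNs, prefixes and links are constructed for illustration. It models the trick the talk demonstrates: the attacker announces a more-specific prefix whose AS_PATH already contains the ASNs along its return path to the real origin, so those ASes discard the bogus route under BGP's loop-prevention rule and keep forwarding on the legitimate one, while everyone else prefers the more-specific and hands traffic to the attacker.

```python
"""Toy BGP simulation of the man-in-the-middle route hijack described in the
Kapela/Pilosov "Stealing the Internet" talk.  All ASNs, prefixes and links
are constructed for illustration; they are not the real networks involved in
the events the post links to.

Simplified BGP behaviour modelled:
  * an AS rejects any announcement whose AS_PATH already contains its own ASN
    (loop prevention);
  * best route per prefix = shortest AS_PATH, ties broken by lowest neighbour;
  * forwarding uses longest-prefix match.
"""
import ipaddress

# Constructed topology: undirected links between toy ASNs.
LINKS = {
    100: [200, 300],            # the victim's provider
    200: [100, 300, 400, 666],
    300: [100, 200, 500, 666],
    400: [200, 500],
    500: [300, 400, 64512],
    64512: [500],               # legitimate origin of TARGET (private-range ASN)
    666: [200, 300],            # attacker (assumption)
}
TARGET = ipaddress.ip_network("10.0.0.0/16")         # legitimately announced by 64512
MORE_SPECIFIC = ipaddress.ip_network("10.0.1.0/24")  # announced by the attacker
ATTACKER = 666


def converge(origins):
    """origins: {asn: [(prefix, as_path)]} for self-originated routes; the
    attacker's as_path may be forged.  Returns the converged RIBs:
    {asn: {prefix: (as_path starting with asn, next_hop or None)}}."""
    rib = {asn: {} for asn in LINKS}
    for asn, routes in origins.items():
        for prefix, path in routes:
            rib[asn][prefix] = (list(path), None)

    def key(route):                      # preference: shorter path, then lower neighbour
        path, nh = route
        return (len(path), -1 if nh is None else nh)

    changed = True
    while changed:                       # relax until no RIB improves
        changed = False
        for asn, nbrs in LINKS.items():
            for prefix, (path, _) in list(rib[asn].items()):
                for nbr in nbrs:
                    if nbr in path:      # loop prevention: neighbour's ASN already in AS_PATH
                        continue
                    cand = ([nbr] + path, asn)
                    cur = rib[nbr].get(prefix)
                    if cur is None or key(cand) < key(cur):
                        rib[nbr][prefix] = cand
                        changed = True
    return rib


def trace(rib, src, dst_ip, attacker=ATTACKER):
    """Follow the data path hop by hop.  Returns (asns visited, intercepted?, outcome)."""
    dst = ipaddress.ip_address(dst_ip)
    asn, hops, intercepted = src, [src], False
    while True:
        routes = rib[asn]
        if asn == attacker:
            intercepted = True           # sniffed here; forward on a route it LEARNED,
            routes = {p: r for p, r in routes.items() if r[1] is not None}  # not the forged one
        matches = [p for p in routes if dst in p]
        if not matches:
            return hops, intercepted, "no route"
        _, nh = routes[max(matches, key=lambda p: p.prefixlen)]   # longest-prefix match
        if nh is None:
            return hops, intercepted, "delivered"   # reached the AS that originates the prefix
        if nh in hops:
            return hops, intercepted, "loop"
        hops.append(nh)
        asn = nh


def scenario(forged_path):
    """Attacker announces MORE_SPECIFIC with the given AS_PATH; trace a packet from AS 100."""
    origins = {64512: [(TARGET, [64512])], ATTACKER: [(MORE_SPECIFIC, forged_path)]}
    return trace(converge(origins), 100, "10.0.1.5")


if __name__ == "__main__":
    # Naive hijack: the attacker's upstreams also take the bogus /24, so the
    # intercepted packet comes straight back: a routing loop, nothing reaches the target.
    print("naive     :", scenario([ATTACKER]))
    # Kapela/Pilosov style: prepend the ASNs of the return path (300 -> 500 -> 64512).
    # Those ASes reject the /24 as a loop and keep the real /16, so the attacker can
    # forward the sniffed traffic on to its true destination.
    print("prepended :", scenario([ATTACKER, 300, 500, 64512]))
```

The second scenario is exactly the situation the lunch conversation described: the packet leaves the attacker via an AS that never accepted the bad route, and the data path that shows up in a traceroute is that detour, not the place where the capture happened.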
The other thing of note: if the attacker mucks with the TTL of the traceroute packets, the only way to detect this is to look for timing differences between what the traceroute packet's TTL implies and the actual round trip, and to build some heuristics on those few milliseconds...