Rotors of M-209 cipher machine.

BGP Hijacking and Other Routing Attacks and Problems

Intentional BGP Hijacking

Organizations like the NSA manipulate Internet routing to make certain traffic easier to intercept. The NSA calls it "network shaping" or "traffic shaping".

The same techniques make their way to organized crime. A criminal group used a large reservoir of trusted IP addresses, malware installed on millions of computers, and BGP route hijacking to cause billions of false ad impressions and defraud advertisers out of $29 million.
Google and Whiteops analysis
Ars Technica article

October-November 2018 — An article in Military Cyber Affairs accused the Chinese government of manipulating BGP routing in order to intercept Internet traffic. That was followed by a blog posting from Oracle's Internet Intelligence about BGP misdirection through China in 2015 through 2017.
China's Maxim — Leave No Access Point Unexploited: The Hidden Story of China Telecom's BGP Hijacking
China Telecom's Internet Traffic Misdirection

Soon after, for 83 minutes on 12 November, traffic to large blocks of Google-owned IP space was routed through China Telecom, TransTelecom in Russia, and MainOne, a small ISP in Nigeria. The ThousandEyes network-monitoring and analysis organization commented: "This incident further underscores one of the fundamental weaknesses in the fabric of the Internet. BGP was designed to be a chain of trust between well-meaning ISPs and universities that blindly believe the information they receive. It hasn’t evolved to reflect the complex commercial and geopolitical relationships that exist between ISPs and nations today."
ThousandEyes on 12 Nov 2018 event
Ars Technica report

April 2018 — Someone took over part of Equinix, an ISP in Columbus, Ohio, USA, causing it to advertise a preferred route for a block of addresses that includes Amazon's Route 53 DNS service. A fake DNS server at Equinix then provided misleading answers for address queries about MyEtherWallet.com, and discarded all other queries.

The result was that some users of MyEtherWallet.com, a cryptocoin wallet app, had their traffic misdirected to a man-in-the-middle attack. There are reports that over $150,000 in Ethereum was stolen through this attack. Some users of other services using Route 53, such as Instagram, were unable to reach their desired server.
ThousandEyes on AWS Route 53 DNS and BGP hijack

December 2017 — Network traffic to and from Google, Facebook, Apple, Microsoft, Mail.ru, Vkontakte, and other prominent sites was misrouted through AS39523, an obscure Russian network.
BGPmon analysis
Qrator analysis
Ars Technica article

April 2017 — Network traffic to and from MasterCard, Visa, and over two dozen other financial institutions was misrouted through Rostelecom, a telco controlled by the Russian government.
BGPmon analysis
Ars Technica article

July 2015 — Hacking Team and a case of BGP hijacking

July 2015 — Ars Technica on Hacking Team orchestrated brazen BGP hack to hijack IPs it didn't own

September 2014 — Why Is It Taking So Long to Secure Internet Routing?

2013 — Renesys reported that attacks over a period of several months had hijacked BGP routes from about 1,500 IP blocks for periods lasting from minutes to days, re-routing traffic through Belarus, Russia, and Iceland. Victims included large banks, foreign ministries of several countries, a large US VoIP provider, and several ISPs. At one point traffic between two networks in Denver, Colorado, was redirected via the US east coast and Iceland. Also see the Renesys report:
The New Threat: Targeted Internet Traffic Misdirection

8 April 2010 — China Telecom hijacked Internet backbone traffic in what has been described as 15% of the Internet backbone traffic for 18 minutes in "both a large-scale experiment and a demonstration of Chinese capabilities." Reports include:
Arbor Networks
Ars Technica
The Citizen Lab
The Register
Reuters

Political Outages

Authoritarian regimes in Africa, the Middle East, and Asia sometimes disconnect or otherwise disrupt national Internet access around elections or other times of anticipated unrest, or even during school testing times.

According to research by Oracle + Dyn, this started with Egypt disconnecting itself in January 2011. It was followed by intentional disruptions in Bahrain, Libya, and Syria.

The Migration of Political Internet Shutdowns
Oracle Dyn Global Business Unit
The Global Economic Damage of Internet Blackouts
The Atlantic

Egypt started this trend in January 2011:
Egypt Cuts Off Most Internet and Cell Service
The New York Times
Egypt Leaves the Internet
Dyn Blog

Iraq blocked Internet access in June 2014 in areas where ISIS has a physical presence:
Iraqi Government Takes Its Fight With ISIS Online
Foreign Policy

Then in May, August, and October 2015, Iraq blocked Internet access to prevent 6th-grade school children from cheating on tests:

Uzbekistan had already done this, in August 2014:

The National Intelligence Agency of the Democratic Republic of Congo ordered that the Internet be blocked in Kinshasa until further notice. This was after bloody clashes between opponents of President Joseph Kabila and police:
DR Congo authorities block Internet in Kinshasa — operators
Agence France-Presse

In February 2016, Gujarat State in India blocked mobile Internet access to stop exam cheating:
To beat exam cheats, Gujarat to block mobile internet today
The Times of India

In June 2016 Algeria blocked Internet access to stop exam cheating:
Algeria blocks Facebook, Twitter to stop exam cheats: state media
Reuters

In July and August 2016 Syria repeatedly shut down the Internet for 4 hours per day to prevent cheating on national high school exams:
Syria goes to extremes to foil cheaters
Dyn Blog

Gabon shut down its Internet connection in September 2016 after announcing election results:
Quartz

Cameroon blocked Internet access in English-speaking areas of the country in January 2017 after a series of protests:
Cameroon goes offline after Anglophone revolt
CNN
Cameroon's Internet Has Been Cut For Four Weeks With No End in Sight
Vice Motherboard

An article in March 2017 reported on the seven-year series of intentional interruptions to communications in the Democratic Republic of Congo:
The Evolution of Internet Shutdowns in DR Congo
CIPESA

Togo cut Internet access through the fall of 2017 in response to protests:
Why are people protesting in Togo?
Al Jazeera
WhatsApp's role as a government protest tool is in the spotlight again as Togo blocks it
Quartz

In December 2017 Equatorial Guinea held an election. Internet access had been restricted for years (access to opposition websites had been blocked for 4 years), was restricted further once the electoral campaign started in late October, and was cut off entirely around the day of voting. See:
Deutsche Welle
Reporters Without Borders
News24

In January 2018 the Democratic Republic of Congo blocked the Internet and set up physical barriers on roads:
News24
Quartz

Outages Caused by Routing Blunders

2004 — TTNet in Turkey (AS9121) accidentally pretended to be the entire Internet on the morning of Christmas Eve (U.S. time), leaving large chunks of the Internet unreachable for a few hours.

2008 — In February 2008, the Pakistani government was worried that a video disrespectful toward Muhammed had been uploaded to YouTube. Government leaders directed Pakistan Telecom to either force YouTube to remove the video or else shut down YouTube. Informed that neither of those was possible, the government settled for making it so no one using Pakistan Telecom could view anything on YouTube.

You don't do that by filtering rules, as the edge routers can't keep up. You do it by black-holing the route(s) to the corresponding IP block(s).

The problem was that they then propagated those black-hole routes over BGP to PCCW, an ISP in Hong Kong, which in turn propagated those extremely attractive routes across the Internet. It made it look as though some corner of Pakistan was, by far, the most attractive route to YouTube. Almost everyone's attempted connection got routed that way.
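The mechanism described above, as an added example that is not part of the original article: a small Python model of longest-prefix-match route selection. It uses constructed documentation-range prefixes and AS numbers (not the real 2008 values) and shows the more-specific black-hole route winning for everyone once the upstream accepts it unfiltered, and being dropped when the upstream filters customer announcements against the address space that customer is allowed to originate.

```python
# Added example (not from the original page): a toy model of BGP longest-prefix-match
# route selection. It shows why a black-hole route for a more-specific prefix, once
# leaked to an upstream that does not filter, wins for the whole Internet, and how
# an upstream prefix filter on customer announcements would have dropped it.
# Every prefix and AS number here is constructed from RFC 5737/5398 documentation
# space; none are the real values from the 2008 incident.
import ipaddress

LEGIT_PREFIX = "192.0.2.0/24"            # constructed: the video site's allocation
LEGIT_AS = 64496                         # constructed: its origin AS
BLACKHOLE_PREFIX = "192.0.2.0/25"        # constructed: more-specific null route
HIJACKER_AS = 64500                      # constructed: ISP that leaked the null route
HIJACKER_ALLOCATION = "198.51.100.0/24"  # constructed: the only space that ISP owns

def select_route(rib, dst):
    """Longest-prefix match: the most specific prefix covering dst wins,
    regardless of who announced it. Returns (prefix, origin_as) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, origin_as in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin_as)
    return (str(best[0]), best[1]) if best else None

def import_from_customer(rib, announcements, allowed_prefixes=None):
    """Upstream import policy. With allowed_prefixes=None every announcement is
    accepted (the failure mode in the text). Otherwise a prefix is accepted only
    if it lies inside space the customer is permitted to originate."""
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        net = ipaddress.ip_network(prefix)
        ok = allowed_prefixes is None or any(
            net.subnet_of(ipaddress.ip_network(a)) for a in allowed_prefixes)
        if ok:
            rib[prefix] = origin_as
            accepted.append(prefix)
        else:
            rejected.append(prefix)
    return accepted, rejected

def scenario(filtered):
    """Route the rest of the Internet picks for a host in the video site's block,
    after the hijacker's upstream imports the leaked black-hole route."""
    rib = {LEGIT_PREFIX: LEGIT_AS}
    allowed = [HIJACKER_ALLOCATION] if filtered else None
    import_from_customer(rib, [(BLACKHOLE_PREFIX, HIJACKER_AS)], allowed)
    return select_route(rib, "192.0.2.10")
```

Calling `scenario(False)` returns the leaked /25 via the hijacker's AS; `scenario(True)` returns the legitimate /24, because the filter never lets the more-specific prefix into the table.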

The result for most of the world was that you lost access to YouTube for a few hours. Somehow society survived that episode. The result within Pakistan was that all telecommunications were disrupted for several days, maybe a week. Mobile phones couldn't connect to the network, and wired phones had no dial tone. Also see the Ars Technica report.

2010 — Renesys reported that something like 15% of the Internet's backbone traffic was re-routed through China for 18 minutes in April.

2014 — China suffered a country-wide Internet outage for 45 minutes on 22 January 2014. Chinese government spokesmen blamed the outage on the DNS root servers. But outsiders said that the Chinese government's attempt to control their citizens' Internet access involved a DNS poisoning operation that spun out of control.

They wanted to block access to 65.49.2.178, belonging to Dynamic Internet Technology, which provides the FreeGate censorship-circumvention tool and also hosts a Falun Gong news portal mirror. They instead poisoned the DNS records by mapping all domain names in the world to that single IP address. This was a massive distributed denial of service attack against that company, as China is estimated to have more Internet users than any other country (other than India) has people. But none of those masses could see anything until the DNS caches got straightened out.

2014 — Domestic Russian traffic between Moscow and Yaroslavl was routed through Stockholm and a China Telecom router in Frankfurt, Germany; see Ars Technica coverage here and an analysis by Dyn Research (formerly Renesys) here. It says that a network sharing agreement and BGP peering relationship between Russian mobile provider Vimpelcom and China Telecom led to one party leaking the routes received from the other "over a dozen times in the past year between these two providers." The same author wrote about China's accidental 18-minute hijacking of backbone routes in 2010.
