Your browser is obsolete!

The page may not load correctly.

  • add to favourites
    Add to Bookmarks

Network detour

Read: 299 Comments: 2 Rating: 8

Let's suppose someone decides to make some money on phishing scams and purchases a phishing kit. What do they do next? Of course, they could find a web host to make their site available to the general public and start sending scam emails to gullible users. But, if they couldn’t use this simple method, would they have any other options?

The Internet is resilient because sender-recipient data can be transmitted over multiple routes. This is similar to car drivers who can choose an alternative route to avoid a traffic jam (in our case, a "jam" is when a communication channel doesn't have sufficient bandwidth to transmit all the data).

Routes change constantly, with intermediate servers disappearing and reappearing. One can never be sure that an established route will remain usable throughout an entire session. The BGP (Border Gateway Protocol) is used to address this problem.

A BGP AS (autonomous system) is not just some abstract handy feature. This is serious business, and there exists a bureau that provides information about AS numbers on banking days from 9 a.m. to 5 p.m. These numbers are allocated by the RIR (Regional Internet Registry) or the LIR (Local Internet Registry).

And the IANA (Internet Assigned Number Authority) is above those two. Since IANA can't service all providers worldwide, it delegates some of its tasks to its regional representatives, each of which is responsible for a specific part of our planet (RIPE NCC fulfils the role in Europe and Russia).

#drweb

https://habr.com/post/184350

By the way, everyone has heard of IP addresses. But what happens if we swap the letters in this abbreviation?

PI – Provider Independent.

Usually when you start working with a service provider, they issue a number of public addresses for you—those are PA (Provider Aggregatable) addresses.

Acquiring them is easy but if your company leaves your service provider, you will have to return the PA addresses. And you can't simultaneously use the service from multiple providers.

And should you choose to change your service provider, the old PA addresses will remain with that provider, and your new ISP will get you new ones. But where’s the resilience here?

An LIR (Local Internet Registry) can assign you a set of PI (provider independent) addresses as well as an ASN (autonomous system number). Now these addresses belong to your company, and no service provider will take them away from you. If you don't like one ISP, you can easily switch to another one, with all your addresses remaining intact.

But let's get back to BGP. It’s important to remember that data is transmitted over a number of a service provider's servers, and they share information about available routes with neighbouring nodes. Then what would happen if one of them provides incorrect routing information?

Attackers used BGP to redirect Amazon Route 53 (Amazon DNS) traffic to their own DNS server. As a result, users wanting to visit MyEtherWallet.com (the site that facilitates access to Ethereum wallets) were redirected to a bogus server hosting a fake copy of the site.

#drweb

A rogue route was introduced on behalf of the US ISP eNet (AS 10297) in Columbus, OH. After an announcement was made by the attackers, all of eNet’s peers, which included such large communication companies as Level 3, Hurricane Electric, Cogent and NTT, started routing traffic intended for Amazon Route 53 to the attackers' server.

Remember any film or cartoon scenes of someone repositioning a way-finding sign at a crossroad?

No one noticed the hijack for two hours, and the criminals were able to steal money unhindered!

Apart from compromising a network node, are there any other ways to alter a route?

  • Find a large number of vulnerable routers whose routing tables can be altered by furnishing them with corrupt DNS information.

All other options require access to the router. And many tricks exist for accomplishing this task. Here are just few that come to mind:

  • A BGP interface brute-force attack;
  • Gain access by compromising an email account or hacking into the computer of an employee or an administrator (who controls the router);
  • Exploit existing loopholes in the BGP service on the router (my experience shows that those are usually Bird, Quagga or the Cisco daemon);
  • Exploit vulnerabilities in other services being run on the router;
  • "Wedge" between two nodes engaged in a BGP session.

https://cryptoworld.su/перехват-трафика-с-помощью-подмены-bgp-с/

This is how vulnerable our digital environment actually is!

Why are we telling you all this? Usually when we speak about data theft or a system getting infected via a website, we are implying that threat actors exploited a vulnerability. But sites do not necessarily have loopholes (or criminals may be unable to find them). Then redirecting traffic can help mount an attack against a target group visiting a specific site. Such an attack is complicated to execute, but neither owners nor visitors to the target site can learn about the attack in advance can do nothing to prevent it.

#fraud #phishing #personal_data #site

Dr.Web recommends

BGP hijacking is one of those rare cases when Parental Control won't help because attackers use legitimate addresses and a proper site name. So don't lower your guard, and exercise caution when submitting personal information or performing transactions online!

Rate this issue and receive Dr.Weblings! (1 vote = 1 Dr.Webling)

Sign in and get 10 Dr.Weblings for sharing the link to this issue via social media.

[Twitter]

Unfortunately, due to Facebook's technical limitations, Dr.Weblings cannot be awarded. However, you can share this link with your friends for free.

Tell us what you think

Leave your comment on the day of publication and get 10 Dr.Weblings, or get 1 Dr.Webling for a comment posted any other day. Comments are published automatically and are reviewed by a moderator. Rules for leaving comments about Doctor Web news items.

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.

Comments