Massive Man-in-the-Middle Attacks Have Been Hijacking Huge Amounts Of Internet Traffic And Almost No One Noticed
from the this-is-a-problem dept
Recently, at the debate between former NSA (and CIA) boss Michael Hayden and reporter Barton Gellman, one of the statements Hayden made has stuck with me. He talked about this "wonderful" "accident of history and technology that put most of the world's web traffic inside the United States." He used this to suggest that it was our right and duty to therefore use that traffic to spy on everyone possible. I'm thinking about that statement, because (1) it was no "accident" of history or technology that resulted in that, but rather a concerted effort based on where the internet was first built, and (2) because there's no reason why it needs to remain that way. And that second point is extra important when you realize that, with a little effort, it's not that hard for determined individuals, organizations or governments to divert that traffic through other countries. And, it turns out, that's exactly what's happening. Someone (or a group of someones) has been running a number of giant man-in-the-middle attacks, effectively routing a lot of traffic through Belarus and Iceland, as described in great detail by Renesys (and again in slightly more layman's terms by Arik Hesseldahl).
Whoever is doing it, is almost certainly up to no good. It seems likely that the attacks are for criminal purposes, rather than government espionage, but it certainly could be done either way. Renesys gives a few examples of the hijackings, starting with a brief one in February of this year, in which global traffic was redirected to an ISP in Belarus, where the traffic had no reason to be. Renesys gives a single example of a trace showing a packet supposedly going from Guadalajara, Mexico to Washington, DC... but with quite the detour:
Here’s an example of a trace from Guadalajara, Mexico to Washington, DC that goes through Moscow and Minsk. Mexican provider Alestra hands it to PCCW for transit in Laredo, Texas. PCCW takes it to the Washington, DC metro area, where they would normally hand it to Qwest/Centurylink for delivery.
Here's that same traceroute in graphic form from Renesys:
Instead, however, PCCW gives it to Level3 (previously Global Crossing), who is advertising a false Belarus route, having heard it from Russia’s TransTelecom, who heard it from their customer, Belarus Telecom. Level3 carries the traffic to London, where it delivers it to Transtelecom, who takes it to Moscow and on to Belarus. Beltelecom has a chance to examine the traffic, and then sends it back out on the “clean path” through Russian provider ReTN. ReTN delivers it to Frankfurt and hands it to NTT, who takes it to New York. Finally, NTT hands it off to Qwest/Centurylink in Washington DC, and the traffic is delivered.
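The Renesys trace above shows the mechanism: one network advertises a route it has no right to, a transit provider accepts it, and the bogus path propagates. The usual defence is to compare what route collectors see against a baseline of which AS legitimately originates each prefix. The following is an added example, not code from the post or from Renesys; the prefixes, AS numbers and announcements are constructed placeholders, not the real networks named above.

```python
from ipaddress import ip_network

# Constructed baseline: prefix -> ASN that legitimately originates it.
# Placeholder ASNs/prefixes, not the networks in the Renesys report.
EXPECTED_ORIGIN = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
}

# Constructed announcements as a route collector would see them:
# (prefix, AS path from the collector's peer down to the origin AS).
ANNOUNCEMENTS = [
    ("203.0.113.0/24", [64510, 64500]),                # legitimate origin
    ("203.0.113.0/24", [64520, 64530, 64540, 64550]),  # foreign origin
    ("203.0.113.0/25", [64520, 64530, 64540, 64550]),  # more-specific, foreign origin
    ("198.51.100.0/24", [64510, 64501]),               # legitimate origin
]

def covering_prefix(prefix):
    """Return the baseline prefix that contains `prefix`, or None."""
    net = ip_network(prefix)
    for known in EXPECTED_ORIGIN:
        if net.subnet_of(ip_network(known)):
            return known
    return None

def check_announcement(prefix, as_path):
    """Classify one announcement against the baseline.

    Besides the origin seen, the detail names the AS that passed the
    route on (the origin's neighbour in the path): that is the transit
    whose route filtering an operator would question first.
    """
    origin = as_path[-1]
    known = covering_prefix(prefix)
    if known is None:
        return ("unknown-prefix", {"origin": origin})
    expected = EXPECTED_ORIGIN[known]
    if origin == expected:
        return ("ok", {"origin": origin})
    verdict = "hijack-more-specific" if prefix != known else "hijack"
    upstream = as_path[-2] if len(as_path) > 1 else None
    return (verdict, {"origin": origin, "expected": expected,
                      "propagated_by": upstream})

def find_hijacks(announcements=ANNOUNCEMENTS):
    """Return only the announcements that conflict with the baseline."""
    alerts = []
    for prefix, path in announcements:
        verdict, detail = check_announcement(prefix, path)
        if verdict.startswith("hijack"):
            alerts.append((prefix, verdict, detail))
    return alerts
```

A more-specific prefix is flagged separately because it wins over the legitimate route everywhere it propagates, so it deserves a faster response than a same-length conflict that only wins in part of the internet.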
This is absolutely true, but it again brings me back around to Hayden's glee at this "accident of history." A reasonable person, actually concerned with basic online security, would have (or should have) looked at that same claimed "accident of history" and realized that this was a clear threat that needed to be dealt with, rather than an opportunity. But that's not what happened. So, despite the NSA claiming over and over again that it's focused on protecting Americans and American businesses, its desire to spy on everyone also means that it has done little to nothing to prevent this kind of attack from happening now. Yes, it's great for the NSA when tons of traffic goes through the US to be spied on -- but it's also great for criminals, terrorists and enemies of the US when that traffic can be easily made to travel through other countries as well -- and that's now apparently being done on a regular basis.
It seems like a reasonable question to ask -- as current NSA boss Keith Alexander keeps talking up the need for better "cybersecurity" -- why he hasn't actually been focused on better securing and encrypting the entire internet. Of course, we all know the answer to that: doing so would make his other job (spying on everyone) much harder. It's yet another reason why it's dangerous to have Alexander in charge of both the NSA and US Cyber Command, when the two are clearly at cross purposes.
Filed Under: crime, hijacking traffic, man in the middle attacks, nsa, surveillance
Companies: renesys
You know...
Could this be the reason?
Re: Re: You know...
Doing this will of course require a fair amount of technical expertise.
Re: Re: Re: You know...
So:
ping -c 10 dest
Take average response time, divide by three, we will call the result x.
ping -t x -c 10 dest
If you get responses, your return traffic is probably being tampered with.
Adding insult to injury
So it's quite likely that the NSA, who is supposedly in the business of protecting people, pretty much directly aided what appears to be fairly large scale MitM attacks against the very people they were supposed to be protecting.
Thanks guys, really. /s
Re: ISPs
Would it surprise me if the Russian FSB had inherited from the KGB a complete, thorough, and utter penetration of the NSA?
Would it surprise me if the the Russian FSB had further covertly obtained an appropriation of U.S. taxpayer dollars to purchase an ISP in Belarus?
Can my tax dollars start being redirected to something that actually matters like education? How about that huge ass pothole at the end of my street?
I think I can manage for a day without the NSA taking care of me. Well maybe, it would be hard to manage, but I'll do my best! I promise.
Was NOT "hi-jacked"! They still have their data!
Anyway, rest of Mike's text just blames NSA for spying while omitting corporate spying. -- "it's also great for criminals, terrorists and enemies of the US' -- You can actually condense that to "mega-corporations", but I suppose it'd be okay if just added on the major bad actors.
Just because a lot of people have gotten a lot of easy money off teh internets doesn't make it a plus overall: at the very least, the Internet enables spying on scale and in detail as never before.
Re: Was NOT "hi-jacked"! They still have their data!
To the second half of your drivel: No, corporations do not have the monopoly on evil or the intent to do harm. The list given was again correct.
6/10 would rage again.
Re: Re: Was NOT "hi-jacked"! They still have their data!
Now we're just this screwed up shadow powered by greed and corruption. I don't even know what to call it because it's sad and honestly it makes me ashamed to be an American. I love my country and my government is destroying it and from where I'm sitting I feel helpless when it comes to what could I do to help end this abuse.
I cannot just walk away from life to fight the good fight. Well I could, but then I'd lose my house, car, and most likely my wife as well. That's why I feel helpless when it comes to the subject. :(
I wish I knew what we could do, but I haven't the slightest clue which is pretty depressing as well. I almost wish I did not care because it would be far less painful than watching everything you believe in being ripped apart.
Re: Re: Was NOT "hi-jacked"! They still have their data!
It might be more efficient to keep a list of words Blue DOES understand.
Re: Re: Re: Was NOT "hi-jacked"! They still have their data!
The Google is bad. That cover it?
Re: Re: Re: Re: Re: Was NOT "hi-jacked"! They still have their data!
Yes, that's what he honestly believes.
Re: Was NOT "hi-jacked"! They still have their data!
2) There is a massive difference between data that defines a work of art and data that describes the activities of a person. The first is intended to be publicly available and the question is one of cost. The second is not intended to be publicly available.
Level 3
In other words, there is a distinct probability that, on order from the NSA, Level 3 is deliberately generating international paths for domestic packets, allowing the NSA to skirt restrictions on domestic monitoring. With current data the probability is low and additional data is unlikely to be easy to acquire, but keep that in mind regarding the monitoring of only international traffic.
*Technical requirements: The problem here is the ease of generating a loop if NTT ever receives advertisements from Level 3. In order to avoid that, at least one of the two companies has to be clued in on the deal. In practice, it is much easier to isolate the irregular portion of the route than the regular one.
Is it just me who sees this as not coincidental that the big "mistake" happens at Level3? Is there any connection between "Level 3 Communications" and "L-3 Communications" in terms of history or parent ownership?
http://en.wikipedia.org/wiki/Level_3_Communications
It just says... not to be confused with:
http://en.wikipedia.org/wiki/L-3_Communications
Both have had huge US Defense or Intelligence agency contracts.
Re:
Nope, I was thinking the same thing. Then it clicked and everything came into focus and made sense.
Re:
"Buster? You mean, the one who thought the blue on the map was land?"
Maybe the post office took over the Internet.
Same in Santa Monica