Massive Man-in-the-Middle Attacks Have Been Hijacking Huge Amounts Of Internet Traffic And Almost No One Noticed

from the this-is-a-problem dept

Recently, at the debate between former NSA (and CIA) boss Michael Hayden and reporter Barton Gellman, one of the statements Hayden made has stuck with me. He talked about this "wonderful" "accident of history and technology that put most of the world's web traffic inside the United States." He used this to suggest that it was our right and duty to therefore use that traffic to spy on everyone possible. I'm thinking about that statement, because (1) it was no "accident" of history or technology that resulted in that, but rather a concerted effort based on where the internet was first built and (2) because there's no reason why it needs to remain that way. And that second point is extra important when you realize that with a little effort, it's not that hard for determined individuals, organizations or governments to divert that traffic through other countries.

And, it turns out, that's exactly what's happening. Someone (or a group of someones) has been running a number of giant man-in-the-middle attacks, effectively routing a lot of traffic through Belarus and Iceland, as described in great detail by Renesys (and again in slightly more laymen's terms by Arik Hesseldahl).

Whoever is doing it, is almost certainly up to no good. It seems likely that the attacks are for criminal purposes, rather than government espionage, but it certainly could be done either way. Renesys gives a few examples of the hijackings, starting with a brief one in February of this year, in which global traffic was redirected to an ISP in Belarus, where the traffic had no reason to be. Renesys gives a single example of a trace showing a packet supposedly going from Guadalajara, Mexico to Washington, DC... but with quite the detour:

Here’s an example of a trace from Guadalajara, Mexico to Washington, DC that goes through Moscow and Minsk. Mexican provider Alestra hands it to PCCW for transit in Laredo, Texas. PCCW takes it to the Washington, DC metro area, where they would normally hand it to Qwest/Centurylink for delivery.

Instead, however, PCCW gives it to Level3 (previously Global Crossing), who is advertising a false Belarus route, having heard it from Russia’s TransTelecom, who heard it from their customer, Belarus Telecom. Level3 carries the traffic to London, where it delivers it to Transtelecom, who takes it to Moscow and on to Belarus. Beltelecom has a chance to examine the traffic, and then sends it back out on the “clean path” through Russian provider ReTN. ReTN delivers it to Frankfurt and hands it to NTT, who takes it to New York. Finally, NTT hands it off to Qwest/Centurylink in Washington DC, and the traffic is delivered.

Here's that same traceroute in graphic form from Renesys: This is hardly the only example. I highly recommend reading the entire Renesys report. It notes how this happens, and how this had been a "theoretical concern," but is now happening "fairly regularly." It also notes that these attacks leave a very visible footprint -- and lots of large providers should be monitoring this, but aren't.

This is absolutely true, but it again brings me back around to Hayden's glee at this "accident of history." A reasonable person, actually concerned with basic online security would have (or should have) looked at that same claimed "accident of history" and realized that this was a clear threat that needed to be dealt with, rather than an opportunity. But that's not what happened. So, despite the NSA claiming over and over again that it's focused on protecting Americans and American businesses, its desire to spy on everyone also means that they've done little to nothing to prevent this kind of attack from happening now. Yes, it's great for the NSA when tons of traffic goes through the US to be spied on -- but it's also great for criminals, terrorists and enemies of the US when that traffic can be easily made to travel through other countries as well -- and that's now apparently being done on a regular basis.

It seems like a reasonable question to ask -- as current NSA boss Keith Alexander keeps talking up the need for better "cybersecurity" -- why he hasn't actually been focused on better securing and encrypting the entire internet. Of course, we all know the answer for that: doing so would make his other job (spying on everyone) much harder. It's yet another reason why it's dangerous to have Alexander in charge of both the NSA and US Cyber Command, when the two are clearly at cross purposes.

Filed Under: crime, hijacking traffic, man in the middle attacks, nsa, surveillance
Companies: renesys