
Hacking Team and a case of BGP hijacking - rolux
http://blog.bofh.it/id_456
======
acaloiar
As someone who works in technology, but has only a cursory understanding of
BGP, I find BGP's trust mechanism flabbergasting. Would anyone like to explain
why it remains the preferred protocol and what improvements are in the works
to mitigate the effect of these sorts of hijacks?

~~~
EthanHeilman
>What improvements are in the works to mitigate the effect of these sorts of
hijacks?

I happen to have published research in this area[0]. There are two systems
being developed to secure BGP.

The first is the RPKI, which aims to provide a Public Key Infrastructure to
attest to the origination of IP addresses. To grossly oversimplify it:
everyone would get a certificate that says "AS X is allowed to originate IP
prefix Y". Many routers already support the RPKI[1] and the RPKI is currently
undergoing deployment[2], but it should take some time before operators begin
using it to make routing decisions. Once used, the RPKI offers substantial
security benefits[3].

The second protocol is BGPSEC, which is designed to secure routing paths. It will
use the RPKI as its foundation.

[0]: [https://www.cs.bu.edu/~goldbe/papers/sigRPKI.pdf](https://www.cs.bu.edu/~goldbe/papers/sigRPKI.pdf)

[1]: [http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-xe-3s-book/irg-origin-as.pdf](http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-xe-3s-book/irg-origin-as.pdf)

[2]: [http://rpki-monitor.antd.nist.gov/](http://rpki-monitor.antd.nist.gov/)

[3]: [http://arxiv.org/pdf/1307.2690v1.pdf](http://arxiv.org/pdf/1307.2690v1.pdf)
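The "AS X is allowed to originate prefix Y" check that the RPKI enables is route origin validation (RFC 6811). The following is an added example, not code from the thread or from any router vendor: it validates a BGP announcement against a constructed set of ROAs and returns the Valid / Invalid / NotFound state a router would act on. All prefixes and AS numbers are constructed sample values.

```python
# Added example: RFC 6811 route origin validation over a constructed ROA set.
# A ROA binds an IP prefix to an origin AS and a maxLength; an announcement
# is Valid only if a covering ROA names its origin AS and its prefix length
# does not exceed that ROA's maxLength.
import ipaddress
from dataclasses import dataclass
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    prefix: Network
    max_length: int
    origin_as: int  # AS 0 means "no AS may originate this prefix" (RFC 6483)


def make_roa(prefix: str, max_length: int, origin_as: int) -> ROA:
    net = ipaddress.ip_network(prefix)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("maxLength must lie between the ROA prefix length and the address size")
    return ROA(net, max_length, origin_as)


def validate_origin(roas: List[ROA], announced_prefix: str, origin_as: int) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for one (prefix, origin AS) announcement."""
    route = ipaddress.ip_network(announced_prefix)
    # Covering ROAs: same address family and the announced prefix lies inside the ROA prefix
    covering = [r for r in roas
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"  # the RPKI says nothing about this address space
    for roa in covering:
        # An AS 0 ROA never matches a real origin. A correct origin announcing a
        # more specific than maxLength (e.g. a /27 under a /24-max-26 ROA) is Invalid.
        if roa.origin_as == origin_as and origin_as != 0 and route.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"  # covered, but no ROA authorises this origin/length


# Constructed ROA set (sample values, not the addresses from the article):
#   AS64500 may originate 192.0.2.0/24 and split it down to /26,
#   AS64501 may originate 198.51.100.0/24 only as a /24,
#   203.0.113.0/24 is explicitly not to be originated by anyone.
SAMPLE_ROAS = [
    make_roa("192.0.2.0/24", 26, 64500),
    make_roa("198.51.100.0/24", 24, 64501),
    make_roa("203.0.113.0/24", 24, 0),
]
```

A hijack of the kind in the article, the same prefix or a more specific of it announced from a foreign AS, comes back Invalid as long as the legitimate holder has published a ROA; space with no ROA is only ever NotFound, which is why deployment coverage matters.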

~~~
nly
And presumably the only organisation issuing the certs will be the
organisation issuing IP space, right? RIGHT?... Guys?

------
diafygi
For those who are curious, 46.166.163.0/24 (the hijacked IPs) belong to
balticservers.com, which is based out of Lithuania[1].

[http://wikiscan.org/plage-ip/46.166.163.0/24?submenu=whois](http://wikiscan.org/plage-ip/46.166.163.0/24?submenu=whois)

~~~
Laforet
Interesting choice; I don't recall many malware C&C servers hosted in
Lithuania.

~~~
toyg
The Italian "Special Branch" were hosting a "legal" cnc with a
security-oriented ISP there -- not really classic malware.

------
vultour
Everyone should just blackhole any traffic to and from the Aruba ISP. They
have failed to maintain the trust relationship needed at high-tier ISPs and
should no longer be operational.

------
gr0wln1n
Can somebody explain how they got the police to help them?

"You remember the RAT we sold you? Yea... That's broken because ... Help us or
people might notice." If that's it... Wow. This whole story gets more fishy by
the minute.

~~~
rurban
Exactly, how can the police order an ISP to commit a crime? Why did the ISP
commit the crime? Hopefully both will be charged now.

The only thing I trust here is the independence of the Italian prosecution
system.

~~~
curiousjorge
I'm not surprised; in Italy the Mafia blew up or assassinated prosecutors and
lawyers threatening them. In countries where the government is not the law,
anything can happen with the right sized envelopes of cash.

------
acd
You can take over other providers' IP space by announcing their IPs via BGP
from well connected high ranked tier ISPs, but just because you can do one
thing does not mean you should exercise it.

The Internet was built on the premise that you can trust other organisations such
as good willed universities; it was not built for a landscape of internet crime
and state sponsored hackers.

BGP and central certificate authorities are flawed in principle and in this
sense. It's very easy to create fake certificates for big organisations if you
have the power of a state.

Diginotar is such an epic fail of a CA which shows exactly why you cannot trust
central trust when there are state hackers at work.

So you either hijack BGP, DNS or a central certificate authority, then you steal
people's cookies. Since most don't use two factor authentication that is
enough to take ownership of their email accounts. Once the email account is
compromised all other accounts can be compromised through password resets.

------
rudolf0
This is pretty crazy. I wonder how the route hijack didn't get noticed by
anyone at the time, though? Or at least if someone did notice, they didn't
make a fuss about it.

~~~
gr0wln1n
That frightened me a little too.. It seems like these things can fly by if
operators don't fuck up on a major scale like recently with Malaysia(?).

------
cft
I do not understand this. We recently had to change our announcement to
upstream ISPs from /23 to /22 and our ISPs verified with ARIN that the entire
/22 belonged to us, before changing their filters. Also, there's the RADb
database.

~~~
spamlord
I used to work at a spam company and we did this and similar techniques.

One similar technique was we basically created our own fake ISPs, disguised as
rural wireless Internet providers. Paid yearly ARIN fees, had our own /20
blocks of IP space allocated, etc. We specifically requested IP filtering
completely removed from our peering connection with major upstream/backbone
ISPs. They did so without question. This allowed us to source route any IP out
to the Internet. Then, we would purchase large blocks of IPs (a couple of /20s
a month) from Romania and Argentina. We would create GRE tunnels over to RO
and route them back to the US. It's been years since I was involved so my
memory of the technical details is hazy now...

~~~
lawnchair_larry
Did anyone ever notice?

~~~
spamlord
Not getting listed on Spamhaus was a constant battle. One time our network
engineer made a huge mistake by announcing 15-20 /20 blocks registered with
RIPE out of the US ASN. Spamhaus apparently automatically scans for this type
of suspicious behavior and flagged like 20,000 IPs.

[https://en.wikipedia.org/wiki/Autonomous_system_(Internet)](https://en.wikipedia.org/wiki/Autonomous_system_(Internet))

------
based2
[http://www.bortzmeyer.org/bgp-malaisie.html](http://www.bortzmeyer.org/bgp-malaisie.html)

