Md at debian.org

tales of a debian maintainer

Hacking Team and a case of BGP hijacking

After just a few hours the Hacking Team emails archive has already provided many tasty leaks. I want to focus on a routing security issue since this is my main research activity for this year.

Short summary: if these emails are true, and so far nobody has found any credible reason to believe that they are not, then some major italian ISPs hijacked the IP addresses of a foreign ISP on request of the section of the Carabinieri which investigates terrorism and organized crime.

The goal was to recover access to some copies of the Hacking Team malware which were controlled by "anonymizer" VPSes hosted on the hijacked network and that were abruptly disabled by their provider.

Thanks to the great RIPEstat service I have been able to verify that indeed the network 46.166.163.0/24 was announced by (elided) (a large italian hosting company) in 2013, from august 15 to 22.

Then I downloaded from the RIPE RIS archive a BGP table dump for august 20 2013 and processed it with my zebra-dump-parser software to extract the relevant routes. It shows that (elided) did not just advertise the hijacked network to the two italian ISPs mentioned in the emails, but apparently to all their other peers since the announce was also accepted by Hurricane Electric at MIX-IT. This means that the hijacking was not limited to a couple of local networks but involved many others all over the world.

As an italian network operator I am seriously concerned that some of my BGP peers appear to be involved in what would usually be considered a criminal activity.

As all operators know, there is still too much mutual trust involved in global BGP routing, and in some cases it is misplaced: we need better best practices, tools and protocols to make this kind of things impossible in the future.

(Some of the relevant leaked emails: 1 2 3 4 5 6 7 8 9.)

About

This is the blog of Marco d'Itri.

S M T W T F S
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30          

See also:

My blogroll:


W3C HTML 4.01
W3C CSS 2.0     

Powered by Bryar.pm.