Author Archives: Doug Madory
Last week, we reported via Twitter that the Iranian state telecom TIC hijacked address space containing a number of pornographic websites. The relevant BGP announcement was likely intended to stay within the borders of Iran, but had leaked out of the country in a manner reminiscent of Pakistan’s block of Youtube via BGP hijack in 2008. Over the weekend, TIC performed BGP hijacks of additional IP address space hosting adult content as well as IP addresses associated with Apple’s iTunes service.
Iranian state telecom hijacking IP space that is hosting adult websites. Censorship leaking out of Iran? #bgphijack pic.twitter.com/t4XTLnQhIS
— Dyn Research (@DynResearch) January 6, 2017
In addition, in 2015 on this blog we reported that a new DNS root server instance in Tehran was being leaked outside Iran, a situation that was quickly rectified at that time. Despite the fact that the Tehran K-root is intended to only be accessible within Iran, as we will see below, it is currently being accessed by one of the largest US telecommunications companies.
Iranian BGP-based Censorship
Last week, Iranian state telecom announced a BGP hijack of address space (99.192.226.0/24) hosting numerous pornographic websites. Continue reading
The northern Syrian city of Aleppo is one of the key battlegrounds of that country’s on-going civil war as well as the epicenter of the European refugee crisis. The most appropriate United States response to events in Aleppo has become a major foreign policy question among the candidates in this year’s U.S. presidential election. Experts are now predicting that forces loyal to President Bashar al-Assad, backed by the Russian military, will take control of rebel-held eastern Aleppo within weeks. The image below (from Wikipedia) illustrates the current state (as of 9 October 2016) of the conflict in Aleppo, depicting rebel-held regions in green and those under government control in red.
From a BGP routing standpoint, this development was reflected by the disappearance of AS24814 — we first reported the appearance of AS24814 serving Aleppo in 2013. At 14:42 Continue reading
Earlier this month, security blogger Brian Krebs broke a story about an Israeli DDoS-for-hire service, vDOS, which had been hacked, revealing “tens of thousands of paying customers and their (DDoS) targets.” Afterwards, Krebs noticed that vDOS itself was also a victim of a recent BGP hijack from a company called BackConnect, which claims to be the “world’s first and leading open source based DDoS and network security provider.”
Bryant Townsend, CEO of BackConnect, confirmed to Krebs that they had indeed conducted a BGP hijack on vDOS, but claimed that it was for “defensive purposes.” In an email to the NANOG list, Townsend explained that in doing so they “were able to collect intelligence on the actors behind the botnet as well as identify the attack servers used by the booter service,” implying this was a one-time event. Krebs then contacted Dyn for some assistance in researching what appeared to be a series of BGP hijacks conducted by BackConnect over the past year. What emerges from this analysis is that the hijack against vDOS probably wasn’t the first time BackConnect used BGP hijacks in the course of its business. And via the use of Continue reading
Early this morning in Syria, the Internet was almost entirely down for four hours. It was the ninth such outage since 31 July 2016 — each one lasting from approximately 4am to 8am local time. And, according to sources inside Syria, the objective of these outages was to prevent cheating on national High School exams. The motivation for today’s national outage: a Chemistry final.
It is striking how far we have come since Egypt in 2011, when their country-wide outage was a huge international story. National Internet blackouts are so routine and banal that they are now becoming a common tactic to prevent cheating among youth. In fact, this latest round Continue reading
Last fall, the Interior Minister of Ukraine announced the creation of a national Cyberpolice (Кіберполіцію) to protect the country from everything from credit card fraud to malware. Here’s something that would be great to add to their list: fraudulent BGP routing out of Ukraine. Last year, we reported on an incident in which Ukrainian ISP Vega hijacked routes from British Telecom (including that of the UK’s Atomic Weapons Establishment), an event that could perhaps be chalked up to an innocent mistake. However, the fraudulent routing we’re now seeing from Ukraine is deliberately designed to go unnoticed. We’ll review some of this new behavior in this blog.
Governments take note
The profile of this issue has grown in the past year as governments have had to respond to their address space being fraudulently used. Last July, the Dutch Minister of Foreign Affairs (pictured right) was confronted with parliamentary questions concerning an incident where “attackers” had commandeered IP address space belonging to the Ministry of Foreign Affairs the previous year. In that incident, on 18 November 2014, Decision Marketing (AS62228) out of Sofia, Bulgaria began globally announcing eleven BGP routes that did not belong to Continue reading
This week marks a somber milestone in Internet history: the 5-year anniversary of former Egyptian President Hosni Mubarak’s order to shutdown his country’s access to the global Internet amid widespread protests. Similar popular protests would sweep through the region during a time frame that became known as the Arab Spring. Within days of the Egyptian blackout, Internet service would be restored and Mubarak would resign after 30 years in power.
Egypt
On the evening of 27 January 2011 (US Eastern Time), we were alerted to the Egyptian blackout by our BGP route monitoring system. Within minutes, I was assisting my colleague Jim Cowie in Continue reading
Just after midnight local time on 22 November, saboteurs, presumably allied with Ukrainian nationalists, set off explosives knocking out power lines to the Crimean peninsula. At 21:29 UTC on 21 November (00:29 on 22 November, local time), we observed numerous Internet outages affecting providers in Crimea and causing significant degradation in Internet connectivity in the disputed region.
With Crimean Tatar activists and Ukrainian nationalists currently blocking repair crews from restoring power, Crimea may be looking at as much as a month without electricity as the Ukrainian winter sets in. Perhaps more importantly, the incident could serve as a flash point spurring greater conflict between Ukraine and Russia.
Impacts
The impacts can be seen in the MRTG traffic volume plot from the Crimea Internet Exchange — the drop-offs are noted with red arrows and followed by intermittent periods of partial connectivity.
In the past week, we have detected the first signs of the Internet returning to Syria’s largest city, Aleppo. Internet service in this part of the country was knocked out on March 24 — over seven months ago. Internet connectivity, and the lack of it, has been a continuing subplot to this bloody civil war well into its fifth year.
A notable difference with the restored service is that it is no longer routed via Turkey (as it had been) — likely due to the fact that the Syrian government no longer controls the ground between Aleppo (in the northern part of the country) and Turkey. The restoration of Internet service in Aleppo may be an outcome of Russia’s recent engagement (with assistance from Iran) in the battle for Aleppo — and perhaps an indicator of the scales tipping towards government forces in this protracted battle.
Background
The first Syrian Internet shutdown occurred in June 2011 during ‘Arab Spring’ protests as two thirds of the country’s routed networks were taken down for over 48 hours. As the conflict has continued over the years, Syria has suffered numerous Internet blackouts including a multi-day outage in November Continue reading
Earlier this week, an article in New York Times captured the world’s imagination with the prospect of secret Russian submarines possessing the ability to sabotage undersea communication cables (with perhaps Marko Ramius at the helm, pictured above). While it is a bit of a Hollywood scenario, it is still an interesting one to consider, although, as we’ll see, perhaps an unrealistic one, despite the temptation to exaggerate the risk.
Submarine cable cuts occur with regularity and the cable repair industry has considerable experience dealing with these incidents. However, the vast majority of these failures are the result of accidents occurring in relatively shallow water, and not due to a deliberate actor intending to maximize downtime. There is enormous capacity and resiliency among the cables crossing the Atlantic (the subject of the New York Times article), so to even make a dent, a saboteur would need to take out numerous cables in short order.
A mass telecom sabotage event involving the severing of many submarine cables (perhaps at multiple hard-to-reach deep-water locations to complicate repairs) would be profoundly disruptive to international communications — Internet or otherwise. For countries like the U.S. with extensive local hosting, the impact Continue reading
Recent routing leaks remind us why monitoring Internet routing and performance is important and requires effective tools. Routing leaks are the ‘benign cousin’ of the malicious BGP route hijack. They happen accidentally, but the result is the same: traffic to affected prefixes is redirected, lost, or intercepted. And if they happen to you, your online business and brand suffers.
In this blog, we look at examples of a full-table peer leak, an origination leak, and a small peer leak, and at what happens to traffic when these incidents occur. As we will see, some events can go on for years, undetected and hence unremediated, but extremely impactful nevertheless. As you read this blog, keep the following questions in mind. Would you know if the events described here were happening to you? Would you know how to identify the culprit if you did?
iTel/Peer1 routing leak
Starting on 10 October at 10:54 UTC, iTel (AS16696) leaked a full routing table (555,010 routes) to Peer 1 (AS13768). Normally, iTel exports 49 routes to Peer 1; however, over the course of several minutes, it leaked 436,776 routes from Hurricane Electric (AS6939) and 229,537 Continue reading
The Washington Post recently published a great piece about the development and current weaknesses of the Border Gateway Protocol (BGP, which is used to route all Internet traffic). This morning Telekom Malaysia (a.k.a. TMnet) helped to illustrate the points made in the article by leaking almost half of the global routing table via Level 3 at 08:44 UTC.
Some of the most affected companies were those peering with Telekom Malaysia. The following graphics illustrate the impact to routes from Amazon and Cloudflare.
Google’s extensive peering likely insulated it from some of the effects of having its routes leaked. However, it didn’t escape the incident completely unscathed. Here is an example of a normal traceroute to Google’s data center in Council Bluffs, Iowa from Prague, which goes via Frankfurt and London before crossing the Atlantic Ocean.
trace from Prague to Google, Council Bluffs, IA at 02:45 Jun 11, 2015
1 *
2 212.162.8.253 ge-6-14.car2.Prague1.Level3.net 16.583
3 4.69.154.135 ae-3-80.edge3.Frankfurt1.Level3.net 22.934
4 4.68.70.186 Level 3 (Frankfurt, DE) 23.101
5 209.85.241.110 Google (Frankfurt, DE) 23.796
6 209.85.250.143 Google (Frankfurt, DE) 24.086
7 72.14.235.17 Google (London, GB) 32.709
8 209.85.247.145 Google (New York City) 103.091
9 216.239.46.217 Google (Council Bluffs) 133.098
10 209.85.250.4 Google (Council Bluffs) 133.245
11 216.239.43.217 Google (Council Bluffs) 133. Continue reading
Saturday’s earthquake in Nepal, which claimed the lives of at least 4,000 victims and injured many more, took a toll on the country’s Internet connectivity, which was already one of the least developed in the region. A recent evaluation of Internet infrastructure in South Asia commissioned by the United Nations Economic and Social Commission for Asia and the Pacific (ESCAP) classified Nepal’s international connectivity as ‘weak’ and its fixed and mobile infrastructure as ‘limited’.
While the loss of Internet connectivity pales in comparison to the loss of life, the ability to communicate both domestically and internationally will be crucial in coming days for the coordination of relief efforts already underway. Innovative services from Facebook and Google to facilitate communicating the status of those affected by the massive earthquake would be largely useless if Nepal had been knocked entirely offline. In fact, Nepal’s international links generally survived the earthquake; last-mile connectivity, however, is another matter.
As we reported on Saturday, we began seeing severe Internet outages and instabilities immediately following the earthquake at 6:11 UTC. On the left is a timeline of outages through today and on the right is the volume of DNS queries Continue reading
As the available supply of IPv4 addresses dwindles, the market for these virtual commodities is heating up. In recent months, the pace of the address transfers has greatly accelerated as evidenced by RIPE’s table of IPv4 transfers, as well as the increasing number of IPv4 brokers facilitating the exchange of IPv4 address space. However, the transfer of IPv4 address space isn’t always problem-free and, in this blog, we’ll review this new trend and some of the issues that can arise.
Buying and selling IPv4
In 2011, when Microsoft paid $7.5 million for 666,624 IPv4 addresses as part of the Nortel bankruptcy, observers wondered whether this development would usher in the era of the commercial sale of IPv4 address space. As statistics from European registrar RIPE show, the market may have had a slow start, but we’re in that new era now.
RIPE’s table of transfers of provider-independent IPv4 addresses clearly shows a rapidly increasing rate of transfers of IPv4 address blocks and unique IPv4 addresses. The following two graphs illustrate the uptick in recent months of address space movement. February 2015 saw the most organizational transfers (373), while November 2014 saw the Continue reading
On the heels of the BGP leak yesterday that briefly impaired Google services around the world, comes another routing incident that impacted some other important Internet services.
Beginning on Saturday, Ukrainian telecom provider, Vega, began announcing 14 British Telecom (BT) routes, resulting in the redirection of Internet traffic through Ukraine for a handful of British Telecom customers. Early yesterday morning, Vega announced another 167 BT prefixes for 1.5 hours resulting in the rerouting of additional traffic destined for some of BT’s customers, including the UK’s Atomic Weapons Establishment, the “organization responsible for the design, manufacture and support of warheads for the United Kingdom’s nuclear deterrent.”
Background
In early 2013, Ukrainian provider Vega (AS12883) became a reseller of BT services, but prior to Saturday had never announced any BT routes. Then, in the middle of a weekend night in Europe (02:37 UTC on Saturday, March 7th), Vega began announcing 14 prefixes typically announced by AS2856 of BT. These prefixes are listed below.
109.234.168.0/21 Thales Transport and Security Ltd (Barnet, GB)
109.234.169.0/24 Thales Transport and Security Ltd (Ealing, GB)
144.87.142.0/24 Royal Mail Group Limited (Sheffield, GB)
144.87.143.0/24 Royal Mail Group Limited (Chesterfield, GB)
147.182.214.0/24 Black & Veatch (Manchester, GB)
193.113.245.0/24 BT - 21CN (GB)
193.221.55.0/24 Svenska Cellulosa Aktiebolaget SCA (GB)
193. Continue reading
This morning, users of Google around the world were unable to access many of the company’s services due to a routing leak in India. Beginning at 08:58 UTC Indian broadband provider Hathway (AS17488) incorrectly announced over 300 Google prefixes to its Indian transit provider Bharti Airtel (AS9498).
Bharti in turn announced these routes to the rest of the world, and a number of ISPs accepted these routes, including US carriers Cogent (AS174) and Level 3 (AS3549) as well as overseas incumbent carriers Orange (France Telecom, AS5511), Singapore Telecom (Singtel, AS7473) and Pakistan Telecom (PTCL, AS17557). Like many providers around the world, Hathway peers with Google so that their customers have more direct connectivity with Google services. But when that private relationship enters the public Internet, the result can be accidental global traffic redirection.
Last fall, I wrote two blog posts here and here about the issues surrounding routing leaks such as this one. Routing leaks happen regularly and can have the effect of misdirecting global traffic. Last month, I gave a talk in the NANOG 63 Peering Forum entitled “Hidden Risks of Peering” that went over some examples of routing leaks like this one.
Below is a graph showing the Continue reading
As network security engineers have attempted to categorize blocks of IP addresses associated with spam or malware for subsequent filtering at their firewalls, the bad guys have had to evolve to continue to target their victims. Since routing on the global Internet is based entirely on trust, it’s relatively easy to commandeer IP address space that belongs to someone else. In other words, if the bad guys’ IP space is blocked, well then they can just steal someone else’s and continue on as before.
In an attempt to cover their tracks, these criminals will sometimes originate routes using autonomous system numbers (ASNs) that they don’t own either. In one of the cases described below, perpetrators hijacked the victim’s ASN to originate IP address space that could have plausibly been originated by the victim. However, in this case, the traffic was misdirected to the bad guy and an unsophisticated routing analysis would have probably shown nothing amiss.
The weakness of all spoofing techniques is that, at some point, the routes cross over from the fabricated to the legitimate Internet — and, when they do, they appear quite anomalous when compared against historical data and derived business Continue reading
Last month, I traveled to Doha, Qatar to participate in the ITU’s Telecom World conference. While there I got to understand how a satellite provider brings Internet access to South Sudan using medium-earth orbit satellites and, amazingly, achieves terrestrial latencies in a region where reliable terrestrial connections simply don’t exist! The mission of this company is to help close the digital divide by extending Internet access to the estimated three billion people on the planet who are currently not served. Our measurements show that the performance improvement over traditional satellite can be dramatic.
ITU Telecom World
First, let me say a few words about the conference itself and then I’ll review this intriguing new satellite service. In Doha, I was on a panel entitled Affordable International Backhaul and chaired by Abu Saaed Kahn of LIRNEAsia, a telecommunications policy institute primarily focused on the Asia-Pacific region.
It’s a new year, but some things never change. In the past few days we have observed a spate of incidents of routing misbehavior including two man-in-the-middle routing hijacks conducted in the past couple of days by A2B Internet out of the Netherlands.
Beginning at 00:33:44 UTC on Thursday, 8 January, we began observing a routing hijack of IP address space normally announced by Mada Telecom (AS51047), a Palestinian ISP with presence in both Gaza and the West Bank. At that time, A2B Internet B.V. (AS51088) began announcing 46.244.81.0/24, a more-specific route of 46.244.80.0/23, which is normally announced by Mada.
Traceroutes directed to this address space are presently being redirected to A2B Internet’s network in the Netherlands before continuing on to Palestine. For example:
trace from Cyberjava, Malaysia to Mada Telecom, PS on Jan 09, 2015
1 *
2 x.x.x.x (Cyberjaya, Malaysia) 3.442
3 113.23.163.57 (Extreme Broadband, Malaysia) 0.696
4 113.23.190.109 (Extreme Broadband, Malaysia) 1.222
5 218.189.12.101 global.hgc.com.hk 35.854
6 218.189.8.102 global.hgc.com.hk 36.742
7 118.143.224.243 (Hutchison, Singapore) 41.628
8 218.189.8.142 (Hutchison, Amsterdam) 190.787
9 195.219.150.6 (Tata, Amsterdam, NL) 213.494
10 46.244.0.4 (A2B Internet, NL) 200.990
11 141.136.97.5 (GTT, Amsterdam) 268.366
12 4.68.70.97 xe-5-0-1.edge3.Amsterdam.Level3.net 300.909
13 4. Continue reading
Nearly two years ago, we broke the story about the activation of the first submarine cable connecting Cuba to the global Internet – a cable that, prior to its activation in January 2013, mysteriously lay dormant on the ocean floor for nearly two years. When the Cuban government issued a confirmation in the days following our report, it contained the following statement:
In other words, Cubans should not expect greater access to the Internet just because the ALBA-1 submarine cable was now in operation. Yesterday’s historic agreement to begin normalizing relations between Cuba and the United States contains a pledge by the Cuban government to “greatly expand its citizens’ access to the Internet.” What exactly this pledge entails will determine how the Internet evolves in Cuba in the near term. Decision makers in Cuba should look at another country that recently opened up its telecom sector and is presently experiencing an explosion in Internet growth: Myanmar.
Cuban Isolation
The isolation of Cuba is plainly evident when looking at a map of the submarine cables in the Continue reading