
posted by janrinok on Monday July 13 2015, @09:08PM
from the it's-only-illegal-if-you-do-it dept.

From Ars: "Spyware service provider Hacking Team orchestrated the hijacking of IP addresses it didn't own to help Italian police regain control over several computers that were being monitored in an investigation"

http://arstechnica.com/security/2015/07/hacking-team-orchestrated-brazen-bgp-hack-to-hijack-ips-it-didnt-own/

Over a six-day period in August 2013, Italian Web host Aruba S.p.A. fraudulently announced its ownership of 256 IP addresses into the global routing system known as border gateway protocol, the messages document. Aruba's move came under the direction of Hacking Team and the Special Operations Group of the Italian National Military Police, which was using Hacking Team's Remote Control System malware to monitor the computers of unidentified targets. The hijacking came after the IP addresses became unreachable under its rightful owner Santrex, the "bullet-proof" Web hosting provider that catered to criminals and went out of business in October 2013, according to KrebsOnSecurity.

It's not clear from the e-mails, but they appear to suggest Hacking Team and the Italian police were also relying on Santrex. The emails were included in some 400 gigabytes of proprietary data taken during last weekend's breach of Hacking Team and then made public on the Internet.

With the sudden loss of the block of IP addresses, Italy's Special Operations Group was unable to communicate with several computers that were infected with the Hacking Team malware. The e-mails show Hacking Team support workers discussing how the law enforcement agency could regain control. Eventually, Italian police worked with Aruba to get the block—which was known as 46.166.163.0/24 in Internet routing parlance—announced in the BGP system as belonging to Aruba. It's the first known case of an ISP fraudulently announcing another provider's address space, said Doug Madory, director of Internet analysis at Dyn Research, which performs research on Internet performance.

Also covered by Brian Krebs:

http://krebsonsecurity.com/2015/07/hacking-team-used-spammer-tricks-to-resurrect-spy-network/

  • (Score: 0) by Anonymous Coward on Tuesday July 14 2015, @01:57AM (#208718)

    What irks me is that IPv6 won't solve the BGP problem, it will only make it worse. I don't get why the IETF couldn't come up with a better protocol; since IPv6 isn't compatible with IPv4, it wouldn't hurt to create a new and better BGP protocol while they were at it.

  • (Score: 3, Interesting) by gnuman (5013) on Tuesday July 14 2015, @03:40AM (#208737)

    1. IPv6 makes routing tables easier to filter. A North American block should not generally appear from South Africa. IPv6 aims at geographical fragmentation.
    2. IPv6 is easier on routers because it handles TTL differently.
    3. IPv6 requires far fewer routes, since localized entities will never run out of local IPs. If you get an IPv6 /32 route, you will not exhaust it, unlike a comparatively tiny IPv4 /24.

    Anyway, BGP has little to do with actual IP protocol version.

  • (Score: 2) by sjames (2882) on Tuesday July 14 2015, @12:37PM (#208855)

    BGP is truly a separate issue. It is simply one of many protocols for exchanging routing information. Eventually there will be a new version of BGP that can handle v6 and v4.

    But it's a hard problem. Consider, what is your suggestion for assuring that someone announcing a route has the right to do so? Clearly there would have to be some sort of cryptographic proof of delegation involved. But it can't be a central registry since a router just booting won't have a route to the registry until it has already accepted many routes into its table from BGP. Next up, how do you aggregate routes without losing the proof?

    The originator of a BGP announcement has no idea what routers may pass that announcement on. Consider, you announce (legitimately) a route to 1.2.3.0/24 (a block allocated to you) to two upstream ISPs. Eventually, both ISPs announce that route (possibly as part of an aggregation) to their peers. If a transit agreement is in place, some of those peers may announce it to their peers. Otherwise, they will still announce it to their own customers who have elected to receive BGP (perhaps because they are multi-homed).

    Other than your upstreams verifying (as they generally would) that you have a right to announce 1.2.3.0/24, nobody else in that mass of routers who may announce a route to you can logically validate the announcements. Does ISP C, which you don't even know exists, have a right to announce a route to 1.2.3.0/24 to a router in Mongolia? Turns out, it does, because they are a peer to ISP D, which is a peer to ISP B, who is one of your upstreams, and they have a transit agreement in place. If they don't announce that, people in Mongolia can't reach you.

    Finally, remember that none of this is static. The failure of a port halfway around the world may totally change who is announcing a route to your class C and where they are announcing it. That's how the internet routes around damage.
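The question sjames raises above (how a router can check that whoever originates a route holds the block, and how that proof survives aggregation and more-specific announcements) is what RPKI route origin validation (RFC 6811) answers in deployed networks: the address holder signs a Route Origin Authorization (ROA) naming the origin AS and a maximum prefix length, and a router compares each received announcement against the ROA set. The script below is an added example written for this discussion, not code from Ars, Krebs, Hacking Team or any commenter. It implements the RFC 6811 three-state check over a constructed ROA table and constructed announcements; the only value taken from the story is the prefix 46.166.163.0/24, and every AS number is a documentation ASN (RFC 5398 range), not the real ASN of Aruba, Santrex or anyone else.

```python
# Added example: RFC 6811 route origin validation over constructed data.
# Not code from the article or the commenters. ASNs are documentation
# ASNs (RFC 5398); the ROA table and announcements are made up for the demo.
import ipaddress
from dataclasses import dataclass

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: the holder of `prefix` permits
    `origin_asn` to originate it, and any more-specific route down to
    `max_length` bits. This is the signed 'proof of delegation'."""
    prefix: str
    max_length: int
    origin_asn: int

    def covers(self, net):
        roa_net = ipaddress.ip_network(self.prefix)
        # subnet_of() raises on mixed address families, so check version first
        return net.version == roa_net.version and net.subnet_of(roa_net)


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_asn: int      # last AS in the AS_PATH of the received UPDATE
    label: str = ""      # constructed note for the demo output only


def validate(ann, roas):
    """Return VALID / INVALID / NOT_FOUND for one announcement (RFC 6811 s.2)."""
    net = ipaddress.ip_network(ann.prefix)
    covering = [r for r in roas if r.covers(net)]
    if not covering:
        return NOT_FOUND        # no ROA says anything about this address space
    for roa in covering:
        if roa.origin_asn == ann.origin_asn and net.prefixlen <= roa.max_length:
            return VALID        # authorized origin and not too specific
    return INVALID              # covered by a ROA, but wrong origin or too long


def classify(announcements, roas):
    """Map (prefix, origin) -> validation state for a whole batch."""
    return {(a.prefix, a.origin_asn): validate(a, roas) for a in announcements}


def hijack_candidates(announcements, roas):
    """What a defender alerts on: routes a ROA covers yet does not authorize."""
    return [a for a in announcements if validate(a, roas) == INVALID]


# Constructed ROA table. AS64496 stands in for the rightful holder of the
# story's /24; it is an assumption, not the holder's real ASN.
ROAS = [
    ROA("46.166.163.0/24", 24, 64496),   # prefix from the story, ASN assumed
    ROA("2001:db8::/32", 48, 64499),     # IPv6 block allowing /48 more-specifics
]

# Constructed announcements, as a route collector might see them.
ANNOUNCEMENTS = [
    Announcement("46.166.163.0/24", 64496, "rightful origin"),
    Announcement("46.166.163.0/24", 64497, "same prefix, foreign origin (the story's pattern)"),
    Announcement("46.166.163.0/25", 64496, "right origin, but longer than maxLength"),
    Announcement("2001:db8:1::/48", 64499, "more-specific permitted by the IPv6 ROA"),
    Announcement("198.51.100.0/24", 64498, "address space with no ROA at all"),
]

if __name__ == "__main__":
    for a in ANNOUNCEMENTS:
        print(f"{a.prefix:<20} AS{a.origin_asn}  {validate(a, ROAS):<9}  {a.label}")
```

Two design points follow from sjames's objections. First, the ROA set is fetched out of band (from RPKI cache servers over an ordinary session) and consulted locally, so a booting router does not need a route to any registry before accepting its first BGP updates; it simply treats everything as not-found until the cache is loaded. Second, the maxLength field is how a signed authorization survives aggregation and deaggregation: the /48 under the /32 above is valid, while a /25 carved out of the /24 is invalid even from the right origin. What origin validation does not do is check the AS path, so the Mongolia scenario (a distant peer legitimately re-announcing your route through a transit chain) is untouched by it; path validation is a separate mechanism (BGPsec, RFC 8205) with much lower deployment.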
