Banks and governments targeted by invisible hijacking attacks

Net monitoring firm Renesys says it has uncovered evidence of mass hijackings of network traffic


Since the start of 2013, the firm has observed live man-in-the-middle hijacks on more than 60 days involving about 1,500 sets of IP addresses.

These hijack attacks involve inspecting or modifying a victim’s traffic before passing it along to the intended recipient.

Renesys said criminals had re-routed data to and from finance firms, net phone services and governments during the attacks it observed.

Typically, the attacks simply changed the route the traffic took to its final destination. In some cases, traffic being sent across a city travelled halfway around the world before being delivered to its destination.

“It’s possible to drag specific Internet traffic halfway around the world, inspect it, modify it if desired, and send it on its way,” Renesys technology head Jim Cowie wrote in a blog post.


The firm’s observations have proved that man-in-the-middle route hijacking has now moved from a theoretical concern to something that happens fairly regularly, he said.

According to Cowie, the potential for traffic interception is very real, and everyone on the internet, especially the largest global carriers, banks, credit card processing companies and government agencies, should be monitoring for this kind of intrusion.

This kind of attack should never be possible, and it cannot be carried out without leaving permanent, visible footprints in global routing that point right back to the point of interception.

But Renesys believes the attacks are taking place because in most cases nobody is looking, and therefore increased transparency is essential.
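The footprints Cowie refers to are visible in the global routing table itself: a hijacker has to announce the victim's prefix (often as a more-specific), and that announcement, with its origin ASN and AS path, is seen by route collectors. The following is an added example of the kind of check an operator could run over such observations; it is not Renesys's code or method. All prefixes and ASNs are constructed from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and AS64496 to AS64511), the collector names are invented, and the policy of "expected origin plus known upstream ASNs" is a simplification of what a real monitoring service would hold.

```python
"""Toy detector for BGP route-hijack footprints (constructed example).

Compares routes seen at route collectors against an expected-origin policy.
All prefixes and ASNs are constructed from documentation ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    collector: str      # vantage point that saw the announcement (constructed name)
    prefix: str         # announced prefix in CIDR form
    as_path: tuple      # AS_PATH as seen by the collector: leftmost = peer, rightmost = origin


# Policy for the prefixes we care about: legitimate origin ASN and the
# provider ASNs that should sit directly upstream of it. Constructed values.
MONITORED = {
    ipaddress.ip_network("192.0.2.0/24"): {"origin": 64496, "upstreams": {64500, 64501}},
    ipaddress.ip_network("198.51.100.0/24"): {"origin": 64497, "upstreams": {64502}},
}


def collapse(as_path):
    """Remove consecutive repeats so AS-path prepending does not confuse the checks."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return tuple(out)


def classify(route):
    """Return a list of (severity, reason) findings for one observed route.

    Three footprints a hijack leaves in the global table are checked:
    a more-specific of a monitored prefix, an unexpected origin ASN, and an
    unexpected ASN directly upstream of the origin (a forged origin is only
    useful to an attacker if the path into it also changes).
    """
    net = ipaddress.ip_network(route.prefix)
    path = collapse(route.as_path)
    findings = []
    for mon, policy in MONITORED.items():
        # subnet_of() only compares networks of the same IP version
        if net.version != mon.version or not net.subnet_of(mon):
            continue
        origin = path[-1]
        if net != mon:
            findings.append(("high", f"more-specific {net} of monitored {mon} announced"))
        if origin != policy["origin"]:
            findings.append(("high", f"origin AS{origin} is not expected AS{policy['origin']}"))
        if len(path) >= 2 and path[-2] not in policy["upstreams"]:
            findings.append(("medium", f"AS{path[-2]} is not a known upstream of AS{policy['origin']}"))
    return findings


def scan(routes):
    """Return alerts (collector, prefix, findings) for every route that tripped a check."""
    alerts = []
    for r in routes:
        findings = classify(r)
        if findings:
            alerts.append((r.collector, r.prefix, findings))
    return alerts


# Constructed observations, in the shape a route-collector feed would provide them.
SAMPLE_ROUTES = [
    Route("rc-A", "192.0.2.0/24", (64510, 64500, 64496)),            # normal
    Route("rc-A", "192.0.2.0/24", (64510, 64500, 64496, 64496)),     # normal, with prepending
    Route("rc-B", "192.0.2.0/25", (64511, 64509, 64496)),            # more-specific, origin spoofed, new upstream
    Route("rc-C", "198.51.100.0/24", (64511, 64508)),                # foreign origin
    Route("rc-A", "203.0.113.0/24", (64510, 64503)),                 # not a monitored prefix
]

if __name__ == "__main__":
    for collector, prefix, findings in scan(SAMPLE_ROUTES):
        for severity, reason in findings:
            print(f"[{severity}] {collector} {prefix}: {reason}")
```

Two design points matter for a real deployment. First, the checks only work if the policy is fed from many vantage points: a hijack that is only accepted by part of the internet is visible at some collectors and not others, which is exactly why the article stresses transparency. Second, the third check (unexpected upstream) is what catches the man-in-the-middle variant described above, where the attacker keeps the victim's own ASN as origin so that a plain origin comparison stays silent.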

“Until the day when all routes are signed and secured (and that day may never fully arrive), the best way to prevent manipulation of trust-based routing will be to help people expose violations of trust, and recognise those who implement best practices,” said Cowie.
