Re: Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet

Jared Mauch jared at puck.nether.net
Sat Dec 7 20:05:09 UTC 2013


On Dec 6, 2013, at 2:57 PM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> On Fri, Dec 06, 2013 at 01:05:54PM -0500,
> Jared Mauch <jared at puck.nether.net> wrote 
> a message of 36 lines which said:
> 
>> I've detected 11.6 million of these events since 2008 just looking at the
>> route-views data.  Most recently the past two days 701 has done a large MITM of
>> traffic.
> 
> The big novelty in the Renesys paper is the proof (with traceroute)
> that there was a return path, something which did not exist in the
> famous Pakistan Telecom case, or in most (all?) other BGP
> hijackings. This return path allows the attacker to really get access
> to the data with little chance of the victim noticing. That's
> something new.

I've been sending the traceroutes to networks for years to get them to clean up their acts.  I guess the lesson is publish often?

Folks can see the prefixes involved here:

http://puck.nether.net/bgp/leakinfo.cgi

The ASN search works best.  I'll work on optimizing the prefix stuff as it's not returning "promptly".

- Jared

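The thread above is about spotting hijack and leak events in routing data such as route-views. The following is an added example, not code from the original message or from Jared's leakinfo tool: a minimal detector that compares announced origin ASNs against a per-prefix baseline and flags two patterns a defender cares about, an exact prefix announced from an unexpected origin, and a more-specific carved out of a covered prefix by a foreign origin. The baseline, the `prefix|AS path` line format and all prefixes and ASNs (RFC 5737 documentation ranges, private ASNs) are constructed for this example; in practice the baseline would come from RPKI ROAs or IRR data and the routes from MRT dumps.

```python
"""Flag suspicious BGP origin announcements against a per-prefix baseline.

Added example for the NANOG thread on BGP hijack detection; it is not part of
the original post. Baseline and route lines below are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical baseline: prefix -> set of ASNs entitled to originate it.
# Constructed from documentation prefixes and private ASNs.
BASELINE: Dict[str, Set[int]] = {
    "192.0.2.0/24": {64500},
    "198.51.100.0/24": {64501},
}

# Constructed route lines in a "prefix|AS path" format (origin AS is last).
SAMPLE_ROUTES = """\
192.0.2.0/24|64496 64497 64500
192.0.2.0/24|64496 64499 64502
192.0.2.128/25|64496 64502
198.51.100.0/25|64496 64501
203.0.113.0/24|64496 64503
"""


def parse_route(line: str) -> Tuple[ipaddress._BaseNetwork, Tuple[int, ...]]:
    """Split one constructed 'prefix|AS path' line into a network and an AS tuple."""
    prefix, path = line.split("|", 1)
    return ipaddress.ip_network(prefix.strip()), tuple(int(a) for a in path.split())


def covering_prefixes(net, baseline: Dict[str, Set[int]]) -> List[ipaddress._BaseNetwork]:
    """Baseline prefixes that equal or contain net (same address family only)."""
    hits = []
    for p in baseline:
        bnet = ipaddress.ip_network(p)
        if bnet.version == net.version and net.subnet_of(bnet):
            hits.append(bnet)
    return hits


def classify(net, path: Tuple[int, ...], baseline: Dict[str, Set[int]]):
    """Return an event label, or None when the announcement is consistent.

    Only the longest-matching baseline prefix decides who the owner is, so a
    legitimate deaggregation by the owner is not flagged.
    """
    if not path:
        return None  # malformed line, nothing to judge
    origin_as = path[-1]
    covering = sorted(covering_prefixes(net, baseline), key=lambda n: n.prefixlen, reverse=True)
    for bnet in covering:
        allowed = baseline[str(bnet)]
        if origin_as in allowed:
            return None  # owner announcing, including a more-specific of its own block
        if bnet == net:
            return "origin-mismatch"
        return "more-specific-foreign-origin"
    return None  # no baseline coverage: nothing to compare against


def detect(lines: Iterable[str], baseline: Dict[str, Set[int]] = BASELINE) -> List[dict]:
    """Run the classifier over route lines, counting each (prefix, origin, label) once."""
    events = []
    seen = set()
    for line in lines:
        if not line.strip():
            continue
        net, path = parse_route(line)
        label = classify(net, path, baseline)
        if label is None:
            continue
        key = (str(net), path[-1], label)
        if key in seen:  # the same announcement seen via many peers is one event
            continue
        seen.add(key)
        events.append({"prefix": str(net), "origin_as": path[-1], "as_path": path, "event": label})
    return events


if __name__ == "__main__":
    for event in detect(SAMPLE_ROUTES.splitlines()):
        print(event)
```

On the constructed input this reports two events: 192.0.2.0/24 originated by AS64502 instead of AS64500, and 192.0.2.128/25 appearing from AS64502 as a more-specific of a block it is not entitled to. The /25 from AS64501 inside its own /24 is left alone, and 203.0.113.0/24 is ignored because the baseline says nothing about it. Deduplicating on (prefix, origin, label) is what keeps the count meaningful when the same announcement is visible through dozens of collector peers.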

More information about the NANOG mailing list