Because spammers can’t easily obtain new IP addresses through legitimate means, they frequently resort to stealing IP address blocks that are dormant and aren’t being utilized by the rightful owners. There is a thriving black market in IP addresses; spammers don’t care whether the source of their IP addresses is legitimate or even legal. A cybercriminal that can steal a large IP address block (for example, a /16 or 65,536 IP addresses) can generate thousands of dollars per month.
Why is it taking so long to secure BGP?
The answer to this question lies in the fact that BGP is a global protocol, running across organizational and national borders. As such, it lacks a single centralized authority that can mandate the deployment of a security solution; instead, every organization can autonomously decide which routing security solutions it will deploy in its own network. Thus, the deployment becomes a coordination game among thousands of independently operated networks. This is further complicated by the fact that many security solutions do not work well unless a large number of networks deploy them.
Using the Turk Telekom looking glass we can see that AS9121 (Turk Telekom) has specific /32 routes for these IP addresses. Since this is the most specific route possible for an IPv4 address, this route will always be selected and the result is that traffic for this IP address is sent to this new bogus route.
BGP traffic hijacking is on the rise, according to internet performance metrics analyst firm Renesys, which last year noted that over a period of two months, around 1500 IP address blocks were rerouted. Several were in Australia.
In practical terms, this means that Man-In-the-Middle BGP route hijacking has now moved from a theoretical concern to something that happens fairly regularly, and the potential for traffic interception is very real. Everyone on the Internet — certainly the largest global carriers, certainly any bank or credit card processing company or government agency — should now be monitoring the global routing of their advertised IP prefixes.
This kind of attack should not happen. You cannot carry out this kind of hijacking without leaving permanent, visible footprints in global routing that point right back to the point of interception. We believe that people are still attempting this because they believe (correctly, in most cases) that nobody is looking.
But the routers do not verify that the route “announcements,” as they are called, are correct. Mistakes in entering the information — or worse yet, a malicious attack — can cause a network to become unavailable.
It can also cause, for example, a company’s Internet traffic to be circuitously routed through another network it does not need to go through, opening the possibility the traffic could be intercepted. The attack is known as “route hijacking,” and can’t be stopped by any security product.
In March 2011, a researcher noticed that traffic destined for Facebook on AT&T’s network strangely went through China for a while. While the requests would normally go directly to Facebook’s network provider, the traffic first went through China Telecom and then to SK Broadband in South Korea before routing to Facebook. Although the incident was characterized as a mistake, it would have been possible for unencrypted Facebook traffic to have been spied on.