Morning pedes,
I'm a sysadmin working for a small datacenter in Germany. Around 09:00 GMT we had calls from some of our customers, who were complaining about service degradation: load times for websites slowed down, SSH connections got terminated, FTP traffic was slow.
Analyzing my systems led to no results, so I called my provider to ask whether there was an issue with our connection.
He said: "To make it short: the Internet is partially broken..." I said, "What?" Yup, some issues with route announcements in the BGP routers around the world.
As I write this, he called me back to tell me the issue got solved. Some guy/group, whatever, was able to insert false route announcements at the BGP level. This is insane.
Let's see what the day brings up, but this was pretty scary (well, for my customers and for my boss, for me it was pretty exciting). Eyes on.
Godspeed, frens
This actually happens pretty regularly. It gets noticed almost immediately, but sometimes takes a few hours to resolve. BGP has very little security implemented (though several options exist). It is an old protocol that makes up the very (routing) fabric of the interwebs.
This usually happens due to human error, or an attack against some provider/network/service. When someone else "announces" a network that does not belong to them, within minutes, ALL the traffic for that network begins routing to them instead of the rightful network owner. This can be used for a multitude of malicious attacks, traffic inspection, client (browser) hijacking, etc.
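One of the "options" that exist for this is RPKI route origin validation: a router compares each announcement's origin AS against signed Route Origin Authorizations (ROAs) and can drop or depref announcements that no ROA authorizes. The following is an added example (not code from anyone in this thread) of the RFC 6811 validation logic run over a constructed ROA table and a constructed set of announcements; the prefixes, AS numbers and the `validate`/`audit` helpers are all made up for illustration.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: origin_as may announce prefix, down to max_length."""
    prefix: str
    max_length: int
    origin_as: int


# Constructed ROA table (RFC 5737/3849 documentation prefixes, RFC 5398 documentation ASNs).
ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("2001:db8::/32", 48, 64496),
]


def _covers(roa: Roa, net) -> bool:
    # subnet_of() raises on mixed address families, so compare versions first.
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == net.version and net.subnet_of(roa_net)


def validate(prefix: str, origin_as: int, roas=ROAS) -> str:
    """RFC 6811 origin validation state: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if _covers(r, net)]
    if not covering:
        return "notfound"  # no ROA covers this prefix; nothing to judge against
    for r in covering:
        if r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"  # covered, but wrong origin AS or more specific than allowed


def audit(announcements, roas=ROAS):
    """Return (prefix, origin AS) for every announcement whose origin is invalid.
    The origin AS is the last hop of the AS_PATH."""
    return [(p, path[-1]) for p, path in announcements
            if validate(p, path[-1], roas) == "invalid"]


# Constructed update feed: legitimate route, origin hijack, more-specific hijack, unknown prefix.
SAMPLE_UPDATES = [
    ("192.0.2.0/24", [64500, 64496]),
    ("192.0.2.0/24", [64500, 64511]),
    ("192.0.2.128/25", [64500, 64496]),
    ("198.51.100.0/24", [64500, 64501]),
]

if __name__ == "__main__":
    for prefix, origin in audit(SAMPLE_UPDATES):
        print(f"INVALID origin AS{origin} for {prefix}")
```

Note that "notfound" is not an alarm: a prefix with no ROA at all simply cannot be validated, which is why coverage of your own prefixes with ROAs matters as much as running validation.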
Yup, there is no security in the protocol itself - it's all about whether the peering points will accept the connection and updates or not.
If you are in possession of zero day exploits for these routers then you can basically do what you like.
The stealthiest approach is to point the traffic you want to intercept to a mirror, and then forward that traffic on to the original destination once you have a copy of it (man in the middle).
What you are doing and where you are doing it add to the complexity of doing this seamlessly, but it's certainly possible.
Thanks, that's what I've learned today. Had another call with the chief network engineer from our provider; he told me the same things you guys are talking about.
He also confirmed that it was a short-lived attack against German Telekom infrastructure. They solved it pretty quickly, but it was widespread.
It seems to be an easy task with huge effects if you know what you have to do.