Palestinian Internet Routes Hijacked
Palestinian Internet is experiencing issues. Security literate computer users are aware that there is potential for what are known as ‘man in the middle’, or MiTM attacks. This is typically executed by finding a way to get between a user and a web site they want to access, perhaps by running a rogue access point in a coffee shop. If your browser complains about a bad X509 certificate from a web site, it could be a MiTM.
There is another, deeper level of this sort of attack, in which entire blocks of IP addresses are hijacked. This has happened in Gaza and the West Bank, and it may have played a role in the alleged attack on Sony by North Korea.
When you turn your computer on, it receives an IP address and a default route from your home router’s DHCP server. That works for a home or office, but how does an entire country like Palestine or North Korea gain access?
There are five regional internet registries (RIRs) which are in charge of managing four billion Ipv4 addresses and a much larger Ipv6 space. Unlike the private IP address your home router gives you, the RIRs deal in globally unique public addresses. These Ipv4 addresses were issued to the RIRs from a common in blocks of sixteen million. The past tense is correct here; the last free blocks of that size were allocated in 2011, and only Ipv6 space remains. The RIRs break these large blocks into prefixes, which are assigned to ISPs, and their location in the global internet is published using Border Gateway Protocol.
Block sizes are expressed with Classless Inter-Domain Routing prefixes, variable length bit masks for 32 bit Ipv4 address blocks. The top level blocks contain sixteen million addresses, expressed as a /8s, and the smallest globally routable prefix is a /24, which is 256 addresses. Each ISP has a unique ID in the form of an Autonomous System Number. You can think of this as a sort of area code for blocks of IP addresses.
And if one ISP offers a more specific prefixes than the rightful owner, they will receive all of their traffic, functionally knocking the other provider offline.
Palestinian ISP Faces Hijack
This route hijacking scenario happened for Palestinian ISP Mada Telecom, and the culprit was restoration of an outdated configuration at Netherlands based A2B. IP address space for the Mideast comes from the European RIR, so those addresses having once been used in the Netherlands makes perfect sense.
Mada was assigned 184.108.40.206/23, a block of 512 addresses. A2P split this in two, offering, 220.127.116.11/24 and 18.104.22.168/24, effectively claiming Mada’s traffic by offering more specific destinations. A quick look into the University of Oregon’s RouteViews shows that this problem has been corrected.
Events like this can be attacks, but they are much more often configuration errors. Either way, the process for resolving this is the rightful owner contacting the provider that is using their prefixes, and if they are unresponsive, sending emails to their upstream providers will get the bad prefixes filtered. This is all done in a very ad hoc fashion, via mailing lists operated by the North American Network Operations Group (NANOG) or the Middle East Network Operations Group (MENOG).
North Korean IPs, Chinese Intruder?
There is another, much less common hijacking scenario, which involves a small ISP and its immediate neighbor. North Korea’s STAR-KP has AS131279 and their only outlet to the world is AS4837, China Unicom.
If a network engineer for China Unicom wished to use an IP address from within a STAR-KP prefix this is simple. All that must be done is adding the IP address to China Unicom’s internal gateway protocol and setting up a system to use it. An effort like this is just a few minutes of work to configure, and if the address chosen is unused the deception can remain in place for a long time. The only way this would be noticed by an outsider would be if they ran a traceroute and noticed the IP in question had a different path than the others right next to it.
Noisy, Rare, Easily Detected
Broad outages such as this, both accidental and intentional, have been happening since the internet was converted to Classless Inter-Domain Routing and version four of Border Gateway Protocol back in 1994. This is not some emerging threat and when it happens it is not at all subtle. Mada Telecom returned to operation using 22.214.171.124/23, which is a bit unusual. Victims of such attacks typically break their address space into /24s, the smallest possible prefix, to thwart future attacks.
The ‘pinhole attack’ on North Korea in order to shift the blame for the Sony attack would have been technically simple, but there is no hard evidence that such a thing occurred. We do need to be mindful of such things when it involves nation states in conflict; the potential for a ‘kinetic response’ to a cyber provocation is within the bounds of international law, and we can not afford a case of mistaken identity when the consequences are so serious.
Images from American Registry of Internet Numbers, University of Oregon Route Views; other images from Shutterstock.