How 3ve’s BGP hijackers eluded the Internet—and made $29M

3ve used addresses of unsuspecting owners—like the US Air Force.

Image credit: Aurich / Getty

Over the past decade, many attackers have exploited design weaknesses in the Internet’s global routing system. Most commonly, the Border Gateway Protocol (BGP) is abused to divert gigabytes, or possibly even petabytes, of high-value traffic to ISPs inside Russia or China, sometimes for years at a time, so that the data can be analyzed or manipulated. Other times, attackers have used BGP hijackings more surgically to achieve specific aims, such as stealing cryptocurrency or regaining control of computers monitored in a police investigation.

Late last month came word of a new scheme. In one of the most sophisticated uses of BGP hijacking yet, criminals used the technique to generate $29 million in fraudulent ad revenue, in part by taking control of IP addresses belonging to the US Air Force and other reputable organizations.

In all, "3ve," as researchers dubbed the ad fraud gang, used BGP attacks to hijack more than 1.5 million IP addresses over a 12-month span beginning in April 2017. The hijacking was notable for the precision and sophistication of the attackers, who clearly had experience with BGP—and a huge amount of patience.


Google goes down after major BGP mishap routes traffic through China

Google says it doesn’t believe leak was malicious despite suspicious appearances.

Image credit: https://www.flickr.com/photos/bfishadow/5668460325

Google lost control of several million of its IP addresses for more than an hour on Monday in an event that intermittently made its search and other services unavailable to many users and also caused problems for Spotify and other Google Cloud customers. While Google said it had no reason to believe the mishap was a malicious hijacking attempt, the leak appeared suspicious to many, in part because it misdirected traffic to China Telecom, the Chinese government-owned provider that was recently caught improperly routing traffic belonging to a raft of Western carriers through mainland China.

The leak started at 21:13 UTC when MainOne Cable Company, a small ISP in Lagos, Nigeria, suddenly began announcing through the Internet's global routing system that its autonomous system, AS37282, was the path to reach 212 IP prefixes belonging to Google. Within minutes, China Telecom improperly accepted the route and announced it worldwide. The move by China Telecom, aka AS4809, in turn caused Russia-based Transtelecom, aka AS20485, and other large service providers to also follow the route.

The redirections, BGPmon said on Twitter, came in five distinct waves over a 74-minute period. The redirected IP ranges carried some of Google's most sensitive communications, including the company's corporate WAN infrastructure and the Google VPN. This graphic from regional Internet registry RIPE NCC shows how the domino effect played out over a two-hour span. The image below shows an abbreviated version of those events.
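Both incidents on this page come down to one question a router or a monitoring system can ask of every BGP announcement: is the origin AS at the end of the AS path actually authorized to announce this prefix? Route origin validation (RFC 6811) answers it from a table of Route Origin Authorizations (ROAs); in the MainOne case it would have flagged the 212 Google prefixes as originating from the wrong AS, and the rest of the path shows which upstreams accepted and re-announced the bad route. The same check is what catches a 3ve-style origin hijack of someone else's unused address space, provided the victim has published a ROA. The block below is an added example written for this page, not code from Google, MainOne, BGPmon, RIPE NCC or the 3ve researchers. Everything in it is constructed: the ROA table, the update-line format, and the prefixes (RFC 5737 documentation ranges standing in for Google's real prefixes, which the article does not list). Google's origin is assumed to be AS15169, which the page does not state; the ASNs in the leaked path (AS37282, AS4809, AS20485) are the ones the article reports.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization: origin_as may announce prefix and any
    more-specific of it no longer than max_length."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    origin_as: int


# Constructed ROA table. AS15169 is assumed to be Google's origin AS (not stated
# on the page); the prefixes are RFC 5737 documentation ranges, not Google's.
ROAS = [
    Roa(ipaddress.ip_network("203.0.113.0/24"), 24, 15169),
    Roa(ipaddress.ip_network("198.51.100.0/22"), 24, 15169),
]


def validate_origin(prefix_str: str, as_path: list[int], roas=ROAS) -> str:
    """RFC 6811 origin validation. as_path is ordered as in BGP: nearest
    neighbor first, origin AS last. AS_SETs and confederations are not handled."""
    prefix = ipaddress.ip_network(prefix_str, strict=False)
    origin = as_path[-1]
    covering = [
        r for r in roas
        if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)
    ]
    if not covering:
        # No ROA covers the prefix: ROV cannot say anything about it, and most
        # operators accept NotFound routes. This is the gap a hijack of
        # unregistered space slips through.
        return "NotFound"
    for r in covering:
        if r.origin_as == origin and prefix.prefixlen <= r.max_length:
            return "Valid"
    # Covered by a ROA, but the origin is wrong or the prefix is more specific
    # than the ROA permits (a classic more-specific hijack).
    return "Invalid"


# Constructed update lines: "<prefix> <as_path, neighbor first, origin last>".
# Line 1 mimics the leak above as seen from Transtelecom: origin AS37282
# (MainOne), carried by AS4809 (China Telecom), then AS20485. The remaining
# lines are made-up ASNs from the RFC 5398 documentation range.
UPDATES = """\
203.0.113.0/24 20485 4809 37282
198.51.100.0/24 64496 15169
198.51.100.0/25 64496 37282
192.0.2.0/24 64496 64497
198.51.100.128/25 64496 15169
"""


def audit_updates(text: str, roas=ROAS) -> list[dict]:
    """Validate each update and, for Invalid routes, record every AS that
    accepted and propagated the bad announcement (all path members except the
    origin)."""
    findings = []
    for line in text.strip().splitlines():
        prefix, *path = line.split()
        as_path = [int(asn) for asn in path]
        status = validate_origin(prefix, as_path, roas)
        findings.append({
            "prefix": prefix,
            "origin": as_path[-1],
            "status": status,
            "propagators": as_path[:-1] if status == "Invalid" else [],
        })
    return findings


if __name__ == "__main__":
    for f in audit_updates(UPDATES):
        print(f"{f['prefix']:<20} origin AS{f['origin']:<6} {f['status']:<9}"
              f" propagated by {f['propagators'] or '-'}")
```

Run it and the first line comes back Invalid with AS4809 and AS20485 listed as propagators, which is exactly the chain the article describes; the last line shows why maxLength matters: the right origin announcing a /25 is still Invalid when the ROA only permits up to /24. A ROA-less prefix is NotFound, not Invalid, so ROV alone would not have stopped a hijack of address space whose owner never published a ROA.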
