|Update (12:57 UTC, 10-Jan): We received the following note from Erik Bais of A2B Internet:
The issue with the PS Mada ip address is that there was still a historic entry in our bgp network config. A reboot of one of the routers in the network triggered the announcements where the bgp more specifics where triggered based on the e-bgp received routes. That was both the case for SIT and Mada. SIT was a customer of us in the past and they contacted us in the last couple of days to look into it. The IP space of PS Mada came originally from our network space ( 18.104.22.168/17 ) where they bought some space from us.
We checked the announcements and fixed the issue.
Dyn Research can confirm that as of 11:18 UTC on 10-Jan the routing hijack ceased as did the traffic re-direction. It is reassuring to hear that this was caused by a router glitch and not by something more nefarious. After the incidents we observed in 2013 and the Bitcoin hijacks last year, this type of phenomenon can raise serious concerns. Perhaps this incident can also serve as a reminder to double-check router configs. Now that IPv4 address space utilization is so dense, accidents are inevitable.
It’s a new year, but some things never change. In the past few days we have observed a spate of incidents of routing misbehavior including two man-in-the-middle routing hijacks conducted in the past couple of days by A2B Internet out of the Netherlands.
Beginning at 00:33:44 UTC on Thursday, 8 January, we began observing a routing hijack of IP address space normally announced by Mada Telecom (AS51407), a Palestinian ISP with presence in both Gaza and the West Bank. Beginning at that time, A2B Internet B.V. (AS51088) began announcing 22.214.171.124/24, which is a more-specific route of 126.96.36.199/23, normally announced by Mada.
Traceroutes directed to this address space are presently being re-directed to A2B Internet’s network in the Netherlands before continuing on to Palestine. For example:
trace from Cyberjava, Malaysia to Mada Telecom, PS on Jan 09, 2015
2 x.x.x.x (Cyberjaya, Malaysia) 3.442
3 188.8.131.52 (Extreme Broadband, Malaysia) 0.696
4 184.108.40.206 (Extreme Broadband, Malaysia) 1.222
5 220.127.116.11 global.hgc.com.hk 35.854
6 18.104.22.168 global.hgc.com.hk 36.742
7 22.214.171.124 (Hutchison, Singapore) 41.628
8 126.96.36.199 (Hutchison, Amsterdam) 190.787
9 188.8.131.52 (Tata, Amsterdam, NL) 213.494
10 184.108.40.206 (A2B Internet, NL) 200.990
11 220.127.116.11 (GTT, Amsterdam) 268.366
12 18.104.22.168 xe-5-0-1.edge3.Amsterdam.Level3.net 300.909
13 22.214.171.124 ae-236-3612.edge5.London1.Level3.net 268.586
14 126.96.36.199 ae-234-3610.edge5.london1.Level3.net 269.017
15 188.8.131.52 ADOBE-SYSTE.edge3.London15.Level3.net 362.157
16 184.108.40.206 (Mada Telecom, Palestine) 329.861
17 220.127.116.11 (Mada Telecom, Palestine) 408.753
The on-demand traceroute functionality in Dyn Internet Intelligence shows the redirection through A2B Internet. The view from Vienna is highlighted below:
Below is a topological view of our traceroutes going through A2B Internet en-route to Mada Telecom.
This isn’t the first MITM hijack we have observed involving AS51088 in the last couple of days. About two hours earlier starting at 22:23:09 UTC on 7 January, we observed AS51088 announce 18.104.22.168/21 – a network that hosts over 3,000 domains including IPs associated with Bitcoin.
Below is a sampling of our traceroutes from yesterday that were redirected through AS51088 en-route to SIT Internetdiensten (AS61044).
We’ve alerted the impacted parties and will update this blog if we receive any additional information.
As I noted in my September blog,
Regardless of the cause of each of these incidents, the problem is a very real and growing one. Perhaps documenting these incidents will promote a greater understanding of the extent and nature of the problems around the trust-based Internet routing system in global use today.