
On-going BGP Hijack Targets Palestinian ISP

Update (12:57 UTC, 10-Jan): We received the following note from Erik Bais of A2B Internet:

The issue with the PS Mada IP address is that there was still a historic entry in our BGP network config. A reboot of one of the routers in the network triggered the announcements, where the BGP more-specifics were triggered based on the eBGP received routes. That was the case for both SIT and Mada. SIT was a customer of ours in the past and they contacted us in the last couple of days to look into it. The IP space of PS Mada came originally from our network space (46.244.0.0/17), where they bought some space from us.

We checked the announcements and fixed the issue.

Dyn Research can confirm that as of 11:18 UTC on 10-Jan the routing hijack ceased as did the traffic re-direction. It is reassuring to hear that this was caused by a router glitch and not by something more nefarious. After the incidents we observed in 2013 and the Bitcoin hijacks last year, this type of phenomenon can raise serious concerns. Perhaps this incident can also serve as a reminder to double-check router configs. Now that IPv4 address space utilization is so dense, accidents are inevitable.


It’s a new year, but some things never change. In the past few days we have observed a spate of incidents of routing misbehavior including two man-in-the-middle routing hijacks conducted in the past couple of days by A2B Internet out of the Netherlands.

Beginning at 00:33:44 UTC on Thursday, 8 January, we began observing a routing hijack of IP address space normally announced by Mada Telecom (AS51407), a Palestinian ISP with presence in both Gaza and the West Bank. Beginning at that time, A2B Internet B.V. (AS51088) began announcing 46.244.81.0/24, which is a more-specific route of 46.244.80.0/23, normally announced by Mada.

[Figure: routing announcements for 46.244.81.0/24]

Traceroutes directed to this address space are presently being re-directed to A2B Internet’s network in the Netherlands before continuing on to Palestine. For example:

trace from Cyberjaya, Malaysia to Mada Telecom, PS on Jan 09, 2015
1                                                              *
2  x.x.x.x         (Cyberjaya, Malaysia)                   3.442
3  113.23.163.57   (Extreme Broadband, Malaysia)           0.696
4  113.23.190.109  (Extreme Broadband, Malaysia)           1.222
5  218.189.12.101  global.hgc.com.hk                      35.854
6  218.189.8.102   global.hgc.com.hk                      36.742
7  118.143.224.243 (Hutchison, Singapore)                 41.628
8  218.189.8.142   (Hutchison, Amsterdam)                190.787
9  195.219.150.6   (Tata, Amsterdam, NL)                 213.494
10 46.244.0.4      (A2B Internet, NL)                    200.990
11 141.136.97.5    (GTT, Amsterdam)                      268.366
12 4.68.70.97      xe-5-0-1.edge3.Amsterdam.Level3.net   300.909
13 4.69.166.61     ae-236-3612.edge5.London1.Level3.net  268.586
14 4.69.166.53     ae-234-3610.edge5.london1.Level3.net  269.017
15 212.187.138.254 ADOBE-SYSTE.edge3.London15.Level3.net 362.157
16 46.43.64.89     (Mada Telecom, Palestine)             329.861
17 46.244.81.207   (Mada Telecom, Palestine)             408.753

The on-demand traceroute functionality in Dyn Internet Intelligence shows the redirection through A2B Internet. The view from Vienna is highlighted below:

[Figure: Dyn Internet Intelligence on-demand traceroute view from Vienna, showing the redirection through A2B Internet]

Below is a topological view of our traceroutes going through A2B Internet en-route to Mada Telecom.

[Figure: topological view of traceroutes to Mada Telecom passing through A2B Internet]

This isn’t the first MITM hijack we have observed involving AS51088 in the last couple of days. About two hours earlier starting at 22:23:09 UTC on 7 January, we observed AS51088 announce 37.148.192.0/21 – a network that hosts over 3,000 domains including IPs associated with Bitcoin.

[Figure: routing announcements for 37.148.192.0/21]

Below is a sampling of our traceroutes from yesterday that were redirected through AS51088 en-route to SIT Internetdiensten (AS61044).

[Figure: traceroutes to SIT Internetdiensten (AS61044) redirected through AS51088]
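As an added illustration (not part of the original post or of Dyn's tooling), here is the baseline-versus-observed check a route monitor performs to flag the two events above: an announcement that is a more specific of a prefix whose expected origin is a different AS, or a different origin for an exact prefix. The baseline and the sample feed are constructed from the prefixes and ASNs named in the post; the timestamps of the two legitimate entries are assumed.

```python
import ipaddress
from dataclasses import dataclass

# Expected prefix -> origin AS before the incident, built from the post.
BASELINE = {
    "46.244.80.0/23": 51407,   # Mada Telecom
    "37.148.192.0/21": 61044,  # SIT Internetdiensten
    "46.244.0.0/17": 51088,    # A2B Internet's own block (Erik Bais's note)
}

@dataclass(frozen=True)
class Alert:
    prefix: str
    origin_asn: int
    covering_prefix: str
    expected_asn: int
    kind: str  # "more-specific" or "origin-change"

def check_announcement(prefix, origin_asn, baseline=BASELINE):
    """Return an Alert if the origin disagrees with the longest covering
    baseline prefix, None if it matches or the space is not tracked."""
    net = ipaddress.ip_network(prefix)
    best = None
    for p in baseline:  # longest-prefix match against the baseline
        bnet = ipaddress.ip_network(p)
        if net.version == bnet.version and net.subnet_of(bnet):
            if best is None or bnet.prefixlen > best.prefixlen:
                best = bnet
    if best is None or baseline[str(best)] == origin_asn:
        return None
    kind = "more-specific" if net.prefixlen > best.prefixlen else "origin-change"
    return Alert(prefix, origin_asn, str(best), baseline[str(best)], kind)

# Constructed feed of (UTC time, prefix, origin AS). The first two entries
# use the times the post reports; the legitimate ones are assumed.
SAMPLE_FEED = [
    ("2015-01-07T22:23:09Z", "37.148.192.0/21", 51088),
    ("2015-01-08T00:33:44Z", "46.244.81.0/24", 51088),
    ("2015-01-08T00:40:00Z", "46.244.80.0/23", 51407),
    ("2015-01-08T00:45:00Z", "46.244.0.0/17", 51088),
]

def scan_feed(feed, baseline=BASELINE):
    """Return [(timestamp, Alert)] for every announcement that deviates."""
    return [(ts, a) for ts, pfx, asn in feed
            if (a := check_announcement(pfx, asn, baseline)) is not None]

if __name__ == "__main__":
    for ts, a in scan_feed(SAMPLE_FEED):
        print(f"{ts} {a.kind}: {a.prefix} from AS{a.origin_asn}; "
              f"covers {a.covering_prefix}, expected AS{a.expected_asn}")
```

Because 46.244.80.0/23 sits inside A2B's own 46.244.0.0/17, the longest-match step is what attributes 46.244.81.0/24 to Mada rather than to A2B; a check against only the covering aggregate would have missed it.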

We’ve alerted the impacted parties and will update this blog if we receive any additional information.

As I noted in my September blog,

Regardless of the cause of each of these incidents, the problem is a very real and growing one. Perhaps documenting these incidents will promote a greater understanding of the extent and nature of the problems around the trust-based Internet routing system in global use today.



Doug Madory

Doug Madory is a Director of Internet Analysis at Dyn where he works on Internet infrastructure analysis projects. Doug has a special interest in mapping the logical Internet to the physical lines that connect it together, with a focus on submarine cables.