Last fall, the Interior Minister of Ukraine announced the creation of a national Cyberpolice (Кіберполіцію) to protect the country from everything from credit card fraud to malware.  Here’s something that would be great to add to their list: fraudulent BGP routing out of Ukraine.  Last year, we reported on an incident in which Ukrainian ISP Vega hijacked routes from British Telecom (including that of the UK’s Atomic Weapons Establishment), an event that could perhaps be chalked up to an innocent mistake.  However, the fraudulent routing we’re now seeing from Ukraine is deliberately designed to go unnoticed.  We’ll review some of this new behavior in this blog.

Governments take note

The profile of this issue has grown in the past year as governments have had to respond to their address space being fraudulently used.  Last July, the Dutch Minister of Foreign Affairs (pictured right) was confronted with parliamentary questions concerning an incident where “attackers” had commandeered IP address space belonging to the Ministry of Foreign Affairs the previous year.  In that incident, on 18 November 2014, Decision Marketing (AS62228) out of Sofia, Bulgaria began globally announcing eleven BGP routes that did not belong to them.

These routes included the following:
159.100.0.0/17      Transport Research Laboratory                   GB
171.25.0.0/17       Swisscom IT Services AG Sankt Gallen            CH
193.177.64.0/18     Ministerie van Buitenlandse Zaken               NL
193.201.243.0/24    MA3X Ltd.       Sofiya  Sofiya-Grad             BG
193.202.128.0/18    Bayer Business Services GmbH Nordrhein-Westfalen DE
193.243.0.0/17      Cable & Wireless UK P.U.C.                      GB
194.38.0.0/18       RIPE Network Coordination Centre                AU
210.79.128.0/18     Mediatti Communications Inc.                    JP
210.87.64.0/18      Asia Pacific Network Information Centre         AU
80.114.192.0/18     Ziggo B.V.      Amsterdam       Noord-Holland   NL
83.175.0.0/18       Telecom Italia S.p.a.                           IT

The one that caught the attention of the Dutch was 193.177.64.0/18.  Its propagation profile is shown below on the left – note it never was circulated to more than 40% of our peering base.  Decision Marketing (clearly a spamming operation) impressively embeds a Bulgarian accent into their logo with the slogan “We are email marketing company.”

In the following month, the Swiss Governmental CERT announced that it had (with the assistance of Spamhaus) recovered IP address space belonging to a Swiss regional government but being used by spammers.  The graphic below shows the route being originated by the spamming operation (AS62741) on the left disappears on 25 June and returns on 29 June, being announced by its rightful owners, the canton of Fribourg.

In the Dutch Minister’s defense, there isn’t much one can do to completely prevent any entity from announcing the address space of another entity as the routing system is based on trust.  Also the hijacking of unused address space is undoubtedly lower on the priority list than other things facing European governments these days.  Perhaps with available IPv4 address space drying up, might it be getting harder for spammers to squat on unused IP address space without someone noticing?

A Problem in Ukraine

Last October, Dyn’s Scientist Emeritus Jim Cowie was the keynote speaker at ENOG 10 in Odessa, Ukraine.  The ENOG (Eurasia Network Operators Group) covers the Russian Federation, CIS and Eastern Europe and a video of Jim’s presentation is posted below – and is advanced to the portion which covers the fraudulent routing we spotted coming out of the Ukraine.

At the beginning of last year, we published a blog entitled The Vast World of Fraudulent Routing which detailed six different entities deliberately announcing address space that didn’t belong to them.  In Case 5 from that post, we described a perpetrator attempting to mask his fraudulent routing by forging the AS Path to contain what would otherwise appear to be a believable origin for the address space being announced.

In that case, we observed things like unused British Telecom address space being announced by AS5400 (British Telecom’s ASN) according to the AS Paths in BGP data.  To the lay observer this would appear legitimate, however, it was being exclusively transited through a small ISP in Ufa, Russia – a city unlikely to house a branch office of BT.

The activity described in Case 5 disappeared in November 2014, but the next month in December we started seeing something similar out of Kiev, Ukraine, i.e., a new instance of phony, yet plausible AS origins for bogus routes.

200.202.64.0/19 (Brazil Home Shopping Ltd) was one of those routes.  It was routed along the following path:

   ... 9002 8438 18739 10495 11295

If we investigate this route, we can see that it is originated by the rightmost AS on the path AS11295 (Brazil Home Shopping Ltd).  Well that seems to check out — good so far.  Then it goes through AS18739 and AS10495, which are both Brazilian ASNs.  Ok, still looks plausible, right?  But then it exclusively goes through Ukrainian provider Hetman Soft (AS8434) and on to Russian fixed-line carrier RETN (AS9002).  Routes along paths like these are only circulated to a limited set of mostly Russian carriers.

In the past year, we observed this entity announcing the following phony, yet plausible origins (it seems to have a preference for LACNIC resources):

Prefix 187.239.0.0/16 (Uninet, MX) 177.90.0.0/16 (Universidade De Sao Paulo, BR) 200.200.0.0/16 (Embratel, BR) 181.56.0.0/16 (Telmex Colombia, CO) 161.255.0.0/16 (Movistar (Telcel), VE) 177.21.128.0/20 (Netdigit Telecom, BR) 196.3.16.0/20 (Net Uno, C.A., VE) 186.189.224.0/20 (FastBee Argentina S.A.) 186.236.240.0/20 (Prefeitura de Cuiabá, BR) 191.102.224.0/20 (DirecTV Colombia) 177.8.80.0/20 (Centro Int. de Telemática do Exército,BR) ... many more

Plausible, but Phoney Origin AS8151 (Uninet, MX) AS28571 (Univ De Sao Paulo, BR) AS4230 (Embratel, BR) AS10620 (Telmex Colombia, CO) AS6306 (Movistar (Telcel), VE) AS28245 (Netdigit Telecomunicacoes, BR) AS11562 (Net Uno, C.A., VE) AS28028 (FastBee Argentina S.A) AS263638 (Prefeitura de Cuiabá, BR) AS262928 (DirecTV Colombia) AS52890 (Centro Int. de Telemática do Exército,BR)

In case we needed additional confirmation of the location of where these routes were coming from, one could run traceroutes into this address space and get times and paths that were consistent with Ukraine, not Brazil. Such as 20ms from Moscow:

trace from Moscow, RU to 200.202.64.1
1 *                                                                          0.0
2 87.245.229.46  ReTN external interconnections  Moscow          Russia    0.478
3 87.245.233.26  ReTN's Backbone                 Kiev            Ukraine  19.717
4 *                                                                          0.0
5 200.202.64.1   BR HOME SHOPPING LTDA           Belo Horizonte  Brazil   20.419

And 12ms from Minsk:

trace from Minsk, BY to 200.202.64.1
1 *                                                                             0.0
2 *                                                                             0.0
3 93.84.125.194   BELTELECOM                        Minsk           Belarus   4.343
4 93.85.80.54     Republican Unitary Telecommunica  Minsk           Belarus   4.425
5 93.85.80.126    Republican Unitary Telecommunica  Minsk           Belarus   0.984
6 87.245.237.21   ReTN external interconnections    Kiev            Ukraine  12.405
7 87.245.232.173  ReTN's Backbone                   Kiev            Ukraine  12.511
8 *                                                                             0.0
9 200.202.64.1    BR HOME SHOPPING LTDA             Belo Horizonte  Brazil    12.67

As of Friday last week, 200.202.64.0/19 (Brazil Home Shopping Ltd) was still being fraudulently announced out of Ukraine, although the AS path has changed slightly (AS41331 has taken the place of AS8434):

   ... 9002 41331 18739 10495 11295

The individuals involved in this type of activity can be quite brazen.  Aside from having the audacity to announce the address space of the Brazilian Military (Centro Int. de Telemática do Exército) from the example above, earlier this year a new IP squatting operation began hijacking address space of APRICOT 2016, just weeks before the conference was set to begin.  APRICOT is APNIC‘s technical conference which focuses on topics like routing security.  We alerted the conference organizers, who were able to fend off the hijack by getting the perpetrator’s (AS260) upstream (GTT, AS3257) to drop the bad routes.  Dyn’s Director of Infrastructure, Joe Abley then described the entire incident in a lightning talk at APRICOT 2016:

.@ableyjoe presents at #APRICOT2016 on BGP hijacking of #APRICOT2016 itself! Video: https://t.co/TdzU8ZS4JB pic.twitter.com/No9OBfPHgO

— Dyn Research (@DynResearch) February 24, 2016

Although GTT blocked the specific routes hijacking APRICOT 2016 IP space from its customer AS260 (Xconnect24), this entity continues to announce bogus routes via GTT out to parts of the Internet using bogus origins, just as it did with APRICOT.

Unfortunately, fighting this type of activity is difficult because the perpetrators are getting more advanced at hiding their activity from basic BGP analysis, but also because even when nefarious activity is identified and upstream providers are alerted, the fraudulent routes continue to be circulated.  This is why we support the Internet Society‘s Mutually Agreed Norms for Routing Security (MANRS) project and recommend that companies monitor their IP address space (routed and unrouted) with tools like those found in Dyn’s Internet Intelligence family of products. For more information about this type of phenomenon, see last year’s coverage of our analysis in the Washington Post and the Wall Street Journal.

More Fraudulent Routing = More Need for #MANRS https://t.co/fgLdry1Ljq

— Routing Manifesto (@RtgManifesto) March 22, 2016

Update:

This blog post has been translated into Russian and published in the online magazine Internet Inside. (Pg 33)