On-going BGP Hijack Targets Palestinian ISP

January 9, 2015 Doug Madory

It’s a new year, but some things never change. In the past few days we have observed a spate of routing misbehavior, including two man-in-the-middle routing hijacks conducted in the past couple of days by A2B Internet out of the Netherlands.

At 00:33:44 UTC on Thursday, 8 January, we began observing a routing hijack of IP address space normally announced by Mada Telecom (AS51047), a Palestinian ISP with presence in both Gaza and the West Bank. At that time, A2B Internet B.V. (AS51088) began announcing 46.244.81.0/24, a more-specific route of 46.244.80.0/23, which is normally announced by Mada.

[Figure: 46.244.81.0_24]

Traceroutes directed to this address space are presently being re-directed to A2B Internet’s network in the Netherlands before continuing on to Palestine. For example:


trace from Cyberjaya, Malaysia to Mada Telecom, PS on Jan 09, 2015
1                                                              *
2  x.x.x.x         (Cyberjaya, Malaysia)                   3.442
3  113.23.163.57   (Extreme Broadband, Malaysia)           0.696
4  113.23.190.109  (Extreme Broadband, Malaysia)           1.222
5  218.189.12.101  global.hgc.com.hk                      35.854
6  218.189.8.102   global.hgc.com.hk                      36.742
7  118.143.224.243 (Hutchison, Singapore)                 41.628
8  218.189.8.142   (Hutchison, Amsterdam)                190.787
9  195.219.150.6   (Tata, Amsterdam, NL)                 213.494
10 46.244.0.4      (A2B Internet, NL)                    200.990
11 141.136.97.5    (GTT, Amsterdam)                      268.366
12 4.68.70.97      xe-5-0-1.edge3.Amsterdam.Level3.net   300.909
13 4.69.166.61     ae-236-3612.edge5.London1.Level3.net  268.586
14 4.69.166.53     ae-234-3610.edge5.london1.Level3.net  269.017
15 212.187.138.254 ADOBE-SYSTE.edge3.London15.Level3.net 362.157
16 46.43.64.89     (Mada Telecom, Palestine)             329.861
17 46.244.81.207   (Mada Telecom, Palestine)             408.753
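
Why the /24 pulls traffic away from Mada's /23, and how a monitor can flag such an announcement, shown as an added example (not Dyn's code and not part of the original post). The baseline table and the function names are assumptions; the prefixes, AS numbers and destination address are the ones given above.

```python
import ipaddress

# Expected origins. The Mada entry is taken from the article; a real baseline
# would come from RPKI ROAs, IRR route objects or historical routing data.
BASELINE = {
    ipaddress.ip_network("46.244.80.0/23"): 51047,  # Mada Telecom
}

def classify(prefix, origin, baseline=BASELINE):
    """Compare one observed announcement against the expected origins."""
    net = ipaddress.ip_network(prefix)
    covering = [k for k in baseline
                if k.version == net.version and net.subnet_of(k)]
    if not covering:
        return "not-in-baseline"
    # Judge against the most specific baseline entry that covers the prefix,
    # so a legitimately delegated sub-block is not reported as a hijack.
    known = max(covering, key=lambda k: k.prefixlen)
    if origin == baseline[known]:
        return "ok"
    return "origin-change" if net == known else "more-specific-by-other-origin"

def best_route(address, rib):
    """Longest-prefix match: the forwarding decision a router makes."""
    ip = ipaddress.ip_address(address)
    matches = [(ipaddress.ip_network(p), asn) for p, asn in rib
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, asn = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), asn

# Constructed routing table holding the two announcements named in the article.
RIB = [("46.244.80.0/23", 51047), ("46.244.81.0/24", 51088)]

if __name__ == "__main__":
    for prefix, origin in RIB:
        print(prefix, f"AS{origin}", classify(prefix, origin))
    # Traceroute destination from the article, then an address in the half
    # of the /23 that the /24 does not cover.
    for dst in ("46.244.81.207", "46.244.80.10"):
        print(dst, "->", best_route(dst, RIB))
```

Only the upper half of the /23 is affected: addresses in 46.244.80.0/24 still match nothing more specific than Mada's own route.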

The on-demand traceroute functionality in Dyn Internet Intelligence shows the redirection through A2B Internet. The view from Vienna is highlighted below:

[Figure: DII_Mada_hijack]

Below is a topological view of our traceroutes going through A2B Internet en-route to Mada Telecom.

[Figure: mada_hijack]

This isn’t the first MITM hijack we have observed involving AS51088 in the last couple of days. About two hours earlier, starting at 22:23:09 UTC on 7 January, we observed AS51088 announce 37.148.192.0/21 – a network that hosts over 3,000 domains including IPs associated with Bitcoin.

[Figure: 37.148.192.0_21_1420639200_1420726970]

Below is a sampling of our traceroutes from yesterday that were redirected through AS51088 en-route to SIT Internetdiensten (AS61044).

[Figure: 61044_hijack]

We’ve alerted the impacted parties and will update this blog if we receive any additional information.

As I noted in my September blog,

Regardless of the cause of each of these incidents, the problem is a very real and growing one. Perhaps documenting these incidents will promote a greater understanding of the extent and nature of the problems around the trust-based Internet routing system in global use today.

The post On-going BGP Hijack Targets Palestinian ISP appeared first on Dyn Research.


About the Author

Doug Madory is a Director of Internet Analysis at Dyn where he works on Internet infrastructure analysis projects. Doug has a special interest in mapping the logical Internet to the physical lines that connect it together, with a special interest in submarine cables.
