It’s a new year, but some things never change. In the past few days we have observed a spate of incidents of routing misbehavior including two man-in-the-middle routing hijacks conducted in the past couple of days by A2B Internet out of the Netherlands.
Beginning at 00:33:44 UTC on Thursday, 8 January, we began observing a routing hijack of IP address space normally announced by Mada Telecom (AS51047), a Palestinian ISP with presence in both Gaza and the West Bank. Beginning at that time, A2B Internet B.V. (AS51088) began announcing 22.214.171.124/24, which is a more-specific route of 126.96.36.199/23, normally announced by Mada.
Traceroutes directed to this address space are presently being re-directed to A2B Internet’s network in the Netherlands before continuing on to Palestine. For example:
trace from Cyberjava, Malaysia to Mada Telecom, PS on Jan 09, 2015
2 x.x.x.x (Cyberjaya, Malaysia) 3.442
3 188.8.131.52 (Extreme Broadband, Malaysia) 0.696
4 184.108.40.206 (Extreme Broadband, Malaysia) 1.222
5 220.127.116.11 global.hgc.com.hk 35.854
6 18.104.22.168 global.hgc.com.hk 36.742
7 22.214.171.124 (Hutchison, Singapore) 41.628
8 126.96.36.199 (Hutchison, Amsterdam) 190.787
9 188.8.131.52 (Tata, Amsterdam, NL) 213.494
10 184.108.40.206 (A2B Internet, NL) 200.990
11 220.127.116.11 (GTT, Amsterdam) 268.366
12 18.104.22.168 xe-5-0-1.edge3.Amsterdam.Level3.net 300.909
13 22.214.171.124 ae-236-3612.edge5.London1.Level3.net 268.586
14 126.96.36.199 ae-234-3610.edge5.london1.Level3.net 269.017
15 188.8.131.52 ADOBE-SYSTE.edge3.London15.Level3.net 362.157
16 184.108.40.206 (Mada Telecom, Palestine) 329.861
17 220.127.116.11 (Mada Telecom, Palestine) 408.753
The on-demand traceroute functionality in Dyn Internet Intelligence shows the redirection through A2B Internet. The view from Vienna is highlighted below:
Below is a topological view of our traceroutes going through A2B Internet en-route to Mada Telecom.
This isn’t the first MITM hijack we have observed involving AS51088 in the last couple of days. About two hours earlier starting at 22:23:09 UTC on 7 January, we observed AS51088 announce 18.104.22.168/21 – a network that hosts over 3,000 domains including IPs associated with Bitcoin.
Below is a sampling of our traceroutes from yesterday that were redirected through AS51088 en-route to SIT Internetdiensten (AS61044).
We’ve alerted the impacted parties and will update this blog if we receive any additional information.
As I noted in my September blog,
Regardless of the cause of each of these incidents, the problem is a very real and growing one. Perhaps documenting these incidents will promote a greater understanding of the extent and nature of the problems around the trust-based Internet routing system in global use today.
About the Author
Doug Madory is a Director of Internet Analysis at Dyn where he works on Internet infrastructure analysis projects. Doug has a special interest in mapping the logical Internet to the physical lines that connect it together, with a special interest on submarine cables.Follow on Twitter More Content by Doug Madory