Last fall, the Interior Minister of Ukraine announced the creation of a national Cyberpolice (Кіберполіцію) to protect the country from everything from credit card fraud to malware. Here’s something that would be great to add to their list: fraudulent BGP routing out of Ukraine. Last year, we reported on an incident in which Ukrainian ISP Vega hijacked routes from British Telecom (including that of the UK’s Atomic Weapons Establishment), an event that could perhaps be chalked up to an innocent mistake. However, the fraudulent routing we’re now seeing from Ukraine is deliberately designed to go unnoticed. We’ll review some of this new behavior in this blog.
Governments take note
|The profile of this issue has grown in the past year as governments have had to respond to their address space being fraudulently used. Last July, the Dutch Minister of Foreign Affairs (pictured right) was confronted with parliamentary questions concerning an incident where “attackers” had commandeered IP address space belonging to the Ministry of Foreign Affairs the previous year. In that incident, on 18 November 2014, Decision Marketing (AS62228) out of Sofia, Bulgaria began globally announcing eleven BGP routes that did not belong to them.|
These routes included the following:
126.96.36.199/17 Transport Research Laboratory GB
188.8.131.52/17 Swisscom IT Services AG Sankt Gallen CH
184.108.40.206/18 Ministerie van Buitenlandse Zaken NL
220.127.116.11/24 MA3X Ltd. Sofiya Sofiya-Grad BG
18.104.22.168/18 Bayer Business Services GmbH Nordrhein-Westfalen DE
22.214.171.124/17 Cable & Wireless UK P.U.C. GB
126.96.36.199/18 RIPE Network Coordination Centre AU
188.8.131.52/18 Mediatti Communications Inc. JP
184.108.40.206/18 Asia Pacific Network Information Centre AU
220.127.116.11/18 Ziggo B.V. Amsterdam Noord-Holland NL
18.104.22.168/18 Telecom Italia S.p.a. IT
The one that caught the attention of the Dutch was 22.214.171.124/18. Its propagation profile is shown below on the left – note it never was circulated to more than 40% of our peering base. Decision Marketing (clearly a spamming operation) impressively embeds a Bulgarian accent into their logo with the slogan “We are email marketing company.”
In the following month, the Swiss Governmental CERT announced that it had (with the assistance of Spamhaus) recovered IP address space belonging to a Swiss regional government but being used by spammers. The graphic below shows the route being originated by the spamming operation (AS62741) on the left disappears on 25 June and returns on 29 June, being announced by its rightful owners, the canton of Fribourg.
A Problem in Ukraine
Last October, Dyn’s Scientist Emeritus Jim Cowie was the keynote speaker at ENOG 10 in Odessa, Ukraine. The ENOG (Eurasia Network Operators Group) covers the Russian Federation, CIS and Eastern Europe and a video of Jim’s presentation is posted below – and is advanced to the portion which covers the fraudulent routing we spotted coming out of the Ukraine.
At the beginning of last year, we published a blog entitled The Vast World of Fraudulent Routing which detailed six different entities deliberately announcing address space that didn’t belong to them. In Case 5 from that post, we described a perpetrator attempting to mask his fraudulent routing by forging the AS Path to contain what would otherwise appear to be a believable origin for the address space being announced.
In that case, we observed things like unused British Telecom address space being announced by AS5400 (British Telecom’s ASN) according to the AS Paths in BGP data. To the lay observer this would appear legitimate, however, it was being exclusively transited through a small ISP in Ufa, Russia – a city unlikely to house a branch office of BT.
The activity described in Case 5 disappeared in November 2014, but the next month in December we started seeing something similar out of Kiev, Ukraine, i.e., a new instance of phony, yet plausible AS origins for bogus routes.
126.96.36.199/19 (Brazil Home Shopping Ltd) was one of those routes. It was routed along the following path:
... 9002 8438 18739 10495 11295
If we investigate this route, we can see that it is originated by the rightmost AS on the path AS11295 (Brazil Home Shopping Ltd). Well that seems to check out — good so far. Then it goes through AS18739 and AS10495, which are both Brazilian ASNs. Ok, still looks plausible, right? But then it exclusively goes through Ukrainian provider Hetman Soft (AS8434) and on to Russian fixed-line carrier RETN (AS9002). Routes along paths like these are only circulated to a limited set of mostly Russian carriers.
In the past year, we observed this entity announcing the following phony, yet plausible origins (it seems to have a preference for LACNIC resources):
||Plausible, but Phoney Origin
In case we needed additional confirmation of the location of where these routes were coming from, one could run traceroutes into this address space and get times and paths that were consistent with Ukraine, not Brazil. Such as 20ms from Moscow:
trace from Moscow, RU to 188.8.131.52
1 * 0.0
2 184.108.40.206 ReTN external interconnections Moscow Russia 0.478
3 220.127.116.11 ReTN's Backbone Kiev Ukraine 19.717
4 * 0.0
5 18.104.22.168 BR HOME SHOPPING LTDA Belo Horizonte Brazil 20.419
And 12ms from Minsk:
trace from Minsk, BY to 22.214.171.124
1 * 0.0
2 * 0.0
3 126.96.36.199 BELTELECOM Minsk Belarus 4.343
4 188.8.131.52 Republican Unitary Telecommunica Minsk Belarus 4.425
5 184.108.40.206 Republican Unitary Telecommunica Minsk Belarus 0.984
6 220.127.116.11 ReTN external interconnections Kiev Ukraine 12.405
7 18.104.22.168 ReTN's Backbone Kiev Ukraine 12.511
8 * 0.0
9 22.214.171.124 BR HOME SHOPPING LTDA Belo Horizonte Brazil 12.67
As of Friday last week, 126.96.36.199/19 (Brazil Home Shopping Ltd) was still being fraudulently announced out of Ukraine, although the AS path has changed slightly (AS41331 has taken the place of AS8434):
... 9002 41331 18739 10495 11295
The individuals involved in this type of activity can be quite brazen. Aside from having the audacity to announce the address space of the Brazilian Military (Centro Int. de Telemática do Exército) from the example above, earlier this year a new IP squatting operation began hijacking address space of APRICOT 2016, just weeks before the conference was set to begin. APRICOT is APNIC‘s technical conference which focuses on topics like routing security. We alerted the conference organizers, who were able to fend off the hijack by getting the perpetrator’s (AS260) upstream (GTT, AS3257) to drop the bad routes. Dyn’s Director of Infrastructure, Joe Abley then described the entire incident in a lightning talk at APRICOT 2016:
— Dyn Research (@DynResearch) February 24, 2016
Although GTT blocked the specific routes hijacking APRICOT 2016 IP space from its customer AS260 (Xconnect24), this entity continues to announce bogus routes via GTT out to parts of the Internet using bogus origins, just as it did with APRICOT.
Unfortunately, fighting this type of activity is difficult because the perpetrators are getting more advanced at hiding their activity from basic BGP analysis, but also because even when nefarious activity is identified and upstream providers are alerted, the fraudulent routes continue to be circulated. This is why we support the Internet Society‘s Mutually Agreed Norms for Routing Security (MANRS) project and recommend that companies monitor their IP address space (routed and unrouted) with tools like those found in Dyn’s Internet Intelligence family of products. For more information about this type of phenomenon, see last year’s coverage of our analysis in the Washington Post and the Wall Street Journal.