It’s a new year, but some things never change. In the past few days we have observed a spate of incidents of routing misbehavior including two man-in-the-middle routing hijacks conducted in the past couple of days by A2B Internet out of the Netherlands.
Beginning at 00:33:44 UTC on Thursday, 8 January, we began observing a routing hijack of IP address space normally announced by Mada Telecom (AS51047), a Palestinian ISP with presence in both Gaza and the West Bank. Beginning at that time, A2B Internet B.V. (AS51088) began announcing 220.127.116.11/24, which is a more-specific route of 18.104.22.168/23, normally announced by Mada.
Traceroutes directed to this address space are presently being re-directed to A2B Internet’s network in the Netherlands before continuing on to Palestine. For example:
trace from Cyberjava, Malaysia to Mada Telecom, PS on Jan 09, 2015
2 x.x.x.x (Cyberjaya, Malaysia) 3.442
3 22.214.171.124 (Extreme Broadband, Malaysia) 0.696
4 126.96.36.199 (Extreme Broadband, Malaysia) 1.222
5 188.8.131.52 global.hgc.com.hk 35.854
6 184.108.40.206 global.hgc.com.hk 36.742
7 220.127.116.11 (Hutchison, Singapore) 41.628
8 18.104.22.168 (Hutchison, Amsterdam) 190.787
9 22.214.171.124 (Tata, Amsterdam, NL) 213.494
10 126.96.36.199 (A2B Internet, NL) 200.990
11 188.8.131.52 (GTT, Amsterdam) 268.366
12 184.108.40.206 xe-5-0-1.edge3.Amsterdam.Level3.net 300.909
13 220.127.116.11 ae-236-3612.edge5.London1.Level3.net 268.586
14 18.104.22.168 ae-234-3610.edge5.london1.Level3.net 269.017
15 22.214.171.124 ADOBE-SYSTE.edge3.London15.Level3.net 362.157
16 126.96.36.199 (Mada Telecom, Palestine) 329.861
17 188.8.131.52 (Mada Telecom, Palestine) 408.753
The on-demand traceroute functionality in Dyn Internet Intelligence shows the redirection through A2B Internet. The view from Vienna is highlighted below:
Below is a topological view of our traceroutes going through A2B Internet en-route to Mada Telecom.
This isn’t the first MITM hijack we have observed involving AS51088 in the last couple of days. About two hours earlier starting at 22:23:09 UTC on 7 January, we observed AS51088 announce 184.108.40.206/21 – a network that hosts over 3,000 domains including IPs associated with Bitcoin.
Below is a sampling of our traceroutes from yesterday that were redirected through AS51088 en-route to SIT Internetdiensten (AS61044).
We’ve alerted the impacted parties and will update this blog if we receive any additional information.
As I noted in my September blog,
Regardless of the cause of each of these incidents, the problem is a very real and growing one. Perhaps documenting these incidents will promote a greater understanding of the extent and nature of the problems around the trust-based Internet routing system in global use today.
About the Author
Doug Madory is a Director of Internet Analysis at Dyn where he works on Internet infrastructure analysis projects. Doug has a special interest in mapping the logical Internet to the physical lines that connect it together, with a special interest on submarine cables.Follow on Twitter More Content by Doug Madory