Re: Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet

[Jared Mauch <jared () puck nether net>]

On Dec 6, 2013, at 2:57 PM, Stephane Bortzmeyer <bortzmeyer () nic fr> wrote:

> On Fri, Dec 06, 2013 at 01:05:54PM -0500,
> Jared Mauch <jared () puck nether net> wrote 
> a message of 36 lines which said:
>
> > I've detected 11.6 million of these events since 2008 just looking at the
> > route-views data.  Most recently the past two days 701 has done a large MITM of
> > traffic.
>
> The big novelty in the Renesys paper is the proof (with traceroute)
> that there was a return path, something which did not exist in the
> famous Pakistan Telecom case, or in most (all?) other BGP
> hijackings. This return path allows to attacker to really get access
> to the data with little chance of the victim noticing. That's
> something new.

I've been sending the traceroutes to networks for years to get them to clean up their acts.  I guess the lesson is 
publish often?

Folks can see the prefixes involved here:

http://puck.nether.net/bgp/leakinfo.cgi

The ASN search works best.  I'll work on optimizing the prefix stuff as it's not returning "promptly".

- Jared