Background
Any organization connected to the Internet may become the victim of an IP hijack. Government agencies, critical infrastructure companies, financial organizations and other companies that provide external users with access to sensitive information are especially vulnerable.
In recent years, there have been reports of IP hijacks affecting nations and large companies. Among the companies that have suffered attacks are: Amazon, JPMorgan Chase & Co., Google, Bank of America, Twitter, Apple, HSBC Hong Kong, Yahoo!, and Time Warner Cable.
IP hijack attacks have become a commonly employed technique of hostile governments and criminal organizations. The attacker impersonates the victim on the Internet, which allows Internet traffic to be eavesdropped on, recorded and manipulated. The attacker can mount various man-in-the-middle attacks against the targeted organization and its users, even when strong encryption is used.
The Internet Infrastructure
The Internet consists of tens of thousands of independently managed, interconnected networks. Each of these networks is called an Autonomous System (AS), and is assigned a unique Autonomous System Number (ASN) to identify it.
Examples of ASNs are:
- AS174 – belongs to Cogent, a tier-1 Internet Service Provider (ISP)
- AS3300 – belongs to British Telecom, a tier-2 ISP
- AS8551 – belongs to Bezeq International, a local Israeli ISP
- AS25046 – belongs to Check Point Software, a leading cyber security company
- AS15169 – belongs to Google
The ‘glue’ holding the Internet together uses two protocols:
- the Internet Protocol (IP)
- the Border Gateway Protocol (BGP)
IP defines how information is exchanged between end systems at the network level, and requires that every device connected to the Internet (such as a computer or router) has a unique global address – the IP address. The source and destination IP addresses are placed in each packet of information sent, similar to the addresses on letters sent by mail.
IP addresses are assigned in blocks of consecutive numbers to Autonomous Systems (if the AS is an ISP, it assigns individual IP addresses to home customers, or chunks of an address block to business customers). Information packets propagate through the Internet individually. Each router in the network looks at the destination IP address in the packet and forwards it according to a forwarding table.
The forwarding tables are built with the Border Gateway Protocol (BGP), the Internet routing protocol. With BGP, each AS announces to its neighbors the IP address blocks that it owns. These announcements ripple through the network. If AS1 announces that it owns an IP block that actually is owned by network AS2 (due to an error or as a result of malicious intent), traffic from a portion of the Internet destined for AS2 will actually be routed to AS1. This is called a BGP hijack. The share of traffic diverted in this way depends on a variety of factors, but it can be very large.
BGP hijacks can be detected by listening to BGP announcements. In recent years, hundreds of malicious attacks have been detected on the Internet every month. To monitor the attacks, it is necessary to connect to an AS with a dedicated communication channel, which requires the approval of that AS. Since ASes are reluctant to let outside parties connect with a dedicated communication channel, only a small portion of the BGP announcements can be monitored, and many hijack events go unnoticed.
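The two preceding paragraphs describe the mechanism (a bogus announcement, and the router's forwarding lookup that acts on it) and the detection idea (comparing observed announcements with the prefixes each AS is known to own). The following Python example is added here to illustrate both; it is not code from the original document or from any vendor's monitoring product. The feed of announcements is constructed, using documentation IP ranges (RFC 5737) and the documentation ASN 64496 (RFC 5398) for the bogus origin, alongside ASNs from the list above; the expected-origin table and the alert types are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Expected legitimate origin AS per prefix. Constructed for this example:
# documentation IP ranges mapped to ASNs taken from the article's list.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 25046,   # assumed to be originated by AS25046
    "198.51.100.0/24": 15169,  # assumed to be originated by AS15169
}


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple  # AS path as seen by a collector; the origin AS is the last element


@dataclass(frozen=True)
class Alert:
    kind: str        # "origin-mismatch" (same prefix, wrong origin) or "more-specific"
    prefix: str      # the announced prefix that triggered the alert
    origin_as: int   # the AS that originated it
    covered: str     # the legitimate prefix it overlaps


def origin_of(ann):
    return ann.as_path[-1]


def check_announcement(ann, expected=EXPECTED_ORIGINS):
    """Compare one announcement against the table of expected origins."""
    net = ipaddress.ip_network(ann.prefix, strict=False)
    origin = origin_of(ann)
    alerts = []
    for legit_prefix, legit_asn in expected.items():
        legit = ipaddress.ip_network(legit_prefix)
        if net.version != legit.version:
            continue
        if net == legit:
            if origin != legit_asn:
                alerts.append(Alert("origin-mismatch", ann.prefix, origin, legit_prefix))
        elif net.subnet_of(legit) and origin != legit_asn:
            # A more-specific prefix wins longest-prefix matching, so it diverts
            # traffic even though the legitimate /24 announcement is still present.
            alerts.append(Alert("more-specific", ann.prefix, origin, legit_prefix))
    return alerts


def scan(announcements, expected=EXPECTED_ORIGINS):
    """Run the check over a whole feed and collect the alerts in feed order."""
    alerts = []
    for ann in announcements:
        alerts.extend(check_announcement(ann, expected))
    return alerts


def best_match(routing_table, dst):
    """Longest-prefix match, the lookup a router performs on the destination address."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for ann in routing_table:
        net = ipaddress.ip_network(ann.prefix, strict=False)
        if addr.version == net.version and addr in net and net.prefixlen > best_len:
            best, best_len = ann, net.prefixlen
    return best


# Constructed sample feed: two legitimate announcements, one announcement of the
# same prefix from the wrong origin, and one more-specific sub-prefix from the
# wrong origin. AS64496 is a documentation ASN standing in for the bogus origin.
SAMPLE_FEED = [
    Announcement("203.0.113.0/24", (174, 3300, 25046)),
    Announcement("198.51.100.0/24", (174, 15169)),
    Announcement("203.0.113.0/24", (174, 64496)),
    Announcement("198.51.100.0/25", (3300, 64496)),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FEED):
        print(f"{alert.kind}: {alert.prefix} from AS{alert.origin_as} overlaps {alert.covered}")
    # With the /25 present, a router forwards 198.51.100.5 toward AS64496,
    # while 198.51.100.200 still follows the legitimate /24.
    for dst in ("198.51.100.5", "198.51.100.200"):
        print(dst, "->", "AS%d" % origin_of(best_match(SAMPLE_FEED, dst)))
```

The lookup in `best_match` is why the more-specific case matters: the legitimate /24 never disappears from the routing table, yet half of its address space is forwarded toward the bogus origin. A real monitor would take its expected-origin table from an authoritative source rather than a hard-coded dictionary, and would see only the announcements visible from the collectors it is connected to, which is exactly the coverage limitation the paragraph above describes.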
It is difficult for an attacker to know which BGP hijack attacks will be noticed by today’s monitoring systems. The attacker must assume that his attack will be noticed, so he will keep his hijack attack very short – probably no more than a few hours. This is enough time to create significant damage to the attacked network, but may not be suitable for cases when there is a need for a long-lasting attack.
To make their attacks stealthier, attackers have started using data-plane hijack attacks. Instead of using the BGP protocol to divert packets towards the attacker, the attacker directly changes the forwarding table in the relevant routers along the path. Gaining access to ISP routers can be accomplished in one of several ways:
- Running a penetration attack on the routers
- Gaining the router password from an inside collaborator
- Using backdoors in routers
This is called an IP hijack attack. “IP hijack attack” is also misleadingly used as a generic term for many different kinds of IP address hijacks, regardless of the technique: data-plane, BGP, or DNS. It is very hard to detect IP hijack attacks without a sophisticated monitoring system and only a few such attacks have been exposed publicly. However, there is clear evidence that such attacks are used.
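Because a data-plane hijack leaves the BGP announcements untouched, it is invisible to the announcement monitor above; what changes is the path packets actually take. The following Python example is added to show the complementary check a defender can run: comparing the AS-level path observed from several vantage points against a known-good baseline. It is not code from the original document or from any monitoring product. The vantage point names, the baseline sets and the observed paths are all constructed for the example (the ASNs come from the article's list, with the documentation ASN 64496 standing in for an unexpected network), and the alert categories are assumptions.

```python
from dataclasses import dataclass

# Baseline: for each vantage point, the set of ASes seen on the forwarding path to
# the protected network during a known-good period. Constructed for this example.
BASELINE = {
    "vantage-london": {3300, 174, 25046},
    "vantage-telaviv": {8551, 174, 25046},
}
DESTINATION_AS = 25046  # the protected network (AS25046 from the article's list)


@dataclass(frozen=True)
class PathObservation:
    vantage: str
    as_hops: tuple  # ASNs in forwarding order; None marks a hop that could not be mapped


@dataclass(frozen=True)
class PathAlert:
    vantage: str
    reason: str   # "no-baseline", "unexpected-transit-as" or "wrong-terminating-as"
    detail: tuple


def check_path(obs, baseline=BASELINE, dest_as=DESTINATION_AS):
    """Flag a single observed path that deviates from the vantage point's baseline."""
    known = baseline.get(obs.vantage)
    if known is None:
        return [PathAlert(obs.vantage, "no-baseline", ())]
    resolved = tuple(h for h in obs.as_hops if h is not None)
    alerts = []
    unexpected = tuple(h for h in resolved if h not in known)
    if unexpected:
        # Traffic may still reach the destination (a man-in-the-middle keeps the
        # connection working), so a path that ends correctly can still be hijacked.
        alerts.append(PathAlert(obs.vantage, "unexpected-transit-as", unexpected))
    if not resolved or resolved[-1] != dest_as:
        alerts.append(PathAlert(obs.vantage, "wrong-terminating-as", resolved[-1:]))
    return alerts


def scan_paths(observations, baseline=BASELINE, dest_as=DESTINATION_AS):
    """Check every observation; returns alerts grouped in observation order."""
    alerts = []
    for obs in observations:
        alerts.extend(check_path(obs, baseline, dest_as))
    return alerts


# Constructed observations for one measurement round. Only the second vantage point
# sees the detour, which mirrors the local, vantage-dependent nature of such attacks.
SAMPLE_OBSERVATIONS = [
    PathObservation("vantage-london", (3300, 174, 25046)),
    PathObservation("vantage-telaviv", (8551, 174, 64496, 25046)),
]

if __name__ == "__main__":
    for alert in scan_paths(SAMPLE_OBSERVATIONS):
        print(f"{alert.vantage}: {alert.reason} {alert.detail}")
```

The check depends on having more than one vantage point: a hijack that only affects traffic from one region shows up as a deviation at that vantage while the others report normal paths, so a single probe from inside the organization can miss it entirely. Mapping hops to ASNs, keeping the baseline current as legitimate routing changes, and handling hops that do not respond are where real deployments spend most of their effort.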
Hijack attacks expose an organization’s network to potentially unlimited damage:
- Man-in-the-middle attacks can penetrate the organization’s firewall. This gives the malicious attacker access to the organization’s network for stealing valuable data, planting Trojan files, and corrupting valuable data.
- Impersonation attacks allow the malicious attacker to harvest passwords of the company’s web site users.
- Attacks can disconnect part of the company’s network from the Internet; take the company website offline; prevent company employees from remotely logging in to services; disrupt control loops; etc.
In addition, an attacker can hijack the IP address of a company’s service provider and spy on its intellectual property. This may include:
- Mail server traffic
- VoIP and conference call traffic
- Backup traffic
Even seemingly benign traffic such as web searches can expose the company’s future interests and technology directions.
One challenge in identifying attacks is that they may be quite local in their effect: the hijack may affect only users coming from a distinct set of networks while users from other networks are not affected. Identifying such attacks and taking corrective action to fight them is not trivial.