Sunday, December 18, 2016

What lies behind the veil…



Preface: This article is solely for Security interests and research, nothing more. No political ideas or motivations shall be discussed herein.

Background/timeline information:
“On Friday October 21, 2016 from approximately 11:10 UTC to 13:20 UTC and then again from 15:50 UTC until 17:00 UTC, Dyn came under attack by two large and complex Distributed Denial of Service (DDoS) attacks against our Managed DNS infrastructure.” [1] [DYN website]

We all know about this DDoS attack; it has been discussed and analyzed by many, so this article will not address the attack itself. Instead I will discuss one of the events that was quietly going on in the background while it was underway.

As a security researcher I found the DDoS attack interesting, but I wanted to know whether anything else was happening at the same time, so I headed over to BGP Stream [2] to see how, or if, any BGP routes were affected during the attack. It did not take me long to notice something interesting. During the last part of the second attack on Dyn there was a set of events that caught my attention. It appears that during this window AS3267, the State Institute of Information Technologies and Telecommunications (SIIT&T Informika) [3], an AS controlled by the Russian Federation, was attempting to hijack routes belonging to several other ASes, announcing prefixes whose expected origin AS is another network, between 10/21/2016 17:08:25 (UTC) and 10/21/2016 17:08:51 (UTC). In fact all 42 events, against 22 different ASes, fell precisely in this window: every advertisement started at 17:08:25 (UTC) and every one of them was withdrawn by 17:08:51 (UTC), a total of 26 seconds.

26 seconds doesn't sound like a very long time, but for an AS a tremendous amount of data can be gathered in that brief window, provided the bogus routes actually propagate and win best-path selection in other networks, which is exactly the question the update at the end of this article addresses. It is also short enough not to cause any serious outage and, most likely, not to be noticed by many. I don't pretend to know why this occurred, only that it did, and during a time when much of the internet in the US was being affected by a larger-scale attack. I'm not much of a believer in coincidences, especially when it comes to internet networking, so to me this looked like some sort of test (pure speculation on my part).

Here is the breakdown, by country, of the ASes affected by these hijack attempts (count of affected ASes in parentheses):

Isle of Man (1)
United Kingdom (1)
Japan (1)
Slovakia (1)
Canada (2)
Ukraine (2)
Germany (2)
Netherlands (4)
United States (7)

As these numbers show, the events were not aimed solely at the US, even though the US was the most affected country. All of the affected ASes are listed at the end of this article for your own research; so far, on a preliminary look, I can't see a solid connection between the ASes that appear to have been targeted. Also interesting is that all 22 ASes were targeted twice in succession, during the exact same time period.
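The check behind the observation above (an AS announcing a prefix whose expected origin is someone else, all announcements clustered into one short burst) and the per-country breakdown can both be reproduced with a small script. The following is an added example, not code from the original post and not BGP Stream's own logic: the expected-origin ASNs and their countries are taken from the table at the end of the article, while the prefixes (documentation ranges), timestamps and AS paths are constructed for illustration, as are the collector-peer ASNs 64496 and 64497.

```python
"""Origin-mismatch detection and burst grouping over constructed BGP updates.

Added example. Compares the origin ASN at the end of each AS path with the
origin the prefix is expected to have, then groups the resulting events into
time bursts and summarizes each burst by the country of the expected origin.
Prefixes, timestamps and paths are constructed; only the expected origin ASNs
and countries come from the post's table.
"""
from collections import Counter
from datetime import datetime, timezone

# Expected origin per prefix (prefixes from the documentation ranges, assumed).
EXPECTED_ORIGIN = {
    "203.0.113.0/24": 16625,   # Akamai Technologies (United States), per the post
    "198.51.100.0/24": 2497,   # Internet Initiative Japan (Japan), per the post
    "192.0.2.0/24": 51167,     # Contabo GmbH (Germany), per the post
}
COUNTRY_OF_ASN = {16625: "United States", 2497: "Japan", 51167: "Germany"}

# Constructed updates as a collector might see them: (UTC time, prefix, AS path).
# 64496/64497 are documentation ASNs standing in for the collector's peers.
UPDATES = [
    ("2016-10-21T17:08:25Z", "203.0.113.0/24",  [64496, 3267]),
    ("2016-10-21T17:08:25Z", "198.51.100.0/24", [64496, 3267]),
    ("2016-10-21T17:08:26Z", "192.0.2.0/24",    [64497, 3267, 3267]),    # prepended origin
    ("2016-10-21T17:08:40Z", "203.0.113.0/24",  [64497, 64497, 16625]),  # legitimate path
    ("2016-10-21T17:08:51Z", "203.0.113.0/24",  [64496, 3267]),
    ("2016-10-21T18:30:00Z", "192.0.2.0/24",    [64496, 3267]),          # later, separate burst
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def origin_of(as_path):
    """The origin ASN is the last element; prepending repeats it but does not change it."""
    return as_path[-1]


def find_origin_mismatches(updates, expected=EXPECTED_ORIGIN):
    """Return (time, prefix, expected_asn, seen_asn) for every update whose origin
    differs from the expected one. A mismatch is a candidate hijack or leak, not
    proof: legitimately multi-origin prefixes trigger it too."""
    events = []
    for ts, prefix, path in updates:
        want = expected.get(prefix)
        seen = origin_of(path)
        if want is not None and seen != want:
            events.append((parse_ts(ts), prefix, want, seen))
    return events


def group_bursts(events, max_gap_seconds=60):
    """Split time-sorted events into bursts separated by more than max_gap_seconds."""
    bursts = []
    for ev in sorted(events, key=lambda e: e[0]):
        if bursts and (ev[0] - bursts[-1][-1][0]).total_seconds() <= max_gap_seconds:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    return bursts


def summarize_burst(burst, country_of=COUNTRY_OF_ASN):
    """Duration, offending origins and the affected expected-origin countries of one burst."""
    start, end = burst[0][0], burst[-1][0]
    return {
        "start": start.isoformat(),
        "end": end.isoformat(),
        "duration_s": (end - start).total_seconds(),
        "events": len(burst),
        "offending_origins": sorted({e[3] for e in burst}),
        "by_country": dict(Counter(country_of.get(e[2], "unknown") for e in burst)),
    }


if __name__ == "__main__":
    for b in group_bursts(find_origin_mismatches(UPDATES)):
        print(summarize_burst(b))
```

On the constructed input the first burst spans 17:08:25 to 17:08:51, the same 26-second window the article describes, with AS3267 as the only offending origin; the 18:30 event lands in its own burst because the 60-second gap threshold is exceeded. Tune that threshold to the feed: too small and one campaign fragments into many bursts, too large and unrelated mismatches merge.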

Conspiracy theories abound these days and I have no intention of getting involved in those discussions, but I do believe this information is relevant given the circumstances under which the events occurred. The inference is yours to make; I'm just reporting on the data collected.

All data collected from BGP Stream. Each row is one of the 22 ASes whose prefixes AS3267 announced; the expected origin AS is the legitimate origin BGP Stream recorded for the affected prefix.

Expected origin AS                        ASN      Country
Akamai Technologies, Inc.                 16625    United States
Akamai Technologies, Inc.                 35994    United States
Carolina Internet, Ltd.                   13618    United States
Contabo GmbH                              51167    Germany
CW Vodafone Group PLC                     1273     United Kingdom
FOP Smirnov V'yacheslav Valentunovuch     30860    Ukraine
Host Europe GmbH                          8972     Germany
Insitu, Inc                               27214    United States
Internet Initiative Japan Inc.            2497     Japan
LeaseWeb Netherlands B.V.                 60781    Netherlands
Lertas NET s.r.o.                         201924   Slovakia
Loco Digital LTD                          58277    Ukraine
Mohawk Internet Technologies              14537    Canada
Rackspace Hosting                         27357    United States
Rackspace Hosting                         33070    United States
Server Central Network                    23352    United States
Serverius Holding B.V.                    50673    Netherlands
Velcom                                    30407    Canada
Webhost Limited                           34738    Isle of Man
Webzilla B.V.                             35415    Netherlands
WIBO International s.r.o.                 59939    Netherlands


UPDATE: 12-19-16

@DynResearch responded with the following:

They explained that while the advertisements were leaked, they were restricted to the AS3267 customer cone, meaning that no one who wasn't already talking to AS3267 received the advertisements (see the tweets linked below).

https://twitter.com/DynResearch/status/810949500323905537

https://twitter.com/DynResearch/status/810949822471671809
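The tweets say the leaked advertisements stayed inside AS3267's customer cone; they do not say why. The following toy propagation model is an added example, not code or analysis from the original post or from Dyn. It assumes one mechanism that produces exactly that containment: the leaking AS's provider and peers validate each route's origin against a ROA-style table (RPKI route origin validation) and drop the mismatch, while the leaking AS's own customers do not validate. Export follows the usual valley-free rule (routes learned from a customer go to everyone, routes learned from a peer or provider go only to customers). The topology, the prefix and the documentation-range ASNs are hypothetical; 3267 and 16625 are placed in it only to mirror the post. Best-path selection is ignored, so each result is the set of ASes that receive the announcement at all, which is what "seen outside the cone" means.

```python
"""Toy valley-free propagation model showing customer-cone containment.

Added example with a hypothetical topology. Shows that an origin hijack by
3267 reaches every AS when nobody validates, but stays inside 3267's customer
cone when its provider and peers perform ROA-style origin validation.
"""
from collections import deque

# customer -> its providers (hypothetical topology; ASNs other than 3267 and
# 16625 are from the documentation range)
PROVIDERS_OF = {
    3267: {64496},
    64498: {3267},
    64499: {64498},
    64501: {64497},
    16625: {64497},
}
# undirected peering links (hypothetical)
PEERINGS = {(64496, 64497), (3267, 64501)}

# ROA-style expectation: the prefix is assumed, the origin ASN is from the post's table.
ROAS = {"203.0.113.0/24": 16625}


def customers_of(asn):
    return {c for c, provs in PROVIDERS_OF.items() if asn in provs}


def peers_of(asn):
    return {b for a, b in PEERINGS if a == asn} | {a for a, b in PEERINGS if b == asn}


def customer_cone(asn):
    """Every AS reachable from asn by walking provider->customer links."""
    cone, q = set(), deque([asn])
    while q:
        for c in customers_of(q.popleft()):
            if c not in cone:
                cone.add(c)
                q.append(c)
    return cone


def rov_valid(prefix, origin):
    """Accept if no ROA covers the prefix (state 'unknown') or the origin matches."""
    expected = ROAS.get(prefix)
    return expected is None or expected == origin


def propagate(prefix, origin, validating):
    """Return the set of ASes that accept an announcement of prefix from origin.
    ASes listed in `validating` drop any import that fails rov_valid."""
    reached = {origin}
    q = deque([(origin, "origin")])
    while q:
        asn, learned_via = q.popleft()
        # a customer always receives the route, and learns it from its provider
        targets = [(c, "provider") for c in customers_of(asn)]
        if learned_via in ("origin", "customer"):   # valley-free export rule
            targets += [(p, "peer") for p in peers_of(asn)]
            targets += [(p, "customer") for p in PROVIDERS_OF.get(asn, ())]
        for nxt, via in targets:
            if nxt in reached:
                continue
            if nxt in validating and not rov_valid(prefix, origin):
                continue   # dropped at import: ROA says another origin
            reached.add(nxt)
            q.append((nxt, via))
    return reached


ALL_ASES = set(PROVIDERS_OF) | {p for ps in PROVIDERS_OF.values() for p in ps}

if __name__ == "__main__":
    prefix = "203.0.113.0/24"
    print("no validation     :", sorted(propagate(prefix, 3267, set())))
    print("upstream+peer ROV :", sorted(propagate(prefix, 3267, {64496, 64497, 64501, 16625})))
    print("cone of 3267      :", sorted(customer_cone(3267)))
```

With validation at 64496, 64497, 64501 and 16625 the hijacked prefix is only installed by 3267 and its cone {64498, 64499}, while the legitimate announcement from 16625 still reaches every AS in the graph. The practical check this suggests for an operator reading the original post: whether the route collectors that saw the event sit inside the leaking AS's customer cone, since a monitor fed only from there cannot distinguish a contained leak from a global one.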


NOTE: Original data available on request. 




[1] http://hub.dyn.com/dyn-blog/dyn-analysis-summary-of-friday-october-21-attack
[2] https://bgpstream.com/
[3] http://bgp.he.net/AS3267