Preface:
This article is solely for Security interests and research, nothing more. No
political ideas or motivations shall be discussed herein.
Background/timeline information:
“On Friday October 21, 2016 from approximately
11:10 UTC to 13:20 UTC and then again from 15:50 UTC until 17:00 UTC, Dyn came
under attack by two large and complex Distributed Denial of Service (DDoS)
attacks against our Managed DNS infrastructure.” [1] [DYN website]
We all know about this DDoS attack, and it has been discussed and analyzed by
many, so this article will not address that attack; rather, I will discuss one
of the events that was quietly going on in the background while it was under way.
As a security researcher, I found the DDoS attack interesting, but I wanted to
know whether any other events were happening at the same time, so I headed over
to BGP Stream [2] to see how, or if, any BGP routes were being affected by the
attack. It did not take me very long to notice something interesting. During the
last part of the second attack on Dyn, a set of events caught my attention. It
appears that during this time AS3267, State Institute of Information Technologies
and Telecommunications (SIIT&T Informika) [3], controlled by the Russian
Federation, was attempting to hijack prefixes originated by several other ASes
between 10/21/2016 17:08:25 (UTC) and 10/21/2016 17:08:51 (UTC). In fact, all 42
events, against 22 different ASes, occurred precisely within this window, with the
advertisements starting at 17:08:25 (UTC) and all of them ending at 17:08:51
(UTC), a total of 26 seconds.
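The kind of check described above (comparing the origin AS seen at route collectors against the AS that is supposed to originate each prefix, and timing how long the bogus announcements stay visible) can be reproduced offline. The following is an added example written for this article, not code from BGP Stream or from the author; the record layout, the RFC 5737/3849 documentation prefixes, the collector names and the peer ASNs are all assumptions, and the feed lines are constructed. Only the expected-origin ASNs are taken from the table later in this article.

```python
"""Origin-AS hijack detection over a small constructed route-collector feed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Expected origin per monitored prefix, as a monitoring service would derive from
# routing history or ROAs. ASNs come from the article's table; the prefixes are
# documentation ranges standing in for real ones (assumption for this example).
EXPECTED_ORIGIN = {
    "203.0.113.0/24": 16625,  # Akamai Technologies, Inc.
    "198.51.100.0/24": 2497,  # Internet Initiative Japan Inc.
    "192.0.2.0/24": 13618,    # Carolina Internet, Ltd.
}

# Constructed sample feed, not real collector data. Record layout is an assumption:
# type|unix_ts|collector|peer_asn|prefix|as_path  (A = announce, W = withdraw,
# empty as_path). Timestamps sit in the 17:08:25-17:08:51 UTC window above.
SAMPLE_FEED = """\
A|1477000000|rrc00|3257|203.0.113.0/24|3257 16625
A|1477000000|rrc00|3257|198.51.100.0/24|3257 2497
A|1477000000|route-views2|1299|192.0.2.0/24|1299 13618
A|1477069705|rrc00|3257|203.0.113.0/24|3257 174 3267
A|1477069705|route-views2|1299|203.0.113.0/24|1299 174 3267
A|1477069706|rrc00|3257|198.51.100.0/24|3257 174 3267
A|1477069707|route-views2|1299|192.0.2.0/24|1299 174 3267 3267
A|1477069710|rrc00|3257|2001:db8::/32|3257 3267
A|1477069731|rrc00|3257|203.0.113.0/24|3257 16625
W|1477069731|route-views2|1299|203.0.113.0/24|
A|1477069731|rrc00|3257|198.51.100.0/24|3257 2497
"""


@dataclass
class Update:
    kind: str        # "A" or "W"
    ts: int
    collector: str
    peer_asn: int
    prefix: str
    path: list       # ASNs left to right; empty for withdrawals


def parse_feed(text: str) -> list:
    updates = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, ts, collector, peer, prefix, path = line.split("|")
        if "{" in path:
            # AS_SET origins ("{64496,64497}") are deprecated (RFC 6472); skip
            # rather than guess which member is the origin.
            continue
        updates.append(Update(kind, int(ts), collector, int(peer), prefix,
                              [int(a) for a in path.split()]))
    return updates


@dataclass
class HijackEvent:
    prefix: str
    expected_origin: int
    observed_origin: int
    first_seen: int
    last_seen: Optional[int] = None                # None while any peer still holds it
    peers: set = field(default_factory=set)        # collector peers that saw the bogus origin
    propagators: set = field(default_factory=set)  # ASes directly upstream of the bogus origin
    holding: set = field(default_factory=set, repr=False)

    def duration(self) -> Optional[int]:
        return None if self.last_seen is None else self.last_seen - self.first_seen


def detect_origin_hijacks(updates, expected=EXPECTED_ORIGIN):
    """Events keyed by (prefix, bogus origin): open at first sighting, closed once
    every peer that held the bogus route has withdrawn or replaced it."""
    events = {}
    for u in sorted(updates, key=lambda x: x.ts):
        exp = expected.get(u.prefix)
        if exp is None:
            continue  # unmonitored prefix: the suspect AS may legitimately originate its own space
        origin = u.path[-1] if u.kind == "A" else None
        # Any update replaces this peer's previous route for the prefix, so release
        # the peer from every event on the prefix that this update does not confirm.
        for (pfx, bogus), ev in events.items():
            if pfx == u.prefix and bogus != origin and u.peer_asn in ev.holding:
                ev.holding.discard(u.peer_asn)
                if not ev.holding:
                    ev.last_seen = u.ts
        if origin is None or origin == exp:
            continue
        ev = events.setdefault((u.prefix, origin), HijackEvent(u.prefix, exp, origin, u.ts))
        ev.peers.add(u.peer_asn)
        ev.holding.add(u.peer_asn)
        ev.last_seen = None
        # Drop origin prepends, then record the AS that accepted the route from the
        # origin; a small, stable set of propagators suggests the route stayed close.
        upstream = [a for a in u.path if a != origin]
        if upstream:
            ev.propagators.add(upstream[-1])
    return sorted(events.values(), key=lambda e: (e.first_seen, e.prefix))


def summarize_by_origin(events):
    """Per bogus origin: event count, overall window, number still open, peers reached."""
    out = {}
    for ev in events:
        s = out.setdefault(ev.observed_origin, {"events": 0, "start": ev.first_seen,
                                                "end": ev.first_seen, "open": 0, "peers": set()})
        s["events"] += 1
        s["start"] = min(s["start"], ev.first_seen)
        if ev.last_seen is None:
            s["open"] += 1
        else:
            s["end"] = max(s["end"], ev.last_seen)
        s["peers"] |= ev.peers
    return out


def fmt(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    found = detect_origin_hijacks(parse_feed(SAMPLE_FEED))
    for ev in found:
        end = fmt(ev.last_seen) if ev.last_seen is not None else "still open"
        print(f"{ev.prefix:16} expected AS{ev.expected_origin:<6} seen from AS{ev.observed_origin:<6}"
              f" {fmt(ev.first_seen)} -> {end} ({ev.duration()}s)"
              f" peers={sorted(ev.peers)} via={sorted(ev.propagators)}")
    for asn, s in summarize_by_origin(found).items():
        print(f"AS{asn}: {s['events']} events, {fmt(s['start'])} -> {fmt(s['end'])},"
              f" {s['open']} still open, seen by {len(s['peers'])} collector peers")
```

Two details matter in practice. The expected-origin table is what turns an announcement into an alert: the `2001:db8::/32` line from the same AS is ignored because nothing says that space belongs to someone else. And counting which collector peers saw the bogus route, and through which upstream, is the cheapest way to judge how far an announcement spread; a route visible only from a handful of peers via one propagator looks very different from one seen at every collector.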
Twenty-six seconds doesn't sound like a very long time, but for an AS a
tremendous amount of data can be gathered in that brief time. It's also short
enough not to cause any serious outages and, most likely, not to be noticed by
many. I don't pretend to know why this occurred, only that it did, and during a
time when much of the internet in the US was being affected by a larger-scale
attack. I'm not much of a believer in coincidences, especially when it comes to
internet networking, so in my mind this seemed to be some sort of test. (Pure
speculation on my part.)
Here is the breakdown, by country, of the ASes affected by these hijack attempts:
Isle of Man (1)
United Kingdom (1)
Japan (1)
Slovakia (1)
Canada (2)
Ukraine (2)
Germany (2)
Netherlands (4)
United States (7)
As you can see from these stats, these events were not targeted solely at the US,
even though the US was the most-targeted country. I will provide all of the
affected ASes at the end of this article for your own research, but so far as I
can see, preliminarily, there isn't a solid connection between all of the ASes
that appear to have been targeted. Also interesting is the fact that all 22 ASes
were targeted twice in succession, all during the exact same time period.
Conspiracy theories abound these days and I have no intention of getting involved
in those discussions, but I do believe that this information is relevant because
of the circumstances under which the events occurred. The inferences are yours to
make; I'm just reporting on the data collected.
All data collected from BGP Stream:

Affected AS (Expected Origin AS)                        | Country
--------------------------------------------------------|--------
Akamai Technologies, Inc. (AS 16625)                    | USA
Akamai Technologies, Inc. (AS 35994)                    | USA
Carolina Internet, Ltd. (AS 13618)                      | USA
Contabo GmbH (AS 51167)                                 | GER
CW Vodafone Group PLC (AS 1273)                         | UK
FOP Smirnov V'yacheslav Valentunovuch (AS 30860)        | UKR
Host Europe GmbH (AS 8972)                              | GER
Insitu, Inc (AS 27214)                                  | USA
Internet Initiative Japan Inc. (AS 2497)                | JAP
LeaseWeb Netherlands B.V. (AS 60781)                    | NED
Lertas NET s.r.o. (AS 201924)                           | SLO
Loco Digital LTD (AS 58277)                             | UKR
Mohawk Internet Technologies (AS 14537)                 | CAN
Rackspace Hosting (AS 27357)                            | USA
Rackspace Hosting (AS 33070)                            | USA
Server Central Network (AS 23352)                       | USA
Serverius Holding B.V. (AS 50673)                       | NED
Velcom (AS 30407)                                       | CAN
Webhost Limited (AS 34738)                              | IOM
Webzilla B.V. (AS 35415)                                | NED
WIBO International s.r.o. (AS 59939)                    | NED
UPDATE: 12-19-16
@DynResearch responded with the following, explaining that while the
advertisements were leaked, they were restricted to the AS3267 customer cone,
meaning no one who wasn't already talking to AS3267 received the advertisements
(see the links below for the tweets):
https://twitter.com/DynResearch/status/810949500323905537
https://twitter.com/DynResearch/status/810949822471671809
NOTE: Original data available on request.