How much would it matter to you if all of a sudden your company’s Internet traffic started going somewhere else? Maybe to your competitor, a criminal organization, or a foreign government? Sound bad?
In my last article, “The Great Network Forgery,” I explained how the Internet infrastructure industry allows mass forgery of IP addresses. That digital identity theft allows botnets to exist, and the consequences plague us all. Well, there’s another, grander sort of identity theft that the Internet also allows: theft of an entire organization’s Internet traffic.
How and why it happens
Consider the IP address on your laptop. It’s handed to your laptop, out of a block of addresses, by your company’s network devices. Your company’s ISP announces that block of addresses (a ‘route’) to the networks of the 60,000 telecom, enterprise, government, and education organizations that connect in a hierarchical mesh of routers and fiber, and *are* the Internet.
Each of those 60K Internet node organizations has a unique identifier called an “Autonomous System Number” (ASN), and uses the Internet standard Border Gateway Protocol (BGP) to announce routes to the rest of the Internet.
What happens when someone accidentally misconfigures one of their routers to announce another company’s routes? The victim company’s Internet traffic can become “black-holed.” This actually happens on a regular basis. Sometimes whole countries at the periphery of the Internet are taken offline accidentally.
And this has happened since the early days of the commercial Internet. The reason: there is no authoritative list of who is allowed to announce which Internet routes.
What if it’s not a mistake?
If you’re someone like me who personally owns an ASN and announces routes from your house, you could theoretically steal the traffic from a corporate network by announcing or ‘hijacking’ that network’s routes with malice, or accidentally with a typo.
Route hijacking can form one basis for what’s called a “man in the middle” attack. That ill-gotten traffic flows into the attacker’s network, and then they can create traffic “tunnels” to remote ISP(s) so that it keeps flowing to and fro on the Internet. Then, it’s technically feasible to set up servers to insinuate themselves into every email, and hack into traffic sessions — even, in some cases, secure HTTP. Or, to proxy email with a server that refuses to accept encrypted communication sessions.
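Since the problem described above (no authoritative list of who may announce which routes, whether the announcement is a typo or a hijack) is one an operator can at least detect for their own prefixes, here is an added example, not from the article, of a small origin check in Python. It assumes a locally maintained table of which origin ASN may announce each prefix and up to what prefix length (in the spirit of RPKI route origin authorizations); the ASNs, prefixes and sample update lines are all constructed.

```python
import ipaddress

# Constructed authorization table (assumed, not a real registry):
# prefix -> (authorized origin ASN, maximum announced prefix length)
AUTHORIZED = {
    "192.0.2.0/24": (64500, 24),
    "198.51.100.0/24": (64501, 25),
}

# Constructed BGP UPDATE summaries: "<prefix> <AS_PATH ...>"; the origin
# ASN is the rightmost AS in the path, as in a real AS_PATH attribute.
SAMPLE_UPDATES = """\
192.0.2.0/24 64510 64500
198.51.100.128/25 64530 64501
192.0.2.0/24 64510 64999
192.0.2.128/25 64510 64500
203.0.113.0/24 64502
"""

def classify_announcement(prefix: str, origin_asn: int, authorized=AUTHORIZED) -> str:
    """Return 'valid', 'invalid-origin', 'invalid-length' or 'unknown'."""
    net = ipaddress.ip_network(prefix)
    # Every authorization entry that covers the announced prefix
    covering = [(asn, maxlen) for p, (asn, maxlen) in authorized.items()
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "unknown"          # nothing on record; cannot judge
    if any(asn == origin_asn and net.prefixlen <= maxlen for asn, maxlen in covering):
        return "valid"
    if any(asn == origin_asn for asn, _ in covering):
        return "invalid-length"   # right origin, but a too-specific (leaked) route
    return "invalid-origin"       # another ASN is claiming the prefix: hijack or typo

def parse_update(line: str):
    prefix, *path = line.split()
    return prefix, [int(asn) for asn in path]

def audit(text: str):
    """Classify each sample update; returns (prefix, origin ASN, verdict) tuples."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        prefix, path = parse_update(line)
        results.append((prefix, path[-1], classify_announcement(prefix, path[-1])))
    return results

if __name__ == "__main__":
    for prefix, origin, verdict in audit(SAMPLE_UPDATES):
        print(f"{prefix:<20} origin AS{origin:<6} {verdict}")
```

The third and fourth sample lines are the two cases the article describes: a foreign ASN originating someone else's prefix, and a more-specific announcement that would win the route even though it comes from the legitimate origin.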