Net monitors: Massive amounts of data redirected in "man in the middle" attacks

Enormous amounts of data have been hijacked using so-called 'man in the middle' (MITM) attacks, including data from governments and banks, according to Internet-monitoring company Renesys.

The attacks, which involve "targeted Internet traffic misdirection," see Internet traffic redirected remotely through an attacker's servers, allowing data in transit to be observed or even changed, before reaching its intended recipient.

Renesys claimed that it had seen traffic intended to travel only the short distance across one US city get redirected halfway around the world before arriving at its destination. The redirect results in a slight delay, but not usually enough to arouse the suspicions of the hijacked party.

The Internet monitors have observed such attacks taking place on more than 60 days this year, according to the company's recently released report.

"About 1,500 individual IP blocks have been hijacked," Renesys reported, "in events lasting from minutes to days, by attackers working from various countries."

Renesys released a map showing the locations around the world of the 150 cities in which the route hijacking attacks had been observed. The targeted cities were overwhelmingly within the United States.

The victims have been diverse: financial institutions, Voice over IP (VoIP) providers like Skype, and world governments have been "prominent targets."

The companies that have had their data hijacked have been informed, according to the report.

Renesys revealed that some of the biggest attacks this year involved traffic being redirected to Internet companies in Belarus and Iceland. One Icelandic Internet service provider (ISP) claimed that the reroutes had been the result of a software bug, and that the attacks were not malicious.

However, the Belarusian company has declined to comment.

One particularly heinous example saw traffic from Guadalajara, Mexico reach Washington, DC after being erroneously and secretly routed through Belarus and Russia.

"These facts are not in doubt," Renesys wrote. "They are well-supported by the data. What's not known is the exact mechanism, motivation, or actors."

The company concluded that man in the middle route hijacking attacks have now "moved from a theoretical concern to something that happens fairly regularly," adding that the "potential for traffic interception is very real."

"Everyone on the Internet," Renesys warned, "certainly the largest global carriers, certainly any bank or credit card processing company or government agency — should now be monitoring the global routing of their advertised IP prefixes."
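The monitoring Renesys recommends boils down to comparing what the global routing table says about your prefixes with what you expect it to say. The following is an added example, not Renesys code and not anything from the report; it uses constructed documentation prefixes and ASNs and a hypothetical expectation table. It classifies a stream of observed BGP announcements and flags the three patterns the article describes: a prefix originated by the wrong AS, a more-specific prefix that draws traffic away, and the "man in the middle" case where the origin looks right but the path passes through an unexpected transit AS before the traffic reaches its intended destination.

```python
"""Minimal BGP prefix monitor (added example; not Renesys's tooling).

Announcements are modelled as (prefix, AS path) with the observer's side of
the path first and the origin AS last, as in a BGP UPDATE's AS_PATH.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: Tuple[int, ...]  # observer-side first, origin AS last


@dataclass(frozen=True)
class Expectation:
    origins: Set[int]    # ASNs allowed to originate the prefix
    upstreams: Set[int]  # transit ASNs expected directly in front of the origin


# Hypothetical expectation table (constructed): RFC 5737 prefixes, documentation ASNs.
EXPECTED: Dict[str, Expectation] = {
    "192.0.2.0/24": Expectation(origins={64500}, upstreams={64501, 64502}),
    "198.51.100.0/22": Expectation(origins={64503}, upstreams={64501}),
}


def _collapse(path: Tuple[int, ...]) -> List[int]:
    """Remove consecutive duplicates so AS-path prepending does not hide the real upstream."""
    out: List[int] = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def _covering(prefix: str, expected: Dict[str, Expectation]) -> Optional[str]:
    """Return the most specific monitored prefix that contains `prefix`, if any."""
    net = ipaddress.ip_network(prefix, strict=True)
    best: Optional[str] = None
    for cand in expected:
        cnet = ipaddress.ip_network(cand)
        if net.version == cnet.version and net.subnet_of(cnet):
            if best is None or cnet.prefixlen > ipaddress.ip_network(best).prefixlen:
                best = cand
    return best


def classify(ann: Announcement, expected: Dict[str, Expectation] = EXPECTED) -> Tuple[str, str]:
    """Classify one announcement as ok / not-monitored / one of several hijack patterns."""
    path = _collapse(ann.as_path)
    if not path:
        return "invalid", "empty AS path"
    origin = path[-1]
    upstream = path[-2] if len(path) >= 2 else None

    covering = _covering(ann.prefix, expected)
    if covering is None:
        return "not-monitored", f"{ann.prefix} is not covered by any monitored prefix"
    exp = expected[covering]
    more_specific = covering != ann.prefix

    # Pattern 1/2: wrong origin, either for the exact prefix or for a more-specific cut-out.
    if origin not in exp.origins:
        kind = "more-specific-hijack" if more_specific else "origin-hijack"
        return kind, f"{ann.prefix} originated by AS{origin}, expected {sorted(exp.origins)}"

    # A more-specific we did not plan to announce deserves a look even with the right origin.
    if more_specific:
        return "unexpected-more-specific", f"{ann.prefix} is a more specific of {covering}"

    # Pattern 3: origin is correct but traffic transits an AS we never expected (MITM shape).
    if upstream is not None and upstream not in exp.upstreams:
        return "unexpected-upstream", f"{ann.prefix} reached via AS{upstream}, expected {sorted(exp.upstreams)}"

    return "ok", f"{ann.prefix} via AS{upstream} from AS{origin}"


def scan(announcements: List[Announcement], expected: Dict[str, Expectation] = EXPECTED) -> List[Tuple[str, str, str]]:
    """Return (prefix, verdict, detail) for every announcement that is not 'ok'."""
    findings = []
    for ann in announcements:
        verdict, detail = classify(ann, expected)
        if verdict != "ok":
            findings.append((ann.prefix, verdict, detail))
    return findings


# Constructed sample feed: one clean announcement and five anomalies.
SAMPLE = [
    Announcement("192.0.2.0/24", (64510, 64502, 64500, 64500)),  # prepended origin, still fine
    Announcement("192.0.2.0/24", (64510, 64666, 64500)),         # right origin, wrong transit
    Announcement("192.0.2.128/25", (64510, 64666)),              # more-specific from a stranger
    Announcement("198.51.100.0/22", (64510, 64666)),             # exact prefix, wrong origin
    Announcement("198.51.100.0/24", (64510, 64501, 64503)),      # our origin, unplanned cut-out
    Announcement("203.0.113.0/24", (64510, 64666)),              # not ours to watch
]

if __name__ == "__main__":
    for prefix, verdict, detail in scan(SAMPLE):
        print(f"{verdict:24} {detail}")
```

The expectation table is the part that needs care in practice: it should be built from your own route registry and RPKI ROA data and refreshed whenever you change providers, because an out-of-date `upstreams` set produces the same alert as a real redirect. The "unexpected-upstream" check is deliberately separate from the origin checks, since an interception that forwards traffic on to the real origin leaves the origin AS intact and is only visible in the path.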

Top image: Flickr (davnull)