
This is bad if true, but there aren't any technical details concerning the nature of the attack or how they discovered it.

Is it possible to claim that you are 8.8.8.8 from within Turkey using some sort of BGP wizardry?



Yes, but it isn't wizardry. Given the right kind of access, it's actually pretty easy. Take a look at http://www.bortzmeyer.org/dns-routing-hijack-turkey.html for more technical details.



Looks like this is actually being done through IGP: http://www.bortzmeyer.org/dns-routing-hijack-turkey.html


Yep, and it would appear that's what they're doing:

  A:34_acibadem_lg# ping 8.8.4.4 source 195.175.239.100
  64 bytes from 8.8.4.4: icmp_seq=1 ttl=250 time=6.58ms.
  64 bytes from 8.8.4.4: icmp_seq=2 ttl=250 time=6.55ms.
  64 bytes from 8.8.4.4: icmp_seq=3 ttl=250 time=6.52ms.
  64 bytes from 8.8.4.4: icmp_seq=4 ttl=250 time=6.93ms.
  64 bytes from 8.8.4.4: icmp_seq=5 ttl=250 time=6.57ms.

  ---- 8.8.4.4 PING Statistics ----
  5 packets transmitted, 5 packets received, 0.00% packet loss
  round-trip min = 6.52ms, avg = 6.63ms, max = 6.93ms, stddev = 0.154ms


  A:34_acibadem_lg# ping 8.8.8.8 source 195.175.239.100
  PING 8.8.8.8 56 data bytes
  64 bytes from 8.8.8.8: icmp_seq=1 ttl=250 time=6.58ms.
  64 bytes from 8.8.8.8: icmp_seq=2 ttl=250 time=6.51ms.
  64 bytes from 8.8.8.8: icmp_seq=3 ttl=250 time=6.54ms.
  64 bytes from 8.8.8.8: icmp_seq=4 ttl=250 time=6.52ms.
  64 bytes from 8.8.8.8: icmp_seq=5 ttl=250 time=6.51ms.

  ---- 8.8.8.8 PING Statistics ----
  5 packets transmitted, 5 packets received, 0.00% packet loss
  round-trip min = 6.51ms, avg = 6.53ms, max = 6.58ms, stddev = 0.044ms


  A:34_acibadem_lg# traceroute 8.8.4.4 source 195.175.239.100
  traceroute to 8.8.4.4 from 195.175.239.100, 30 hops max, 40 byte packets
  1 acbdm-2-1-acbdm-bgp-1.turktelekom.com.tr (212.156.120.49) 7.03 ms 3.57 ms 10.3 ms
  2 0.0.0.0 * * *
  3 195.175.166.207.static.turktelekom.com.tr (195.175.166.207) 10.3 ms 9.31 ms 12.0 ms
  4 cagis-ess1-t4-1-balikesir-t3-2.turktelekom.com.tr.252.156.212.in-addr.arpa (212.156.252.89) 10.4 ms 18.9 ms 12.6 ms
  5 ulus-t3-4-ulus-t2-1.turktelekom.com.tr.203.212.81.in-addr.arpa (81.212.203.78) 11.2 ms 10.8 ms 29.7 ms
  6 0.0.0.0 * * * 
  7 0.0.0.0 * * *
  ...
On a side note, it looks like TT does very little, if any, filtering of announcements they receive from peers so it'd be pretty trivial for one of their peers to do BGP hijacking. :/

Added: Interestingly enough, if I ask TT's LG for the routes it has for 8.8.4.0/24 or 8.8.8.0/24, it throws an error ("Please enter a valid IPv4/IPv6 address!"). I get the same result if I ask for a subnet that doesn't exist in BGP. That makes me guess that they're filtering out the routes from their peers.
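One way to turn the observations above (a reply TTL of 250, a ~6.5 ms RTT, and a path that never leaves the operator's own hostnames) into a detection check. This is an added example, not code from the thread; the samples are copies of the output quoted above, and the baseline RTT and hop count it compares against are assumed to come from an earlier known-good measurement.

```python
import re
from dataclasses import dataclass

# Constructed sample: the echo replies for 8.8.8.8 quoted from the TT looking glass.
PING_8888 = """\
64 bytes from 8.8.8.8: icmp_seq=1 ttl=250 time=6.58ms.
64 bytes from 8.8.8.8: icmp_seq=2 ttl=250 time=6.51ms.
64 bytes from 8.8.8.8: icmp_seq=3 ttl=250 time=6.54ms.
64 bytes from 8.8.8.8: icmp_seq=4 ttl=250 time=6.52ms.
64 bytes from 8.8.8.8: icmp_seq=5 ttl=250 time=6.51ms.
"""
# Constructed sample: the first hops of the traceroute quoted above.
TRACE_8844 = """\
1 acbdm-2-1-acbdm-bgp-1.turktelekom.com.tr (212.156.120.49) 7.03 ms 3.57 ms 10.3 ms
2 0.0.0.0 * * *
3 195.175.166.207.static.turktelekom.com.tr (195.175.166.207) 10.3 ms 9.31 ms 12.0 ms
"""
REPLY_RE = re.compile(r"ttl=(\d+)\s+time=([\d.]+)\s*ms")
HOP_RE = re.compile(r"^\s*\d+\s+(\S+)", re.M)

@dataclass
class PingSummary:
    hops: int          # distance to the replying host, inferred from the reply TTL
    avg_rtt_ms: float

def initial_ttl(ttl: int) -> int:
    """Smallest common initial TTL (64 Unix hosts, 128 Windows, 255 most routers) the reply could have started from."""
    for start in (64, 128, 255):
        if ttl <= start:
            return start
    raise ValueError(f"impossible TTL {ttl}")

def summarize(ping_output: str) -> PingSummary:
    """Parse echo replies into an inferred hop count and the mean RTT."""
    replies = [(int(t), float(r)) for t, r in REPLY_RE.findall(ping_output)]
    if not replies:
        raise ValueError("no echo replies found")
    ttl = max(t for t, _ in replies)
    return PingSummary(initial_ttl(ttl) - ttl, sum(r for _, r in replies) / len(replies))

def looks_intercepted(s: PingSummary, base_rtt_ms: float, base_hops: int) -> bool:
    """Flag a resolver that answers at under half the baseline RTT and at least three
    hops closer than the baseline (baseline = assumed earlier, unhijacked measurement)."""
    return s.avg_rtt_ms < base_rtt_ms / 2 and s.hops + 3 <= base_hops

def hops_outside(traceroute_output: str, home_domain: str) -> list[str]:
    """Named hops not under the home operator's domain; unresolved hops (0.0.0.0) are
    skipped. An empty list means the path never left the operator's network."""
    names = (m.group(1) for m in HOP_RE.finditer(traceroute_output))
    return [n for n in names if n != "0.0.0.0" and home_domain not in n]
```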


Let's just hope they don't leak 100k+ routes again.



