
SANS ISC: Are large scale Man in The Middle attacks underway? - SANS Internet Storm Center SANS ISC InfoSec Forums


Are large scale Man in The Middle attacks underway?

Renesys is reporting two separate incidents where they observed traffic for 1500 IP blocks being diverted for extended periods of time. They observed the traffic redirection for more than 2 months over the last year. Does it seem unusual for internet traffic between Ashburn, Virginia (63.218.44.78) and Washington, DC (63.234.113.110) to go through Russia to Belarus? That is exactly what they observed. Once traffic flows through your routers there are countless opportunities to capture and modify the traffic with classic MiTM attacks. In my humble opinion we should put very little stock in the safety of SSL traffic as it flows through them. Attacks such as the SSL CRIME attack, padding oracle attacks, BEAST and others have shown SSL to be untrustworthy in circumstances such as this.

Advertising false BGP routes to affect the flow of traffic isn't new. You may remember when Pakistan "accidentally" took down YouTube for a small portion of the internet when they attempted to blackhole the website within their country. (Maybe they knew the "twerking" fad was coming) But this is an excellent article that documents two cases where it has happened for extended periods of time.

http://www.renesys.com/2013/11/mitm-internet-hijacking/

Shameless self promotion:

Build a custom penetration testing backdoor that evades antivirus!  Write your own SQL Injection, Password attack tools and more.  Want to code your own tools in Python? Check out SEC573 Python for Penetration Testers.  I am teaching it in Reston VA March 17th!  Click HERE for more information.

Follow me on twitter?  @MarkBaggett

Mark

81 Posts
ISC Handler
It might be an idea to log full TCP SYN packet headers entering your network, to allowed/specific ports for actual services you host, and if you have the resources to do so. I'd expect TTL values to drop during an incident like this. While there, if you also log the following SYN/ACK you could later calculate the round-trip latency of the 3-way handshake for every connection, which is useful performance data in itself (to analyse latency, whether localised to specific IP ranges, or maybe affecting your whole network due to a problem on your side).
Anonymous
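The TTL logging idea from the comment above, sketched as an added example (not code from the diary or the commenter): it estimates hop counts from the TTL of logged inbound SYNs and reports source prefixes whose median path length grew after a baseline window. The CSV log format, the /24 grouping, the initial-TTL guesses (64/128/255) and the 4-hop threshold are all assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed sample records (not real traffic): epoch_seconds,src_ip,dst_port,ttl
# as they might be exported from a SYN-only capture on the inbound edge.
SAMPLE_LOG = """\
1385000000,198.51.100.10,443,52
1385000060,198.51.100.77,443,52
1385000120,198.51.100.23,443,51
1385000180,203.0.113.5,443,116
1385000240,203.0.113.9,443,116
1385000300,203.0.113.40,443,116
1385090000,198.51.100.10,443,44
1385090060,198.51.100.31,443,44
1385090120,203.0.113.5,443,116
"""

def hops(ttl):
    """Estimate hops travelled, assuming the sender started at 64, 128 or 255."""
    initial = next(i for i in (64, 128, 255) if ttl <= i)
    return initial - ttl

def parse(log):
    """Yield (timestamp, source /24 prefix, estimated hops) per logged SYN."""
    for line in log.strip().splitlines():
        ts, src, _port, ttl = line.split(",")
        prefix = ipaddress.ip_network(f"{src}/24", strict=False)
        yield int(ts), str(prefix), hops(int(ttl))

def path_length_shifts(log, baseline_end, min_extra_hops=4):
    """Return {prefix: (baseline_hops, observed_hops)} for prefixes whose median
    hop count after baseline_end exceeds the baseline median by min_extra_hops."""
    base, recent = defaultdict(list), defaultdict(list)
    for ts, prefix, h in parse(log):
        (base if ts < baseline_end else recent)[prefix].append(h)
    shifts = {}
    for prefix, seen in recent.items():
        if prefix in base:  # prefixes with no baseline cannot be compared
            before, after = median(base[prefix]), median(seen)
            if after - before >= min_extra_hops:
                shifts[prefix] = (before, after)
    return shifts

if __name__ == "__main__":
    for prefix, (before, after) in path_length_shifts(SAMPLE_LOG, 1385050000).items():
        print(f"{prefix}: median hops {before} -> {after}")
```

A longer path is only a prompt to check the route (for example with a traceroute or BGP looking glass), since ordinary routing changes also shift TTLs.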
