Several Internet transit providers (companies that route global Internet traffic between local ISPs, end users, and data centers) have banded together to ban a fellow transit provider that has carried out at least 130 Internet route (BGP) hijacks in the past few years, most of which, experts say, were with malicious intent.
Currently, Internet transit providers such as BICS, GTT, Cogent, Meerfarbig, Hurricane Electric, and IPTelecom have dropped the offending company, a Portugal-based data center and Internet transit provider named Bitcanal, off their networks.
Similarly, Internet exchange points (large, national-level data centers that interconnect Internet infrastructure) have also dropped Bitcanal. The list currently includes DE-CIX (Frankfurt, Germany), LINX (London, UK), AMSIX (Amsterdam, the Netherlands), and ESPANIX (Madrid, Spain).
Some of these companies have dropped Bitcanal since 2017, but most of them have stopped collaborating with the Portuguese ISP after a June 25 message posted on the NANOG (North American Network Operators' Group) mailing list.
The message included evidence and an account of at least 130 incidents during which Bitcanal appears to have intentionally carried out BGP hijacks.
BGP hijacks take place when an ISP announces the wrong Internet route to a specific destination. In most cases, BGP hijacks are accidents, such as typos, and result in worldwide Internet providers sending large swaths of traffic to the wrong servers.
But there are also incidents in which malicious ISPs intentionally announce a wrong BGP route in order to hijack traffic meant for particular targets, such as crucial DNS servers, financial services, government sites, military domains, and more. The purpose of these malicious BGP hijacks is to have traffic meant for those targets flow through the malicious ISP's network, where the hijacker can sniff its content or carry out man-in-the-middle attacks.
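As an added example that is not part of the original article, the following Python sketch shows the check a network operator or route-monitoring service runs against announcements like these: each announced prefix and origin AS is compared with a table of expected origins (the role an RPKI ROA set or an internal prefix registry plays), and both a wrong origin on a known prefix and a more-specific prefix carved out of a known block are flagged. All prefixes and ASNs below are constructed documentation values, not addresses or networks from the article.

```python
import ipaddress

# Constructed expected-origin table: which origin AS may announce each block.
# An RPKI ROA set or an operator's prefix registry supplies this in practice.
# ASNs/prefixes are hypothetical documentation values (RFC 5398 / RFC 5737).
EXPECTED_ORIGINS = {
    "192.0.2.0/24": {64500},
    "198.51.100.0/22": {64501},
}

# Constructed announcements as a route collector would see them:
# (prefix, AS path); the last ASN in the path is the origin.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64510, 64500]),     # legitimate origin
    ("192.0.2.0/24", [64510, 64511]),     # same prefix, unexpected origin
    ("198.51.100.0/24", [64510, 64511]),  # more-specific carved out of the /22
    ("198.51.100.0/22", [64510, 64501]),  # legitimate origin
    ("203.0.113.0/24", [64510, 64511]),   # nothing registered for this space
]


def classify(prefix, as_path, expected):
    """Return "valid", "origin-hijack", "more-specific-hijack" or "unknown".
    A more-specific from an unexpected origin wins longest-prefix selection, so
    it diverts traffic even while the legitimate shorter route is still announced.
    """
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covering = None  # longest-prefix match against the registered blocks
    for entry in expected:
        block = ipaddress.ip_network(entry)
        if block.version == net.version and net.subnet_of(block):
            if covering is None or block.prefixlen > covering.prefixlen:
                covering = block
    if covering is None:
        return "unknown"
    if origin in expected[str(covering)]:
        return "valid"
    if net.prefixlen > covering.prefixlen:
        return "more-specific-hijack"
    return "origin-hijack"


def audit(announcements, expected):
    """Classify a batch; returns (prefix, origin, verdict) rows for review."""
    return [(p, path[-1], classify(p, path, expected)) for p, path in announcements]


if __name__ == "__main__":
    for row in audit(SAMPLE_ANNOUNCEMENTS, EXPECTED_ORIGINS):
        print(*row)
```

A real deployment feeds this from a route collector or BGP monitoring service rather than a hard-coded list, and treats "unknown" as a coverage gap in the registry rather than as proof of good intent.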
Based on the evidence presented in the NANOG mailing list message, Bitcanal appears to have been the biggest BGP hijack offender in recent years, earning the nickname of "BGP hijack factory."
"I mean seriously, WTF?" Ronald F. Guilmette started his NANOG message.
Guilmette alleges that Bitcanal is doing all of this (hijacking BGP routes) for the purpose of reselling the hijacked IP addresses to spammer groups, which in turn use them to send out new spam campaigns from IPs not found in spam blacklists.
According to a blog post from Oracle's Internet Research division (formerly Dyn Research), enough was enough, and Internet transit providers and Internet exchange points banded together in the past weeks to take Bitcanal offline by completely disconnecting the company's infrastructure.
Doug Madory, Director of Internet Analysis at Oracle's Internet Intelligence team and the author of the aforementioned blog post, says there are lessons to be learned from the past couple of weeks, both for Internet transit providers and for Internet exchange point operators.
BGP hijacks have become rampant in recent years [1, 2, 3, 4, 5], and seeing Internet transit providers and exchange points finally take action comes as a relief, as there has not been a similar case in which they banded together like this to give the boot to a repeat offender.
With the first such collective ban now applied, maybe we can look forward to quicker bans for other known offenders.
Other measures are also being cooked up to deal with BGP hijacks.