Over the past decade, many attackers have exploited design weaknesses in the Internet’s global routing system. Most commonly, the Border Gateway Protocol (BGP) is abused to divert gigabytes, or possibly even petabytes, of high-value traffic to ISPs inside Russia or China, sometimes for years at a time, so that the data can be analyzed or manipulated. Other times, attackers have used BGP hijackings more surgically to achieve specific aims, such as stealing cryptocurrency or regaining control of computers monitored in a police investigation.

Late last month came word of a new scheme. In one of the most sophisticated uses of BGP hijacking yet, criminals used the technique to generate $29 million in fraudulent ad revenue, in part by taking control of IP addresses belonging to the US Air Force and other reputable organizations.

In all, "3ve," as researchers dubbed the ad fraud gang, used BGP attacks to hijack more than 1.5 million IP addresses over a 12-month span beginning in April 2017. The hijacking was notable for the precision and sophistication of the attackers, who clearly had experience with BGP—and a huge amount of patience.

A novel attack

Members of 3ve (pronounced “eve”) used their large reservoir of trusted IP addresses to conceal a fraud that otherwise would have been easy for advertisers to detect. The scheme employed a thousand servers hosted inside data centers to impersonate real human beings who purportedly "viewed" ads that were hosted on bogus pages run by the scammers themselves—who then received a check from ad networks for these billions of fake ad impressions. Normally, a scam of this magnitude coming from such a small pool of server-hosted bots would have stuck out to defrauded advertisers. To camouflage the scam, 3ve operators funneled the servers’ fraudulent page requests through millions of compromised IP addresses.

About one million of those IP addresses belonged to computers, primarily based in the US and the UK, that attackers had infected with botnet software strains known as Boaxxe and Kovter. But at the scale employed by 3ve, not even that number of IP addresses was enough. And that’s where the BGP hijacking came in. The hijacking gave 3ve a nearly limitless supply of high-value IP addresses. Combined with the botnets, the ruse made it seem like millions of real people from some of the most affluent parts of the world were viewing the ads.

In all, the hijacking required more than three years of work to pull off. It was the product of engineers who understood not only the technical nuances of BGP but, equally important, knew the unwritten social contracts that govern large networks—known in the BGP world as autonomous systems (AS)—and the large backbone providers that connect them. Matthew Hardeman, a networking engineer who analyzed 3ve for this article, called the hijacking a troubling lesson in just how susceptible the Internet’s global routing system is to fraud and malice.

Even if the affected networks deployed common BGP defenses, those measures wouldn’t have been enough to stop 3ve’s massive hijacking scheme. Using Internet route registries to create BGP filters and following the Mutually Agreed Norms for Routing Security would have done nothing. Had the affected networks cryptographically signed routing records using the Resource Public Key Infrastructure, 3ve could easily have tweaked its techniques to get around the measure. Hardeman wrote:

This is the first BGP hijack of note in which a relatively small actor or set of actors succeeded in hijacking substantial amounts of IP space in a rolling fashion successfully without burning all their upstreams. They did this by excellent operating skill and knowledge. Essentially, they've demonstrated that even a small actor or individual with appropriate knowledge and operation experience can, in today's climate, execute a hijack that withstands initial scrutiny and complaint from the proper IP address holders. They've abused some of the anti-hijacking and anti-route-leak tools (IRR records) to a perverse consequence: supporting their use of stolen IP space. This may have been done before, but I've seen no reporting on that angle and it illustrates a real and extant vulnerability in the ecosystem.

A paper jointly published last month by Google and security firm White Ops agreed with the assessment that the systematic hijacking represents a major threat to a trustworthy Internet.

“Acquiring IP addresses this way is significant because it constitutes a particularly blatant form of fraud, used to corrupt large groups of IPs by interfering directly with an exterior routing protocol,” the paper, titled "The Hunt for 3ve," warned. “If one of these stolen IP addresses was detected as the source of fraudulent activity, it was easily burned and recycled, while the same bots continued running in the data centers behind it. The operation’s ability to continuously find new IPs through which to proxy gave it a layer of protection and isolation, avoiding any ‘single point of failure’ that could allow us to easily eradicate it.”

BGP in a nutshell

As a refresher, the Internet is a network of many independent networks that are known as autonomous systems. Each AS is assigned large chunks of IP addresses that connect smaller networks or computers that are geographically close to each other. The ASes, in turn, use BGP to determine the shortest route to connect to each other. When a computer belonging to one AS wants to communicate with a computer belonging to a different AS, the two ASes use a large table called the "routing information base" to ensure that packets sent from one IP address are correctly delivered to the other IP address.

BGP mishaps occur when an AS configures its edge router to accept traffic destined for IP addresses that have not been assigned to it. Harkening back to the old Arpanet, when all nodes were known and "trusted," fellow ASes and upstream transit providers—the large ISPs that move the AS’ traffic to other ASes—often accept these network “announcements” with no questions asked.

Sometimes these mishaps are the result of human errors, as was the case last month when a Nigerian ISP inadvertently updated routing tables that improperly declared it was a legitimate path for reaching millions of IP addresses assigned to Google. Transit provider China Telecom quickly accepted the route without first verifying its legitimacy, a move that, in turn, prompted Russia-based Transtelecom and other large service providers to also follow the improper route. As Ars reported at the time, the event caused traffic to Google to take a circuitous path through China and Russia due to the misannounced routes. As a result, Google’s main search engine and other core services were intermittently unavailable for more than an hour. Spotify and other Google cloud customers also experienced problems. While the event was the result of an error, it remained troubling, in part because it took more than an hour for outside Internet monitoring services to detect it.

When improperly announced routes are inadvertent, they’re called IP prefix leaks. BGP hijacks, by contrast, happen when an AS or transit provider intentionally announces IP addresses not legitimately assigned to it. These hijacks can serve a variety of nefarious purposes. Often, hijackings merely route traffic onto a roundabout path—but ultimately allow data to reach its intended destination. These hijackings sometimes cause the traffic to pass through an ISP in China or Russia, where plaintext or weakly encrypted data may be monitored or tampered with.

Other BGP hijackings are used to take control of a high-value IP address so that the attacker can impersonate the website, server, or service that normally uses that address. One of the most recent examples of such a hijacking occurred in April as attackers took control of IP addresses that Amazon uses for its Route 53 DNS service. The hijackers used their access to set up a rogue domain resolver that redirected traffic destined to MyEtherWallet.com. The attackers then stole about $150,000 worth of digital coins from visitors who were tricked into accepting a self-signed TLS certificate presented by the impersonating site.

Most BGP hijackings are the networking equivalent of a smash and grab operation. Attackers announce an improper route and access as much traffic as possible until network operators detect the hijacking and stop it. But not 3ve; the hackers here were far more patient.