Several Internet transit providers —companies that route global Internet traffic between local ISPs, end users, and data centers— have banded together to ban a fellow transit provider that has carried out at least 130 Internet route (BGP) hijacks in the past few years, most of which, experts say, were with malicious intent.

Currently, Internet transit providers such as BICS, GTT, Cogent, Meerfarbig, Hurricane Electric, and IPTelecom, have dropped the offending company, a Portugal-based data center and Internet transit provider named Bitcanal, off their networks.

Similarly, Internet exchange points (large, national-level data centers that interconnect Internet infrastructure), have also dropped Bitcanal. The list currently includes DE-CIX (Frankfurt, Germany),

LINX (London, UK), AMSIX (Amsterdam, the Netherlands), and ESPANIX (Madrid, Spain).

NANOG mailing list message exposes Bitcanal's deeds

Some of these companies have dropped Bitcanal since 2017, but most of them have stopped collaborating with the Portuguese ISP after a June 25 message posted on the NANOG (North American Network Operators' Group) mailing list.

The message included evidence and a recount of at least 130 incidents during which Bitcanal appears to have intentionally carried out BGP hijacks.

BGP hijacks take place when an ISP announces the wrong Internet route to a specific destination. In most cases, BGP hijacks are accidents, such as typos, and result in worldwide Internet providers sending large swaths of traffic to the wrong servers.

But there are also incidents when malicious ISPs intentionally announce a wrong BGP route in order to hijack traffic meant for particular targets, such as crucial DNS servers, financial services, government sites, military domains, and more. The purpose of these malicious BGP hijacks is the have traffic meant for those targets flow through the malicious ISP's network, where it can sniff its content or carry out Man-in-the-Middle attacks.

Based on the evidence presented in the NANOG mailing list message, Bitcanal appears to have been the biggest BGP hijack offender in recent years, earning the nickname of "BGP hijack factory."

"I mean seriously, WTF?," Ronald F. Guilmette started his NANOG message.





That's 39 deliberately hijacked routes, at least going by the data visible on bgp.he.net. But even that data from bgp.he.net dramatically understates the case, I'm sorry to say. According to the more complete and up-to-the-minute data that I just now fetched from RIPEstat, the real number of hijacked routes is more on the order of 130 separate hijacked routes for a total of 224,512 IPv4 addresses:



https://pastebin.com/raw/Jw1my9Bb



In simpler terms, Bitcanal has made off with the rough equivalent of an entire /14 block of IPv4 addresses that never belonged to them. (And of course, they haven't paid a dime to anyone for any of that space.) As should be blatantly self-evident to pretty much everyone who has ever looked at any of the Internet's innumerable prior incidents of very deliberately engineered IP space hijackings, all of the routes currently being announced by AS3266 (Bitcanal, Portugal) except for the ones in 213/8 are bloody obvious hijacks. [...]That's 39 deliberately hijacked routes, at least going by the data visible on bgp.he.net. But even that data from bgp.he.net dramatically understates the case, I'm sorry to say. According to the more complete and up-to-the-minute data that I just now fetched from RIPEstat, the real number of hijacked routes is more on the order of 130 separate hijacked routes for a total of 224,512 IPv4 addresses:In simpler terms, Bitcanal has made off with the rough equivalent of an entire /14 block of IPv4 addresses that never belonged to them. (And of course, they haven't paid a dime to anyone for any of that space.)

Guilmette alleges that Bitcanal is doing all of this —hijacking BGP routes— for the purpose of re-selling the hijacked IP addresses to spammer groups, which in turn use them to send out new spam campaigns from IPs not found in spam blacklists.

Companies get together to boot Bitcanal off the Internet

According to a blog post from Oracle's Internet Research division (formerly Dyn Research), enough was enough, and Internet transit providers and Internet exchange points banded together in the past weeks to take Bitcanal offline by completely disconnecting the company's infrastructure.

Doug Madory, Director of Internet Analysis at Oracle's Internet Intelligence team, and the author of the aforementioned blog post, says there are lessons to be learned from the past couple of weeks, for both Internet traffic transit providers, but also for Internet exchange points operators.

1) Even if abuse didn’t take place across your exchange, you can still consider disconnection to mitigate future risk. If it had been widely known that DECIX kicked out Bitcanal last year, might other IXes have disconnected them? Or at least started scrutinizing their activity at the exchange?



2) IXPs are not just a neutral transport bus anymore. They facilitate a unique service that malicious actors can leverage. Like it or not, this makes IXPs responsible too.



3) Ensure that you have monitoring and analysis capabilities in place. Multiple IXPs contacted did not have MRT files of their route servers, or PCAP collection to verify any claim. If an IXP has a policy of requiring evidence of bad behavior, it must also be collecting that evidence and, most importantly, a process to review that evidence when a reasonable inquiry is made.

BGP hijacks have been becoming rampant in recent years [1, 2, 3, 4, 5] and seeing Internet transit providers and exchange points finally taking action is a sigh of relief, as there hasn't been a similar case when they banded together like this to give the boot to a repeat offender.

With the first such collective ban being applied, maybe we can now look forward to quicker bans to other known offenders.

Other measures are also being cooked up to deal with BGP hijacks.