Know where your traffic actually goes

Security teams tend to focus on the areas that can be controlled directly, such as devices, networks and individuals within an organisation.

What happens outside the perimeter is usually "someone else’s problem", but is that a wise approach?

Unless your organisation is isolated from the internet, it probably pays to look beyond the wall to secure your communication channels.

The internet may have been built to survive a nuclear war by routing around damage, but in parts, it still remains surprising vulnerable to disruption and traffic interception.

When traffic leaves your network for a certain destination, do you know which way it goes? Which other networks pass your organisation’s traffic? Which routes the traffic landing on your network took?

Those are questions that lately have become a necessity to consider as the largely trust-based routing system between network providers that directs data traffic on the internet is accidentally or deliberately subverted.

Route hijacks via the border gateway protocol (BGP) used by networks to tell each other where to send data occur regularly.

They shouldn’t happen nowadays as there are standard techniques and measures providers can take to prevent bogus routes from being accepted.

But they do. Like in July this year when United States solutions provider AxCelX leaked routes for Amazon Web Services, and other providers accepted these routes. This in turn cut access for over 40 minutes to well-known internet services such as Netflix, Tinder, Experian and Yelp.

That a fairly small network provider like AxCelX can take out access to a giant like AWS should be a wake-up call.

Identifying what has happened in case of a fault isn’t easy since there’s little visibility from most internet endpoints as to how providers agree to pass data among each other, and internet routing is an opaque, difficult topic.

And good luck explaining a BGP mishap to customers and users who are left without access even though their internet connections seem fine.

You can get a feeling for what can be done by abusing BGP when you read what Italian malware and surveillance tool vendor Hacking Team did two years ago.

A unit of Italy’s National Military police had lost network access to a server forwarding surveillance data, rendering the software it had bought from Hacking Team, presumably at great expense, worthless. The server in question may also have stored sensitive information on the targets under police surveillance, which risked ending up in the wrong hands.

What to do? Easy: Hacking Team and the Italian cops organised a route hijack via BGP announcements from a large network operator.

Other networks accepted and didn’t filter out the announcements, so traffic not intended for them flowed through their networks. The police and Hacking Team had access to the remote spyware again.

The thing is, though, if Hacking Team hadn’t been hacked and the spyware vendor's emails published on the web, we wouldn’t have known the traffic was subverted.

As long as the route hijack doesn’t create any noticeable issues, it could be used for traffic interception or impersonation of sites for nefarious purposes. Nobody would be any the wiser.

It's important to know where your organisation’s data goes to on the internet - and from where it arrives.

Work with your network provider to establish route monitoring and route diversity for that moment when someone fat-fingers a configuration file and the bytes hit the bitbucket.