BGP hijacker booted off the Internet's backbone

A year-long effort to stop an accused “bad actor” who hijacked border gateway protocol (BGP) routes has borne fruit, with giant Hurricane Electric and Portugal's IPTelecom joining in cutting off an organisation called Bitcanal.

Dyn detailed the process, which is nearing completion a year after German Internet exchange DE-CIX expelled Bitcanal from its exchanges.

The most recent effort, Dyn notes, was launched by security researcher Ronald Guilmette, who in June documented 39 “deliberately hijacked routes” announced via Hurricane Electric alone.

BGP borked? Blame the net's big boppers

READ MORE

“According to the more complete and up-to-the-minute data that I just now fetched from RIPEstat, the real number of hijacked routes is more on the order of 130 separate hijacked routes for a total of 224,512 IPv4 addresses”, Guilmette wrote.

He also accused the company of “reselling their stolen IP space to spammers”.

In response to that post, Dyn noted, transit providers GTT Communications and Cogent disconnected Bitcanal – but the organisation was still able to announce routes through other providers.

The hijacks gave Bitcanal huge slabs of in-short-supply IPv4 addresses belonging to others, for example in its announcement of addresses owned by Beijing Jingdong 360 Degree E-commerce. The hijack of a /16 block temporarily puts the owner in control of around 64,000 addresses.

After disconnection by Cogent, Bitcanal moved to Belgium's BICS, was disconnected, moved to Germany's Meerfarbig, and was disconnected again.

The Hurricane Electric and IPTelecom disconnections leave Bitcanal “effectively cutoff from the global internet”, Dyn's post explained.

“Bitcanal’s IPv6 route (2a00:4c80::/29) was also withdrawn at 16:04 UTC today. According to Spamhaus, it was also the source of large amounts of spam email and is listed on their IPv6 Drop list.”

Dyn's Doug Madory concludes his post by asking for greater participation from IXPs to get bad actors off their networks. ®