Last week, we reported via Twitter that the Iranian state telecom TIC hijacked address space containing a number of pornographic websites. The relevant BGP announcement was likely intended to stay within the borders of Iran, but had leaked out of the country in a manner reminiscent of Pakistan's block of Youtube via BGP hijack in 2008. Over the weekend, TIC performed BGP hijacks of additional IP address space hosting adult content as well as IP addresses associated with Apple's iTunes service.
— Dyn Research (@DynResearch) January 6, 2017
In addition, in 2015 on this blog we reported that a new DNS root server instance in Tehran was being leaked outside Iran, a situation that was quickly rectified at that time. Despite the fact that the Tehran K-root is intended to only be accessible within Iran, as we will see below, it is currently being accessed by one of the largest US telecommunications companies.
Iranian BGP-based Censorship
Last week, Iranian state telecom announced a BGP hijack of address space (18.104.22.168/24) hosting numerous pornographic websites. This was likely intended to stay within Iran, but like Pakistan's BGP hijack of Youtube in 2008, it was inadvertently leaked out of the country, preventing internet users in many countries from being able to visit these sites. In his coverage of this incident, Russell Brandom of The Verge wrote arguably the most memorable opening sentence in tech journalism this year (so far).
We alerted the hosting operation and they were able to regain control of the address space back from the Iranians. They began announcing the same /24 and then were able to get Omantel to stop announcing the route to the outside world. In the graphic below, we can see the timeline of the announcement of this route, which was a more-specific hijack of 22.214.171.124/17. TIC announced the route using a private ASN AS65050, and as Stéphane Bortzmeyer astutely pointed out, some peers saw this as being originated by AS12880 (TIC) itself, probably because it is the practice of some organizations to strip private ASNs from the AS path. Hence, in the diagram below the hijack is represented by both origins AS12880 and AS65050. Soon after AS27589 began announcing this same route, Omantel stopped announcing it to the outside world. This all happened within an hour of our notification to them.
It is interesting that the more-specific BGP hijack wasn't more widely adopted. Omantel never announced it to its transit providers (including Level 3, Telia and Hurricane Electric) and only to some of its settlement-free peers (including some at AMSIX). It is hard to know for certain whether this was due to filters in place by many of Omantel's upstreams, or, more likely, it was just being announced to the peers based on something in its routing policy.
Using a looking glass inside Iran, it was clear that the hijacked route was still visible inside the country after Omantel stopped passing it on to the outside world.
On Saturday, TIC was back at it again, this time announcing BGP hijacks of the address space hosting www.sex.com (among numerous other adult content websites). Below are screenshots from Dyn's Internet Intelligence showing the propagation of this BGP hijack.
In addition, TIC announced BGP hijacks for 20 individual IPs associated with Apple's iTunes service. These too were carried by Omantel to the outside world, albeit with a smaller footprint due to the fact that BGP routes for /32's typically don't propagate very far.
Again, below are screenshots from Dyn's Internet Intelligence analyzing these BGP hijacks:
This second round of BGP hijacks from TIC lasted a little less than 3 hours, but lends credence to the conclusion that the state telecom of Iran is exploring the use of BGP as a means of enforcing internet censorship of, at least, pornographic material. In addition, TIC performed a more-specific BGP hijack on 22 December 2016 of a Server Stack address range (illustrated below), which also hosts adult content. The hijack lasted less than 10 minutes.
In the past month, similar hijacks were performed against other individual IP addresses including:
126.96.36.199/32 XLHost.com Inc Columbus US
188.8.131.52/32 eNET Inc. Columbus US
184.108.40.206/32 Gotys Productions Inc. Miami US
220.127.116.11/32 Akamai International, BV Amsterdam NL
18.104.22.168 is an IP in the /24 that was hijacked last week and is associated with www.pichunter.com, an adult content website. 22.214.171.124 is a U.S.-based IP address hosting website of a Iranian telecommunications company (http://novinmehr.com, http://nepox.com). The relevance of the other two IP addresses is unclear.
More leaks of K-root instance in Tehran
In 2015 on this blog, we reported on the establishment of the first Iranian root server of the global DNS system. The objective of this root server was to provide faster query response times to internet users in Iran. Despite the fact that this instance of K-root was intended to only be visible from within Iran, we observed that it had leaked to telecommunications companies in India. (Shortly afterward, K-root's operator RIPE published a responding blog post to further describe the operation of the Tehran root server.)
The Tehran K-root is being leaked again. Presently U.S. telecommunications firm Cogent (often featured on the annual Baker's Dozen blog post about trends among the largest transit providers in the world) is accepting the BGP route of the Tehran instance of K-root — suggesting a non-trivial number of their root queries are currently being answered by Iran.
Below is a traceroute measurement performed from Cogent's looking glass utility showing a measurement to 126.96.36.199/24 (K-root) from Washington D.C.. It is ultimately directed to Rostelecom (state telecom of Russia) in Moscow before traveling to Delta Telecom (188.8.131.52) in Baku, Azerbaijan and on to IPM in Iran.
Below is a visualization of measurements to K-root from one of our measurement servers located in Ashburn, VA, utilizing Cogent transit. Over time, the measurements shift from the US-based K-root in Miami to one hosted in Russia (accessed via Rascom), then to one hosted in Kazakhstan before finally settling on the K-root in Tehran.
What are the implications of sending queries to a root server in Tehran? Well, there is the performance hit of having to send DNS queries thousands of miles away to Tehran. But all-in-all root server latency has a small impact on overall performance — these queries only occur during a cache miss and there are 13 root server IPs that one might be directed to at any given time. As far as security implications, the root server has visibility into the DNS queries being made to it, so there would be some ability to monitor the web pages being visited.
As we have stated many times on this blog, the underlying protocols of the internet still rely primarily on trust. Given Iran's track record for internet censorship (which includes DNS tampering), it is reasonable to be concerned about a repeat of the 2010 incident when a BGP leak of I-root caused internet users outside of China to experience the censorship of China's Great Firewall.