The title of the paper Who controls the Internet? Analyzing global threats using property traversal graphs is enough to ensnare any Internet researcher. The control plane for a number of attacks, as the paper points out, is the DNS due to the role it plays in mapping names to resources. MX records in the DNS control the flow of mail, CNAME records are used to implement content delivery networks (CDN) services, and TXT records are used to confirm access to and control over a namespace when implementing third party services. This post will cover an interesting case where control is exercised first via the DNS and then using BGP.
Below the DNS, in the depths of internet plumbing, is the lizard brain of internet routing, which is governed by the border gateway protocol (BGP). A common term to describe BGP routing is “hot potato” routing. BGP conversations occur between autonomous systems, ASes, which are identified by their autonomous system number ASN. The ASN represents a system of networks and the policy associated with their routing. ASes are issued regionally by Regional Internet Registries (RIRs), which receive blocks of AS numbers to hand out from the Internet Assigned Numbers Authority (IANA). To be part of the Internet, an AS connects to at least one other network and they exchange network information with each other. A network operator advertises what networks are accessible through the operator’s networks, including both networks that originate within the operator’s AS and networks that are reachable passing traffic through that network. The advertisements are BGP announcements, and they say (very roughly), “I will carry traffic to AS-number, and I will send it from here through these other networks.” The set of other networks could be empty, in which case the network is a peer of the target network. The advertisements establish a number of potential ways for a packet to reach from originating AS to destination AS, which is part of what makes the Internet as a whole more resilient than many other kinds of network. The names — stored and distributed by the DNS — and numbers, IP addresses, and autonomous system numbers we have come to rely on are only accessible if they are properly resolved or routed.
What better way to understand control than with an example of the system’s shortcomings, the hijacking of autonomous systems, and access to the IP space they contain leased or lent for nefarious purposes?
We will review the commandeering of AS34991 Wireless Network Solutions. The current theory is that control over AS34991 was seized when someone registered the expired domain name, wirelessnetbg.info on April 11, 2017. We can confirm the domain appears in passive DNS on April 12, 2017 resolving to 184.108.40.206 and hadn’t been observed in the DNS in some time. Looking for more detail, we reviewed the company and contact information available on the website www.wirelessnetbg.info (220.127.116.11). The name, address, and phone number listed in the contact information of the DNS registration data directory service (RDDS, currently provided by whois) don’t match the detail in the RIPE NCC database ( or the website ). With control over the contact email address, the actor gained control over the autonomous system (As an aside, we note that this is probably a flaw in the RIR access recovery policy). Control over a registered AS is a start, but to make use of it the actor needs to establish peering. Connectivity was established via an internet exchange in Bulgaria (BIX.BG) and peering with AS206776 Histate Global Corp. With these steps executed, the actor now has control over AS34991 and can start making announcements to peers about the IP space they are responsible for routing.
It came to our attention in late May that AS34991 had decided to announce a collection of LACNIC networks which weren’t seen or being routed on the Internet. These ranges include networks owned by a Colombian University, Telecom providers, and other businesses. We reached out to the owners of the IP space being announced but received no reply. On June 5th, the hijacking was mentioned on the NANOG (North American Network Operators Group) mailing list. One of the list members was asking how something like this is actually orchestrated.
On the following day, June 6th, a mayday was sent to the RIPE Anti-Abuse Working group mailing list mentioning the hijacking of the ASN and specifically calling out the victim networks. In the post to the RIPE Anti-abuse working group, the author made note that the commandeered IP space was being sub-leased to spammers.
This circles us back to the question posed by the research paper: who controls the internet? In the case of BGP, control over the network is distributed; individual ASNs can announce and filter as they see fit with a consensus held amongst peers. The terms and agreements are maintained in routing tables with alterations being passed amongst peers. In the event of such a hijack, the path to resolution is unclear. RIRs operate according to community-established policies, and are not in a position to act contrary to those policies as long as they’re being followed. The community has historically avoided rules that permitted shut downs due to content, for the obvious reason that RIRs would then become global censors. Similarly, IXes generally work according to a community agreement that explicitly disallows the IX itself to make choices about what content is allowed. IX members can, of course, refuse to accept any traffic they like; but the IX itself needs to be neutral, or it can’t perform its function.
The promise of a solution relies on implementation and wider adoption of a cryptographically secure system. The technical term for this architecture is Resource Public Key Infrastructure, RPKI. When an autonomous system announces that it is originating routes for a network, its peer’s RPKI provides a means to verify that the autonomous system has approval of the owner to do so. This is done through the use of resource certificates (X.509), which are issued by the RIR to prove ownership over the networks you seek to originate. The resource certificate is a cryptographic proof of ownership held by the RIR. The networks are then associated with the ASN to create a route object authorization (ROA). The ROA is signed with the resource holder’s private key, creating a cryptographic proof. If RPKI was implemented then when AS34991 started announcing networks owned by the Colombian University, Telecom … etc others would reject the route because it wouldn’t have a valid ROA signed by the owners of the commandeered networks.
Who controls the internet? In the example covering the recent hijacking of an autonomous system, you start to see how complex this question is to answer. By commandeering an autonomous system, you can impact internet routing by announcing someone else’s network as if it is your own. At the same time, the autonomous system was taken over by gaining access to a domain and configuring MX records. The IP routing layer introduces some additional nuances as well as questions of sphere of impact and control. In routing there are a number of variables such as network ownership, route leaks, propagation / number of peers impacted, which increase the complexity of defining control.
Author’s note: After this post went live I received some valuable feedback and wanted to make a clarification. The statement “others would reject the route because it wouldn’t have a valid ROA signed by the owners” is incorrect. Currently network operators most likely have their configuration default to prefer the valid route vs. disallowing the unvalidated routes.
RFC7115 clarifies that deployment of RPKI and adoption are expected to take some time. “As origin validation will be rolled out incrementally, coverage will be incomplete for a long time. Therefore, routing on NotFound validity state SHOULD be done for a long time.”
In the future, once RPKI deployment is wide enough, configurations tested and infrastructure failure modes vetted...the default might be changed to block / not allow the route.