Inside the Bitcanal takedown

A security researcher who helped take down a Portuguese web hosting firm accused of wholesaling a spam service has said that the fight against such scams is far from over.

Earlier this month, several internet transit providers (ITP) banned an internet service provider (ISP) from their networks after it was reported to be carrying out border gateway protocol (BGP) hijacks on more than 130 occasions.

BGP hijacks happen when an ISP announces an incorrect internet route to a destination, so that other networks forward traffic for that address range to it and it effectively takes control of the range.

Some of these hijacks are the result of typos, but some are carried out maliciously.

Bitcanal, it is claimed, intentionally hijacked traffic to resell stolen IPv4 address space, which is already in short supply, enabling spammers to send campaigns from addresses with a better reputation.

Because of the way internet routing works, such an announcement is accepted as genuine until someone contradicts it: BGP itself performs no check that the announcing network actually holds the address space, and no confirmation against the registry's allocation records happens in the first place.
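The missing check described above is what route origin validation against signed ROAs supplies on networks that deploy it. The following is an added illustration, not code from the article or from any of the providers it names: a minimal origin validator in the style of RFC 6811, run over constructed announcements (all prefixes and AS numbers are documentation/private values chosen for the example).

```python
import ipaddress

# Constructed ROA table: (authorised prefix, max announced length, origin ASN).
# Values are hypothetical example numbers, not real allocations.
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]


def validate_origin(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Classify one BGP announcement as 'valid', 'invalid' or 'notfound'.

    'valid'    : a ROA covers the prefix, matches the origin AS and the
                 announced length does not exceed the ROA's max length.
    'invalid'  : a ROA covers the prefix but no ROA matches (wrong origin
                 AS or an over-specific announcement).
    'notfound' : no ROA covers the prefix at all, so nothing can be said.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA speaks for this address space
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"


def flag_announcements(announcements, roas=ROAS):
    """Return only the announcements an operator should look at (not 'valid').

    'invalid' alone does not prove intent: a fat-fingered origin AS and a
    deliberate hijack look identical at this layer, so flagged entries are
    leads for investigation, not verdicts.
    """
    return [
        (prefix, asn, state)
        for prefix, asn in announcements
        if (state := validate_origin(prefix, asn, roas)) != "valid"
    ]


if __name__ == "__main__":
    # Constructed sample feed: one legitimate route and three that deserve a look.
    sample = [
        ("203.0.113.0/24", 64500),   # rightful origin
        ("203.0.113.0/24", 64666),   # same prefix, foreign origin AS
        ("198.51.100.0/25", 64501),  # rightful origin, but more specific than allowed
        ("192.0.2.0/24", 64500),     # no ROA at all
    ]
    for entry in flag_announcements(sample):
        print(entry)
```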

Since 2017, Bitcanal has been steadily blacklisted by a number of transit providers.

But it was Ronald Guilmette’s meticulous documentation that dubbed the web hosting service a “hijack factory” – leading to an influx of bans.

Hijack

Hurricane Electric and Portugal's IPTelecom initially evicted the ISP, and Bitcanal was subsequently turfed out by other internet providers including German internet exchange DE-CIX as part of its month-long effort to clean up the web.

Over time Bitcanal found it harder and harder to obtain the upstream bandwidth it needed, prompting it to move onto GTT Communications, Cogent, and a succession of other providers, but they too pulled the plug on the company.

This takedown sequence was chronicled in a blog post by Oracle-owned internet performance firm Dyn.

RIPE Network Coordination Centre – one of the five global registries that provide Internet address allocations – recently published a report about this practice.

And Guilmette – who modestly played down his own role in chasing Bitcanal off the internet – said other unscrupulous web hosts are still using the same tactics, though not nearly on the same scale as Bitcanal supposedly did.

Tortuous takedown

Operations that hijack routes are difficult to shut down, according to Guilmette.

“Bitcanal had successfully inveigled itself ‘deeply’ into the fabric of the internet,” Guilmette told The Daily Swig.

“Indirectly, via their multiple connections in at least eight or nine different ‘IXes’ [internet exchanges] all around the world, they had, in effect, acquired dozens and dozens of ‘peers’.

“This was on top of the connections that they had contracted for directly with multiple ‘Tier-1’ providers, aka backbones.”

“Getting them disconnected was like excising a tumor that has already metastasized and spread all over the place,” he concluded.

Guilmette was surprised the takedown operation against Bitcanal happened within only a “few short weeks” from what he described as an “over-the-top public blasting of Bitcanal on NANOG”, a network administrator’s mailing list.

“The speed of the takedown totally surprised me,” Guilmette explained. “I expected Bitcanal to be somewhat hobbled at first, but then to find other connections and still struggle along – in a weakened and less connected state – for perhaps another six months or so.

“But as is now apparent, some well-known high-level networking people with big rolodexes had, like me, had enough of Bitcanal's longtime, well-documented, and unceasing misbehavior and I think that some of them took the time to make the case against Bitcanal in all the places where it needed to be made.”

Guilmette – who describes himself as a “noisy, arrogant, ill-mannered spammer chaser, not a well-connected networking guy” – credits others who “rolled up their sleeves and got to work” for the Bitcanal takedown.

“I can take essentially no credit for virtually any of this... much as I would like to,” he explained. “I just threw a match into the pile of rags that was already well soaked with gasoline. The knowledge has been out there for a long time as to what Bitcanal was up to.”

Guilmette continued: “The Tier-1 providers, to their credit, saw my pointed invective lambasting both them and Bitcanal and then they acted really quickly, particularly GTT, which was oblivious to there even being a problem until I came along.”

“Cogent dallied a bit, but nailed the door shut on Bitcanal within a week. Level3 [providers]… cut off Bitcanal quite quickly,” he added.

Bitcanal still has a couple of nominal connections, but even those may disappear before too long, Guilmette concluded.