This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[anti-abuse-wg] Yet another BGP hijacking towards AS16509
- Previous message (by thread): [anti-abuse-wg] Autoresponders
- Next message (by thread): [anti-abuse-wg] Yet another BGP hijacking towards AS16509
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Siyuan Miao
siyuan at misaka.io
Tue Aug 23 01:51:14 CEST 2022
Hi folks, Recently I read a post regarding the recent incident of Celer Network and noticed a very interesting and successful BGP hijacking towards AS16509. The attacker AS209243 added AS16509 to their AS-SET and a more specific route object for the /24 where the victim's website is in ALTDB: (Below is our IRRd4 server NRTM logging, UTC timezone) irrd.log-20220817.gz:31106270-ADD 96126 irrd.log-20220817.gz:31106280- irrd.log-20220817.gz:31106281-as-set: AS-SET209243 irrd.log-20220817.gz:31106306-descr: quickhost set irrd.log-20220817.gz:31106332-members: AS209243, AS16509 irrd.log-20220817.gz:31106362:mnt-by: MAINT-QUICKHOSTUK irrd.log-20220817.gz:31106392-changed: crussell at quickhostuk.net 20220816 irrd.log-20220817.gz:31106438-source: ALTDB irrd.log-20220817.gz:31147549-ADD 96127 irrd.log-20220817.gz:31147559- irrd.log-20220817.gz:31147560-route: 44.235.216.0/24 irrd.log-20220817.gz:31147588-descr: route irrd.log-20220817.gz:31147606-origin: AS16509 irrd.log-20220817.gz:31147626:mnt-by: MAINT-QUICKHOSTUK irrd.log-20220817.gz:31147656-changed: crussell at quickhostuk.net 20220816 irrd.log-20220817.gz:31147702-source: ALTDB Then they started announcing the prefix ... under another AWS ASN (AS14618) I guess AS1299 Arelion doesn't check if the origin AS of an announcement is in the customer's AS-SET but it's pretty normal and understandable. https://stat.ripe.net/widget/bgplay#w.resource=44.235.216.0/24&w.ignoreReannouncements=true&w.starttime=1660694458&w.endtime=1661032798&w.rrcs=0&w.instant=null&w.type=bgp Type: A > announce Involving: 44.235.216.0/24 Short description: The new route 34854 1299 209243 14618 has been announced Path: 34854, 1299, 209243, 14618, Community: 1299:35000,34854:3001 Date and time: 2022-08-17 19:39:50 Collected by: 00-2.56.11.1 Hjacking didn't last too long. AWS started announcing a more specific announcement to prevent hijacking around 3 hours later. Kudos to Amazon's security team :-) Type: A > announce Involving: 44.235.216.0/24 Short description: The new route 58057 34549 5511 1299 16509 has been announced Path: 58057, 34549, 5511, 1299, 16509, Community: 5511:521,5511:666,5511:710,5511:5511,34549:100,34549:5511 Date and time: 2022-08-17 23:08:47 Collected by: 00-194.50.92.251 The attacker cleaned up the IRR objects on 17 Aug and surprisingly no one seems to notice them ... irrd.log-20220819.gz:26517714-ADD 96196 irrd.log-20220819.gz:26517724- irrd.log-20220819.gz:26517725:as-set: AS-SET209243 irrd.log-20220819.gz:26517750-descr: quickhost set irrd.log-20220819.gz:26517776-members: AS209243, AS35437, AS37497 irrd.log-20220819.gz:26517815-mnt-by: MAINT-QUICKHOSTUK irrd.log-20220819.gz:26517845-changed: crussell at quickhostuk.net 20220817 irrd.log-20220819.gz:26517891-source: ALTDB irrd.log-20220819.gz:26517910-DEL 96197 irrd.log-20220819.gz:26517920- irrd.log-20220819.gz:26517921-route: 44.235.216.0/24 irrd.log-20220819.gz:26517949-descr: route irrd.log-20220819.gz:26517967-origin: AS16509 irrd.log-20220819.gz:26517987-mnt-by: MAINT-QUICKHOSTUK irrd.log-20220819.gz:26518017-changed: crussell at quickhostuk.net 20220816 irrd.log-20220819.gz:26518063-source: ALTDB Nowadays hijacking a service by forging AS path is pretty easy and RPKI won't be able to solve this (as it validates origin AS and prefixes only) :-( Regards, Siyuan -------------- next part -------------- An HTML attachment was scrubbed... URL: </ripe/mail/archives/anti-abuse-wg/attachments/20220823/534b3c84/attachment.html>
- Previous message (by thread): [anti-abuse-wg] Autoresponders
- Next message (by thread): [anti-abuse-wg] Yet another BGP hijacking towards AS16509
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]