This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[anti-abuse-wg] Yet another BGP hijacking towards AS16509

Previous message (by thread): [anti-abuse-wg] Yet another BGP hijacking towards AS16509
Next message (by thread): [anti-abuse-wg] Yet another BGP hijacking towards AS16509

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Siyuan Miao siyuan at misaka.io
Tue Aug 23 02:15:47 CEST 2022

Just noticed another thing:

➜  ~ whois -h whois.ripe.net -- "--list-versions AS1299" | tail -n10
2862  2022-07-11T14:44:49Z  ADD/UPD
2863  2022-07-27T11:17:25Z  ADD/UPD
2864  2022-08-02T08:43:02Z  ADD/UPD
2865  2022-08-10T12:11:29Z  ADD/UPD


*2866  2022-08-17T10:47:43Z  ADD/UPD2867  2022-08-18T12:53:37Z  ADD/UPD*
% This query was served by the RIPE Database Query Service version 1.103
(WAGYU)

➜  ~ whois -h whois.ripe.net -- "--show-version 2865 AS1299" | grep 209243
➜  ~ whois -h whois.ripe.net -- "--show-version 2866 AS1299" | grep 209243
import:         from  AS209243 accept AS209243
mp-import:      afi ipv6 from AS209243 accept AS209243


*➜  ~ whois -h whois.ripe.net <http://whois.ripe.net> -- "--show-version
2867 AS1299" | grep 209243import:         from  AS209243 accept
AS-SET209243mp-import:      afi ipv6 from AS209243 accept AS-SET209243*

Looks like the first thing that AS209243 had done after they got AS1299
transit is ... hijacking an Amazon prefix ..?

On Tue, Aug 23, 2022 at 1:51 AM Siyuan Miao <siyuan at misaka.io> wrote:

> Hi folks,
>
> Recently I read a post regarding the recent incident of Celer Network and
> noticed a very interesting and successful BGP hijacking towards AS16509.
>
> The attacker AS209243 added AS16509 to their AS-SET and a more specific
> route object for the /24 where the victim's website is in ALTDB:
> (Below is our IRRd4 server NRTM logging, UTC timezone)
>
> irrd.log-20220817.gz:31106270-ADD 96126
>
> irrd.log-20220817.gz:31106280-
>
> irrd.log-20220817.gz:31106281-as-set:     AS-SET209243
>
> irrd.log-20220817.gz:31106306-descr:      quickhost set
>
> irrd.log-20220817.gz:31106332-members:    AS209243, AS16509
>
> irrd.log-20220817.gz:31106362:mnt-by:     MAINT-QUICKHOSTUK
>
> irrd.log-20220817.gz:31106392-changed:    crussell at quickhostuk.net
> 20220816
>
> irrd.log-20220817.gz:31106438-source:     ALTDB
>
> irrd.log-20220817.gz:31147549-ADD 96127
>
> irrd.log-20220817.gz:31147559-
>
> irrd.log-20220817.gz:31147560-route:      44.235.216.0/24
>
> irrd.log-20220817.gz:31147588-descr:      route
>
> irrd.log-20220817.gz:31147606-origin:     AS16509
>
> irrd.log-20220817.gz:31147626:mnt-by:     MAINT-QUICKHOSTUK
>
> irrd.log-20220817.gz:31147656-changed:    crussell at quickhostuk.net
> 20220816
>
> irrd.log-20220817.gz:31147702-source:     ALTDB
>
>
> Then they started announcing the prefix ... under another AWS ASN (AS14618)
> I guess AS1299 Arelion doesn't check if the origin AS of an announcement
> is in the customer's AS-SET but it's pretty normal and understandable.
>
>
> https://stat.ripe.net/widget/bgplay#w.resource=44.235.216.0/24&w.ignoreReannouncements=true&w.starttime=1660694458&w.endtime=1661032798&w.rrcs=0&w.instant=null&w.type=bgp
>
>
> Type: A > announce Involving: 44.235.216.0/24
> Short description: The new route 34854 1299 209243 14618 has been
> announced
> Path: 34854, 1299, 209243, 14618,
> Community: 1299:35000,34854:3001
> Date and time: 2022-08-17 19:39:50 Collected by: 00-2.56.11.1
>
> Hjacking didn't last too long. AWS started announcing a more specific
> announcement to prevent hijacking around 3 hours later. Kudos to Amazon's
> security team :-)
>
> Type: A > announce Involving: 44.235.216.0/24
> Short description: The new route 58057 34549 5511 1299 16509 has been
> announced
> Path: 58057, 34549, 5511, 1299, 16509,
> Community: 5511:521,5511:666,5511:710,5511:5511,34549:100,34549:5511
> Date and time: 2022-08-17 23:08:47 Collected by: 00-194.50.92.251
>
> The attacker cleaned up the IRR objects on 17 Aug and surprisingly no one
> seems to notice them ...
>
> irrd.log-20220819.gz:26517714-ADD 96196
>
> irrd.log-20220819.gz:26517724-
>
> irrd.log-20220819.gz:26517725:as-set:     AS-SET209243
>
> irrd.log-20220819.gz:26517750-descr:      quickhost set
>
> irrd.log-20220819.gz:26517776-members:    AS209243, AS35437, AS37497
>
> irrd.log-20220819.gz:26517815-mnt-by:     MAINT-QUICKHOSTUK
>
> irrd.log-20220819.gz:26517845-changed:    crussell at quickhostuk.net
> 20220817
>
> irrd.log-20220819.gz:26517891-source:     ALTDB
>
>
>
> irrd.log-20220819.gz:26517910-DEL 96197
>
> irrd.log-20220819.gz:26517920-
>
> irrd.log-20220819.gz:26517921-route:      44.235.216.0/24
>
> irrd.log-20220819.gz:26517949-descr:      route
>
> irrd.log-20220819.gz:26517967-origin:     AS16509
>
> irrd.log-20220819.gz:26517987-mnt-by:     MAINT-QUICKHOSTUK
>
> irrd.log-20220819.gz:26518017-changed:    crussell at quickhostuk.net
> 20220816
>
> irrd.log-20220819.gz:26518063-source:     ALTDB
>
>
>
> Nowadays hijacking a service by forging AS path is pretty easy and RPKI
> won't be able to solve this (as it validates origin AS and prefixes only)
> :-(
>
> Regards,
> Siyuan
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/anti-abuse-wg/attachments/20220823/941af22f/attachment-0001.html>

Previous message (by thread): [anti-abuse-wg] Yet another BGP hijacking towards AS16509
Next message (by thread): [anti-abuse-wg] Yet another BGP hijacking towards AS16509

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ anti-abuse-wg Archives ]