<div dir="ltr">Hi folks,<div><br></div><div>Recently I read a post regarding the recent incident of Celer Network and noticed a very interesting and successful BGP hijacking towards AS16509. </div><div><br></div><div>The attacker AS209243 added AS16509 to their AS-SET and a more specific route object for the /24 where the victim's website is in ALTDB:</div><div>(Below is our IRRd4 server NRTM logging, UTC timezone)</div><div><br></div><div>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31106270-ADD 96126</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31106280-</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31106281-as-set: <span class="gmail-Apple-converted-space"> </span>AS-SET209243</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31106306-descr:<span class="gmail-Apple-converted-space"> </span>quickhost set</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31106332-members:<span class="gmail-Apple-converted-space"> </span>AS209243, AS16509</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31106362:mnt-by: <span class="gmail-Apple-converted-space"> </span>MAINT-QUICKHOSTUK</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31106392-changed:<span class="gmail-Apple-converted-space"> </span><a href="mailto:crussell@quickhostuk.net">crussell@quickhostuk.net</a> 20220816</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31106438-source: <span class="gmail-Apple-converted-space"> </span>ALTDB</p></div><div><br></div><div>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31147549-ADD 96127</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31147559-</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31147560-route:<span class="gmail-Apple-converted-space"> </span><a href="http://44.235.216.0/24">44.235.216.0/24</a></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31147588-descr:<span class="gmail-Apple-converted-space"> </span>route</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31147606-origin: <span class="gmail-Apple-converted-space"> </span>AS16509</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31147626:mnt-by: <span class="gmail-Apple-converted-space"> </span>MAINT-QUICKHOSTUK</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31147656-changed:<span class="gmail-Apple-converted-space"> </span><a href="mailto:crussell@quickhostuk.net">crussell@quickhostuk.net</a> 20220816</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31147702-source: <span class="gmail-Apple-converted-space"> </span>ALTDB</p><br><br>Then they started announcing the prefix ... under another AWS ASN (AS14618)</div><div>I guess AS1299 Arelion doesn't check if the origin AS of an announcement is in the customer's AS-SET but it's pretty normal and understandable.</div><div><br><a href="https://stat.ripe.net/widget/bgplay#w.resource=44.235.216.0/24&w.ignoreReannouncements=true&w.starttime=1660694458&w.endtime=1661032798&w.rrcs=0&w.instant=null&w.type=bgp">https://stat.ripe.net/widget/bgplay#w.resource=44.235.216.0/24&w.ignoreReannouncements=true&w.starttime=1660694458&w.endtime=1661032798&w.rrcs=0&w.instant=null&w.type=bgp</a><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced""><br></p><div style="box-sizing:border-box"><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Type:</span> A > announce <span style="box-sizing:border-box;font-weight:700">Involving:</span> <a href="http://44.235.216.0/24">44.235.216.0/24</a></div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Short description:</span> The new route 34854 1299 209243 14618 has been announced</div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Path:</span> <a class="gmail-bgplayAsLink" style="box-sizing:border-box;background:0px 0px;color:rgb(255,146,74);font-weight:bold">34854</a>, <a 
class="gmail-bgplayAsLink" style="box-sizing:border-box;background:0px 0px;color:rgb(255,146,74);font-weight:bold">1299</a>, <a class="gmail-bgplayAsLink" style="box-sizing:border-box;background:0px 0px;color:rgb(255,146,74);font-weight:bold">209243</a>, <a class="gmail-bgplayAsLink" style="box-sizing:border-box;background:0px 0px;color:rgb(255,146,74);font-weight:bold">14618</a>,</div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Community:</span> 1299:35000,34854:3001</div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Date and time:</span> 2022-08-17 19:39:50 <span style="box-sizing:border-box;font-weight:700">Collected by:</span> 00-2.56.11.1</div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><br></div>Hijacking didn't last too long. AWS started announcing a more specific announcement to prevent hijacking around 3 hours later. 
Kudos to Amazon's security team :-) </div><div style="box-sizing:border-box"> <div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Type:</span> A > announce <span style="box-sizing:border-box;font-weight:700">Involving:</span> <a href="http://44.235.216.0/24">44.235.216.0/24</a></div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Short description:</span> The new route 58057 34549 5511 1299 16509 has been announced</div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Path:</span> <a class="gmail-bgplayAsLink" style="box-sizing:border-box;background:0px 0px;color:rgb(255,146,74);font-weight:bold">58057</a>, <a class="gmail-bgplayAsLink" style="box-sizing:border-box;background:0px 0px;color:rgb(255,146,74);font-weight:bold">34549</a>, <a class="gmail-bgplayAsLink" style="box-sizing:border-box;background:0px 0px;color:rgb(255,146,74);font-weight:bold">5511</a>, <a class="gmail-bgplayAsLink" style="box-sizing:border-box;background:0px 0px;color:rgb(255,146,74);font-weight:bold">1299</a>, <a class="gmail-bgplayAsLink" style="box-sizing:border-box;background:0px 0px;color:rgb(255,146,74);font-weight:bold">16509</a>,</div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Community:</span> 5511:521,5511:666,5511:710,5511:5511,34549:100,34549:5511</div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Date and time:</span> 2022-08-17 23:08:47 <span style="box-sizing:border-box;font-weight:700">Collected by:</span> 00-194.50.92.251</div><div 
style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><br></div>The attacker cleaned up the IRR objects on 17 Aug and surprisingly no one seems to have noticed them ... </div><div style="box-sizing:border-box"><br></div><div style="box-sizing:border-box">
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517714-ADD 96196</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517724-</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517725:as-set: <span class="gmail-Apple-converted-space"> </span>AS-SET209243</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517750-descr:<span class="gmail-Apple-converted-space"> </span>quickhost set</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517776-members:<span class="gmail-Apple-converted-space"> </span>AS209243, AS35437, AS37497</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517815-mnt-by: <span class="gmail-Apple-converted-space"> </span>MAINT-QUICKHOSTUK</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517845-changed:<span class="gmail-Apple-converted-space"> </span><a href="mailto:crussell@quickhostuk.net">crussell@quickhostuk.net</a> 20220817</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517891-source: <span class="gmail-Apple-converted-space"> </span>ALTDB</p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced""><br></p><p class="gmail-p1" style="margin:0px;font:12px ".AppleSystemUIFontMonospaced";min-height:15px"><br></p><p class="gmail-p2" style="margin:0px;font:12px ".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517910-DEL 96197</p><p class="gmail-p2" style="margin:0px;font:12px ".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517920-</p><p class="gmail-p2" style="margin:0px;font:12px ".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517921-route:<span class="gmail-Apple-converted-space"> </span><a href="http://44.235.216.0/24">44.235.216.0/24</a></p><p class="gmail-p2" style="margin:0px;font:12px ".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517949-descr:<span class="gmail-Apple-converted-space"> </span>route</p><p class="gmail-p2" style="margin:0px;font:12px ".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517967-origin: <span class="gmail-Apple-converted-space"> </span>AS16509</p><p class="gmail-p2" style="margin:0px;font:12px ".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517987-mnt-by: <span class="gmail-Apple-converted-space"> </span>MAINT-QUICKHOSTUK</p><p class="gmail-p2" style="margin:0px;font:12px ".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26518017-changed:<span class="gmail-Apple-converted-space"> </span><a href="mailto:crussell@quickhostuk.net">crussell@quickhostuk.net</a> 20220816</p><p class="gmail-p1" 
style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">
</p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26518063-source: <span class="gmail-Apple-converted-space"> </span>ALTDB</p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced""><br></p><p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced""><br></p>Nowadays hijacking a service by forging the AS path is pretty easy and RPKI won't be able to solve this (as it validates origin AS and prefixes only) :-(</div><div style="box-sizing:border-box"><br></div><div style="box-sizing:border-box">Regards,<br>Siyuan<div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><br></div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><br></div></div></div></div>
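A defender-side illustration of the two checks this mail points at, added here as example code that is not part of the original post: a monitor over NRTM journal entries (constructed from the as-set and route objects quoted above) that flags foreign-maintained objects naming your ASN or prefix, and the customer as-set origin filter the author notes Arelion does not apply, which rejects the 209243 14618 path but, as the mail says, cannot see a forged origin. MAINT-OWNER-PLACEHOLDER is a hypothetical maintainer name; all other values come from the mail.

```python
import ipaddress
# Constructed NRTM-style journal: values as quoted in the mail, log prefixes dropped.
JOURNAL = """\
ADD 96126
as-set:   AS-SET209243
members:  AS209243, AS16509
mnt-by:   MAINT-QUICKHOSTUK
source:   ALTDB

ADD 96127
route:    44.235.216.0/24
origin:   AS16509
mnt-by:   MAINT-QUICKHOSTUK
source:   ALTDB
"""

def parse_journal(text):
    """Yield (op, attrs) per ADD/DEL entry; attrs maps RPSL attribute -> value."""
    for block in text.strip().split("\n\n"):
        op, _, body = block.partition("\n")
        attrs = dict(line.partition(":")[::2] for line in body.split("\n") if line.strip())
        yield op.split()[0], {k.strip(): v.strip() for k, v in attrs.items()}

def irr_alerts(text, my_asns, my_prefixes, my_maintainers):
    """Flag objects naming our ASNs or prefixes but held by a maintainer we do not own."""
    nets, alerts = [ipaddress.ip_network(p) for p in my_prefixes], []
    for op, o in parse_journal(text):
        if o.get("mnt-by") in my_maintainers:
            continue  # our own registrations are expected
        if "as-set" in o:
            hit = {m.strip() for m in o["members"].split(",")} & set(my_asns)
            if hit:
                alerts.append(f"{op} {o['as-set']} by {o['mnt-by']} lists {sorted(hit)}")
        elif "route" in o:
            net = ipaddress.ip_network(o["route"])
            if o.get("origin") in my_asns or any(net.subnet_of(n) for n in nets):
                alerts.append(f"{op} route {o['route']} origin {o['origin']} by {o['mnt-by']}")
    return alerts

def irr_filter_accepts(text, customer_as_set, prefix, as_path):
    """IRR-derived prefix/origin filter for one customer as-set; a forged origin still passes."""
    members, route_origin = set(), {}
    for _, o in parse_journal(text):
        if o.get("as-set") == customer_as_set:
            members |= {m.strip() for m in o["members"].split(",")}
        elif "route" in o:
            route_origin[o["route"]] = o["origin"]
    origin = f"AS{as_path[-1]}"  # as_path is the customer-side path, origin last
    return origin in members and route_origin.get(prefix) == origin
```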