<div dir="ltr">Just noticed another thing:<div><br></div><div>➜ ~ whois -h <a href="http://whois.ripe.net" target="_blank">whois.ripe.net</a> -- "--list-versions AS1299" | tail -n10<br>2862 2022-07-11T14:44:49Z ADD/UPD<br>2863 2022-07-27T11:17:25Z ADD/UPD<br>2864 2022-08-02T08:43:02Z ADD/UPD<br>2865 2022-08-10T12:11:29Z ADD/UPD<br><b>2866 2022-08-17T10:47:43Z ADD/UPD<br>2867 2022-08-18T12:53:37Z ADD/UPD<br></b><br>% This query was served by the RIPE Database Query Service version 1.103 (WAGYU)<br><br>➜ ~ whois -h <a href="http://whois.ripe.net" target="_blank">whois.ripe.net</a> -- "--show-version 2865 AS1299" | grep 209243<br>➜ ~ whois -h <a href="http://whois.ripe.net" target="_blank">whois.ripe.net</a> -- "--show-version 2866 AS1299" | grep 209243<br>import: from AS209243 accept AS209243<br>mp-import: afi ipv6 from AS209243 accept AS209243<br><b>➜ ~ whois -h <a href="http://whois.ripe.net" target="_blank">whois.ripe.net</a> -- "--show-version 2867 AS1299" | grep 209243<br>import: from AS209243 accept AS-SET209243<br>mp-import: afi ipv6 from AS209243 accept AS-SET209243</b><br></div><div><b><br></b></div><div>Looks like the first thing that AS209243 had done after they got AS1299 transit is ... hijacking an Amazon prefix ..?</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Aug 23, 2022 at 1:51 AM Siyuan Miao <<a href="mailto:siyuan@misaka.io" target="_blank">siyuan@misaka.io</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi folks,<div><br></div><div>Recently I read a post regarding the recent incident of Celer Network and noticed a very interesting and successful BGP hijacking towards AS16509. 
</div><div><br></div><div>The attacker AS209243 added AS16509 to their AS-SET and a more specific route object for the /24 where the victim's website is in ALTDB:</div><div>(Below is our IRRd4 server NRTM logging, UTC timezone)</div><div><br></div><div>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31106270-ADD 96126</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31106280-</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31106281-as-set: <span> </span>AS-SET209243</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31106306-descr:<span> </span>quickhost set</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31106332-members:<span> </span>AS209243, AS16509</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31106362:mnt-by: <span> </span>MAINT-QUICKHOSTUK</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31106392-changed:<span> </span><a href="mailto:crussell@quickhostuk.net" target="_blank">crussell@quickhostuk.net</a> 20220816</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31106438-source: <span> </span>ALTDB</p></div><div><br></div><div>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31147549-ADD 96127</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31147559-</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31147560-route:<span> </span><a href="http://44.235.216.0/24" target="_blank">44.235.216.0/24</a></p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31147588-descr:<span> </span>route</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31147606-origin: <span> </span>AS16509</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31147626:mnt-by: <span> </span>MAINT-QUICKHOSTUK</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31147656-changed:<span> </span><a href="mailto:crussell@quickhostuk.net" target="_blank">crussell@quickhostuk.net</a> 20220816</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220817.gz:31147702-source: <span> </span>ALTDB</p><br><br>Then they started announcing the prefix ... under another AWS ASN (AS14618)</div><div>I guess AS1299 Arelion doesn't check if the origin AS of an announcement is in the customer's AS-SET but it's pretty normal and understandable.</div><div><br><a href="https://stat.ripe.net/widget/bgplay#w.resource=44.235.216.0/24&w.ignoreReannouncements=true&w.starttime=1660694458&w.endtime=1661032798&w.rrcs=0&w.instant=null&w.type=bgp" target="_blank">https://stat.ripe.net/widget/bgplay#w.resource=44.235.216.0/24&w.ignoreReannouncements=true&w.starttime=1660694458&w.endtime=1661032798&w.rrcs=0&w.instant=null&w.type=bgp</a><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced""><br></p><div style="box-sizing:border-box"><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Type:</span> A > announce <span style="box-sizing:border-box;font-weight:700">Involving:</span> <a href="http://44.235.216.0/24" target="_blank">44.235.216.0/24</a></div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Short description:</span> The new route 34854 1299 209243 14618 has been announced</div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Path:</span> <a style="box-sizing:border-box;background:0px 0px;color:rgb(255,146,74);font-weight:bold">34854</a>, <a style="box-sizing:border-box;background:0px 
0px;color:rgb(255,146,74);font-weight:bold">1299</a>, <a style="box-sizing:border-box;background:0px 0px;color:rgb(255,146,74);font-weight:bold">209243</a>, <a style="box-sizing:border-box;background:0px 0px;color:rgb(255,146,74);font-weight:bold">14618</a>,</div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Community:</span> 1299:35000,34854:3001</div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Date and time:</span> 2022-08-17 19:39:50 <span style="box-sizing:border-box;font-weight:700">Collected by:</span> 00-2.56.11.1</div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><br></div>Hijacking didn't last too long. AWS started announcing a more specific announcement to prevent hijacking around 3 hours later. Kudos to Amazon's security team :-) </div><div style="box-sizing:border-box"> <div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Type:</span> A > announce <span style="box-sizing:border-box;font-weight:700">Involving:</span> <a href="http://44.235.216.0/24" target="_blank">44.235.216.0/24</a></div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Short description:</span> The new route 58057 34549 5511 1299 16509 has been announced</div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Path:</span> <a style="box-sizing:border-box;background:0px 0px;color:rgb(255,146,74);font-weight:bold">58057</a>, <a style="box-sizing:border-box;background:0px 
0px;color:rgb(255,146,74);font-weight:bold">34549</a>, <a style="box-sizing:border-box;background:0px 0px;color:rgb(255,146,74);font-weight:bold">5511</a>, <a style="box-sizing:border-box;background:0px 0px;color:rgb(255,146,74);font-weight:bold">1299</a>, <a style="box-sizing:border-box;background:0px 0px;color:rgb(255,146,74);font-weight:bold">16509</a>,</div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Community:</span> 5511:521,5511:666,5511:710,5511:5511,34549:100,34549:5511</div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><span style="box-sizing:border-box;font-weight:700">Date and time:</span> 2022-08-17 23:08:47 <span style="box-sizing:border-box;font-weight:700">Collected by:</span> 00-194.50.92.251</div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><br></div>The attacker cleaned up the IRR objects on 17 Aug and surprisingly no one seems to notice them ... </div><div style="box-sizing:border-box"><br></div><div style="box-sizing:border-box">
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517714-ADD 96196</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517724-</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517725:as-set: <span> </span>AS-SET209243</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517750-descr:<span> </span>quickhost set</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517776-members:<span> </span>AS209243, AS35437, AS37497</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517815-mnt-by: <span> </span>MAINT-QUICKHOSTUK</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517845-changed:<span> </span><a href="mailto:crussell@quickhostuk.net" target="_blank">crussell@quickhostuk.net</a> 20220817</p>
<p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517891-source: <span> </span>ALTDB</p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced""><br></p><p style="margin:0px;font:12px ".AppleSystemUIFontMonospaced";min-height:15px"><br></p><p style="margin:0px;font:12px ".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517910-DEL 96197</p><p style="margin:0px;font:12px ".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517920-</p><p style="margin:0px;font:12px ".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517921-route:<span> </span><a href="http://44.235.216.0/24" target="_blank">44.235.216.0/24</a></p><p style="margin:0px;font:12px ".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517949-descr:<span> </span>route</p><p style="margin:0px;font:12px ".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517967-origin: <span> </span>AS16509</p><p style="margin:0px;font:12px ".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26517987-mnt-by: <span> </span>MAINT-QUICKHOSTUK</p><p style="margin:0px;font:12px ".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26518017-changed:<span> </span><a href="mailto:crussell@quickhostuk.net" target="_blank">crussell@quickhostuk.net</a> 20220816</p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">
</p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced"">irrd.log-20220819.gz:26518063-source: <span> </span>ALTDB</p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced""><br></p><p style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:".AppleSystemUIFontMonospaced""><br></p>Nowadays hijacking a service by forging AS path is pretty easy and RPKI won't be able to solve this (as it validates origin AS and prefixes only) :-(</div><div style="box-sizing:border-box"><br></div><div style="box-sizing:border-box">Regards,<br>Siyuan<div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><br></div><div style="color:rgb(51,51,51);font-family:Verdana,sans-serif;font-size:10px;box-sizing:border-box"><br></div></div></div></div>
</blockquote></div>
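<div dir="ltr">Added example, not code from either message in this thread: a small Python script that replays the objects quoted above through the checks a transit provider could run on a customer session. Part one parses two versions of an aut-num (constructed excerpts of the <code>--show-version</code> output, limited to the AS209243 lines) and reports which import lines changed between versions, which automates the grep-by-version comparison at the top of the thread. Part two takes the ALTDB as-set and route objects from the NRTM log, builds the IRR-derived prefix list a transit would generate from AS-SET209243, and evaluates the observed announcement against three checks: the prefix list, whether the origin AS is a member of the customer's as-set (the check the thread notes AS1299 does not apply), and RPKI origin validation, plus a check on the AS in front of the origin. The ROA for 44.235.216.0/24 and the upstream-authorisation table are constructed for the demonstration, the thread states neither, and all function names are this example's own.</div>

```python
# Added example (not the thread's code): replays the RPSL objects quoted in the
# thread through checks a transit could run. Inputs are constructed from the
# messages; the ROA table and the upstream table are hypothetical.
import ipaddress
import re


def parse_rpsl(text):
    """Split blank-line separated RPSL text into dicts; values are lists."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    return objects + [current] if current else objects


# 1. Which aut-num version changed AS1299's policy for AS209243?
# Constructed excerpts of the --show-version output, AS209243 lines only.
AUTNUM_2865 = "aut-num: AS1299\n"
AUTNUM_2866 = ("aut-num: AS1299\nimport: from AS209243 accept AS209243\n"
               "mp-import: afi ipv6 from AS209243 accept AS209243\n")
AUTNUM_2867 = ("aut-num: AS1299\nimport: from AS209243 accept AS-SET209243\n"
               "mp-import: afi ipv6 from AS209243 accept AS-SET209243\n")
IMPORT_RE = re.compile(r"from\s+(AS\d+)\s+accept\s+(\S+)", re.I)


def import_policy(autnum_text):
    """Map (attribute, peer AS) -> accepted filter for each import line."""
    obj, policy = parse_rpsl(autnum_text)[0], {}
    for attr in ("import", "mp-import"):
        for m in filter(None, map(IMPORT_RE.search, obj.get(attr, []))):
            policy[(attr, m.group(1).upper())] = m.group(2)
    return policy


def diff_imports(old_text, new_text):
    """{(attr, peer): (old_filter, new_filter)} for every entry that changed."""
    old, new = import_policy(old_text), import_policy(new_text)
    return {k: (old.get(k), new.get(k)) for k in old.keys() | new.keys()
            if old.get(k) != new.get(k)}


# 2. Would the hijack have passed the customer-facing checks?
# ALTDB objects from the NRTM log quoted above (log prefixes stripped).
IRR_20220816 = """\
as-set:  AS-SET209243
members: AS209243, AS16509

route:   44.235.216.0/24
origin:  AS16509
"""
# After the 17 Aug clean-up: route object deleted, AS16509 dropped from the set.
IRR_20220817 = "as-set:  AS-SET209243\nmembers: AS209243, AS35437, AS37497\n"
# Hypothetical ROA (prefix, maxLength, origin); the thread gives no ROA data.
ROAS = [("44.235.0.0/16", 24, 16509)]
# Constructed upstream authorisation: the recovery path 5511 1299 16509 shows
# AS1299 in front of AS16509; AS209243 is not a legitimate upstream of it.
AUTHORISED_UPSTREAMS = {16509: {1299}}


def as_set_members(objects, name):
    """Direct ASN members of an as-set (nested set references not expanded)."""
    members = set()
    for obj in objects:
        if obj.get("as-set") == [name]:
            for m in re.split(r"[,\s]+", " ".join(obj.get("members", []))):
                if re.fullmatch(r"AS\d+", m, re.I):
                    members.add(int(m[2:]))
    return members


def rov_state(net, origin):
    """RPKI origin validation against ROAS: valid / invalid / not-found."""
    covering = [(ml, asn) for p, ml, asn in ROAS if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "not-found"
    ok = any(asn == origin and net.prefixlen <= ml for ml, asn in covering)
    return "valid" if ok else "invalid"


def upstream_state(as_path):
    """Is the AS directly in front of the origin an authorised upstream?"""
    origin = as_path[-1]
    if len(as_path) < 2 or origin not in AUTHORISED_UPSTREAMS:
        return "unknown"
    return "valid" if as_path[-2] in AUTHORISED_UPSTREAMS[origin] else "invalid"


def evaluate(prefix, as_path, irr_text, customer_set="AS-SET209243"):
    """as_path as received on the customer session: as_path[0] is the customer."""
    objects = parse_rpsl(irr_text)
    members = as_set_members(objects, customer_set)
    net, origin = ipaddress.ip_network(prefix), as_path[-1]
    # Prefix list a transit generates from IRR: route objects whose origin is a member.
    allowed = {ipaddress.ip_network(o["route"][0]) for o in objects
               if "route" in o and int(o["origin"][0][2:]) in members}
    return {"irr_prefix_filter": any(net.subnet_of(p) for p in allowed),
            "origin_in_as_set": origin in members,
            "rpki_rov": rov_state(net, origin),
            "upstream_authorised": upstream_state(as_path)}


if __name__ == "__main__":
    print(diff_imports(AUTNUM_2865, AUTNUM_2866), diff_imports(AUTNUM_2866, AUTNUM_2867))
    for path, irr in (([209243, 14618], IRR_20220816),   # observed hijack
                      ([209243, 16509], IRR_20220816),   # forged-origin variant
                      ([209243, 16509], IRR_20220817)):  # after the clean-up
        print(path, evaluate("44.235.216.0/24", path, irr))
```

<div dir="ltr">Run it directly to print the version diffs and the verdicts. With the constructed ROA, the observed path (origin AS14618) is RPKI-invalid and also fails the as-set membership check, but the variant with origin AS16509 passes the IRR prefix list, the as-set check and origin validation, because the forged route object and as-set made it look legitimate; only the check on who is allowed to sit directly in front of AS16509 rejects it, which is the origin-only limitation Siyuan's last paragraph points at. Rebuilding the filter from the 17 Aug objects rejects the prefix outright, since the route object is gone.</div>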