You are here: Home > Participate > Join a Discussion > RIPE Forum
This mailing list interface will be retired once we upgrade our mailing list system. Click here to use the new RIPE NCC Forum.

Anti-Abuse Working Group

Threaded
Collapse

[anti-abuse-wg] Yet another BGP hijacking towards AS16509

User Image

Siyuan Miao

2022-08-23 01:51:14 CET

Hi folks,

Recently I read a post regarding the recent incident of Celer Network and
noticed a very interesting and successful BGP hijacking towards AS16509.

The attacker AS209243 added AS16509 to their AS-SET and a more specific
route object for the /24 where the victim's website is in ALTDB:
(Below is our IRRd4 server NRTM logging, UTC timezone)

irrd.log-20220817.gz:31106270-ADD 96126

irrd.log-20220817.gz:31106280-

irrd.log-20220817.gz:31106281-as-set:     AS-SET209243

irrd.log-20220817.gz:31106306-descr:      quickhost set

irrd.log-20220817.gz:31106332-members:    AS209243, AS16509

irrd.log-20220817.gz:31106362:mnt-by:     MAINT-QUICKHOSTUK

irrd.log-20220817.gz:31106392-changed:    crussell _at_ quickhostuk _dot_ net 20220816

irrd.log-20220817.gz:31106438-source:     ALTDB

irrd.log-20220817.gz:31147549-ADD 96127

irrd.log-20220817.gz:31147559-

irrd.log-20220817.gz:31147560-route:      44.235.216.0/24

irrd.log-20220817.gz:31147588-descr:      route

irrd.log-20220817.gz:31147606-origin:     AS16509

irrd.log-20220817.gz:31147626:mnt-by:     MAINT-QUICKHOSTUK

irrd.log-20220817.gz:31147656-changed:    crussell _at_ quickhostuk _dot_ net 20220816

irrd.log-20220817.gz:31147702-source:     ALTDB


Then they started announcing the prefix ... under another AWS ASN (AS14618)
I guess AS1299 Arelion doesn't check if the origin AS of an announcement is
in the customer's AS-SET but it's pretty normal and understandable.

https://stat.ripe.net/widget/bgplay#w.resource=44.235.216.0/24&w.ignoreReannouncements=true&w.starttime=1660694458&w.endtime=1661032798&w.rrcs=0&w.instant=null&w.type=bgp


Type: A > announce Involving: 44.235.216.0/24
Short description: The new route 34854 1299 209243 14618 has been announced
Path: 34854, 1299, 209243, 14618,
Community: 1299:35000,34854:3001
Date and time: 2022-08-17 19:39:50 Collected by: 00-2.56.11.1

Hjacking didn't last too long. AWS started announcing a more specific
announcement to prevent hijacking around 3 hours later. Kudos to Amazon's
security team :-)

Type: A > announce Involving: 44.235.216.0/24
Short description: The new route 58057 34549 5511 1299 16509 has been
announced
Path: 58057, 34549, 5511, 1299, 16509,
Community: 5511:521,5511:666,5511:710,5511:5511,34549:100,34549:5511
Date and time: 2022-08-17 23:08:47 Collected by: 00-194.50.92.251

The attacker cleaned up the IRR objects on 17 Aug and surprisingly no one
seems to notice them ...

irrd.log-20220819.gz:26517714-ADD 96196

irrd.log-20220819.gz:26517724-

irrd.log-20220819.gz:26517725:as-set:     AS-SET209243

irrd.log-20220819.gz:26517750-descr:      quickhost set

irrd.log-20220819.gz:26517776-members:    AS209243, AS35437, AS37497

irrd.log-20220819.gz:26517815-mnt-by:     MAINT-QUICKHOSTUK

irrd.log-20220819.gz:26517845-changed:    crussell _at_ quickhostuk _dot_ net 20220817

irrd.log-20220819.gz:26517891-source:     ALTDB



irrd.log-20220819.gz:26517910-DEL 96197

irrd.log-20220819.gz:26517920-

irrd.log-20220819.gz:26517921-route:      44.235.216.0/24

irrd.log-20220819.gz:26517949-descr:      route

irrd.log-20220819.gz:26517967-origin:     AS16509

irrd.log-20220819.gz:26517987-mnt-by:     MAINT-QUICKHOSTUK

irrd.log-20220819.gz:26518017-changed:    crussell _at_ quickhostuk _dot_ net 20220816

irrd.log-20220819.gz:26518063-source:     ALTDB



Nowadays hijacking a service by forging AS path is pretty easy and RPKI
won't be able to solve this (as it validates origin AS and prefixes only)
:-(

Regards,
Siyuan
User Image

Siyuan Miao

2022-08-23 02:15:47 CET

Just noticed another thing:

➜  ~ whois -h whois.ripe.net -- "--list-versions AS1299" | tail -n10
2862  2022-07-11T14:44:49Z  ADD/UPD
2863  2022-07-27T11:17:25Z  ADD/UPD
2864  2022-08-02T08:43:02Z  ADD/UPD
2865  2022-08-10T12:11:29Z  ADD/UPD


*2866  2022-08-17T10:47:43Z  ADD/UPD2867  2022-08-18T12:53:37Z  ADD/UPD*
% This query was served by the RIPE Database Query Service version 1.103
(WAGYU)

➜  ~ whois -h whois.ripe.net -- "--show-version 2865 AS1299" | grep 209243
➜  ~ whois -h whois.ripe.net -- "--show-version 2866 AS1299" | grep 209243
import:         from  AS209243 accept AS209243
mp-import:      afi ipv6 from AS209243 accept AS209243


*➜  ~ whois -h whois.ripe.net  -- "--show-version
2867 AS1299" | grep 209243import:         from  AS209243 accept
AS-SET209243mp-import:      afi ipv6 from AS209243 accept AS-SET209243*

Looks like the first thing that AS209243 had done after they got AS1299
transit is ... hijacking an Amazon prefix ..?

On Tue, Aug 23, 2022 at 1:51 AM Siyuan Miao <siyuan _at_ misaka _dot_ io> wrote:

> Hi folks,
>
> Recently I read a post regarding the recent incident of Celer Network and
> noticed a very interesting and successful BGP hijacking towards AS16509.
>
> The attacker AS209243 added AS16509 to their AS-SET and a more specific
> route object for the /24 where the victim's website is in ALTDB:
> (Below is our IRRd4 server NRTM logging, UTC timezone)
>
> irrd.log-20220817.gz:31106270-ADD 96126
>
> irrd.log-20220817.gz:31106280-
>
> irrd.log-20220817.gz:31106281-as-set:     AS-SET209243
>
> irrd.log-20220817.gz:31106306-descr:      quickhost set
>
> irrd.log-20220817.gz:31106332-members:    AS209243, AS16509
>
> irrd.log-20220817.gz:31106362:mnt-by:     MAINT-QUICKHOSTUK
>
> irrd.log-20220817.gz:31106392-changed:    crussell _at_ quickhostuk _dot_ net
> 20220816
>
> irrd.log-20220817.gz:31106438-source:     ALTDB
>
> irrd.log-20220817.gz:31147549-ADD 96127
>
> irrd.log-20220817.gz:31147559-
>
> irrd.log-20220817.gz:31147560-route:      44.235.216.0/24
>
> irrd.log-20220817.gz:31147588-descr:      route
>
> irrd.log-20220817.gz:31147606-origin:     AS16509
>
> irrd.log-20220817.gz:31147626:mnt-by:     MAINT-QUICKHOSTUK
>
> irrd.log-20220817.gz:31147656-changed:    crussell _at_ quickhostuk _dot_ net
> 20220816
>
> irrd.log-20220817.gz:31147702-source:     ALTDB
>
>
> Then they started announcing the prefix ... under another AWS ASN (AS14618)
> I guess AS1299 Arelion doesn't check if the origin AS of an announcement
> is in the customer's AS-SET but it's pretty normal and understandable.
>
>
> https://stat.ripe.net/widget/bgplay#w.resource=44.235.216.0/24&w.ignoreReannouncements=true&w.starttime=1660694458&w.endtime=1661032798&w.rrcs=0&w.instant=null&w.type=bgp
>
>
> Type: A > announce Involving: 44.235.216.0/24
> Short description: The new route 34854 1299 209243 14618 has been
> announced
> Path: 34854, 1299, 209243, 14618,
> Community: 1299:35000,34854:3001
> Date and time: 2022-08-17 19:39:50 Collected by: 00-2.56.11.1
>
> Hjacking didn't last too long. AWS started announcing a more specific
> announcement to prevent hijacking around 3 hours later. Kudos to Amazon's
> security team :-)
>
> Type: A > announce Involving: 44.235.216.0/24
> Short description: The new route 58057 34549 5511 1299 16509 has been
> announced
> Path: 58057, 34549, 5511, 1299, 16509,
> Community: 5511:521,5511:666,5511:710,5511:5511,34549:100,34549:5511
> Date and time: 2022-08-17 23:08:47 Collected by: 00-194.50.92.251
>
> The attacker cleaned up the IRR objects on 17 Aug and surprisingly no one
> seems to notice them ...
>
> irrd.log-20220819.gz:26517714-ADD 96196
>
> irrd.log-20220819.gz:26517724-
>
> irrd.log-20220819.gz:26517725:as-set:     AS-SET209243
>
> irrd.log-20220819.gz:26517750-descr:      quickhost set
>
> irrd.log-20220819.gz:26517776-members:    AS209243, AS35437, AS37497
>
> irrd.log-20220819.gz:26517815-mnt-by:     MAINT-QUICKHOSTUK
>
> irrd.log-20220819.gz:26517845-changed:    crussell _at_ quickhostuk _dot_ net
> 20220817
>
> irrd.log-20220819.gz:26517891-source:     ALTDB
>
>
>
> irrd.log-20220819.gz:26517910-DEL 96197
>
> irrd.log-20220819.gz:26517920-
>
> irrd.log-20220819.gz:26517921-route:      44.235.216.0/24
>
> irrd.log-20220819.gz:26517949-descr:      route
>
> irrd.log-20220819.gz:26517967-origin:     AS16509
>
> irrd.log-20220819.gz:26517987-mnt-by:     MAINT-QUICKHOSTUK
>
> irrd.log-20220819.gz:26518017-changed:    crussell _at_ quickhostuk _dot_ net
> 20220816
>
> irrd.log-20220819.gz:26518063-source:     ALTDB
>
>
>
> Nowadays hijacking a service by forging AS path is pretty easy and RPKI
> won't be able to solve this (as it validates origin AS and prefixes only)
> :-(
>
> Regards,
> Siyuan
>
>
>

Ronald F. Guilmette

2022-08-23 04:03:19 CET

In message <CAO3CAMoT9gC_Evd-CcZg06A-o_MajmLtxLHbXFnauDoMyqoSYg _at_ mail.gmail _dot_ com>, 
Siyuan Miao <siyuan _at_ misaka _dot_ io> wrote:

>Hjacking didn't last too long. AWS started announcing a more specific
>announcement to prevent hijacking around 3 hours later. Kudos to Amazon's
>security team :-)

Sorry.  I'm missing something here.  If the hijack was of 44.235.216.0/24, then
how did AWS propagate a "more specific" than that?


Regards,
rfg
User Image

Siyuan Miao

2022-08-23 04:05:16 CET

Amazon was only announcing 44.224.0.0/11 at first.

https://bgp.tools/prefix/44.235.216.0/24

On Tue, Aug 23, 2022 at 4:03 AM Ronald F. Guilmette <rfg _at_ tristatelogic _dot_ com>
wrote:

> In message <
> CAO3CAMoT9gC_Evd-CcZg06A-o_MajmLtxLHbXFnauDoMyqoSYg _at_ mail.gmail _dot_ com>,
> Siyuan Miao <siyuan _at_ misaka _dot_ io> wrote:
>
> >Hjacking didn't last too long. AWS started announcing a more specific
> >announcement to prevent hijacking around 3 hours later. Kudos to Amazon's
> >security team :-)
>
> Sorry.  I'm missing something here.  If the hijack was of 44.235.216.0/24,
> then
> how did AWS propagate a "more specific" than that?
>
>
> Regards,
> rfg
>
> --
>
> To unsubscribe from this mailing list, get a password reminder, or change
> your subscription options, please visit:
> https://lists.ripe.net/mailman/listinfo/anti-abuse-wg
>
Anti-Abuse Working Group