This mailing list interface will be retired once we upgrade our mailing list system. Click here to use the new RIPE NCC Forum.
Anti-Abuse Working Group
Threaded
Collapse
[anti-abuse-wg] Yet another BGP hijacking towards AS16509
Hi folks, Recently I read a post regarding the recent incident of Celer Network and noticed a very interesting and successful BGP hijacking towards AS16509. The attacker AS209243 added AS16509 to their AS-SET and a more specific route object for the /24 where the victim's website is in ALTDB: (Below is our IRRd4 server NRTM logging, UTC timezone) irrd.log-20220817.gz:31106270-ADD 96126 irrd.log-20220817.gz:31106280- irrd.log-20220817.gz:31106281-as-set: AS-SET209243 irrd.log-20220817.gz:31106306-descr: quickhost set irrd.log-20220817.gz:31106332-members: AS209243, AS16509 irrd.log-20220817.gz:31106362:mnt-by: MAINT-QUICKHOSTUK irrd.log-20220817.gz:31106392-changed: crussell _at_ quickhostuk _dot_ net 20220816 irrd.log-20220817.gz:31106438-source: ALTDB irrd.log-20220817.gz:31147549-ADD 96127 irrd.log-20220817.gz:31147559- irrd.log-20220817.gz:31147560-route: 44.235.216.0/24 irrd.log-20220817.gz:31147588-descr: route irrd.log-20220817.gz:31147606-origin: AS16509 irrd.log-20220817.gz:31147626:mnt-by: MAINT-QUICKHOSTUK irrd.log-20220817.gz:31147656-changed: crussell _at_ quickhostuk _dot_ net 20220816 irrd.log-20220817.gz:31147702-source: ALTDB Then they started announcing the prefix ... under another AWS ASN (AS14618) I guess AS1299 Arelion doesn't check if the origin AS of an announcement is in the customer's AS-SET but it's pretty normal and understandable. https://stat.ripe.net/widget/bgplay#w.resource=44.235.216.0/24&w.ignoreReannouncements=true&w.starttime=1660694458&w.endtime=1661032798&w.rrcs=0&w.instant=null&w.type=bgp Type: A > announce Involving: 44.235.216.0/24 Short description: The new route 34854 1299 209243 14618 has been announced Path: 34854, 1299, 209243, 14618, Community: 1299:35000,34854:3001 Date and time: 2022-08-17 19:39:50 Collected by: 00-2.56.11.1 Hjacking didn't last too long. AWS started announcing a more specific announcement to prevent hijacking around 3 hours later. Kudos to Amazon's security team :-) Type: A > announce Involving: 44.235.216.0/24 Short description: The new route 58057 34549 5511 1299 16509 has been announced Path: 58057, 34549, 5511, 1299, 16509, Community: 5511:521,5511:666,5511:710,5511:5511,34549:100,34549:5511 Date and time: 2022-08-17 23:08:47 Collected by: 00-194.50.92.251 The attacker cleaned up the IRR objects on 17 Aug and surprisingly no one seems to notice them ... irrd.log-20220819.gz:26517714-ADD 96196 irrd.log-20220819.gz:26517724- irrd.log-20220819.gz:26517725:as-set: AS-SET209243 irrd.log-20220819.gz:26517750-descr: quickhost set irrd.log-20220819.gz:26517776-members: AS209243, AS35437, AS37497 irrd.log-20220819.gz:26517815-mnt-by: MAINT-QUICKHOSTUK irrd.log-20220819.gz:26517845-changed: crussell _at_ quickhostuk _dot_ net 20220817 irrd.log-20220819.gz:26517891-source: ALTDB irrd.log-20220819.gz:26517910-DEL 96197 irrd.log-20220819.gz:26517920- irrd.log-20220819.gz:26517921-route: 44.235.216.0/24 irrd.log-20220819.gz:26517949-descr: route irrd.log-20220819.gz:26517967-origin: AS16509 irrd.log-20220819.gz:26517987-mnt-by: MAINT-QUICKHOSTUK irrd.log-20220819.gz:26518017-changed: crussell _at_ quickhostuk _dot_ net 20220816 irrd.log-20220819.gz:26518063-source: ALTDB Nowadays hijacking a service by forging AS path is pretty easy and RPKI won't be able to solve this (as it validates origin AS and prefixes only) :-( Regards, Siyuan
Just noticed another thing: ➜ ~ whois -h whois.ripe.net -- "--list-versions AS1299" | tail -n10 2862 2022-07-11T14:44:49Z ADD/UPD 2863 2022-07-27T11:17:25Z ADD/UPD 2864 2022-08-02T08:43:02Z ADD/UPD 2865 2022-08-10T12:11:29Z ADD/UPD *2866 2022-08-17T10:47:43Z ADD/UPD2867 2022-08-18T12:53:37Z ADD/UPD* % This query was served by the RIPE Database Query Service version 1.103 (WAGYU) ➜ ~ whois -h whois.ripe.net -- "--show-version 2865 AS1299" | grep 209243 ➜ ~ whois -h whois.ripe.net -- "--show-version 2866 AS1299" | grep 209243 import: from AS209243 accept AS209243 mp-import: afi ipv6 from AS209243 accept AS209243 *➜ ~ whois -h whois.ripe.net -- "--show-version 2867 AS1299" | grep 209243import: from AS209243 accept AS-SET209243mp-import: afi ipv6 from AS209243 accept AS-SET209243* Looks like the first thing that AS209243 had done after they got AS1299 transit is ... hijacking an Amazon prefix ..? On Tue, Aug 23, 2022 at 1:51 AM Siyuan Miao <siyuan _at_ misaka _dot_ io> wrote: > Hi folks, > > Recently I read a post regarding the recent incident of Celer Network and > noticed a very interesting and successful BGP hijacking towards AS16509. > > The attacker AS209243 added AS16509 to their AS-SET and a more specific > route object for the /24 where the victim's website is in ALTDB: > (Below is our IRRd4 server NRTM logging, UTC timezone) > > irrd.log-20220817.gz:31106270-ADD 96126 > > irrd.log-20220817.gz:31106280- > > irrd.log-20220817.gz:31106281-as-set: AS-SET209243 > > irrd.log-20220817.gz:31106306-descr: quickhost set > > irrd.log-20220817.gz:31106332-members: AS209243, AS16509 > > irrd.log-20220817.gz:31106362:mnt-by: MAINT-QUICKHOSTUK > > irrd.log-20220817.gz:31106392-changed: crussell _at_ quickhostuk _dot_ net > 20220816 > > irrd.log-20220817.gz:31106438-source: ALTDB > > irrd.log-20220817.gz:31147549-ADD 96127 > > irrd.log-20220817.gz:31147559- > > irrd.log-20220817.gz:31147560-route: 44.235.216.0/24 > > irrd.log-20220817.gz:31147588-descr: route > > irrd.log-20220817.gz:31147606-origin: AS16509 > > irrd.log-20220817.gz:31147626:mnt-by: MAINT-QUICKHOSTUK > > irrd.log-20220817.gz:31147656-changed: crussell _at_ quickhostuk _dot_ net > 20220816 > > irrd.log-20220817.gz:31147702-source: ALTDB > > > Then they started announcing the prefix ... under another AWS ASN (AS14618) > I guess AS1299 Arelion doesn't check if the origin AS of an announcement > is in the customer's AS-SET but it's pretty normal and understandable. > > > https://stat.ripe.net/widget/bgplay#w.resource=44.235.216.0/24&w.ignoreReannouncements=true&w.starttime=1660694458&w.endtime=1661032798&w.rrcs=0&w.instant=null&w.type=bgp > > > Type: A > announce Involving: 44.235.216.0/24 > Short description: The new route 34854 1299 209243 14618 has been > announced > Path: 34854, 1299, 209243, 14618, > Community: 1299:35000,34854:3001 > Date and time: 2022-08-17 19:39:50 Collected by: 00-2.56.11.1 > > Hjacking didn't last too long. AWS started announcing a more specific > announcement to prevent hijacking around 3 hours later. Kudos to Amazon's > security team :-) > > Type: A > announce Involving: 44.235.216.0/24 > Short description: The new route 58057 34549 5511 1299 16509 has been > announced > Path: 58057, 34549, 5511, 1299, 16509, > Community: 5511:521,5511:666,5511:710,5511:5511,34549:100,34549:5511 > Date and time: 2022-08-17 23:08:47 Collected by: 00-194.50.92.251 > > The attacker cleaned up the IRR objects on 17 Aug and surprisingly no one > seems to notice them ... > > irrd.log-20220819.gz:26517714-ADD 96196 > > irrd.log-20220819.gz:26517724- > > irrd.log-20220819.gz:26517725:as-set: AS-SET209243 > > irrd.log-20220819.gz:26517750-descr: quickhost set > > irrd.log-20220819.gz:26517776-members: AS209243, AS35437, AS37497 > > irrd.log-20220819.gz:26517815-mnt-by: MAINT-QUICKHOSTUK > > irrd.log-20220819.gz:26517845-changed: crussell _at_ quickhostuk _dot_ net > 20220817 > > irrd.log-20220819.gz:26517891-source: ALTDB > > > > irrd.log-20220819.gz:26517910-DEL 96197 > > irrd.log-20220819.gz:26517920- > > irrd.log-20220819.gz:26517921-route: 44.235.216.0/24 > > irrd.log-20220819.gz:26517949-descr: route > > irrd.log-20220819.gz:26517967-origin: AS16509 > > irrd.log-20220819.gz:26517987-mnt-by: MAINT-QUICKHOSTUK > > irrd.log-20220819.gz:26518017-changed: crussell _at_ quickhostuk _dot_ net > 20220816 > > irrd.log-20220819.gz:26518063-source: ALTDB > > > > Nowadays hijacking a service by forging AS path is pretty easy and RPKI > won't be able to solve this (as it validates origin AS and prefixes only) > :-( > > Regards, > Siyuan > > >
In message <CAO3CAMoT9gC_Evd-CcZg06A-o_MajmLtxLHbXFnauDoMyqoSYg _at_ mail.gmail _dot_ com>, Siyuan Miao <siyuan _at_ misaka _dot_ io> wrote: >Hjacking didn't last too long. AWS started announcing a more specific >announcement to prevent hijacking around 3 hours later. Kudos to Amazon's >security team :-) Sorry. I'm missing something here. If the hijack was of 44.235.216.0/24, then how did AWS propagate a "more specific" than that? Regards, rfg
Amazon was only announcing 44.224.0.0/11 at first. https://bgp.tools/prefix/44.235.216.0/24 On Tue, Aug 23, 2022 at 4:03 AM Ronald F. Guilmette <rfg _at_ tristatelogic _dot_ com> wrote: > In message < > CAO3CAMoT9gC_Evd-CcZg06A-o_MajmLtxLHbXFnauDoMyqoSYg _at_ mail.gmail _dot_ com>, > Siyuan Miao <siyuan _at_ misaka _dot_ io> wrote: > > >Hjacking didn't last too long. AWS started announcing a more specific > >announcement to prevent hijacking around 3 hours later. Kudos to Amazon's > >security team :-) > > Sorry. I'm missing something here. If the hijack was of 44.235.216.0/24, > then > how did AWS propagate a "more specific" than that? > > > Regards, > rfg > > -- > > To unsubscribe from this mailing list, get a password reminder, or change > your subscription options, please visit: > https://lists.ripe.net/mailman/listinfo/anti-abuse-wg >