BGP.guru

Nerd blog.

10 Aug 2014

BGP Hijacking In News Again

It's been 4 months since I last wrote about global BGP hijacking, when Indosat advertised 320k prefixes. This time the Dell SecureWorks Counter Threat Unit has documented 51 hijacked more-specific prefixes, which were used, together with overly trusting network code in cryptocoin mining pool software (no TLS), to redirect miners to an alternate mining server running on a bogon route at 206.223.224.225.

The article doesn't mention the specific Canadian ISP which originated the hijacking, nor its upstream, but it is not hard to discover both through RIPE's RIPEstat service; here is 54.214.242.0/24 and its history from January 1 through May 31. 54.214.242.0/24 was the first, and the most often hijacked, network listed in Appendix A of the SecureWorks article.

206.223.224.0/24 is a bogon (unallocated) prefix. One of AS21548's peers, AS6939, did not filter that session, and so allowed the more-specific /24s to propagate across the internet, and also accepted and propagated the bogon. At the time of writing this route is still actively propagated from AS21548 via AS6939.

I took the list from Appendix A and ran it through sort, awk, sort, and uniq to determine how many times each network was reported to have been hijacked. I have posted the result as a gist.
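To make the two points above concrete (the counting pass over the Appendix A list, and the two route properties a peering filter should have rejected: more-specifics of someone else's allocation, and bogon space), here is a small added triage script. It is example code written for this post, not the gist or anything from SecureWorks. The report lines are constructed in the shape "start time, prefix, origin ASN" using prefixes and the origin AS named in the post; the timestamps and repetition counts are made up, the covering aggregates (`54.214.0.0/16`, `162.243.0.0/16`) are assumed for illustration, and the bogon list contains only the /24 the post identifies.

```python
"""Hijack-list triage: count how often each prefix was hijacked (the
sort | awk | sort | uniq step from the post) and flag the two route
properties the post blames: more-specifics of another party's
allocation, and bogon/unallocated space."""
from collections import Counter
from ipaddress import ip_network

# Constructed sample in an Appendix-A style layout:
# "<start time> <hijacked prefix> <origin ASN>". The prefixes and AS21548
# come from the post; timestamps and repetitions are made up.
SAMPLE_REPORT = """\
2014-02-03T01:10 54.214.242.0/24 AS21548
2014-02-03T04:25 162.243.226.0/24 AS21548
2014-02-04T00:02 54.214.242.0/24 AS21548
2014-02-04T00:20 162.243.142.0/24 AS21548
2014-02-05T12:00 54.214.242.0/24 AS21548
2014-02-05T12:30 206.223.224.0/24 AS21548
2014-02-06T08:15 162.243.226.0/24 AS21548
"""

# Assumed covering allocations (hypothetical: the post names the /24s,
# not their aggregates). A real check would use RIR / IRR data.
KNOWN_ALLOCATIONS = {
    "54.214.0.0/16": "example-cloud-A",
    "162.243.0.0/16": "example-cloud-B",
}

# Unallocated space as identified in the post at the time of writing.
# A production filter would fetch the current bogon list instead.
BOGONS = ["206.223.224.0/24"]


def parse_report(text):
    """Return (timestamp, IPv4Network, origin_asn) tuples; skip bad lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, prefix, asn = parts
        rows.append((ts, ip_network(prefix), asn))
    return rows


def count_by_prefix(rows):
    """Equivalent of `awk '{print $2}' | sort | uniq -c | sort -rn`:
    list of (prefix, count), most-hijacked first, ties by prefix string."""
    counts = Counter(str(prefix) for _, prefix, _ in rows)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def classify(prefix, allocations=KNOWN_ALLOCATIONS, bogons=BOGONS):
    """Say why a route should have been dropped at the peering edge,
    or "ok" if neither rule applies."""
    if any(prefix.subnet_of(ip_network(b)) for b in bogons):
        return "bogon"
    for alloc, holder in allocations.items():
        net = ip_network(alloc)
        # The aggregate itself is fine; only a strictly longer prefix
        # inside it is the hijack pattern from the post.
        if prefix != net and prefix.subnet_of(net):
            return f"more-specific of {alloc} ({holder})"
    return "ok"


def triage(text):
    """Run both passes over a report and return the results together."""
    rows = parse_report(text)
    return {
        "counts": count_by_prefix(rows),
        "verdicts": {str(p): classify(p) for _, p, _ in rows},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for prefix, n in result["counts"]:
        print(f"{n:3d} {prefix:20s} {result['verdicts'][prefix]}")
```

`classify` is the interesting half: on a real session you would apply the same two rules as an inbound prefix-list (reject bogons, and reject prefixes longer than the allocation a peer is authorised to originate), which is exactly the filtering the post says was missing on the AS6939 side.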

I feel for Digital Ocean customers in 162.243.226.0/24 and 162.243.142.0/24; their service would have been affected 14+ times in short blips. With each hijacking lasting only 10-15 minutes, this would have been frustrating for both sides to troubleshoot, to say the least. There were 9 Digital Ocean prefixes hijacked in total.


Update 2014-08-12: BGPMon has an article up about the hijackings: http://www.bgpmon.net/the-canadian-bitcoin-hijack/


Theodore Baschak - Theo is a network engineer with experience operating core internet technologies like HTTP, HTTPS and DNS. He has extensive experience running service provider networks with OSPF, MPLS, and BGP.