BGP multiple banking addresses hijacked

Published: 2013-07-29. Last Updated: 2013-07-30 00:29:00 UTC
by Adrien de Beaupre (Version: 1)
11 comment(s)

BGP multiple banking addresses hijacked

On 24 July 2013 a significant number of Internet Protocol (IP) addresses that belong to banks suddenly were routed to somewhere else. An IP address is how packets are routed to their destination across the Internet. Why is this important you ask? Well, imagine the Internet suddenly decided that you were living in the middle of Asia and all traffic that should go to you ends up traveling through a number of other countries to get to you, but you aren't there. You are still at home and haven't moved at all. All packets that should happily route to you now route elsewhere. Emails sent to you bounce as undeliverable, or are read by other people. Banking transactions fail. HTTPS handshakes get invalid certificate errors. This defeats the confidentiality, integrity, and availability of all applications running in the hijacked address spaces for the time that the hijack is running. In fact this sounds like a nifty way to attack an organization doesn't it? The question then would be how to pull it off, hijack someone else's address? The Autonomous System (AS) in question is owned by NedZone Internet BV in the Netherlands. This can be found by querying whois for the AS 25459. According to RIPE this AS originated 369 prefixes in the last 30 days, of these 310 had unusually small prefixes. Typically a BGP advertisement is at least a /24 or 256 unique Internet addressable IPs. A large number of these were /32 or single IP addresses. The short answer is that any Internet Service Provider (ISP) that is part of the global Border Gateway Protocol (BGP) network can advertise a route to a prefix that it owns. It simply updates the routing tables to point to itself, and then the updates propagate throughout the Internet. If an ISP announces for a prefix it does not own, traffic may be routed to it, instead of to the owner. The more specific prefix, or the one with the shortest apparent route wins. That's all it takes to disrupt traffic to virtually anyone on the Internet, connectivity and willingness to announce a route that does not belong to you. This is not a new attack, it has happened numerous times in the past, both malicious attacks and accidental typos have been the cause.

The announcements from AS 25459 can be seen at:
http://www.ris.ripe.net/mt/asdashboard.html?as=25459

A sampling of some of the owners of the IP addresses that were hijacked follow:
1  AMAZON-AES - Amazon.com, Inc.
2  AS-7743 - JPMorgan Chase & Co.
1  ASN-BBT-ASN - Branch Banking and Trust Company
2  BANK-OF-AMERICA Bank of America
1  CEGETEL-AS Societe Francaise du Radiotelephone S.A
1  FIRSTBANK - FIRSTBANK
1  HSBC-HK-AS HSBC HongKong
1  PFG-ASN-1 - The Principal Financial Group
2  PNCBANK - PNC Bank
1  REGIONS-ASN-1 - REGIONS FINANCIAL CORPORATION

Some on the list were owned by that ISP, the prefix size is what was odd about them. The bulk of the IP addresses were owned by various hosting providers. So, the question is:

What happened?

Makes you wonder about the fundamental (in)security of this set of experimental protocols we use called the Internet doesn't it?

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

My SANS Teaching Schedule


 

Keywords: bpg hijack
11 comment(s)

Comments

AS286 provides IP Transit to AS25459. What happened is that both AS286 and AS25459 did not have proper filtering in place. AS286 leaked AS25459's blackhole routes to it's peers, and a handful accepted those more specifics. This lasted a few minutes before they realized what was going on and a fix was put into place.

Describing "5 minute accidental blackhole route leakage" as "Multiple banking addresses hijacked" makes for a better and more sensational head line. I fully understand if you must blow this event out of proportion.
Well, I can't imagine the affected networks being too happy about their traffic being rerouted to the Netherlands.

Anyway why would an ISP want to deliberately blackhole IP ranges such as those?
Seriously, does anyone have to be concerned if they were actually doing online banking at that time? Logging in, etc.
One would think it would be advisable to change your password if you were actually on at that time if you were?
FYI, some of those IP addresses were for large banking sites like chase.com. No, you needn't worry about your security. BGP hijacking--unless itself leveraging MITM *and* as part of a triad of MITM and certificate fraud would only be useful for disrupting traffic to those IP addresses, not intercepting. If this was a valid (but momentarily leaked out) blackhole list used by that Nedzone, it would serve to deny systems only hosted at Nedzone from reaching those banking sites. If a bunch of systems hosted by Nedzone were historically engaged in banking fraud or attacks, it sounds like Nedzone might have been being proactive. After all, the typical person would not do their online banking from a Dutch data center. Unless of course it was leaked out of the ASN, the Nedzone blackhole list shouldn't be effecting anyone other than miscreants.
Assuming all of the facts in the story are accurate, what are you objecting to?
I did not say it was malicious, it all points to incompetence.
If it was malicious likely it would have been more successful and less obvious.
BGP best practices were not being adhered to, which is one of the points I should have emphasized more clearly.
"5 minute accidental blackhole route leakage" poses more questions than it answers.
For example why blackhole those IP addresses?
Why was there no mitigation in place?
No change control process?
No configuration management?
Why no public explanation or apology?

I am not a journalist, so the sensationalism or not of the title is irrelevant to me. Factual accuracy is.
I don't feel I blew it out of proportion at all. I could have written "Incredibly incompetence in BGP update", is that better?
I think the issue underscores the reliance we all have on essentially fragile protocols.

Cheers,
Adrien de Beaupre
SANS Internet Storm Center Handler
GIAC Certified (GXPN, GCIH, GCIA, GPEN, GWAPT, GSEC)
Have you tried contacting either of the involved parties to obtain the answers to your questions?
I recommend all organizations which manage their own Address space and/or BGP to use UCLA's Cyclops for monitoring and notification. It will report to you if someone other than your ASN is announcing your prefix(es), or if it/they is/are coming from another ISP other than your upstream ASN Peer(s):

http://cyclops.cs.ucla.edu/

Obviously you need the email notifications going to servers beyond just your own servers, if they reside within your normal Address space. You know, the same one(s) you use to notify you when your external monitoring system detects that your email system(s) is/are down.
[quote=comment#26692]FYI, some of those IP addresses were for large banking sites like chase.com. No, you needn't worry about your security. BGP hijacking--unless itself leveraging MITM *and* as part of a triad of MITM and certificate fraud would only be useful for disrupting traffic to those IP addresses, not intercepting. If this was a valid (but momentarily leaked out) blackhole list used by that Nedzone, it would serve to deny systems only hosted at Nedzone from reaching those banking sites. If a bunch of systems hosted by Nedzone were historically engaged in banking fraud or attacks, it sounds like Nedzone might have been being proactive. After all, the typical person would not do their online banking from a Dutch data center. Unless of course it was leaked out of the ASN, the Nedzone blackhole list shouldn't be effecting anyone other than miscreants.[/quote]

I believe you are mistaken when you say, "it would serve to deny systems only hosted at Nedzone from reaching those banking sites.". I haevn't looked at the details, but if someone is leaking BGP routes that are either as specific or more specific than the real owner/originator of those addresses, it will in fact impact those beyond Nedzone.

If the prefixes were as specific, then the shortest AS Path is going to be followed, and those closest to Nedzone will go that way, as that'll be the shortest AS Path.

If the prefixes were more specific, it will always go to Nedzone.

But you're correct, in that, unless it was malicious and they were trying to MITM and had fake Certificates ready to go (perhaps from a compromised Root CA), then a person is safe.

However, that being said, I'd still change my password anyway if I'd been online at the time. I recommend annual password changes for anything sensitive/financial, and unique passwords per site. I'd just use this as my time to perform that annual password change. KeePass ( http://keepass.info/ ) helps keep track of all those passwords and annual password change reminrders.
Another service that monitors your BGP prefixes and ASN for hijacks, policy violations and outages is http://www.bgpmon.net/
Using over 600 BGP feeds provides, this provides a pretty good overview of what's going on with your networks globally.

Regarding this specific event, the AS in question most likely was null-routing these prefixes internally, as part of DDOS mitigation.
These were leaked, together with a whole > 300 of their own more specific routes.
NedZone has its fair share of open recursive DNS resolvers, according to some searches of openresolverproject.org data. It's conceivable someone spoofed IP ranges of those banks to try to cause reflection attacks. And blackholing them may have been an attempt to mitigate backscatter.

Yes, Job, this is speculation: I see this as a thought exercise, thinking of possible causes, risks, and preparedness in case this happens someday to the rest of us; not a news article or press release. I expect those involved would want to stay quiet and play down the incident anyway, if they are potentially liable for disrupting these particular businesses' operations.

Diary Archives