BGP multiple banking addresses hijacked
On 24 July 2013 a significant number of Internet Protocol (IP) addresses that belong to banks suddenly were routed to somewhere else. An IP address is how packets are routed to their destination across the Internet.
Why is this important, you ask? Well, imagine the Internet suddenly decided that you were living in the middle of Asia, and all traffic that should go to you ends up traveling through a number of other countries to get to you, but you aren't there. You are still at home and haven't moved at all. All packets that should happily route to you now route elsewhere. Emails sent to you bounce as undeliverable, or are read by other people. Banking transactions fail. HTTPS handshakes get invalid certificate errors. This defeats the confidentiality, integrity, and availability of all applications running in the hijacked address spaces for the time that the hijack is running. In fact this sounds like a nifty way to attack an organization, doesn't it? The question then would be how to pull it off and hijack someone else's address.
The Autonomous System (AS) in question is owned by NedZone Internet BV in the Netherlands. This can be found by querying whois for AS 25459. According to RIPE this AS originated 369 prefixes in the last 30 days, of which 310 had unusually small prefixes. Typically a BGP advertisement is at least a /24, or 256 unique Internet-addressable IPs. A large number of these were /32, or single IP addresses.
The short answer is that any Internet Service Provider (ISP) that is part of the global Border Gateway Protocol (BGP) network can advertise a route to a prefix that it owns. It simply updates the routing tables to point to itself, and then the updates propagate throughout the Internet. If an ISP announces a prefix it does not own, traffic may be routed to it instead of to the owner. The more specific prefix wins, or, between equally specific prefixes, the one with the shortest apparent route.
That's all it takes to disrupt traffic to virtually anyone on the Internet: connectivity and the willingness to announce a route that does not belong to you. This is not a new attack; it has happened numerous times in the past, and both malicious attacks and accidental typos have been the cause.
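To make the selection rule above concrete, here is an added example (not code from the diary or from ISC) that simulates longest-prefix-match route selection over a constructed set of announcements and then runs a defender-side check that flags announcements whose origin AS is not the registered owner or that are more specific than a /24. AS 25459 is from the post; the bank prefix 198.51.100.0/24, AS 64500 and AS 64501 are placeholder values, and EXPECTED_ORIGIN stands in for a whois/RIR lookup.

```python
import ipaddress

# Constructed sample of announcements as a route collector might show them:
# (prefix, origin AS, AS path as seen from the collector).
ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64500, [64501, 64500]),  # legitimate owner, via upstream 64501
    ("198.51.100.7/32", 25459, [25459]),         # leaked more-specific /32 from AS 25459
    ("198.51.100.0/24", 25459, [25459]),         # equally specific, competing origin
]

# Registered ownership (constructed placeholder for a whois/RIR lookup).
EXPECTED_ORIGIN = {"198.51.100.0/24": 64500}


def best_route(dst, announcements):
    """BGP-style selection: the most specific prefix wins; among equal prefix
    lengths the shortest AS path wins (ties keep the first announcement seen)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, origin, path in announcements:
        net = ipaddress.ip_network(prefix)
        if ip not in net:
            continue
        key = (net.prefixlen, -len(path))  # longer prefix, then shorter path
        if best is None or key > best[0]:
            best = (key, prefix, origin)
    return None if best is None else (best[1], best[2])


def suspicious(announcements, expected=EXPECTED_ORIGIN, min_len=24):
    """Defender-side check: flag announcements that are more specific than
    /24 or whose origin AS differs from the registered owner of a covering prefix."""
    findings = []
    for prefix, origin, _ in announcements:
        net = ipaddress.ip_network(prefix)
        reasons = []
        if net.prefixlen > min_len:
            reasons.append(f"more specific than /{min_len}")
        for owned, owner in expected.items():
            if net.subnet_of(ipaddress.ip_network(owned)) and origin != owner:
                reasons.append(f"origin AS{origin} != owner AS{owner}")
        if reasons:
            findings.append((prefix, origin, reasons))
    return findings


if __name__ == "__main__":
    print(best_route("198.51.100.7", ANNOUNCEMENTS))  # the leaked /32 wins
    for finding in suspicious(ANNOUNCEMENTS):
        print(finding)
```

The /32 captures traffic for that single host regardless of AS path, while the competing /24 only wins where its AS path is shorter, which is exactly why monitoring for unexpected origins and overly specific prefixes matters.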
The announcements from AS 25459 can be seen at:
http://www.ris.ripe.net/mt/asdashboard.html?as=25459
A sampling of some of the owners of the IP addresses that were hijacked follows:
1 AMAZON-AES - Amazon.com, Inc.
2 AS-7743 - JPMorgan Chase & Co.
1 ASN-BBT-ASN - Branch Banking and Trust Company
2 BANK-OF-AMERICA Bank of America
1 CEGETEL-AS Societe Francaise du Radiotelephone S.A
1 FIRSTBANK - FIRSTBANK
1 HSBC-HK-AS HSBC HongKong
1 PFG-ASN-1 - The Principal Financial Group
2 PNCBANK - PNC Bank
1 REGIONS-ASN-1 - REGIONS FINANCIAL CORPORATION
Some prefixes on the list were owned by that ISP; the prefix size is what was odd about them. The bulk of the IP addresses were owned by various hosting providers. So, the question is:
What happened?
Makes you wonder about the fundamental (in)security of this set of experimental protocols we use called the Internet doesn't it?
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
Comments
Describing "5 minute accidental blackhole route leakage" as "Multiple banking addresses hijacked" makes for a better and more sensational headline. I fully understand if you must blow this event out of proportion.
Anonymous
Jul 30th 2013
Anyway, why would an ISP want to deliberately blackhole IP ranges such as those?
Anonymous
Jul 30th 2013
One would think it would be advisable to change your password if you were actually on at that time?
Anonymous
Jul 30th 2013
I did not say it was malicious, it all points to incompetence.
If it was malicious, it likely would have been more successful and less obvious.
BGP best practices were not being adhered to, which is one of the points I should have emphasized more clearly.
"5 minute accidental blackhole route leakage" poses more questions than it answers.
For example why blackhole those IP addresses?
Why was there no mitigation in place?
No change control process?
No configuration management?
Why no public explanation or apology?
I am not a journalist, so the sensationalism or not of the title is irrelevant to me. Factual accuracy is.
I don't feel I blew it out of proportion at all. I could have written "Incredible incompetence in BGP update", is that better?
I think the issue underscores the reliance we all have on essentially fragile protocols.
Cheers,
Adrien de Beaupre
SANS Internet Storm Center Handler
GIAC Certified (GXPN, GCIH, GCIA, GPEN, GWAPT, GSEC)
Anonymous
Jul 30th 2013
http://cyclops.cs.ucla.edu/
Obviously you need the email notifications going to servers beyond just your own servers, if they reside within your normal address space. You know, the same one(s) you use to notify you when your external monitoring system detects that your email system(s) is/are down.
Anonymous
Jul 30th 2013
I believe you are mistaken when you say, "it would serve to deny systems only hosted at Nedzone from reaching those banking sites." I haven't looked at the details, but if someone is leaking BGP routes that are either as specific or more specific than the real owner/originator of those addresses, it will in fact impact those beyond Nedzone.
If the prefixes were as specific, then the shortest AS Path is going to be followed, and those closest to Nedzone will go that way, as that'll be the shortest AS Path.
If the prefixes were more specific, it will always go to Nedzone.
But you're correct, in that, unless it was malicious and they were trying to MITM and had fake Certificates ready to go (perhaps from a compromised Root CA), then a person is safe.
However, that being said, I'd still change my password anyway if I'd been online at the time. I recommend annual password changes for anything sensitive/financial, and unique passwords per site. I'd just use this as my time to perform that annual password change. KeePass ( http://keepass.info/ ) helps keep track of all those passwords and annual password change reminders.
Anonymous
Jul 30th 2013
Using over 600 BGP feeds, this provides a pretty good overview of what's going on with your networks globally.
Regarding this specific event, the AS in question most likely was null-routing these prefixes internally, as part of DDOS mitigation.
These were leaked, together with a whole > 300 of their own more specific routes.
Anonymous
Jul 30th 2013
Yes, Job, this is speculation: I see this as a thought exercise, thinking of possible causes, risks, and preparedness in case this happens someday to the rest of us; not a news article or press release. I expect those involved would want to stay quiet and play down the incident anyway, if they are potentially liable for disrupting these particular businesses' operations.
Anonymous
Jul 30th 2013