Hi folks,Recently I read a post regarding the recent incident of Celer Network and noticed a very interesting and successful BGP hijacking towards AS16509.The attacker AS209243 added AS16509 to their AS-SET and a more specific route object for the /24 where the victim's website is in ALTDB:(Below is our IRRd4 server NRTM logging, UTC timezone)irrd.log-20220817.gz:31106270-ADD 96126
irrd.log-20220817.gz:31106280-
irrd.log-20220817.gz:31106281-as-set: AS-SET209243
irrd.log-20220817.gz:31106306-descr: quickhost set
irrd.log-20220817.gz:31106332-members: AS209243, AS16509
irrd.log-20220817.gz:31106362:mnt-by: MAINT-QUICKHOSTUK
irrd.log-20220817.gz:31106392-changed: crussell@quickhostuk.net 20220816
irrd.log-20220817.gz:31106438-source: ALTDB
irrd.log-20220817.gz:31147549-ADD 96127
irrd.log-20220817.gz:31147559-
irrd.log-20220817.gz:31147560-route: 44.235.216.0/24
irrd.log-20220817.gz:31147588-descr: route
irrd.log-20220817.gz:31147606-origin: AS16509
irrd.log-20220817.gz:31147626:mnt-by: MAINT-QUICKHOSTUK
irrd.log-20220817.gz:31147656-changed: crussell@quickhostuk.net 20220816
irrd.log-20220817.gz:31147702-source: ALTDB
Then they started announcing the prefix ... under another AWS ASN (AS14618)I guess AS1299 Arelion doesn't check if the origin AS of an announcement is in the customer's AS-SET but it's pretty normal and understandable.
https://stat.ripe.net/widget/bgplay#w.resource=44.235.216.0/24&w.ignoreReannouncements=true&w.starttime=1660694458&w.endtime=1661032798&w.rrcs=0&w.instant=null&w.type=bgp
Short description: The new route 34854 1299 209243 14618 has been announcedCommunity: 1299:35000,34854:3001Date and time: 2022-08-17 19:39:50 Collected by: 00-2.56.11.1Hjacking didn't last too long. AWS started announcing a more specific announcement to prevent hijacking around 3 hours later. Kudos to Amazon's security team :-)Short description: The new route 58057 34549 5511 1299 16509 has been announcedCommunity: 5511:521,5511:666,5511:710,5511:5511,34549:100,34549:5511Date and time: 2022-08-17 23:08:47 Collected by: 00-194.50.92.251The attacker cleaned up the IRR objects on 17 Aug and surprisingly no one seems to notice them ...irrd.log-20220819.gz:26517714-ADD 96196
irrd.log-20220819.gz:26517724-
irrd.log-20220819.gz:26517725:as-set: AS-SET209243
irrd.log-20220819.gz:26517750-descr: quickhost set
irrd.log-20220819.gz:26517776-members: AS209243, AS35437, AS37497
irrd.log-20220819.gz:26517815-mnt-by: MAINT-QUICKHOSTUK
irrd.log-20220819.gz:26517845-changed: crussell@quickhostuk.net 20220817
irrd.log-20220819.gz:26517891-source: ALTDB
irrd.log-20220819.gz:26517910-DEL 96197
irrd.log-20220819.gz:26517920-
irrd.log-20220819.gz:26517921-route: 44.235.216.0/24
irrd.log-20220819.gz:26517949-descr: route
irrd.log-20220819.gz:26517967-origin: AS16509
irrd.log-20220819.gz:26517987-mnt-by: MAINT-QUICKHOSTUK
irrd.log-20220819.gz:26518017-changed: crussell@quickhostuk.net 20220816
irrd.log-20220819.gz:26518063-source: ALTDB
Nowadays hijacking a service by forging AS path is pretty easy and RPKI won't be able to solve this (as it validates origin AS and prefixes only) :-(
Regards,
Siyuan