Transcript of: Recent Routing Incidents: Using BGP to Hijack DNS and more
[Page 1]
Recent Routing Incidents: Using BGP to Hijack DNS and more
Doug Madory, Director of Internet Analysis, Oracle
LACNIC 30, Rosario, Argentina, September 2018
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 1
[Page 2]
Recent Routing Incidents
• Amazon/Route 53 BGP hijack (April 2018)
• BGP/DNS hijacks of Payment Processors (July 2018)
• Takedown of Bitcanal (July 2018)
[Page 3]
BGP Hijack of Amazon DNS to Steal Crypto Currency (April 2018)
[Page 4]
BGP Hijack of Amazon DNS to Steal Crypto Currency (April 2018)
1) We noticed a BGP hijack of Amazon IP space and put out the following tweet:
(follow us at @InternetIntel)
2) I saw reports of MyEtherWallet being subjected to a DNS hijack and theorized that the two events may be related.
[Page 5]
BGP Hijack of Amazon DNS to Steal Crypto Currency (April 2018)
What happened? eNet/XLHost (AS10297) of Ohio suffered a breach.
• Attackers reconfigured AS10297's Cisco ASR 9000 to hijack Amazon's Route 53 authoritative DNS IP space for about two hours:
  205.251.192.0/24 Amazon.com, Inc.
  205.251.193.0/24 Amazon.com, Inc.
  205.251.195.0/24 Amazon.com, Inc.
  205.251.197.0/24 Amazon.com, Inc.
  205.251.199.0/24 Amazon.com, Inc.
• Routes weren't globally propagated, but were picked up by popular public DNS services like Google DNS, amplifying the hijack's effect.
[Page 6]
BGP Hijack of Amazon DNS to Steal Crypto Currency (April 2018)
• When queried for myetherwallet.com, an imposter authoritative DNS service returned an IP in eastern Ukraine (Luhansk People's Republic).
• Hosted on this IP was a fake copy of the myetherwallet.com site, ready to steal their currency as soon as they log in.
[Diagram: Users ask a recursive DNS server "What is myetherwallet.com?"; the recursive server walks root and .com to the legitimate authoritative DNS server, but the BGP hijack diverts the query to an imposter authoritative DNS server, which answers that myetherwallet.com is now in eastern Ukraine and sends users to the imposter website]
[Page 7]
BGP Hijack of Amazon DNS to Steal Crypto Currency (April 2018)
MyEtherWallet issues statement acknowledging that many of their users had been redirected to a fraudulent site.
[Page 8]
A few months later, authoritative DNS services hijacked again!!1! This time, the target wasn't a cryptocurrency wallet service, but major US payment processors.
[Page 9]
BGP/DNS Hijacks Target Payment Systems (July 2018)
• At 23:37:18 UTC on 6 July 2018, Digital Wireless Indonesia (AS38146) announced the following prefixes for ~30 min:
  64.243.142.0/24 Savvis
  64.57.150.0/24 Vantiv, LLC
  64.57.154.0/24 Vantiv, LLC
  69.46.100.0/24 Q9 Networks Inc.
  216.220.36.0/24 Q9 Networks Inc.
• Prefixes didn't propagate very far.
• At 22:17:37 UTC on 10 July 2018, Malaysian operator Extreme Broadband (AS38182) announced the exact same five prefixes.
• Why these prefixes? Because they contained authoritative nameservers.
See: https://internetintel.oracle.com/blog-single.html?id=BGP+/+DNS+Hijacks+Target+Payment+Systems
[Page 10]
BGP/DNS Hijacks Target Payment Systems (July 2018)
• Datawire is a "connectivity service that transports financial transactions securely and reliably over the public Internet to payment processing systems."
• Datawire's nameservers:
  ns1.datawire.net (216.220.36.76)
  ns2.datawire.net (69.46.100.71)
[Page 11]
BGP/DNS Hijacks Target Payment Systems (July 2018)
• Users begin reporting problems accessing Datawire services…
• BGP/DNS hijacking continues to other payment processors…
[Page 12]
BGP/DNS Hijacks Target Payment Systems (July 2018)
• Mercury Payment Systems is a credit card processing service also owned by Worldpay (formerly Vantiv).
• Mercury's nameservers:
  ns1.mercurypay.com (209.235.25.13)
  ns2.mercurypay.com (63.111.40.13)
• Vantiv (now Worldpay) is a major US payment processing service.
• Vantiv's nameservers:
  ns1.ftpsllc.net (64.57.150.53)
  ns2.ftpsllc.net (64.57.154.53)
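As an added illustration (not from the slides), the check below is the kind of monitor a nameserver operator or resolver network would run: it watches a BGP feed for announcements that cover the authoritative nameserver addresses listed on these slides and flags any whose origin ASN is not one we expect, or which is a more-specific of the expected covering prefix. The nameserver addresses and the two hijacking ASNs come from the slides; the legitimate origin ASNs are placeholders from the RFC 5398 documentation range, and the feed is constructed.

```python
import ipaddress
from dataclasses import dataclass

# Authoritative nameservers to watch (addresses taken from the slides).
NAMESERVERS = {
    "ns1.datawire.net": "216.220.36.76",
    "ns2.datawire.net": "69.46.100.71",
    "ns1.ftpsllc.net": "64.57.150.53",
    "ns2.ftpsllc.net": "64.57.154.53",
}

# Prefixes that normally cover those nameservers and the origin ASNs allowed
# to announce them. The slides name the prefixes but not the legitimate
# origins, so the ASNs here are placeholders from the RFC 5398 documentation
# range (64496-64511), not real operators.
EXPECTED = {
    "216.220.36.0/24": {64496},
    "69.46.100.0/24": {64496},
    "64.57.150.0/24": {64497},
    "64.57.154.0/24": {64497},
}


@dataclass(frozen=True)
class Announcement:
    when: str          # UTC timestamp of the BGP update
    prefix: str        # announced prefix, CIDR notation
    origin_asn: int    # last ASN in the AS path


def check_announcement(ann, nameservers=NAMESERVERS, expected=EXPECTED):
    """Return one alert dict per watched nameserver this announcement covers
    from an origin that is not allowed, or as a more-specific of the expected
    covering prefix. An empty list means the announcement looks routine."""
    net = ipaddress.ip_network(ann.prefix)
    alerts = []
    for name, addr in nameservers.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            continue
        allowed = set()
        more_specific = False
        for p, asns in expected.items():
            exp = ipaddress.ip_network(p)
            if ip in exp:
                allowed |= asns
                if net.prefixlen > exp.prefixlen:
                    more_specific = True
        reasons = []
        if ann.origin_asn not in allowed:
            reasons.append("unexpected-origin")
        if more_specific:
            reasons.append("more-specific")
        if reasons:
            alerts.append({"when": ann.when, "nameserver": name, "prefix": ann.prefix,
                           "origin_asn": ann.origin_asn, "reasons": reasons})
    return alerts


def check_feed(announcements, **kw):
    """Run check_announcement over a whole feed and concatenate the alerts."""
    out = []
    for ann in announcements:
        out.extend(check_announcement(ann, **kw))
    return out


# Constructed sample feed: the July 2018 announcements described on the
# slides, one routine announcement from the placeholder legitimate origin,
# and one unrelated prefix (RFC 5737 TEST-NET-3) that should not alert.
SAMPLE_FEED = [
    Announcement("2018-07-06T23:37:18Z", "216.220.36.0/24", 38146),  # Digital Wireless Indonesia
    Announcement("2018-07-06T23:37:18Z", "64.57.150.0/24", 38146),
    Announcement("2018-07-10T22:17:37Z", "69.46.100.0/24", 38182),   # Extreme Broadband
    Announcement("2018-07-10T22:17:37Z", "64.57.154.0/24", 64497),   # placeholder legitimate origin
    Announcement("2018-07-10T22:17:37Z", "203.0.113.0/24", 38182),   # unrelated prefix
]

if __name__ == "__main__":
    for alert in check_feed(SAMPLE_FEED):
        print(alert)
```

The more-specific check matters because a /25 or /26 carved out of the legitimate /24 wins the longest-match decision everywhere it is accepted, even when the origin ASN is copied from the real one; a watch that only compares origins would miss it.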
[Page 13]
BGP/DNS Hijacks Target Payment Systems (July 2018)
• Passive DNS observations showed *.datawire.net domains resolving to IP address space registered as being in Curaçao, but actually routed out of eastern Ukraine (same as the Route 53 hijack).
[Page 14]
BGP/DNS Hijacks Target Payment Systems (July 2018)
• But most hijacks were brief and didn't propagate far…
1. Brief BGP hijack: as long as a major public DNS service accepted the route, the affected population could be very large.
2. Attackers could time queries to the public DNS service to ensure the bogus record was cached.
3. TTLs of forged responses were ~1 week (normally 600 sec). Needed to be flushed to stop the misdirection.
[Diagram: timeline t with a BGP row and a DNS row, marking steps 1, 2 and 3]
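Added example, not from the presentation: an audit a resolver operator could run over a cache dump or passive-DNS observations, applying the two signals this slide describes, a TTL far above the zone's normal 600 seconds and an answer outside the zone's known address space, and listing the names that should be flushed. The 600 s and one-week values are from the slide; the zone's address block and the observations are constructed placeholders from the RFC 5737 documentation ranges, not datawire.net's real addresses.

```python
import ipaddress

# Reference data a defender keeps per zone. The slide gives the normal TTL
# (600 s); the address block is a placeholder (RFC 5737), not real space.
ZONE_PROFILE = {
    "datawire.net": {
        "expected_ttl": 600,
        "expected_blocks": [ipaddress.ip_network("198.51.100.0/24")],  # placeholder
    }
}

ONE_WEEK = 7 * 24 * 3600  # the ~1 week TTL seen in the forged responses


def zone_of(name, profiles):
    """Longest-suffix match of a query name against the profiled zones."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in profiles:
            return candidate
    return None


def audit_record(name, rdata, ttl, profiles=ZONE_PROFILE, ttl_factor=10):
    """Return the reasons an observed A record looks forged; [] means clean.
    Names outside any profiled zone are ignored rather than judged."""
    zone = zone_of(name, profiles)
    if zone is None:
        return []
    prof = profiles[zone]
    reasons = []
    if ttl > ttl_factor * prof["expected_ttl"]:
        reasons.append(f"ttl {ttl}s exceeds {ttl_factor}x expected {prof['expected_ttl']}s")
    ip = ipaddress.ip_address(rdata)
    if not any(ip in block for block in prof["expected_blocks"]):
        reasons.append(f"{rdata} outside expected address blocks")
    return reasons


def records_to_flush(observations, **kw):
    """Names whose observed records fail the audit: the flush list an operator
    would hand to the resolver to end the misdirection."""
    return sorted({name for name, rdata, ttl in observations
                   if audit_record(name, rdata, ttl, **kw)})


# Constructed observations (name, rdata, ttl): one normal answer, two of the
# kind the slide describes (week-long TTL, address the zone never uses), and
# one name in a zone we do not profile.
OBSERVATIONS = [
    ("www.datawire.net", "198.51.100.10", 600),
    ("www.datawire.net", "203.0.113.45", ONE_WEEK),
    ("api.datawire.net", "203.0.113.45", ONE_WEEK),
    ("example.org", "203.0.113.9", 3600),
]

if __name__ == "__main__":
    for name, rdata, ttl in OBSERVATIONS:
        print(name, rdata, ttl, audit_record(name, rdata, ttl))
    print("flush:", records_to_flush(OBSERVATIONS))
```

Either signal alone is enough to raise the record for review; the TTL check is the cheaper one because it needs no knowledge of the zone's address space, only of its published TTLs.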
[Page 15]
BGP/DNS Hijacks Lessons Learned
• Attackers using BGP hijacks to intercept authoritative DNS queries with the intent to redirect users to malicious sites.
• Hijacks need not be long-lasting or widely propagated to be effective if major recursive DNS services accept routes.
• We may reduce the risk if major authoritative DNS services signed routes and major public DNS services rejected invalids (via RPKI).
Major public DNS services: 8.8.8.8, 1.1.1.1, 9.9.9.9, etc.
Major authoritative DNS services: Route 53, Dyn, Ultra, etc.
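To make the RPKI point concrete, here is an added example (not from the slides) of RFC 6811 route origin validation as a recursive DNS operator's network would apply it: ROAs cover a prefix, and an announcement is valid only if some covering ROA names its origin ASN and permits its prefix length; routes that are invalid get dropped, routes with no covering ROA are kept. The 205.251.x prefixes and AS10297 are from slide 5; the ROA set, AS64496 as the legitimate origin, and the announcements are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization as a validator hands it to a router."""
    prefix: str
    max_length: int   # longest prefix length the ASN may originate
    asn: int          # 0 means "no AS may originate this prefix"


VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


def validate_origin(prefix, origin_asn, roas):
    """RFC 6811 route origin validation for one (prefix, origin AS) pair.

    NOT_FOUND: no ROA covers the prefix (unsigned space, nothing to check).
    VALID:     a covering ROA names this origin and allows this length.
    INVALID:   ROAs cover the prefix but none authorizes this origin/length.
    """
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return NOT_FOUND
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return VALID
    return INVALID


def filter_routes(routes, roas, drop_invalid=True):
    """The policy the slide asks of public resolvers' networks: keep valid and
    not-found routes, drop invalid ones. Returns (kept, dropped), each entry
    as (prefix, origin, validation state)."""
    kept, dropped = [], []
    for prefix, origin in routes:
        state = validate_origin(prefix, origin, roas)
        target = dropped if (drop_invalid and state == INVALID) else kept
        target.append((prefix, origin, state))
    return kept, dropped


# Constructed ROA set. 205.251.192.0/21 covers the five Route 53 /24s listed
# on slide 5; AS64496 is a placeholder (RFC 5398 documentation ASN) for the
# legitimate origin, not Amazon's real ASN. The AS0 ROA shows how to mark
# space that must never be originated by anyone.
ROAS = [
    ROA("205.251.192.0/21", 24, 64496),
    ROA("198.51.100.0/24", 24, 0),
]

# Constructed announcements: the placeholder legitimate origin, the breached
# AS10297 from slide 5 originating the same /24, a more-specific longer than
# maxLength, unsigned space, and the AS0-protected block.
ROUTES = [
    ("205.251.193.0/24", 64496),
    ("205.251.193.0/24", 10297),
    ("205.251.193.0/25", 64496),
    ("203.0.113.0/24", 10297),
    ("198.51.100.0/24", 64496),
]

if __name__ == "__main__":
    kept, dropped = filter_routes(ROUTES, ROAS)
    print("kept:", kept)
    print("dropped:", dropped)
```

The maxLength check is what stops the more-specific trick: with a ROA of /21 and maxLength 24, a hijacker who copies the legitimate origin ASN onto a /25 still produces an invalid route. The same logic also shows the limit the slide's wording implies: a route for space with no ROA is not-found, and most operators do not drop not-found, so protection only reaches prefixes whose holders have signed them.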
[Page 16]
On a positive (?) note…
Shutting down the BGP Hijack Factory (July 2018)
[Page 17]
Shutting down the BGP Hijack Factory (July 2018)
Community action began with an email to the NANOG list…
…but Bitcanal (aka Ebony Horizons) has a years-long history of hijacks. See "Case 2" in "The Vast World of Fraudulent Routing."
https://dyn.com/blog/vast-world-of-fraudulent-routing/
[Page 18]
Shutting down the BGP Hijack Factory (July 2018)
Disconnection timeline (1/3):
• Initial NANOG email (26 June)
• GTT and Cogent disconnected Bitcanal (AS197426) (on 28 June and 30 June, respectively)
• Bitcanal briefly returns via BICS (2 July) (disconnected on 4 July when presented with hijacking evidence)
[Page 19]
Shutting down the BGP Hijack Factory (July 2018)
Disconnection timeline (2/3):
• Agora IT prefixes previously announced by Bitcanal moved to Meerfarbig (4 July) (disconnected on 6 July when presented with spamming history)
• Bitcanal customer Routed Solutions (AS39536) switched to transit from M247 (AS9009) (activated 3 July, disconnected on 12 July)
[Page 20]
Shutting down the BGP Hijack Factory (July 2018)
Disconnection timeline (3/3):
• DE-CIX disconnected Bitcanal (Summer 2017)
• LINX disconnected Bitcanal (5 July)
• AMS-IX disconnected Bitcanal (7 July)
• HE (AS6939) disconnected Bitcanal (9 July)
• GigaPix disconnected Bitcanal (10 July)
• IP Telecom disconnected Bitcanal (10 July)
Bitcanal ASNs no longer routed (AS197426, etc.)
However, Ebony Horizons address space is now originated by AS48262 via AS50113 (SuperServers) in RU (began 14 August).
[Page 21]
Shutting down the BGP Hijack Factory (July 2018)
Lessons Learned:
• Unfortunately the removal of one bad actor is just a drop in the bucket
• IXPs are not just a neutral transport bus anymore
• Would benefit from better coordination about banned members (otherwise bad actors easily move on to the next IXP)
• If IXP policies require evidence of bad behavior, then they must have an on-going process to collect MRT or PCAP files.
[Page 22]
IXP Route Server Analysis Project (in the works)
• Free cloud-based tool for IXPs to help review/improve filtering.
• Looking for additional IXPs to participate. Come talk to me.
[Page 23]
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
[Page 24]
Thank you!
[email protected] @dougmadory