Upload File

recent routing incidents: using bgp to hijack dns and more · bgp/dns hijacks target payment...

  • Home
  • Documents
  • Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief
24
Recent Routing Incidents: Using BGP to Hijack DNS and more Doug Madory Director of Internet Analysis, Oracle LACNIC 30 Rosario, Argentina September 2018 Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 1

Upload: others

Post on 06-Jul-2020

7 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

RecentRoutingIncidents:UsingBGPtoHijackDNSandmore

DougMadoryDirectorofInternetAnalysis,OracleLACNIC30Rosario,ArgentinaSeptember2018

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.| 1

Page 2: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

RecentRoutingIncidents

•  Amazon/Route53BGPhijack(April2018)

•  BGP/DNShijacksofPaymentProcessors(July2018)

•  TakedownofBitcanal(July2018)

Page 3: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

BGPHijackofAmazonDNStoStealCryptoCurrency(April2018)

Page 4: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

BGPHijackofAmazonDNStoStealCryptoCurrency(April2018)

1)WenoticedaBGPhijackofAmazonIPspaceandputoutthefollowingtweet:

(followusat@InternetIntel)

2)IsawreportsofMyEtherWalletbeingsubjectedtoaDNShijackandtheorizedthatthetwoeventsmayberelated.

Page 5: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

BGPHijackofAmazonDNStoStealCryptoCurrency(April2018)

Whathappened?eNet/XLHost(AS10297)ofOhiosufferedabreach.•  AttackersreconfiguredAS10297’sCiscoASR9000tohijackAmazon’sRoute53

authoritativeDNSIPspaceforabouttwohours.205.251.192.0/24Amazon.com,Inc. 205.251.197.0/24Amazon.com,Inc.205.251.193.0/24Amazon.com,Inc. 205.251.199.0/24Amazon.com,Inc.205.251.195.0/24Amazon.com,Inc.

Routesweren’tgloballypropagated,butwerepickedupbypopularpublicDNSserviceslikeGoogleDNS,amplifyingitseffect.

Page 6: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

BGPHijackofAmazonDNStoStealCryptoCurrency(April2018)

•  Whenqueriedformyetherwallet.com,animposterauthoritativeDNSservicereturnedanIPineasternUkraine(LuhanskPeople'sRepublic).

•  HostedonthisIPwasafakecopyofthemyetherwallet.comsitereadytostealtheircurrencyassoonastheylogin.

RecursiveDNSserver

LegitimateAuthoritativeDNSserver

Whatismyetherwallet.com?

Users

root.com

ImposterAuthoritativeDNSserver

BGPhijack

myetherwallet.comisnowineasternUkraine

Imposterwebsite

Page 7: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

BGPHijackofAmazonDNStoStealCryptoCurrency(April2018)

MyEtherWallet issues statement acknowledging that many of their users had been redirected to a fraudulent site.

Page 8: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

Afewmonthslater,authoritativeDNSserviceshijackedagain!!1!Thistime,thetargetwasn’tcryptocurrencywalletservice,butmajorUSpaymentprocessers.

Page 9: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

BGP/DNSHijacksTargetPaymentSystems(July2018)•  At 23:37:18 UTC on 6 July 2018, Digital Wireless Indonesia (AS38146)

announced the following prefixes for ~30min •  64.243.142.0/24 Savvis •  64.57.150.0/24 Vantiv, LLC •  64.57.154.0/24 Vantiv, LLC •  69.46.100.0/24 Q9 Networks Inc. •  216.220.36.0/24 Q9 Networks Inc

Prefixes didn't propagate very far

•  At 22:17:37 UTC on 10 July 2018, Malaysian operator Extreme Broadband (AS38182) announced the exact same five prefixes

•  Why these prefixes? Because they contained authoritative nameservers.

See:https://internetintel.oracle.com/blog-single.html?id=BGP+/+DNS+Hijacks+Target+Payment+Systems

Page 10: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

BGP/DNSHijacksTargetPaymentSystems(July2018)•  Datawire is a "connectivity service that transports financial transactions

securely and reliably over the public Internet to payment processing systems."

Datawire's nameservers: ns1.datawire.net (216.220.36.76)

ns2.datawire.net (69.46.100.71)

Page 11: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

BGP/DNSHijacksTargetPaymentSystems(July2018)

•  Users begin reporting problems accessing Datawire services…

•  BGP/DNS hijacking continues to other payment processers….

Page 12: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

BGP/DNSHijacksTargetPaymentSystems(July2018)

•  Mercury Payment Systems is a credit card processing service also owned by Worldpay (formerly Vantiv).

•  Mercury's nameservers:

ns1.mercurypay.com (209.235.25.13)

ns2.mercurypay.com (63.111.40.13)

•  Vantiv (now Worldpay) is a major US payment processing service.

(Nameservers above)

ns1.ftpsllc.net (64.57.150.53)

ns2.ftpsllc.net (64.57.154.53)

Page 13: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

BGP/DNSHijacksTargetPaymentSystems(July2018)

•  PassiveDNSobservationsshowed*.datawire.netdomainsresolvingtoIPaddressspaceregisteredasbeinginCuraçao,butactuallyroutedoutofeasternUkraine.(sameatRoute53hijack)

Page 14: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

BGP/DNSHijacksTargetPaymentSystems(July2018)•  Butmosthijackswerebriefanddidn’tpropagatefar…

1.  BriefBGPhijack:AslongasamajorpublicDNSserviceacceptedthe

route,affectedpopulationcouldbeverylarge.2.  AttackerscouldtimequeriestopublicDNSservicetoensurebogusrecord

wascached.3.  TTLsofforgedresponseswere~1week(normally600sec).

Neededtobeflushedtostopthemisdirection.

tBGPDNS

1

2 3

Page 15: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

BGP/DNSHijacksLessonsLearned

•  AttackersusingBGPhijackstointerceptauthoritativeDNSquerieswiththeintenttoredirectuserstomalicioussites.

•  HijacksneednotbelonglastingorwidelypropagatedtobeeffectiveifmajorrecursiveDNSservicesacceptroutes.

•  WemayreducetheriskifmajorauthoritativeDNSservicessignedroutesandmajorpublicDNSservicesrejectedinvalids.(viaRPKI)

MajorpublicDNSservices

MajorAuthoritativeDNSservices

8.8.8.8,1.1.1.1,9.9.9.9,etc

Route53,Dyn,Ultra,etc

Page 16: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

Onapositive(?)note…

ShuttingdowntheBGPHijackFactory(July2018)

Page 17: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

ShuttingdowntheBGPHijackFactory(July2018)CommunityactionbeganwithanemailtotheNANOGlist…

…butBitcanal(akaEbonyHorizons)hasayears-longhistoryofhijacks.See“Case2”in“TheVastWorldofFraudulentRouting.”

https://dyn.com/blog/vast-world-of-fraudulent-routing/

Page 18: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

ShuttingdowntheBGPHijackFactory(July2018)Disconnectiontimeline(1/3):•  InitialNANOGemail(26June)•  GTTandCogentdisconnectedBitcanal(AS197426)

(On28Juneand30June,respectively)•  BitcanalbrieflyreturnsviaBICS(2July)

(Disconnectedon4Julywhenpresentedwithhijackingevidence)

Page 19: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

ShuttingdowntheBGPHijackFactory(July2018)Disconnectiontimeline(2/3):•  AgoraITprefixespreviouslyannouncedbyBitcanal,movedto

Meerfarbig(4July)(Disconnectedon6Julywhenpresentedwithspamminghistory)

•  BitcanalcustomerRoutedSolutions(AS39536)switchedtotransitfromM247(AS9009)(Activated3July,disconnectedon12July)

Page 20: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

ShuttingdowntheBGPHijackFactory(July2018)Disconnectiontimeline(3/3):•  DECIXdisconnectedBitcanal(Summer2017)•  LINXdisconnectedBitcanal(5July)•  AMSIXdisconnectedBitcanal(7July)•  HE(AS6939)disconnectedBitcanal(9July)•  GigaPixdisconnectedBitcanal(10July)•  IPTelecomdisconnectedBitcanal(10July)BitcanalASNsnolongerrouted(AS197426,etc)

However,EbonyhorizonaddressspacenoworiginatedbyAS48262viaAS50113(SuperServers)inRU(began14August)

Page 21: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

ShuttingdowntheBGPHijackFactory(July2018)

LessonsLearned:•  Unfortunatelytheremovalofonebadactorisjustadropinthebucket•  IXPsarenotjustaneutraltransportbusanymore

•  Wouldbenefitfrombettercoordinationaboutbannedmembers(otherwisebadactorseasilymoveontonextIXP)

•  IfIXPpoliciesrequireevidenceofbadbehavior,thentheymusthaveon-goingprocesstocollectMRTorPCAPfiles.

Page 22: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

IXPRouteServerAnalysisProject(intheworks)

•  Freecloud-basedtoolforIXPstohelpreview/improvefiltering.

•  LookingforadditionalIXPstoparticipate.Cometalktome.

Page 23: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

SafeHarborStatementTheprecedingisintendedtooutlineourgeneralproductdirection.Itisintendedforinformationpurposesonly,andmaynotbeincorporatedintoanycontract.Itisnotacommitmenttodeliveranymaterial,code,orfunctionality,andshouldnotberelieduponinmakingpurchasingdecisions.Thedevelopment,release,andtimingofanyfeaturesorfunctionalitydescribedforOracle’sproductsremainsatthesolediscretionofOracle.

23

Page 24: Recent Routing Incidents: Using BGP to Hijack DNS and more · BGP/DNS Hijacks Target Payment Systems (July 2018) • But most hijacks were brief and didn’t propagate far… 1. Brief

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.| 24

Thankyou!

[email protected]@dougmadory


CSCD 434 Network Security Winter 2013 Lecture 4 BGP, DNS Vulnerabilities 1

CSCD 434 Network Security Spring 2014 Lecture 4 BGP, DNS Vulnerabilities 1

Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:

REDES MPLS PROFESSOR: MARCOS A. A. GONDIM BGP. Roteiro Introdução ao BGP Sistema Autonômo Fundamentos do BGP Sessão BGP Cabeçalho BGP Mensagem BGP Tabelas

Profiling BGP Serial Hijackers: Capturing Persistent ...people.csail.mit.edu/ctestart/publications/BGPserialHijackers.pdf · BGP vulnerabilities and hijacks have been studied for

Oncogenic human herpesvirus hijacks proline metabolism for

BGP Secure Routing Extension (BGP-SRx)

A tale of two hijacks

DNS Anycast Operation of · 2005. 11. 30. · BGP Anycast Overview AS 2 Anycast node #1 Anycast node #2 Both routers announce the same shared unicast IP address by BGP connection

Practical DNS Operations - MENOG · 2017-04-25 · MENOG 7 John Kristoff – Team Cymru 3 One of two critical systems Routing (BGP) and naming (DNS) are by far the two most critical

On Control Flow Hijacks of unsafe Rust

NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks

DNS in the Crossfire: 2 Years of Hijacks and Defacements

Routing Security DDoS and Route Hijacks - NANOG...DNS server • The malicious DNS authoritative server had a legitimate IP address • These malicious DNS authoritative servers sent

Attacks on TCP/IP, BGP, DNS Denial of Serviceojensen/courses/cs361s/... · slide 1 Vitaly Shmatikov CS 361S Attacks on TCP/IP, BGP, DNS Denial of Service . slide 2 Reading Assignment

Next Generation Networks –Teachingsites.ieee.org/denver-com/files/2017/02/Levi-ODL-User-Group.pdf · •REST API •Firewall •Load-balancer •DNS Blacklist •BGP Path Manipulation

Fungal effector Jsi1 hijacks plant JA/ET signaling through ...1 Fungal effector Jsi1 hijacks plant JA/ET signaling through Topless Martin Darino1, Joana Marques1, Khong-Sam Chia1,

You’ve Got Vulnerability: Exploring Effective ... · You’ve Got Vulnerability: Exploring Effective Vulnerability Notifications ... pared to IPv4, including for BGP, DNS, FTP,

Detecting BGP hijacks in 2014 - NoSuchCon · Detecting BGP hijacks in 2014 Guillaume Valadon & Nicolas Vivet Agence nationale de la sécurité des systèmes d’information

BGP - Cisco...P2PTechnology No Encrypted No Tunnel No UnderlyingProtocols - • BITTORRENT,page4 • CITRIX,page5 • DHCP,page6 • DIRECTCONNECT,page7 • DNS,page8 • EDONKEY,page9

Nicolas Dubée Secway, 05/2003 BGP et DNS : Attaques sur les protocoles critiques de lInternet 1 BGP et DNS: attaques sur les protocoles critiques de lInternet

Securing BGP - RPKI · Amazon (AS16509) Route53 hijack – April2018 ... DNS servers in the hijacked range only responded to queries for myetherwallet.com • Responded with addresses

Detecting Hijacks and Leaks

BGPDNS Using BGP topology information for DNS RR sorting a scalable way of multi-homing

Fingerprint-based detection of DNS hijacks using RIPE Atlas

Malicious BGP Hijacks: Appearances Can Be Deceiving BGP Hijacks: Appearances Can Be Deceiving Pierre-Antoine Vervier yQuentin Jacquemart Johann Schlampz ... Through this case study

Mind Your Blocks: On the Stealthiness of Malicious BGP Hijacks · on network operational mailing lists, such as NANOG, or blog posts [12], [15], [16], [21]. Techniques to detect these

Attacks on TCP/IP, BGP, DNS Denial of Serviceshmat/courses/cs378/netattacks.pdf · FreeBSD 2.1.5 128 WinNT 4.0 6 slide 19 ... BGP (Border Gateway Protocol) is the core ... BGP, DNS

Monitoring for Network Security: BGP Hijacks, DDoS Attacks and DNS Poisoning

Pretty Good BGP Josh Karlin 8/15/2006. Towards Securing BGP Authenticate Origins –Prefix hijacks –Sub-prefix hijacks –Often caused by router misconfiguration

1 Border Gateway Protocol (BGP). 2 Contents Internet connectivity and BGP connectivity services, AS relationships BGP Basics BGP sessions, BGP

HUGHES HX200 H… · Кэширование dns Поддержка протоколов маршрутизации ripv1, ripv2, bgp Мультикастинг в направлениях

DNSSEC Deployment: Where We Are · The BAD: Other DNS hijacks* • 25 Dec 2010 - Russian e -Payment Giant ChronoPay Hacked • 18 Dec 2009 – Twitter – “Iranian cyber army”

Detecting BGP Configuration Faults with Static …...0 10 20 30 40 50 60 70 80 90 Filtering Route Leaks Route Hijacks Route Instability Routing Loops Blackholes O c c u r r e n c

Attacks on TCP/IP, BGP, DNS Denial of Service