Recent Routing Incidents: Using BGP to Hijack DNS and more
Doug Madory, Director of Internet Analysis, Oracle
LACNIC 30, Rosario, Argentina, September 2018
Copyright © 2017, Oracle and/or its affiliates. All rights reserved.
Recent Routing Incidents
• Amazon/Route 53 BGP hijack (April 2018)
• BGP/DNS hijacks of Payment Processors (July 2018)
• Takedown of Bitcanal (July 2018)
BGP Hijack of Amazon DNS to Steal Cryptocurrency (April 2018)
BGP Hijack of Amazon DNS to Steal Cryptocurrency (April 2018)
1) We noticed a BGP hijack of Amazon IP space and put out the following tweet:
(follow us at @InternetIntel)
2) I saw reports of MyEtherWallet being subjected to a DNS hijack and theorized that the two events may be related.
BGP Hijack of Amazon DNS to Steal Cryptocurrency (April 2018)
What happened? eNet/XLHost (AS10297) of Ohio suffered a breach.
• Attackers reconfigured AS10297's Cisco ASR 9000 to hijack Amazon's Route 53 authoritative DNS IP space for about two hours:
  205.251.192.0/24  Amazon.com, Inc.
  205.251.193.0/24  Amazon.com, Inc.
  205.251.195.0/24  Amazon.com, Inc.
  205.251.197.0/24  Amazon.com, Inc.
  205.251.199.0/24  Amazon.com, Inc.
• Routes weren't globally propagated, but were picked up by popular public DNS services like Google DNS, amplifying the effect.
BGP Hijack of Amazon DNS to Steal Cryptocurrency (April 2018)
• When queried for myetherwallet.com, an imposter authoritative DNS service returned an IP in eastern Ukraine (Luhansk People's Republic).
• Hosted on this IP was a fake copy of the myetherwallet.com site, ready to steal users' currency as soon as they log in.
[Diagram: Users → Recursive DNS server ("What is myetherwallet.com?") → root, .com → Legitimate authoritative DNS server, diverted by the BGP hijack to an Imposter authoritative DNS server ("myetherwallet.com is now in eastern Ukraine") → Imposter website]
BGP Hijack of Amazon DNS to Steal Cryptocurrency (April 2018)
MyEtherWallet issues statement acknowledging that many of their users had been redirected to a fraudulent site.
A few months later, authoritative DNS services hijacked again!!1! This time, the target wasn't a cryptocurrency wallet service, but major US payment processors.
BGP/DNS Hijacks Target Payment Systems (July 2018)
• At 23:37:18 UTC on 6 July 2018, Digital Wireless Indonesia (AS38146) announced the following prefixes for ~30 min:
  • 64.243.142.0/24  Savvis
  • 64.57.150.0/24   Vantiv, LLC
  • 64.57.154.0/24   Vantiv, LLC
  • 69.46.100.0/24   Q9 Networks Inc.
  • 216.220.36.0/24  Q9 Networks Inc.
  Prefixes didn't propagate very far.
• At 22:17:37 UTC on 10 July 2018, Malaysian operator Extreme Broadband (AS38182) announced the exact same five prefixes.
• Why these prefixes? Because they contained authoritative nameservers.
See: https://internetintel.oracle.com/blog-single.html?id=BGP+/+DNS+Hijacks+Target+Payment+Systems
BGP/DNS Hijacks Target Payment Systems (July 2018)
• Datawire is a "connectivity service that transports financial transactions securely and reliably over the public Internet to payment processing systems."
• Datawire's nameservers:
  ns1.datawire.net (216.220.36.76)
  ns2.datawire.net (69.46.100.71)
BGP/DNS Hijacks Target Payment Systems (July 2018)
• Users begin reporting problems accessing Datawire services…
• BGP/DNS hijacking continues to other payment processors…
BGP/DNS Hijacks Target Payment Systems (July 2018)
• Mercury Payment Systems is a credit card processing service also owned by Worldpay (formerly Vantiv).
• Mercury's nameservers:
  ns1.mercurypay.com (209.235.25.13)
  ns2.mercurypay.com (63.111.40.13)
• Vantiv (now Worldpay) is a major US payment processing service. Nameservers (shown above):
  ns1.ftpsllc.net (64.57.150.53)
  ns2.ftpsllc.net (64.57.154.53)
BGP/DNS Hijacks Target Payment Systems (July 2018)
• Passive DNS observations showed *.datawire.net domains resolving to IP address space registered as being in Curaçao, but actually routed out of eastern Ukraine (same as the Route 53 hijack).
BGP/DNS Hijacks Target Payment Systems (July 2018)
• But most hijacks were brief and didn't propagate far…
1. Brief BGP hijack: as long as a major public DNS service accepted the route, the affected population could be very large.
2. Attackers could time queries to the public DNS service to ensure the bogus record was cached.
3. TTLs of forged responses were ~1 week (normally 600 sec). Needed to be flushed to stop the misdirection.
[Timeline figure: t axis with BGP and DNS rows; events 1, 2 and 3 marked]
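Points 1 to 3 above as detection logic, in an added example that is not part of the talk: a passive-DNS check that flags an answer whose origin AS changes and whose TTL jumps from the normal 600 s to about a week, and computes how long a recursive cache would keep it unless flushed. The observation records, IP addresses and ASNs are constructed placeholders.

```python
"""Passive-DNS check for the forged-answer pattern on this slide: an answer that
suddenly comes from a different origin AS with a TTL far above the normal 600 s,
so it outlives the brief BGP hijack inside recursive caches.
Added example, not from the talk. OBSERVATIONS are CONSTRUCTED records using
documentation-range IPs and private-use ASNs, not real hijack data."""
from datetime import datetime, timedelta, timezone

NORMAL_TTL = 600  # seconds; the slide gives this as the normal TTL

# Constructed: (UTC timestamp, name, A answer, TTL seconds, origin ASN of the answer IP)
OBSERVATIONS = [
    ("2018-07-10T20:00:00Z", "www.datawire.net", "203.0.113.10", 600, 64496),
    ("2018-07-10T21:00:00Z", "www.datawire.net", "203.0.113.10", 600, 64496),
    ("2018-07-10T22:20:05Z", "www.datawire.net", "198.51.100.7", 604800, 64511),
    ("2018-07-10T22:25:00Z", "api.datawire.net", "198.51.100.7", 604800, 64511),
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def flag_forged_answers(observations, ttl_factor=10):
    """Learn a per-name baseline (first clean origin AS and TTL), then report every
    later observation whose answer comes from another AS or whose TTL exceeds
    ttl_factor times the baseline. A name with no baseline yet is judged on the
    TTL rule alone. Returns [(timestamp, name, answer, [reasons])]."""
    baseline = {}  # name -> (origin_asn, ttl)
    flagged = []
    for ts, name, answer, ttl, asn in observations:
        reasons = []
        if name in baseline:
            base_asn, base_ttl = baseline[name]
            if asn != base_asn:
                reasons.append("origin AS changed from AS%d to AS%d" % (base_asn, asn))
            if ttl > ttl_factor * base_ttl:
                reasons.append("ttl %d far above baseline %d" % (ttl, base_ttl))
        elif ttl > ttl_factor * NORMAL_TTL:
            reasons.append("ttl %d far above normal %d" % (ttl, NORMAL_TTL))
        if reasons:
            flagged.append((ts, name, answer, reasons))
        elif name not in baseline:
            baseline[name] = (asn, ttl)  # only clean observations seed the baseline
    return flagged

def cache_expiry(ts, ttl):
    """When a resolver that cached this answer at ts drops it unless explicitly flushed."""
    return parse_ts(ts) + timedelta(seconds=ttl)
```

With these records the week-long answer cached at 22:20 UTC on 10 July would survive until 17 July, long after the ~30 minute hijack route was gone.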
BGP/DNS Hijacks: Lessons Learned
• Attackers using BGP hijacks to intercept authoritative DNS queries with the intent to redirect users to malicious sites.
• Hijacks need not be long lasting or widely propagated to be effective if major recursive DNS services accept routes.
• We may reduce the risk if major authoritative DNS services signed routes and major public DNS services rejected invalids (via RPKI).
[Diagram: Major public DNS services (8.8.8.8, 1.1.1.1, 9.9.9.9, etc.) ↔ Major authoritative DNS services (Route 53, Dyn, Ultra, etc.)]
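The RPKI mitigation proposed above, as an added example that is not part of the talk: route origin validation (RFC 6811) run over the hijack announcements from the earlier slides, with the "reject invalids" policy a public resolver's network could apply. The ROAs and the legitimate-origin ASNs (64496, 64497) are constructed placeholders, not the real holders' ROAs.

```python
"""RPKI route-origin validation (RFC 6811), the "reject invalids" lesson on this
slide, applied to the hijack announcements shown in the deck.
Added example, not from the talk. ROAS are CONSTRUCTED: the legitimate origin
ASNs are private-use placeholders (64496, 64497), not the real holders' ASNs."""
from ipaddress import ip_network

# Constructed ROAs: (authorised prefix, maxLength, origin ASN).
# The Amazon ROA deliberately authorises only the aggregate, not /24s.
ROAS = [
    ("205.251.192.0/21", 21, 64496),
    ("64.57.150.0/24", 24, 64497),
    ("64.57.154.0/24", 24, 64497),
    ("69.46.100.0/24", 24, 64497),
    ("216.220.36.0/24", 24, 64497),
]

def validate(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'notfound' for one (prefix, origin AS) route.
    A ROA covers the route when its prefix contains the route's prefix. The route
    is valid only if some covering ROA names the same origin AND the route is no
    more specific than that ROA's maxLength; any other covered route is invalid;
    a route with no covering ROA at all is notfound."""
    route = ip_network(prefix)
    covering = [(maxlen, asn) for p, maxlen, asn in roas
                if route.subnet_of(ip_network(p))]
    if not covering:
        return "notfound"
    if any(asn == origin_asn and route.prefixlen <= maxlen for maxlen, asn in covering):
        return "valid"
    return "invalid"

def drop_invalids(updates, roas=ROAS):
    """The policy a public resolver's network could apply to its BGP feed: keep
    valid and notfound routes, drop invalids. Returns (accepted, rejected)."""
    accepted, rejected = [], []
    for prefix, asn in updates:
        (rejected if validate(prefix, asn, roas) == "invalid" else accepted).append((prefix, asn))
    return accepted, rejected

# Constructed BGP updates: the deck's hijack origins plus the placeholder legitimate origins.
UPDATES = [
    ("205.251.192.0/24", 10297),   # April 2018: eNet/XLHost announcing a Route 53 /24
    ("205.251.197.0/24", 10297),
    ("64.57.150.0/24", 38146),     # 6 July 2018: Digital Wireless Indonesia
    ("216.220.36.0/24", 38182),    # 10 July 2018: Extreme Broadband
    ("205.251.192.0/21", 64496),   # placeholder legitimate aggregate announcement
    ("64.57.150.0/24", 64497),     # placeholder legitimate Vantiv origin
]
```

Note the maxLength effect: with a /21 ROA at maxLength 21, even the placeholder legitimate origin would be invalid if it announced a /24, so a holder that really announces /24s must author ROAs that allow them.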
On a positive (?) note…
Shutting down the BGP Hijack Factory (July 2018)
Shutting down the BGP Hijack Factory (July 2018)
Community action began with an email to the NANOG list…
…but Bitcanal (aka Ebony Horizons) has a years-long history of hijacks. See "Case 2" in "The Vast World of Fraudulent Routing."
https://dyn.com/blog/vast-world-of-fraudulent-routing/
Shutting down the BGP Hijack Factory (July 2018)
Disconnection timeline (1/3):
• Initial NANOG email (26 June)
• GTT and Cogent disconnected Bitcanal (AS197426) (on 28 June and 30 June, respectively)
• Bitcanal briefly returns via BICS (2 July) (disconnected on 4 July when presented with hijacking evidence)
Shutting down the BGP Hijack Factory (July 2018)
Disconnection timeline (2/3):
• Agora IT prefixes previously announced by Bitcanal moved to Meerfarbig (4 July) (disconnected on 6 July when presented with spamming history)
• Bitcanal customer Routed Solutions (AS39536) switched to transit from M247 (AS9009) (activated 3 July, disconnected on 12 July)
Shutting down the BGP Hijack Factory (July 2018)
Disconnection timeline (3/3):
• DE-CIX disconnected Bitcanal (Summer 2017)
• LINX disconnected Bitcanal (5 July)
• AMS-IX disconnected Bitcanal (7 July)
• HE (AS6939) disconnected Bitcanal (9 July)
• GigaPix disconnected Bitcanal (10 July)
• IP Telecom disconnected Bitcanal (10 July)
Bitcanal ASNs no longer routed (AS197426, etc.)
However, Ebony Horizon address space is now originated by AS48262 via AS50113 (SuperServers) in RU (began 14 August).
Shutting down the BGP Hijack Factory (July 2018)
Lessons Learned:
• Unfortunately the removal of one bad actor is just a drop in the bucket
• IXPs are not just a neutral transport bus anymore
• Would benefit from better coordination about banned members (otherwise bad actors easily move on to the next IXP)
• If IXP policies require evidence of bad behavior, then they must have an on-going process to collect MRT or PCAP files.
IXP Route Server Analysis Project (in the works)
• Free cloud-based tool for IXPs to help review/improve filtering.
• Looking for additional IXPs to participate. Come talk to me.
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Thank you!
[email protected]
@dougmadory