Multiple banking IP addresses hijacked - arthurd
http://isc.sans.edu/diary/BGP+multiple+banking+addresses+hijacked/16249

======
pallandt
For those that want to know what happened, quoting someone from the obscured
comment thread on that page:

"AS286 provides IP Transit to AS25459. What happened is that both AS286 and
AS25459 did not have proper filtering in place. AS286 leaked AS25459's
blackhole routes to its peers, and a handful accepted those more specifics.
This lasted a few minutes before they realized what was going on and a fix was
put into place."

~~~
shubb
So are you saying that there was no deliberate hijack, but rather AS25459 was
configured not to carry traffic to those IPs, and its blackholes got
propagated?

~~~
cbhl
I think the author is merely worried about how much of BGP relies on operators
trusting each other to configure their networks properly. All it takes is one
typo somewhere to bring down the internet for half of America.

Granted, seeing how slowly IPsec and DNSSEC are being adopted, I think the
author is fighting an uphill battle.

~~~
toomuchtodo
Certificate pinning in mobile apps goes a long way to preventing a leak of
secure data. Sure, you can't get to your service while the hijack is
occurring, but you don't have to worry you just submitted your login and
password info to a hijacked/malicious IP block. Better to fail closed in this
case.

Disclaimer: I use PNC Bank, who was part of this hijack.

~~~
peterwwillis
What does this have to do with certificates and mobile data? Hijacking an IP
is the same as a man-in-the-middle, which PKI prevents without needing to
"pin" a cert. You have to first control a trusted CA before you can do real
MITM, and if you have that, it's much more effective to simply MITM the
existing route and not expose yourself by changing BGP routes all over the
place. (Also, a mobile app bundled with a cert "pinned" for that app is
effectively just public-key cryptography, so you don't even need to use the
global PKI infrastructure at that point)

------
karlkatzke
From the same buried comment:

"Describing '5 minute accidental blackhole route leakage' as 'Multiple banking
addresses hijacked' makes for a better and more sensational headline. I fully
understand if you must blow this event out of proportion."

~~~
ceph_
While I do think the title is a bit sensationalist, events where someone
leaks routes that aren't theirs are commonly referred to as a BGP hijack.

------
GeoHong
The BGPmon blog has a nice overview of BGP hijacks in recent history. The
potential impact of BGP hijacks should not be underestimated. Especially when
combined with the SSL/CA events. This is a great post explaining when these
things are combined:
[http://www.bgpmon.net/accidentally-stealing-the-internet/](http://www.bgpmon.net/accidentally-stealing-the-internet/)

------
soups
In the absence of S-BGP (secure BGP), what we need is an anomaly detection
service that detects such BGP prefix hijacking in real time and alerts the
owner of the prefix (in this case, the banks). I'd built one such service
before, anyone interested can read this white paper we wrote on it:
[http://rio.ecs.umass.edu/mnilpub/papers/securecomm07.pdf](http://rio.ecs.umass.edu/mnilpub/papers/securecomm07.pdf)

------
relik
Many networks will not let you announce /32s. This is something that you have
to have a reason for, such as more granular control. Usually they will say
yes, because then you can advertise specific routes yourself without
constantly going through engineers with your upstream. Mistakes happen though
:P

------
EthanHeilman
Another reason for the RPKI to lock down prefix origination.

[http://en.wikipedia.org/wiki/Resource_Public_Key_Infrastruct...](http://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure)

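An added example, not code from any commenter, from the white paper soups links, or from any RPKI implementation: a small Python route-origin validator in the spirit of soups's real-time hijack detector and EthanHeilman's RPKI point. It checks observed announcements against ROAs (RFC 6483-style origin validation) and flags the pattern from this thread, a more-specific /32 leaked under an otherwise legitimate origin AS, separately from a foreign-origin hijack. All prefixes, ASNs and announcements are constructed from documentation ranges, not taken from the incident.

```python
from dataclasses import dataclass
from ipaddress import ip_network
# Constructed sample data: RFC 5737 documentation prefixes and RFC 5398 ASNs.
@dataclass(frozen=True)
class ROA:                  # Route Origin Authorization published in the RPKI
    prefix: str
    max_length: int         # longest prefix length the origin may announce
    origin_as: int
@dataclass(frozen=True)
class Announcement:         # one BGP route as seen by a route collector
    prefix: str
    as_path: tuple          # leftmost = nearest neighbour, rightmost = origin AS
ROAS = [ROA("192.0.2.0/24", 24, 64500)]
def covering_roas(net, roas):
    """ROAs whose prefix contains `net` (same address family only)."""
    return [r for r in roas if ip_network(r.prefix).version == net.version
            and net.subnet_of(ip_network(r.prefix))]

def origin_validity(ann, roas=ROAS):
    """RFC 6483 route origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ip_network(ann.prefix)
    covering = covering_roas(net, roas)
    if not covering:
        return "not-found"      # no ROA covers it; RPKI cannot judge
    if any(r.origin_as == ann.as_path[-1] and net.prefixlen <= r.max_length
           for r in covering):
        return "valid"
    return "invalid"

def alerts_for(announcements, roas=ROAS):
    """(prefix, origin AS, reason) for announcements the prefix owner should check."""
    alerts = []
    for ann in announcements:
        if origin_validity(ann, roas) != "invalid":
            continue
        net, origin = ip_network(ann.prefix), ann.as_path[-1]
        if any(r.origin_as == origin for r in covering_roas(net, roas)):
            # right origin but too specific: the leaked-blackhole pattern above
            reason = "more-specific beyond maxLength (possible route leak)"
        else:
            reason = "unauthorised origin AS"
        alerts.append((ann.prefix, origin, reason))
    return alerts
OBSERVED = [  # constructed announcements, not data from the incident
    Announcement("192.0.2.0/24", (64496, 64500)),          # legitimate aggregate
    Announcement("192.0.2.10/32", (64496, 64510, 64500)),  # /32 blackhole leaked by transit
    Announcement("192.0.2.0/24", (64496, 64511)),          # same prefix, foreign origin
    Announcement("198.51.100.0/24", (64496, 64505)),       # no ROA: cannot judge
]
```

Fed a live feed of routes instead of OBSERVED, alerts_for returns the two cases a prefix owner would want paged on; "not-found" is deliberately silent, since without a ROA the RPKI has nothing to say.
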
------
area51org
This may have been merely an accident, but it's still frightening, given the
potential for malicious use.

------
derleth
AS 7007 all over again?

[http://en.wikipedia.org/wiki/AS_7007_incident](http://en.wikipedia.org/wiki/AS_7007_incident)

[http://www.merit.edu/mail.archives/nanog/1997-04/msg00444.ht...](http://www.merit.edu/mail.archives/nanog/1997-04/msg00444.html)

[http://boards.straightdope.com/sdmb/showpost.php?p=16245046&...](http://boards.straightdope.com/sdmb/showpost.php?p=16245046&postcount=18)

[https://news.ycombinator.com/item?id=5321663](https://news.ycombinator.com/item?id=5321663)

~~~
ceph_
As a network operator on a large ASN, you don't have to look back to 97 to
find another example of this. This has happened twice within the last year
with networks we peer with. Hell if it weren't for max prefix limits, TATA
would leak a full routing table every other week. But that's just
incompetence.

~~~
voltagex_
Are you able to give any more details? Granted I'm not involved in large-scale
networking, but it's the first I've heard of that.

