Hacker News new | past | comments | ask | show | jobs | submit login

But Amazon really did screw up here.

The attackers were able to announce more specific prefixes than Amazon was announcing itself. It was like Amazon said "give me all phone calls for the 415 area code," and the attackers said "give me all calls for 415-555-xxxx." In internet routing, the most specific always wins (down to the minimum prefix size of /24 most networks filter on).

A commonly accepted mitigation for BGP hijacking is to announce the /24's of your important assets as well as the covering prefixes. An attackers announcement of the same /24 will at worst capture _some_ of the traffic, rather than being seen as a more specific and capturing _all_ the traffic.




> In internet routing, the most specific always wins

So is this flaw Amazon's fault? I think not. Even your accepted mitigation doesn't fix the hole completely. It's still an internet problem.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: