PROJET AUTOBLOG


Shaarli - Les discussions de Shaarli

Archived

Original site: Shaarli - Les discussions de Shaarli

The Canadian Bitcoin Hijack

Monday 3 August 2015 at 11:23
GuiGui's Show - Liens
« A few days ago researchers at Dell SecureWorks published the details of an attacker repeatedly hijacking BGP prefixes for numerous large providers such as Amazon, OVH, Digital Ocean, LeaseWeb, Alibaba and more. The goal of the operation was to intercept data between Bitcoin miners and Bitcoin mining pools. They estimated that $83,000 was made with this attack in just four months. The original post has many details which we won’t repeat here, instead we will take a closer look at the BGP details of this specific attack.

[...]

On Feb 3rd 2014, the first targeted Bitcoin hijacks took place, this affected more specific prefixes for AS 16509 (Amazon). Starting Feb 4th the BGP hijack appears to be originating from one of the downstream customers of the attacker. We believe this may have been an attempt to hide the actual Origin AS.
As of February 6th the fingerprint changes slightly again and the same more specific announcement for Amazon now appears to be announced by Amazon directly; i.e. the rightmost AS in the AS path is the Amazon AS. Looking at the data we believe that part of the ASpath is spoofed and that Amazon did not actually announce this prefix, instead it was announced by the Canadian attacker who tried to hide itself using AS path prepending. Interestingly this specific case looks a lot like the ‘stealing the Internet’ attack as presented at Defcon a few years ago, including ASpath poisoning where some of the attacker's upstream providers were included in the spoofed part of the ASpath.

[ Editor's note: oh, Pilosov & Kapela! ]

It appears that all the BGP announcements related to the Bitcoin hijack attacks were only visible via peers of this Canadian network via the Internet Exchange. This means that the attacker either did not announce these hijacked blocks to their transit providers, or the transit providers did a good job in filtering these announcements.

[...]

This means that other machines in the same hijacked /24 that have nothing to do with Bitcoin mining were also affected. Because of the nature of the providers affected, primarily cloud providers offering VM hosting (AWS, OVH, Digital Ocean, ServerStack, Choopa, LeaseWeb and more), it is not unlikely that traffic for machines (VMs) of hundreds of organizations worldwide may have been redirected to the hijacker.

[...]

This incident follows numerous similar BGP hijacks that happened recently. Just last year networks of several Credit Card companies were hijacked. Another example is the hijack of multiple Government departments of one specific European country. [...] These recent examples demonstrate that BGP hijacking is indeed being used for financial gain, Intelligence collection as well as Censorship. »

Old (summer 2014) but very interesting for what was at stake (bitcoin -> theft) and for the technique used (Pilosov & Kapela).
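A defender-side check for the three fingerprints described in the quoted excerpt (foreign origin AS, origin that looks legitimate but sits behind an unknown neighbour, unexpected more-specific), as an added example that is not from the original post or from BGPmon. The prefix, AS numbers and neighbour list are constructed documentation values, and the verdict names are hypothetical.

```python
import ipaddress

# Constructed policy using documentation values (RFC 5737 prefix, RFC 5398 ASNs).
# monitored prefix -> (expected origin AS, ASes the origin really connects to)
MONITORED = {
    ipaddress.ip_network("203.0.113.0/24"): (64500, {64501, 64502}),
}

def dedupe(as_path):
    """Collapse AS-path prepending (consecutive repeats of the same ASN)."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def classify(prefix, as_path):
    """Verdict for one announcement as seen by a route collector or IXP peer."""
    net = ipaddress.ip_network(prefix)
    path = dedupe(as_path)
    if not path:
        return "invalid"
    for covering, (origin, neighbours) in MONITORED.items():
        if net.version != covering.version or not net.subnet_of(covering):
            continue
        if path[-1] != origin:
            # Rightmost AS is not the owner: plain origin hijack.
            return "origin-mismatch"
        if len(path) >= 2 and path[-2] not in neighbours:
            # Owner's ASN is rightmost, but the AS next to it is not one of
            # the owner's real neighbours: the origin hop is probably spoofed.
            return "forged-origin-suspected"
        if net.prefixlen > covering.prefixlen:
            # Path looks plausible, yet the owner never announces this length.
            return "unexpected-more-specific"
        return "ok"
    return "not-monitored"

# Constructed sample announcements: (prefix, AS path, leftmost = observer side).
SAMPLES = [
    ("203.0.113.0/24",   [64510, 64501, 64500]),
    ("203.0.113.128/25", [64510, 64499]),
    ("203.0.113.128/25", [64510, 64499, 64500, 64500]),
    ("203.0.113.128/25", [64510, 64501, 64500]),
]

if __name__ == "__main__":
    for prefix, path in SAMPLES:
        print(prefix, path, classify(prefix, path))
```

The adjacency check only catches a spoofed origin when the announcing AS leaves itself next to it; a path that also inserts one of the owner's real neighbours falls through to the more-specific check, which is why both are kept.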