The story about the MyEtherWallet.com hijack, or how to become a millionaire in 2 hours.

Aloha.

Surprised this hasn't "made the news" over at this list yet.

https://doublepulsar.com/hijack-of-amazons-internet-domain-service-used-to-reroute-web-traffic-for-two-hours-unnoticed-3a6f0dda6a6f

https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/2teeVLJ44RM/Yqk5GHSpCQAJ

https://twitter.com/barton_paul/status/988788348272734217

TL;DR: So it seems that AS10297 (some small hosting provider in the US) suddenly started to announce de-aggregated AWS
IP space, containing quite a lot of Route53 infrastructure, put up resolvers of their own on the hijacked IP space and
pointed *AT LEAST* www.myetherwallet.com to an IP address that seems to be some kind of transparent proxy out of Russia
with a bogus SSL cert (but still pretty good) (https://46.161.42.42/)

I did some digging in my own logs and played it through BGPlay - seems like it was in fact only Hurricane Electric (6939)
that actually propagated this prefix to the Internet. Which makes sense, since we have seen them being part of the
problem in almost all recent hijacks.

Can we do some collaborative digging in other tools you have handy (I guess ThousandEyes probes etc. could be of help
here) to track how big the propagation was?

Being a bit involved in the Ethereum world, it could be noted that the login to MyEtherWallet.com is a bit special since
you actually log in with your wallet seed and not user/pass to the site... giving the possibility to make really swift
transfers without having actual access to the real site (for good... and bad).

Is MyEtherWallet really doing 500k/hr in business though?

"that depends".

We for sure know that 150K or so got immediately snatched off the bat, but how many more wallets are at stake? No one knows.

What is known however is that they are trying to deploy smokescreens with tons of transfers moving ETH around wallets,
and it all seems to end up sooner or later in this account.

https://etherscan.io/address/0xb3aaaae47070264f3595c5032ee94b620a583a39

Which is good for 17MUSD.

That doesn't really matter though - I want to talk about what we do about this in the DFZ.

Can someone from HE comment on what your ingress route-filtering policy looks like towards your customers? I typically
base my peering relationships on people/operators that I have some level of trust in.
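The pattern in the TL;DR above (a foreign AS originating more-specifics carved out of someone else's aggregate) is exactly what a simple origin check on your own route feed catches. Below is an added example, not code from any poster in this thread: it scans constructed BGP updates (RFC 5737 documentation prefixes, placeholder AS64496 as the assumed legitimate origin; 10297 and 6939 are the ASNs named above) and flags de-aggregated announcements whose origin is not on the expected list.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Set

# Added example, not from any post in this thread. Prefixes and the
# "legitimate" origin ASN are constructed placeholders (RFC 5737 / RFC 5398
# documentation ranges); 10297 and 6939 are the ASNs named in the thread.

class Update(NamedTuple):
    prefix: str
    as_path: List[int]      # leftmost = peer we heard it from, rightmost = origin

class Alert(NamedTuple):
    prefix: str             # announced (possibly more-specific) prefix
    covering: str           # monitored aggregate it falls inside
    origin: int             # AS that originated the announcement
    upstream: Optional[int] # AS that handed it to us (6939's role in the thread)
    kind: str               # "more-specific" or "origin"

def check_update(upd: Update, monitored: Dict[str, Set[int]]) -> Optional[Alert]:
    """Flag an announcement inside a monitored prefix whose origin AS is not
    one of the expected origins for that prefix."""
    net = ipaddress.ip_network(upd.prefix, strict=False)
    origin = upd.as_path[-1]
    upstream = upd.as_path[-2] if len(upd.as_path) > 1 else None
    for cover_str, allowed in monitored.items():
        cover = ipaddress.ip_network(cover_str, strict=False)
        if net.version != cover.version or not net.subnet_of(cover):
            continue
        if origin in allowed:
            return None     # the owner de-aggregating its own space is fine
        kind = "more-specific" if net.prefixlen > cover.prefixlen else "origin"
        return Alert(upd.prefix, cover_str, origin, upstream, kind)
    return None

def scan(updates: List[Update], monitored: Dict[str, Set[int]]) -> List[Alert]:
    return [a for a in (check_update(u, monitored) for u in updates) if a]

# Constructed sample feed: 203.0.113.0/24 stands in for the AWS aggregate,
# owned by placeholder AS64496. Two /25s show up originated by 10297 via 6939.
MONITORED = {"203.0.113.0/24": {64496}}
SAMPLE_UPDATES = [
    Update("203.0.113.0/24", [64500, 64496]),      # legitimate aggregate
    Update("203.0.113.0/25", [6939, 10297]),       # de-aggregated hijack
    Update("203.0.113.128/25", [6939, 10297]),     # de-aggregated hijack
    Update("198.51.100.0/24", [64500, 64501]),     # unrelated prefix, ignored
]

if __name__ == "__main__":
    for a in scan(SAMPLE_UPDATES, MONITORED):
        print(f"{a.kind} hijack: {a.prefix} inside {a.covering} "
              f"originated by AS{a.origin} via AS{a.upstream}")
```

In practice the updates come from your router's BMP/MRT feed or a looking-glass export, and the expected-origin table from the prefix owner's ROAs or IRR route objects.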

a message of 28 lines which said:

Surprised this hasn't "made the news" over at this list yet.

It may be also because NANOG email is handled by Google, who broke its antispam:

<nanog@nanog.org>: host aspmx.l.google.com[2a00:1450:400c:c08::1a] said:
    550-5.7.1 This message does not have authentication information or fails to
    550-5.7.1 pass authentication checks. To best protect our users from spam,
    550-5.7.1 the message has been blocked. Please visit
    550-5.7.1 Email sender guidelines - Google Workspace Admin Help for more
    550 5.7.1 information. v20-v6si12240130wrb.82 - gsmtp
    (in reply to end of DATA command)

Well, there is quite a bit of data around that particular server.

So it definitely happened.

https://twitter.com/GossiTheDog/status/988873775285460992

This tweet is a good start.

The server answers to me right now, and Google Safe Browsing has flagged it as well for being insecure (not the regular
cert-fail warning but the deceptiveness warning).

The SSL-cert is a self-signed one impersonating MyEtherWallet.com.

I'd take it that 15169 accepted the prefix for some reason over a bilateral peering session (to the best of my knowledge
the Equinix route servers do indeed filter, but please correct me on this one) with 10297 and hence poisoned the
8.8.8.8 resolver for some time with the wrong IP address.

Surprised this hasn't "made the news" over at this list yet.

In the old days, the list membership would have noticed the hijack. BGP hijacks used to be a somewhat popular topic, but like spammer chasing, I think everyone grew bored of it and the lack of things actually being done.

TL;DR: So it seems that AS10297 (some small hosting provider in the US) suddenly started to announce de-aggregated AWS
IP space, containing quite a lot of Route53 infrastructure, put up resolvers of their own on the hijacked IP space and
pointed *AT LEAST* www.myetherwallet.com to an IP address that seems to be some kind of transparent proxy out of Russia
with a bogus SSL cert (but still pretty good) (https://46.161.42.42/)

Why did they use a self-signed cert? If you control the DNS or the endpoint, you can easily get a signed cert. Given how lax people were at detecting this, they would have gotten further if people hadn't been complaining about the cert notification.

Jack

I have no reason to believe the Equinix route servers propagated or
contributed to this hijack, I checked with them. It is a good thing
their route server has filters, otherwise the damage could've been even
worse!

Kind regards,

Job