A Deeper Dive into the Amazon Route 53 BGP Hijack

Yesterday, we reported some initial news and details about the Amazon Route 53 BGP hijack that resulted in a loss to some cryptocurrency users.

Today on the Internet Society blog, Aftab Siddiqui presents a more technical dive into what exactly happened, using data from Isolario, RIPE Stats, and various reports from organizations who monitor Internet routing and health.

It’s an interesting read, and once again points out how MANRS can help alleviate future incidents. In fact, the Actions called for in MANRS for Network Operators were in place by a few network operators involved in this incident, which helped mitigate some of the damage. From Aftab’s post:

This problem could have been easily avoided if Hurricane Electric (AS6939), 1&1 Internet SE (AS8560), Shaw Communications Inc. (AS6327), and BroadbandOne/WV Fibre (AS19151) had prefix filtering in place. Thankfully, Level3 (AS3356), Cogentco (AS174), and NTT (AS2914) are all MANRS members and had prefix filters in place, or the damage would have been much bigger. As per Dyn they recorded only 15% of their nodes received malicious specific advertisement originated from AS10297, while NLNOG-RING (AS199036) were getting 87 unique paths to 205.251.192.0/23 (one of the Route53 prefix) originating from Amazon (AS16509) at 10am UTC. But when the attack started at 11:05 UTC they installed 15 new paths for 205.251.192.0/24 (one of the malicious more specific prefix) originated from eNET (AS10297). Out of those 15 unique paths, 12 of them were coming via Hurricane Electric (AS6939).

We encourage you to read the whole deep dive, and of course to implement the MANRS Actions (for network operators or for IXPs) and to join the MANRS community of security-minded organizations.

Together, we can protect the core!