• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
MANRS

MANRS

Mutually Agreed Norms for Routing Security

  • Home
  • About
    • About MANRS
    • History
    • Partners
    • Advisory Group
      • Description and Role
      • Members
    • Testimonials
    • Contact Us
  • Programmes
    • Network Operators
      • Network Operators Programme and Actions
      • Implementation Guide
      • Participants
      • Join MANRS
    • IXPs
      • IXP Programme and Actions
      • Participants
      • Join IXP Programme
    • CDN and Cloud Providers
      • CDN and Cloud Providers Programme and Actions
      • Participants
      • Join the Programme
  • MANRS Ambassadors
  • Resources
    • All Resources
      • Implementation Guide
      • Papers
    • Training
      • Workshops
      • Tutorials
    • Promote MANRS
  • Observatory
  • Blog
  • Join

A Deeper Dive into the Amazon Route 53 BGP Hijack

April 27, 2018 by Megan Kruse Leave a Comment

Yesterday, we reported some initial news and details about the Amazon Route 53 BGP hijack that resulted in a loss to some cryptocurrency users.

Today on the Internet Society blog, Aftab Siddiqui presents a more technical dive into what exactly happened, using data from Isolario, RIPE Stats, and various reports from organizations who monitor Internet routing and health.

It’s an interesting read, and once again points out how MANRS can help alleviate future incidents. In fact, the Actions called for in MANRS for Network Operators were in place by a few network operators involved in this incident, which helped mitigate some of the damage. From Aftab’s post:

This problem could have been easily avoided if Hurricane Electric (AS6939), 1&1 Internet SE (AS8560), Shaw Communications Inc. (AS6327), and BroadbandOne/WV Fibre (AS19151) had prefix filtering in place. Thankfully, Level3 (AS3356), Cogentco (AS174), and NTT (AS2914) are all MANRS members and had prefix filters in place, or the damage would have been much bigger. As per Dyn they recorded only 15% of their nodes received malicious specific advertisement originated from AS10297, while NLNOG-RING (AS199036) were getting 87 unique paths to 205.251.192.0/23 (one of the Route53 prefix) originating from Amazon (AS16509) at 10am UTC. But when the attack started at 11:05 UTC they installed 15 new paths for 205.251.192.0/24 (one of the malicious more specific prefix) originated from eNET (AS10297). Out of those 15 unique paths, 12 of them were coming via Hurricane Electric (AS6939).

We encourage you to read the whole deep dive, and of course to implement the MANRS Actions (for network operators or for IXPs) and to join the MANRS community of security-minded organizations.

Together, we can protect the core!

Share this:

  • Twitter
  • Facebook
  • LinkedIn
  • More
  • Email
  • Print
  • Reddit
  • Tumblr

Category iconNews and Announcements,  Routing Security Incidents

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Recent Posts

  • Feedback Requested: Chartering the MANRS Community
  • A Major BGP Hijack by AS55410-Vodafone Idea Ltd
  • 2 Security Issues with RPKI and How To Fix Them
  • Announcing the 2021 MANRS Fellows
  • Meet the 2021 MANRS Ambassadors
MANRS logo
Join MANRS
  • Sharing Our Content
  • Terms of Use
  • Privacy Policy
  • Contact
Follow us: Follow MANRS on Twitter Follow MANRS on Facebook Follow MANRS on LinkedIn Follow MANRS on YouTube

MANRS Document © 2016–2021

loading Cancel
Post was not sent - check your email addresses!
Email check failed, please try again
Sorry, your blog cannot share posts by email.