The Canadian Bitcoin Hijack

A few days ago researchers at Dell SecureWorks published the details of an attacker repeatedly hijacking BGP prefixes for numerous large providers such as Amazon, OVH, Digital Ocean, LeaseWeb, Alibaba and more. The goal of the operation was to intercept data between Bitcoin miners and Bitcoin mining pools. They estimated that $83,000 was made with this attack in just four months. The original post has many of details which we won't repeat here, instead will take a closer look at  the BGP details of this specific attack. Attack details Our friends at Dell SecureWorks decided not to name the network from which the hijacks originated. As a result we won’t name the exact Autonomous System either, instead we will suffice by saying that the originator of this hijack is a network operating in Eastern Canada. Initial experiment BGPmon detected the first hijack by this Canadian Autonomous System on October 8th 2013. For about 14 minutes a more specific /24 prefix for a Palestinian network was hijacked. Looking at geographical scope of the announcements and the probes that saw this route, we believe that in this case the route was only announced over the Toronto Internet Exchange. Bitcoin hijack On Feb 3rd 2014, the first targeted Bitcoin hijacks took place, this affected more specific prefixes for AS 16509 (Amazon). Starting Feb 4th the BGP hijack appears to be originating from one of the downstream customers of the attacker. We believe this may have been an attempt to hide the actual Origin AS. As of February 6th the finger print changes slightly again and the same more specific announcement for Amazon now appears to be announced by Amazon directly; i.e. the most right AS in the AS path is the Amazon AS. Looking at the data we believe that part of the ASpath is spoofed and that Amazon did not actually announce this prefix, instead it was announced by the Canadian attacker who tried to hide itself using AS path prepending. Interestingly this specific case looks a lot like the ‘stealing the Internet’ attack as presented at Defcon a few years ago, including ASpath poisoning where some of the attackers upstream providers were included in the spoofed part of the ASpath. We then observe a large gap between February 8th and March 22 where we don’t see any attacks involving this particular AS. On March the 22nd the hijacks return. In this case largely with the same fingerprint: mostly more specific (/24) announcements with the same spoofed ASpaths. Finally May 13, 2014 is the last day these attacks have been observed and it’s been quiet since. Filters to limit the Scope and impact It appears that all the BGP announcements related to the Bitcoin hijack attacks were only visible via peers of this Canadian network via the Internet Exchange. This means that the attacker either did not announce these hijacked blocks to their transit providers, or the transit providers did a good job in filtering these announcements. Most network operators do not have prefix filters on BGP peering sessions at Internet Exchanges. Instead they often only have Max-Prefix filters in place. These Max-Prefix filters are intended to protect against large leaks, or a sudden increase in announced prefixes by these peers. In this scenario the attacker would only announce a few new prefixes at any given time, this prevented Max-Prefix filters to trip. Collateral damage The attacker appears to have known exactly what IP addresses are Bitcoin miners and as a result knew who to target. However, because many network operators filter out prefixes longer than a /24, the attacker chose to announce a /24 in order to increase the chances of the prefix being accepted. This means that other machines in the same hijacked /24 that have nothing to do with Bitcoin mining were also affected. Because of the nature of the providers affected, primarily cloud providers offering VM hosting (AWS, OVH, Digital Ocean, ServerStack, Choopa, LeaseWeb and more), it is not unlikely that traffic for machines (VMs) of hundreds of organizations worldwide may have been redirection to the hijacker. Not the first time This incident follows numerous similar BGP hijacks that happened recently. Just last year networks of several Credit Card companies were hijacked. Another example is the hijack of multiple Government departments of one specific European country. More recently Turkey hijacked the IP addresses of several well-known DNS providers. These recent examples demonstrate that BGP hijacking is indeed being used for financial gain, Intelligence collection as well as Censorship. Monitoring BGP hijacks remain a relative common occurrence. Just in the last year there have been seen several incidents where a BGP hijack appeared to be targeted and malicious rather than a ‘fat finger’ incident. Monitoring for events like this can significantly reduce the operational and financial impact for the victims. When a BGP hijack occurs, BGPmon will alert Network Operators and Incident Response teams in near real-time and provide the responsible teams with all the information and situational awareness to take immediate action.