→ What can be learned from BGP hijacks targeting cryptocurrency services? (posted 2022-11-24)
Interesting blog post on the APNIC blog by Doug Madory:
On 17 August 2022, an attacker was able to steal approximately USD 235,000 in cryptocurrency by employing a BGP hijack against the Celer Bridge, a service that allows users to convert between cryptocurrencies.In this blog post, I discuss this and previous infrastructure attacks against cryptocurrency services. While these episodes revolve around the theft of cryptocurrency, the underlying attacks hold lessons for securing the BGP routing of any organization that conducts business on the Internet.
Using BGP to steal cryptocurrency is happening with some regularity now...
The important lesson comes at the end: Amazon shouldn't have RPKI ROAs for a /10 and a /11 with a maximum prefix limit of /24.
This way, the attacker, thanks to an ISP that didn't properly filter its customer's BGP announcements, was able to advertise a /24 out of Amazon's address space and have that announcement be labeled "valid" by RPKI route origin validation.
Amazon advertises a /11, and if the maximum prefix length in the ROA for that /11 had been just /11, the attacker wouldn't have been able to "shoplift" just that /24, but they'd have to go head-to-head against Amazon for that entire /11. That would have had a much lower chance of success and much higher chance of being noticed quickly.
(Shameless plug: if all that RPKI and ROA talk is gibberish to you, my new BGP e-book has a section on what RPKI is and how it works.)