Earlier today many BGPmon users received one or more alerts informing them that their autonomous system (AS) started to announce a more-specific prefix. BGPmon classified many of these alerts as possible BGP man-in-the-middle (MITM) attacks. Here is an example alert:
====================================================================
Possible BGP MITM attack (Code: 21)
====================================================================
Your prefix: 23.20.0.0/15:
Prefix Description: acxiom-online.com --- Amazon EC2 IAD prefix
Update time: 2015-03-26 11:27 (UTC)
Detected by #peers: 24
Detected prefix: 23.21.112.0/20
Announced by: AS14618 (AMAZON-AES - Amazon.com, Inc.,US)
Upstream AS: AS3257 (TINET-BACKBONE Tinet SpA,DE)
ASpath: 4608 24130 7545 6939 40633 18978 3257 14618
The alert shows the user was monitoring 23.20.0.0/15, normally announced by Amazon, Inc. (AS14618). In this case however, the detected prefix was the more specific 23.21.112.0/20. The netblock owners would have verified their BGP announcements and quickly recognized they did not originate this more-specific prefix. Further analysis pointed to the suspicion that a bad actor was impersonating Amazon. BGPmon algorithms alerted to this as well, and–within moments of the initial change–marked these events as a possible BGP MITM attack.
One reason for this classification is the way BGPmon understands and interprets AS paths and what are considered odd behaviors. When looking at the AS path, it appears either Enzu, Inc. (18978) or the Los Angeles Internet Exchange (40633) leaked this prefix. BGPmon normally considers this activity as a “standard” BGP leak, but when paired with a new, more-specific prefix, it is considered highly suspicious.
More in-depth examination shows the BGPmon system correctly classified the attack. As it turns out, all events have the following part of the AS path in common: ‘40633 18978’.
Because of their amplifying nature, these particular BGP incidents are some of the most serious. We have blogged about similar cases previously, like this one from last year: http://www.bgpmon.net/accidentally-stealing-the-internet/. Even though these incidents tend to be accidents, the potential impact is significant, primarily because the new BGP announcements are more-specific announcements and, as a result, are always prefered. Events like this are also harder to detect and properly classify, since the origin AS appears to not change. This is another example where monitoring using specialized software such as BGPmon.net is essential for network operators to help them quickly discover and properly clasify events like this.
Based on past incidents, we suspect a BGP traffic optimizer as the cause of the prefix leak. When announcing new, fake more-specific prefixes, BGP traffic optimizers normally break up an aggregate block of prefixes into two (or more) prefix sets, while keeping the original AS path in tact. These ‘fake’ new announcements typically stay within the network that deploys the optimizer and they are not leaked to the rest of the world.
In this case, that is exactly what happened. Enzu, Inc. (AS18978) appears to have a BGP traffic optimizer deployed, and leaked these ‘optimized’ routes to AS40633, who then announced it to its peering partners at the Internet Exchange ANY2 IX in Los Angeles. Those networks then propagated this further to their customers and other peers. Networks that learned these new routes would have selected that path and routed traffic towards AS18978, which reroutes traffic away from the legitimate destination, essentially creating a MITM scenario.
This incident occurred between 10:38 and 14:26 UTC today and resulted in more than 7,000 new more-specific prefixes affecting roughly 280 Autonomous Systems, including large networks such as Rogers Cable, Telstra, Telenor, KDDI, BT-UK, Orange, Deutsche Telekom , Sprint, China Telecom, SHAW, LGI-UPC, AT&T, Comcast, Amazon, Internap, Time Warner Cable, Choopa, Syrian Telecommunications and many more.