There was a significant jump on announcement of this prefix at the time of the event.
stat.ripe.net/widget/bgp-upd…
stat.ripe.net/widget/bgp-upd…
AS7625 announces a /21 that covers the prefix in question (/24). AS9457 also announces a super prefix, but even larger (/16 as oppose to /21). Techinically, it should be fine for either ASNs to originate the prefix in question. But it's a bit stranger for AS9457 to do so.
The msgs in question all have link "6461 9457". As @zoaedk originally noticed, the peer link seems not exist. I checked with RouteViews2's RIB dump immediately before this event, and no path exists that contains the link. This smells like #BGP MITM attack by path manipulation.
The only common path segments is "6461 9457". Consider that AS9457 already announces pfxs that covers the hijacked one, there is only one suspect left.
One does not need to originate a prefix to hijack the traffic, one just needs to be on the path.
One does not need to originate a prefix to hijack the traffic, one just needs to be on the path.
Play with the relevant raw BGP data from RouteViews and RIPE RIS yourself with this Python notebook. (Powered by alpha version of @bgpkit mrt parser and data broker in Python.)
colab.research.google.com/drive/1juuTgMG…
colab.research.google.com/drive/1juuTgMG…
Found 4 affected prefixes:
211.249.221.0/24
121.53.104.0/24
7935:6800::/24
d3f9:dd00::/24
The two v4 pfxs are owned by Kakao Corp (does crypto business) and show very similar pattern of the udpate activity (no history, sudden spike on event).
211.249.221.0/24
121.53.104.0/24
7935:6800::/24
d3f9:dd00::/24
The two v4 pfxs are owned by Kakao Corp (does crypto business) and show very similar pattern of the udpate activity (no history, sudden spike on event).
• • •
Missing some Tweet in this thread? You can try to
force a refresh
