Latest revision as of 03:45, 29 October 2013
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Digibase Security Advisory - Multiple Global BGP Compromises
Keywords: BGP,Routing,Network Operations
DBSA ID: 2013-0006
Regarding: Multiple Global BGP Compromises
Writeup: Kradorex Xeron (talk) 01:30, 31 July 2013 (EDT)
Date: 2013 07 29
Last Modified: 20131029034519 by Kradorex Xeron
Who should take note: Everyone
Classification
Priority: HIGH
Rationale: Users and organizations must act to ensure accounts are secured on sites and services on associated networks.
Severity: HIGH
Rationale: The impact is global across multiple high-profile financial sites.
Spread of Issue: CROSS-PLATFORM HIGH
Rationale: All systems that are Internet-connected are affected.
Description
On 24 July 2013, routes covering multiple high-profile financial processing networks, including banks and e-commerce sites, were hijacked by a network identified as AS25459, "NedZone Internet BV", located in The Netherlands. The bogus announcements drew traffic destined for those networks through the malicious provider itself or through an unfiltered customer of theirs. The incident lasted from 15:37 UTC through 15:41 UTC.
The hijack re-routed traffic destined for the affected networks through AS25459 from every part of the Internet that accepted the false announcements in preference to the legitimate ones.
This could have contributed to an interruption, detected by Digibase that morning, affecting several networks across North America (the window corresponds to 11:37 to 11:41 EDT).
Technical Details
The suspected hijacked routes (since withdrawn) covered the following addresses. Each row gives the origin AS number, the address observed, and the AS name, in the AS | IP | AS Name layout of a bulk IP-to-ASN lookup; a first column of NA means no origin AS could be determined for that address, and an address that appears under two AS numbers (193.23.143.167) is listed as returned:
AS     | IP              | AS Name
NA     | 193.239.116.0   | NA
174    | 213.146.191.81  | COGENT Cogent/PSI
1103   | 145.100.102.140 | SURFNET-NL SURFnet, The Netherlands
3147   | 170.135.216.181 | FIRSTBANK - FIRSTBANK
3549   | 67.17.194.80    | GBLX Global Crossing Ltd.
4134   | 211.148.151.240 | CHINANET-BACKBONE No.31,Jin-rong Street
4134   | 222.87.204.13   | CHINANET-BACKBONE No.31,Jin-rong Street
4323   | 50.59.63.211    | TWTC - tw telecom holdings, inc.
4621   | 202.29.39.238   | UNSPECIFIED UNINET-TH
5541   | 46.108.60.22    | ADNET-TELECOM AdNet Telecom
7743   | 159.53.46.53    | AS-7743 - JPMorgan Chase & Co.
7743   | 159.53.62.93    | AS-7743 - JPMorgan Chase & Co.
8228   | 88.141.120.0    | CEGETEL-AS Societe Francaise du Radiotelephone S.A
8560   | 212.227.136.64  | ONEANDONE-AS 1&1 Internet AG
9125   | 217.169.223.79  | ORIONTELEKOM-AS Drustvo za telekomunikacije Orion telekom doo Beograd, Gandijeva 76a
9143   | 83.84.194.112   | ZIGGO Ziggo B.V.
9221   | 203.112.92.133  | HSBC-HK-AS HSBC HongKong
10794  | 171.161.198.100 | BANK-OF-AMERICA Bank of America
10794  | 171.161.202.100 | BANK-OF-AMERICA Bank of America
10801  | 205.255.243.11  | REGIONS-ASN-1 - REGIONS FINANCIAL CORPORATION
10995  | 170.201.128.162 | PNCBANK - PNC Bank
10995  | 170.201.60.3    | PNCBANK - PNC Bank
13335  | 141.101.116.17  | CLOUDFLARENET - CloudFlare, Inc.
13335  | 190.93.253.64   | CLOUDFLARENET - CloudFlare, Inc.
13335  | 190.93.254.45   | CLOUDFLARENET - CloudFlare, Inc.
14618  | 174.129.132.92  | AMAZON-AES - Amazon.com, Inc.
14745  | 64.94.237.60    | INTERNAP-BLOCK-4 - Internap Network Services Corporation
15395  | 94.236.46.240   | Rackspace Ltd.
16243  | 193.23.143.167  | VIRTU-AS Virtu Secure Webservices B.V.
16265  | 95.211.113.200  | LEASEWEB LeaseWeb B.V.
16265  | 95.211.211.76   | LEASEWEB LeaseWeb B.V.
16276  | 188.165.230.24  | OVH OVH Systems
16276  | 188.165.95.172  | OVH OVH Systems
16276  | 213.186.33.16   | OVH OVH Systems
16276  | 91.121.183.228  | OVH OVH Systems
16276  | 91.121.82.179   | OVH OVH Systems
16276  | 94.23.207.222   | OVH OVH Systems
16276  | 94.23.40.106    | OVH OVH Systems
18881  | 189.114.74.122  | Global Village Telecom
20454  | 198.15.67.172   | SSASN2 - SECURED SERVERS LLC
21409  | 213.246.39.59   | IKOULA Ikoula Net SAS
23005  | 216.115.77.181  | SWITCH-COMMUNICATIONS - SWITCH Communications Group LLC
24940  | 46.4.170.163    | HETZNER-AS Hetzner Online AG
25187  | 62.64.35.10     | FCV FRANCE CITEVISION SAS
26769  | 173.245.201.28  | BANDCON - Bandcon
26848  | 206.195.196.160 | PFG-ASN-1 - The Principal Financial Group
29854  | 198.105.209.76  | WESTHOST - WestHost, Inc.
30998  | 196.207.11.23   | NETCOM-AFRICA-AS
32097  | 208.110.65.135  | WII-KC - WholeSale Internet, Inc.
32421  | 192.31.185.155  | BLCC - Black Lotus Communications
32787  | 72.52.11.117    | PROLEXIC-TECHNOLOGIES-DDOS-MITIGATION-NETWORK - Prolexic Technologies, Inc.
33070  | 166.78.21.112   | RMH-14 - Rackspace Hosting
35470  | 79.170.88.67    | XL-AS XL Internet Services B.V.
36137  | 66.248.200.243  | AVANTE-1 - Avante Hosting Services Inc.
36351  | 174.127.78.48   | SOFTLAYER - SoftLayer Technologies Inc.
36351  | 174.36.4.145    | SOFTLAYER - SoftLayer Technologies Inc.
36351  | 50.97.55.41     | SOFTLAYER - SoftLayer Technologies Inc.
36666  | 68.168.125.235  | GTCOMM - GloboTech Communications
36758  | 74.120.64.17    | ASN-BBT-ASN - Branch Banking and Trust Company
42244  | 46.254.19.65    | ESERVER Hosting Operator eServer.ru Ltd.
42910  | 188.132.179.0   | SADECEHOSTING-COM Hosting Internet Hizmetleri Sanayi ve Ticaret Anonim Sirketi
43260  | 31.210.155.45   | ROUTERGATE DGN TEKNOLOJI BILISIM YAYINCILIK SANAYI VE LIMITED SIRKETI
47195  | 79.110.92.75    | GAMEFORGE-AS Gameforge Productions GmbH
47927  | 94.126.8.26     | WIFIWEB Wifiweb s.r.l.
48539  | 193.23.143.167  | OXILION-AS Oxilion B.V.
48737  | 46.20.159.0     | DORATELEKOM Dora Telekomunikasyon Hizletleri A.S.
49544  | 109.200.206.176 | INTERACTIVE3D i3d B.V.
56471  | 217.116.176.133 | ACW-AT ACW - Netzwerk Produkte & Dienste GmbH
57511  | 185.9.18.130    | OVALTECH-AS OvalTech Internet Ltd
60454  | 89.33.242.99    | COMBIEM-AS COMBIEM SRL
197988 | 46.28.203.23    | SOLARCOM Solar Communications GMBH
199636 | 198.144.121.201 | ESECURITY Esecurity S.A.
263079 | 186.233.187.52  | HS - Serviços e Soluções Web Ltda
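As an added example, not part of this advisory and not Digibase's own tooling, the following Python shows how the Description's two hijack shapes can be screened for using the list above: it parses a constructed four-row excerpt in the same AS | IP | AS Name layout into an expected-origin map, then checks a constructed set of BGP announcements for (a) a prefix covering a listed address being originated by an AS other than the expected one, and (b) AS25459 appearing anywhere in the AS path, which is what the "unfiltered customer" case looks like when the customer originates the route and AS25459 is its upstream. The prefixes, AS paths and the unrelated filler route are assumptions made for illustration; only the AS numbers and addresses copied from the table and the AS number 25459 come from the advisory. The hijacker AS is a parameter, so the same check generalizes to any announcing AS under suspicion.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt (four rows) in the advisory's "AS | IP | AS Name" layout,
# including the NA row. Not the full Technical Details list.
ASN_LOOKUP_TABLE = """\
AS      | IP               | AS Name
NA      | 193.239.116.0    | NA
7743    | 159.53.46.53     | AS-7743 - JPMorgan Chase & Co.
10794   | 171.161.198.100  | BANK-OF-AMERICA Bank of America
13335   | 141.101.116.17   | CLOUDFLARENET - CloudFlare, Inc.
"""

# The AS the advisory names as the source of the bogus announcements.
HIJACKER_AS = 25459


@dataclass(frozen=True)
class Announcement:
    """One BGP route as seen by a monitor: the prefix and its AS_PATH,
    written left to right from the nearest neighbour to the origin AS."""
    prefix: str
    as_path: Tuple[int, ...]


def parse_lookup_table(text: str) -> Dict[str, Tuple[Optional[int], str]]:
    """Parse 'AS | IP | AS Name' rows into {ip: (expected origin ASN or None, AS name)}.

    'NA' in the AS column (as in the advisory's first row) becomes None: the
    expected origin is unknown, so only the hijacker-in-path check can apply.
    """
    expected: Dict[str, Tuple[Optional[int], str]] = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3 or parts[0] == "AS":   # skip header and malformed rows
            continue
        asn_text, ip, name = parts
        ipaddress.ip_address(ip)                   # reject garbage addresses early
        asn = int(asn_text) if asn_text.isdigit() else None
        expected[ip] = (asn, name)
    return expected


def find_hijacks(expected: Dict[str, Tuple[Optional[int], str]],
                 announcements: List[Announcement],
                 hijacker: int = HIJACKER_AS) -> List[Tuple[str, str, str]]:
    """Flag every announcement covering a listed address whose origin AS differs
    from the expected origin, or whose AS_PATH contains the hijacker AS at all.
    Every covering announcement is tested, not just the longest match, so a
    more-specific hijack is caught even when the legitimate route is also present.
    Returns (ip, prefix, reason) tuples in announcement order."""
    findings = []
    for ann in announcements:
        net = ipaddress.ip_network(ann.prefix, strict=False)
        origin = ann.as_path[-1]
        for ip, (exp_asn, name) in expected.items():
            if ipaddress.ip_address(ip) not in net:
                continue
            if exp_asn is not None and origin != exp_asn:
                findings.append((ip, ann.prefix,
                                 f"origin mismatch: expected AS{exp_asn} ({name}), saw AS{origin}"))
            elif hijacker in ann.as_path:
                findings.append((ip, ann.prefix,
                                 f"AS{hijacker} in path {ann.as_path} for {name}"))
    return findings


# Constructed sample of what a route monitor might have held during the window.
# Prefixes and paths are illustrative assumptions, not observed data.
SAMPLE_ANNOUNCEMENTS = [
    Announcement("159.53.0.0/16",    (3356, 7743)),          # legitimate: origin matches, no AS25459
    Announcement("171.161.198.0/24", (174, 25459)),          # AS25459 originates a more-specific
    Announcement("141.101.116.0/24", (3549, 25459, 13335)),  # origin kept, AS25459 as upstream
    Announcement("193.239.116.0/24", (174, 25459)),          # expected origin unknown (NA row)
    Announcement("203.0.113.0/24",   (64496, 64497)),        # unrelated prefix, never flagged
]


def run_example() -> List[Tuple[str, str, str]]:
    """Screen the constructed announcements against the constructed excerpt."""
    return find_hijacks(parse_lookup_table(ASN_LOOKUP_TABLE), SAMPLE_ANNOUNCEMENTS)


if __name__ == "__main__":
    for ip, prefix, reason in run_example():
        print(f"{ip:<16} {prefix:<18} {reason}")
```

Against the sample data the legitimate /16 and the unrelated prefix pass, while the three announcements involving AS25459 are reported: one as an origin mismatch and two because AS25459 sits in the path. In real use the path check needs a baseline of normal paths, since an AS that is a legitimate transit for some prefixes would otherwise be flagged on every route it carries.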
Mitigation/Solution
Users of services hosted on the networks listed above should verify that their accounts and data were not compromised. Users and organizations are advised to change passwords if those services were in use during the window (15:37 to 15:41 UTC on 24 July 2013) and to confirm that any communications with the hosting providers listed under "Technical Details" were not intercepted. Network operators holding BGP data from that window can check it for routes to the listed networks whose AS path included AS25459.