Latest revision as of 03:45, 29 October 2013

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant. Please refer to the "Date" section of the header to be sure the advisory is recent as it pertains to your situation.

Digibase Security Advisory - Multiple Global BGP Compromises

Keywords: BGP,Routing,Network Operations

DBSA ID: 2013-0006

Regarding: Multiple Global BGP Compromises

Writeup: Kradorex Xeron (talk) 01:30, 31 July 2013 (EDT)

Date: 2013 07 29

Last Modified: 20131029034519 by Kradorex Xeron

Who should take note: Everyone

Classification

Priority: HIGH

Rationale: Users and organizations must act to ensure accounts are secured on sites and services on associated networks.

Severity: HIGH

Rationale: The impact is global across multiple high-profile financial sites.

Spread of Issue: CROSS-PLATFORM HIGH

Rationale: All systems that are Internet-connected are affected.

Description

On 24 July 2013, multiple high-profile financial processing networks, including banks and e-commerce sites, had their routes compromised by a network identified as AS25459, "NedZone Internet BV", located in the Netherlands. During the compromise, traffic destined for those networks was routed through the malicious provider or an unfiltered customer of theirs. The incident lasted from 15:37 UTC (3:37 PM) through to 15:41 UTC (3:41 PM).

This route hijack had the effect of re-routing any and all traffic destined to such networks through AS25459 (the aforementioned network).

This could have contributed to an interruption of several networks across the Internet in North America that Digibase detected during the morning.

Technical Details

The suspected compromised routes (since withdrawn) include the following networks, listed as origin ASN, an affected address, and the registered AS name:

ASN     | Address          | AS name
NA      | 193.239.116.0    | NA
174     | 213.146.191.81   | COGENT Cogent/PSI
1103    | 145.100.102.140  | SURFNET-NL SURFnet, The Netherlands
3147    | 170.135.216.181  | FIRSTBANK - FIRSTBANK
3549    | 67.17.194.80     | GBLX Global Crossing Ltd.
4134    | 211.148.151.240  | CHINANET-BACKBONE No.31,Jin-rong Street
4134    | 222.87.204.13    | CHINANET-BACKBONE No.31,Jin-rong Street
4323    | 50.59.63.211     | TWTC - tw telecom holdings, inc.
4621    | 202.29.39.238    | UNSPECIFIED UNINET-TH
5541    | 46.108.60.22     | ADNET-TELECOM AdNet Telecom
7743    | 159.53.46.53     | AS-7743 - JPMorgan Chase & Co.
7743    | 159.53.62.93     | AS-7743 - JPMorgan Chase & Co.
8228    | 88.141.120.0     | CEGETEL-AS Societe Francaise du Radiotelephone S.A
8560    | 212.227.136.64   | ONEANDONE-AS 1&1 Internet AG
9125    | 217.169.223.79   | ORIONTELEKOM-AS Drustvo za telekomunikacije Orion telekom doo Beograd, Gandijeva 76a
9143    | 83.84.194.112    | ZIGGO Ziggo B.V.
9221    | 203.112.92.133   | HSBC-HK-AS HSBC HongKong
10794   | 171.161.198.100  | BANK-OF-AMERICA Bank of America
10794   | 171.161.202.100  | BANK-OF-AMERICA Bank of America
10801   | 205.255.243.11   | REGIONS-ASN-1 - REGIONS FINANCIAL CORPORATION
10995   | 170.201.128.162  | PNCBANK - PNC Bank
10995   | 170.201.60.3     | PNCBANK - PNC Bank
13335   | 141.101.116.17   | CLOUDFLARENET - CloudFlare, Inc.
13335   | 190.93.253.64    | CLOUDFLARENET - CloudFlare, Inc.
13335   | 190.93.254.45    | CLOUDFLARENET - CloudFlare, Inc.
14618   | 174.129.132.92   | AMAZON-AES - Amazon.com, Inc.
14745   | 64.94.237.60     | INTERNAP-BLOCK-4 - Internap Network Services Corporation
15395   | 94.236.46.240    | Rackspace Ltd.
16243   | 193.23.143.167   | VIRTU-AS Virtu Secure Webservices B.V.
16265   | 95.211.113.200   | LEASEWEB LeaseWeb B.V.
16265   | 95.211.211.76    | LEASEWEB LeaseWeb B.V.
16276   | 188.165.230.24   | OVH OVH Systems
16276   | 188.165.95.172   | OVH OVH Systems
16276   | 213.186.33.16    | OVH OVH Systems
16276   | 91.121.183.228   | OVH OVH Systems
16276   | 91.121.82.179    | OVH OVH Systems
16276   | 94.23.207.222    | OVH OVH Systems
16276   | 94.23.40.106     | OVH OVH Systems
18881   | 189.114.74.122   | Global Village Telecom
20454   | 198.15.67.172    | SSASN2 - SECURED SERVERS LLC
21409   | 213.246.39.59    | IKOULA Ikoula Net SAS
23005   | 216.115.77.181   | SWITCH-COMMUNICATIONS - SWITCH Communications Group LLC
24940   | 46.4.170.163     | HETZNER-AS Hetzner Online AG
25187   | 62.64.35.10      | FCV FRANCE CITEVISION SAS
26769   | 173.245.201.28   | BANDCON - Bandcon
26848   | 206.195.196.160  | PFG-ASN-1 - The Principal Financial Group
29854   | 198.105.209.76   | WESTHOST - WestHost, Inc.
30998   | 196.207.11.23    | NETCOM-AFRICA-AS
32097   | 208.110.65.135   | WII-KC - WholeSale Internet, Inc.
32421   | 192.31.185.155   | BLCC - Black Lotus Communications
32787   | 72.52.11.117     | PROLEXIC-TECHNOLOGIES-DDOS-MITIGATION-NETWORK - Prolexic Technologies, Inc.
33070   | 166.78.21.112    | RMH-14 - Rackspace Hosting
35470   | 79.170.88.67     | XL-AS XL Internet Services B.V.
36137   | 66.248.200.243   | AVANTE-1 - Avante Hosting Services Inc.
36351   | 174.127.78.48    | SOFTLAYER - SoftLayer Technologies Inc.
36351   | 174.36.4.145     | SOFTLAYER - SoftLayer Technologies Inc.
36351   | 50.97.55.41      | SOFTLAYER - SoftLayer Technologies Inc.
36666   | 68.168.125.235   | GTCOMM - GloboTech Communications
36758   | 74.120.64.17     | ASN-BBT-ASN - Branch Banking and Trust Company
42244   | 46.254.19.65     | ESERVER Hosting Operator eServer.ru Ltd.
42910   | 188.132.179.0    | SADECEHOSTING-COM Hosting Internet Hizmetleri Sanayi ve Ticaret Anonim Sirketi
43260   | 31.210.155.45    | ROUTERGATE DGN TEKNOLOJI BILISIM YAYINCILIK SANAYI VE LIMITED SIRKETI
47195   | 79.110.92.75     | GAMEFORGE-AS Gameforge Productions GmbH
47927   | 94.126.8.26      | WIFIWEB Wifiweb s.r.l.
48539   | 193.23.143.167   | OXILION-AS Oxilion B.V.
48737   | 46.20.159.0      | DORATELEKOM Dora Telekomunikasyon Hizletleri A.S.
49544   | 109.200.206.176  | INTERACTIVE3D i3d B.V.
56471   | 217.116.176.133  | ACW-AT ACW - Netzwerk Produkte & Dienste GmbH
57511   | 185.9.18.130     | OVALTECH-AS OvalTech Internet Ltd
60454   | 89.33.242.99     | COMBIEM-AS COMBIEM SRL
197988  | 46.28.203.23     | SOLARCOM Solar Communications GMBH
199636  | 198.144.121.201  | ESECURITY Esecurity S.A.
263079  | 186.233.187.52   | HS - Serviços e Soluções Web Ltda
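
As an added example (not Digibase's code and not part of the original advisory), the script below shows the check a network operator would run to detect the condition described above: it builds an expected-origin baseline from rows in the table's own `ASN | address | AS name` format, then flags announcements whose origin AS differs from the baseline or whose AS path transits AS25459, noting more-specific prefixes and whether each announcement falls inside the 15:37 to 15:41 UTC window. Widening each listed host address to a /24 is an assumption made for illustration, and the BGP update records are constructed sample data, not a capture from the incident.

```python
"""Flag BGP announcements that conflict with an expected-origin baseline.

Added example for this advisory, not Digibase code. Baseline rows are copied
from the advisory's table (ASN | address | AS name); widening each address to
a /24 is assumed. The BGP updates are constructed, not captured during the incident.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

HIJACKER_AS = 25459  # AS named in the advisory (NedZone Internet BV)

# Incident window from the advisory, UTC.
INCIDENT_START = datetime(2013, 7, 24, 15, 37, tzinfo=timezone.utc)
INCIDENT_END = datetime(2013, 7, 24, 15, 41, tzinfo=timezone.utc)

# A few rows in the advisory's own table format (the first carries no ASN).
ADVISORY_ROWS = """
NA      | 193.239.116.0    | NA
7743    | 159.53.46.53     | AS-7743 - JPMorgan Chase & Co.
10794   | 171.161.198.100  | BANK-OF-AMERICA Bank of America
10995   | 170.201.128.162  | PNCBANK - PNC Bank
13335   | 141.101.116.17   | CLOUDFLARENET - CloudFlare, Inc.
"""


def parse_advisory_rows(text: str, prefix_len: int = 24) -> Dict[ipaddress.IPv4Network, int]:
    """Build {prefix: expected origin ASN} from 'ASN | address | name' rows.
    Rows with a non-numeric ASN ('NA') carry no baseline and are skipped; each
    host address is widened to /prefix_len (an assumed width).
    """
    baseline = {}
    for line in text.strip().splitlines():
        asn, addr, _name = (field.strip() for field in line.split("|", 2))
        if not asn.isdigit():
            continue
        baseline[ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)] = int(asn)
    return baseline


@dataclass
class Update:
    seen: datetime
    prefix: ipaddress.IPv4Network
    as_path: List[int]  # collector peer first, origin AS last


def covering_prefix(baseline, prefix) -> Optional[ipaddress.IPv4Network]:
    """Most specific baseline prefix equal to or containing `prefix`. A more-specific
    carved out of a known block must be judged against the covering entry."""
    matches = [p for p in baseline if prefix.subnet_of(p)]
    return max(matches, key=lambda p: p.prefixlen) if matches else None


def classify(update: Update, baseline) -> dict:
    """Verdicts: NO_BASELINE (prefix not covered), ORIGIN_HIJACK (origin differs
    from baseline), PATH_ANOMALY (origin right but suspect AS in path), OK."""
    covering = covering_prefix(baseline, update.prefix)
    origin = update.as_path[-1]
    finding = {
        "prefix": str(update.prefix),
        "origin": origin,
        "in_window": INCIDENT_START <= update.seen <= INCIDENT_END,
        "more_specific": covering is not None and update.prefix.prefixlen > covering.prefixlen,
    }
    if covering is None:
        finding["verdict"] = "NO_BASELINE"
    elif origin != baseline[covering]:
        finding["verdict"] = "ORIGIN_HIJACK"
    elif HIJACKER_AS in update.as_path:
        finding["verdict"] = "PATH_ANOMALY"
    else:
        finding["verdict"] = "OK"
    return finding


def audit(updates: List[Update], baseline) -> List[dict]:
    """Findings for every announcement that is not OK, in arrival order."""
    return [f for f in (classify(u, baseline) for u in updates) if f["verdict"] != "OK"]


def _at(hh: int, mm: int) -> datetime:
    return datetime(2013, 7, 24, hh, mm, tzinfo=timezone.utc)


# Constructed sample updates. The /25 models a more-specific that keeps the
# legitimate origin at the end of the path but transits the suspect AS.
SAMPLE_UPDATES = [
    Update(_at(15, 30), ipaddress.ip_network("159.53.46.0/24"), [174, 7743]),
    Update(_at(15, 38), ipaddress.ip_network("159.53.46.0/24"), [174, 25459]),
    Update(_at(15, 39), ipaddress.ip_network("171.161.198.0/25"), [174, 25459, 10794]),
    Update(_at(15, 40), ipaddress.ip_network("198.51.100.0/24"), [174, 25459]),
    Update(_at(15, 50), ipaddress.ip_network("141.101.116.0/24"), [174, 13335]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_UPDATES, parse_advisory_rows(ADVISORY_ROWS)):
        print(finding)
```

Run it directly to print the three findings for the constructed sample (an origin hijack, a more-specific transiting AS25459 with the legitimate origin still at the end of the path, and a prefix with no baseline). In practice the baseline would come from the operator's own prefix list or IRR/RPKI data and the updates from a route collector feed; the path-transit check matters because an announcement can carry the correct origin and still divert traffic.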
 

Mitigation/Solution

All users that utilize services hosted by the above organizations should ensure their accounts and data are secure. Users and organizations are advised to consider changing passwords if services were in use during that window of time and to ensure any communications with the hosting providers noted in "Technical Details" were not compromised.

References