BitCoin mining with BGP Hijacking

A few days ago one telecom engineer repeatedly spoofing BGP prefixes for numerous large providers such as Amazon, OVH, Digital Ocean, LeaseWeb, Alibaba and more. The goal of the operation was to intercept data between Bitcoin miners and Bitcoin mining pools. $83,000 was made with this attack in just four months. Let's take a closer look at the BGP details of this specific BitCoin mining operation.

Attack details

OSPFmon detected the first spoof by Canadian Autonomous System on October 8th 2013. For about 14 minutes a more specific /24 prefix for a Palestinian network was hijacked. Looking at geographical scope of the announcements and the probes that saw this route, we believe that in this case the route was only announced over the Toronto Internet Exchange.

BitCoin mining

On Feb 3rd 2014, the first advanced persistent Bitcoin leaks took place, this affected more specific prefixes for AS 16509 (Amazon). Starting Feb 4th the BGP leak appears to be originating from one of the downstream customers of the BitCoin miner. We believe this may have been an attempt to hide the actual Origin AS.

As of February 6th the finger print changes slightly again and the same more specific announcement for Amazon now appears to be announced by Amazon directly; i.e. the most right AS in the AS path is the Amazon AS. Looking at the data we believe that part of the ASPATH is spoofed and that Amazon did not actually announce this prefix, instead it was announced by the Canadian BitCoin miner who tried to hide itself using AS path prepending.
Interestingly this specific case looks a lot like the ‘stealing the Internet’ attack as presented at Defcon a few years ago, including ASpath poisoning where some of the attackers upstream providers were included in the spoofed part of the ASpath.

We then observe a large gap between February 8th and March 22 where we don’t see any attacks involving this particular AS. On March the 22nd the hijacks return. In this case largely with the same fingerprint: mostly more specific (/24) announcements with the same spoofed ASpaths. Finally May 13, 2014 is the last day these attacks have been observed and it’s been quiet since.

BGP Hijacking of the malicious route in progress

It appears that all the BGP announcements related to the Bitcoin mining operation were only visible via peers of this Canadian network via the Internet Exchange. This means that the BitCoin miner either did not announce these hijacked blocks to their transit providers, or the transit providers did a good job in filtering these announcements.

Most network operators do not have prefix filters on BGP peering sessions at Internet Exchanges. Instead they often only have Max-Prefix filters in place. These Max-Prefix filters are intended to protect against large leaks, or a sudden increase in announced prefixes by these peers. In this scenario the BitCoin miner would only announce a few new prefixes at any given time, this prevented Max-Prefix filters to trip.

The BitCoin miner appears to have known exactly what IP addresses have other Bitcoin miners and as a result knew who to target. However, because many network operators filter out prefixes longer than a /24, the BitCoin miner chose to announce a /24 in order to increase the chances of the prefix being accepted. This means that other machines in the same hijacked /24 prefix that have nothing to do with Bitcoin mining were also affected. Because of the nature of the providers affected, primarily cloud providers offering VM hosting (AWS, OVH, Digital Ocean, ServerStack, Choopa, LeaseWeb and more), it is not unlikely that traffic for machines (VMs) of hundreds of organizations worldwide may have been redirection to the BitCoin miner.

Not the first time

This incident follows numerous similar BGP hijacks that happened recently. Just last year networks of several Credit Card companies were hijacked. Another example is the hijack of multiple Government departments of one specific European country. More recently Turkey hijacked the IP addresses of several well-known DNS providers. These recent examples demonstrate that BGP hijacking is indeed being used for financial gain, Intelligence collection as well as Censorship.

CHECKING the BGP SPEAKER's LEAKS

BGP hijacks remain a relative common occurrence. Just in the last year there have been seen several incidents where a BGP hijack appeared to be targeted and malicious rather than a ‘fat finger’ incident.
Daily checking of possible BGP LEAKS can significantly reduce the operational and financial impact for the victims. When a BGP hijack occurs, OSPFmon will alert Network Operators and Incident Response teams in near real-time and provide the responsible teams with all the information and situational awareness to take immediate action.