In April 2018, we detailed a brazen BGP hijack of Amazon's authoritative DNS service in order to redirect users of a crypto currency wallet service to a fraudulent website ready to steal their money.

In the past month, we have observed additional BGP hijacks of authoritative DNS servers with a technique similar to what was used in April. This time the targets included US payment processing companies.

As in the Amazon case, these more recent BGP hijacks enabled imposter DNS servers to return forged DNS responses, misdirecting unsuspecting users to malicious sites. By using long TTL values in the forged responses, recursive DNS servers held these bogus DNS entries in their caches long after the BGP hijack had disappeared — maximizing the duration of the attack.

The Hijacks

At 23:37:18 UTC on 6 July 2018, Digital Wireless Indonesia (AS38146) announced the following prefixes for about thirty minutes. These prefixes didn't propagate very far and were only seen by a handful of our peers.

> 64.243.142.0/24 Savvis

> 64.57.150.0/24 Vantiv, LLC

> 64.57.154.0/24 Vantiv, LLC

> 69.46.100.0/24 Q9 Networks Inc.

> 216.220.36.0/24 Q9 Networks Inc.

Three were more-specific announcements (64.243.142.0/24, 69.46.100.0/24, 216.220.36.0/24) of existing routes.

Then at 22:17:37 UTC on 10 July 2018, Malaysian operator Extreme Broadband (AS38182) announced the exact same five prefixes listed above. For about 30 minutes, these hijack prefixes weren't propagated very far. Then they were announced again at 23:37:47 UTC for about 15 minutes but to a larger set of peers — 48 peers instead of 3 peers in the previous hour. It appears a change of BGP communities from 24218:1120 to 24218:1 increased the route propagation.

According to a brochure on the company's website, Datawire is a "patented connectivity service that transports financial transactions securely and reliably over the public Internet to payment processing systems." Datawire's nameservers, ns1.datawire.net and ns2.datawire.net, resolve to 216.220.36.76 and 69.46.100.71 respectively, addresses that were in the hijacked networks shown above.

Vantiv and First Third Processing are former names of Worldpay, a major US payment processing service. Vantiv's nameservers, ns1.ftpsllc.net and ns2.ftpsllc.net, resolve to 64.57.150.53 and 64.57.154.53 respectively, addresses in the hijacked networks shown above.

At 00:29:24 UTC on 11 July 2018, AS38182 began hijacking a new set of prefixes in two separate incidents for minutes each time.

> 209.235.25.0/24 Mercury Payment Systems

> 63.111.40.0/24 Mercury Payment Systems

> 8.25.204.0/24 Level 3

> 12.130.236.0/24 CERFnet

Mercury Payment Systems is a credit card processing service also owned by Worldpay (formerly Vantiv). Mercury's nameservers, ns1.mercurypay.com and ns2.mercurypay.com, resolve to 209.235.25.13 and 63.111.40.13. These IP addresses were hijacked as part of 209.235.25.0/24 and 63.111.40.0/24, both more-specifics of their normal routes.

This at 21:51:36 UTC on 12 July 2018, AS38182 began hijacking the same five routes as had been targeted twice previously.

> 64.243.142.0/24 Savvis

> 64.57.150.0/24 Vantiv, LLC

> 64.57.154.0/24 Vantiv, LLC

> 69.46.100.0/24 Q9 Networks Inc.

> 216.220.36.0/24 Q9 Networks Inc.

These hijacks lasted for almost three hours. The Vantiv hijacks are visualized below:

Illustrated below, Q9 evidently noticed their routes were being hijacked and started announcing the same routes in an effort to regain control of the IP address space.

Then at 23:06:32 UTC on 12 July 2018, AS38182 began hijacking various routes, including two for major DNS service provider UltraDNS (owned by Neustar), for approximately 10 minutes.

> 199.7.68.0/24 UltraDNS Corporation

> 199.7.69.0/24 UltraDNS Corporation

> 204.74.108.0/24 UltraDNS Corp

> 204.74.109.0/24 Internet Media Network

> 204.74.114.0/24 Internet Media Network

> 204.74.115.0/24 Internet Media Network

> 65.118.49.0/24 CenturyLink

Forged DNS responses

Users of these payment systems began to report problems as early as 10 July. Participants on the Outages email distribution list reported problems connecting to Datawire shortly after the first hijack.

Passive DNS observations between the 10th and 13th of July showed *.datawire.net domains resolving to 45.227.252.17 - IP address space registered as being in Dutch Caribbean island of Curaçao, but routed out of breakaway region of Luhansk in eastern Ukraine.

Similarly the hijack of Amazon's Route53 service in April was directed to 46.161.42.42, which is registered as being German IP space, but is also routed out of Luhansk in eastern Ukraine.

These similarities indicate that these two BGP hijacks of authoritative DNS servers may be related.

In last month's hijacks, the perpetrators showed attention to detail, setting the TTL of the forged response to ~5 days. The normal TTL for the targeted domains was 10 minutes (600 seconds). By configuring a very long TTL, the forged record could persist in the DNS caching layer for an extended period of time, long after the BGP hijack had stopped.

Conclusion

If previous hijacks were shots across the bow, these incidents show the Internet infrastructure is now taking direct hits. Unfortunately, there is no reason not to expect to see more of these types of attacks against the Internet.

As Job Snijders of NTT Communications has suggested, our only hope is the use the consolidation of the Internet industry to our advantage. He wrote to me recently: