Yet another BGP hijacking towards AS16509

Siyuan Miao siyuan at
Mon Aug 22 23:54:50 UTC 2022

Hi folks,

Recently I read a post regarding the recent incident of Celer Network and
noticed a very interesting and successful BGP hijacking towards AS16509.

The attacker AS209243 added AS16509 to their AS-SET and a more specific
route object for the /24 where the victim's website is in ALTDB:
(Below is our IRRd4 server NRTM logging, UTC timezone)

irrd.log-20220817.gz:31106270-ADD 96126

irrd.log-20220817.gz:31106281-as-set:     AS-SET209243
irrd.log-20220817.gz:31106306-descr:      quickhost set
irrd.log-20220817.gz:31106332-members:    AS209243, AS16509
irrd.log-20220817.gz:31106362:mnt-by:     MAINT-QUICKHOSTUK
irrd.log-20220817.gz:31106392-changed:    crussell at 20220816
irrd.log-20220817.gz:31106438-source:     ALTDB

irrd.log-20220817.gz:31147549-ADD 96127


irrd.log-20220817.gz:31147588-descr:      route
irrd.log-20220817.gz:31147606-origin:     AS16509
irrd.log-20220817.gz:31147626:mnt-by:     MAINT-QUICKHOSTUK
irrd.log-20220817.gz:31147656-changed:    crussell at 20220816
irrd.log-20220817.gz:31147702-source:     ALTDB

Then they started announcing the prefix ... under another AWS ASN (AS14618).
I guess AS1299 Arelion doesn't check if the origin AS of an announcement is
in the customer's AS-SET, but it's pretty normal and understandable.

Type: A > announce Involving:
Short description: The new route 34854 1299 209243 14618 has been announced
Path: 34854, 1299, 209243, 14618,
Community: 1299:35000,34854:3001
Date and time: 2022-08-17 19:39:50 Collected by: 00-

Hijacking didn't last too long. AWS started announcing a more specific
announcement to prevent hijacking around 3 hours later. Kudos to Amazon's
security team :-)

Type: A > announce Involving:
Short description: The new route 58057 34549 5511 1299 16509 has been announced
Path: 58057, 34549, 5511, 1299, 16509,
Community: 5511:521,5511:666,5511:710,5511:5511,34549:100,34549:5511
Date and time: 2022-08-17 23:08:47 Collected by: 00-

The attacker cleaned up the IRR objects on 17 Aug and surprisingly no one
seemed to notice them ...

irrd.log-20220819.gz:26517714-ADD 96196

irrd.log-20220819.gz:26517725:as-set:     AS-SET209243
irrd.log-20220819.gz:26517750-descr:      quickhost set
irrd.log-20220819.gz:26517776-members:    AS209243, AS35437, AS37497
irrd.log-20220819.gz:26517815-mnt-by:     MAINT-QUICKHOSTUK
irrd.log-20220819.gz:26517845-changed:    crussell at 20220817
irrd.log-20220819.gz:26517891-source:     ALTDB

irrd.log-20220819.gz:26517910-DEL 96197


irrd.log-20220819.gz:26517949-descr:      route
irrd.log-20220819.gz:26517967-origin:     AS16509
irrd.log-20220819.gz:26517987-mnt-by:     MAINT-QUICKHOSTUK
irrd.log-20220819.gz:26518017-changed:    crussell at 20220816
irrd.log-20220819.gz:26518063-source:     ALTDB

Nowadays hijacking a service by forging the AS path is pretty easy, and RPKI
won't be able to solve this (as it validates origin AS and prefixes only).
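
The following is an added example, not code from the post or from any of the operators named in it. It walks through the three pieces of the incident described above: parsing IRRd NRTM log lines in the grep -b shape quoted in the post, building the IRR-derived prefix filter a transit would generate from the customer's AS-SET (which is why the forged AS16509 route object is enough to get the /24 accepted, even though the observed origin AS14618 was never in the set), and RFC 6811 route origin validation, which only looks at the (prefix, origin AS) pair and so returns "valid" for a path with a forged transit hop and a legitimate origin. All data is constructed: the log lines mirror the post's excerpt, 203.0.113.0/24 is a documentation prefix standing in for the victim's /24 that the post elided, and the ROAs are assumed for illustration, not AWS's real ones.

```python
import ipaddress
import re

# Constructed NRTM log in the grep -b shape the post quotes. The route: line
# the post left out is filled with a documentation prefix, NOT the real one.
NRTM_LOG = """\
irrd.log-20220817.gz:31106270-ADD 96126
irrd.log-20220817.gz:31106281-as-set:     AS-SET209243
irrd.log-20220817.gz:31106306-descr:      quickhost set
irrd.log-20220817.gz:31106332-members:    AS209243, AS16509
irrd.log-20220817.gz:31106362:mnt-by:     MAINT-QUICKHOSTUK
irrd.log-20220817.gz:31106392-changed:    crussell at 20220816
irrd.log-20220817.gz:31106438-source:     ALTDB
irrd.log-20220817.gz:31147549-ADD 96127
irrd.log-20220817.gz:31147560-route:      203.0.113.0/24
irrd.log-20220817.gz:31147588-descr:      route
irrd.log-20220817.gz:31147606-origin:     AS16509
irrd.log-20220817.gz:31147626:mnt-by:     MAINT-QUICKHOSTUK
irrd.log-20220817.gz:31147656-changed:    crussell at 20220816
irrd.log-20220817.gz:31147702-source:     ALTDB
"""

# <file>:<byte offset> then '-' (context) or ':' (match), then either an NRTM
# "ADD <serial>"/"DEL <serial>" header or an RPSL "attr: value" line.
LINE_RE = re.compile(r"^[^:]+:\d+[-:](?:(ADD|DEL) (\d+)|([a-z-]+):\s*(.*))$")


def parse_nrtm_log(text):
    """Group grep'd NRTM lines into objects: {'op', 'serial', <rpsl attrs>}."""
    objects, cur = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and anything grep did not print
        op, serial, attr, value = m.groups()
        if op:
            cur = {"op": op, "serial": int(serial)}
            objects.append(cur)
        elif cur is not None:
            cur[attr] = value.strip()
    return objects


def as_set_members(objects, name):
    """Members of the latest ADD of an as-set (one level, no nested sets)."""
    members = set()
    for obj in objects:
        if obj["op"] == "ADD" and obj.get("as-set") == name:
            members = {m.strip() for m in obj["members"].split(",")}
    return members


def irr_prefix_filter(objects, members):
    """Prefix-list a transit derives from IRR: every route object whose origin
    is in the customer's AS-SET. The forged AS16509 object lands here."""
    return {ipaddress.ip_network(o["route"]): o["origin"] for o in objects
            if o["op"] == "ADD" and "route" in o and o["origin"] in members}


def accept_from_customer(prefix, path, customer, members, prefix_filter):
    """(prefix_ok, origin_ok) for an update received on the customer session.
    path is nearest-first, so path[-1] is the origin. prefix_ok is the usual
    IRR prefix-list test; origin_ok additionally requires the origin AS to be
    in the AS-SET, the check the post says AS1299 did not apply."""
    prefix_ok = path[0] == customer and ipaddress.ip_network(prefix) in prefix_filter
    origin_ok = prefix_ok and path[-1] in members
    return prefix_ok, origin_ok


def rov_state(prefix, origin, roas):
    """RFC 6811 route origin validation over roas = [(prefix, maxlen, asn)].
    Only (prefix, origin AS) is examined; the rest of the AS path is ignored."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa_prefix, maxlen, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((maxlen, asn))
    if not covering:
        return "notfound"
    if any(asn == origin and net.prefixlen <= maxlen for maxlen, asn in covering):
        return "valid"
    return "invalid"


if __name__ == "__main__":
    objs = parse_nrtm_log(NRTM_LOG)
    members = as_set_members(objs, "AS-SET209243")
    flt = irr_prefix_filter(objs, members)
    # Update as AS1299 would see it from AS209243: path 209243 14618 (nearest first).
    print(accept_from_customer("203.0.113.0/24", ["AS209243", "AS14618"],
                               "AS209243", members, flt))        # (True, False)
    # Assumed ROAs (constructed): AWS authorizing both of its ASNs for the /24.
    roas = [("203.0.113.0/24", 24, "AS16509"), ("203.0.113.0/24", 24, "AS14618")]
    print(rov_state("203.0.113.0/24", "AS14618", roas))          # valid
```

Two caveats worth keeping in mind when reading the output. The origin-in-AS-SET check only raises the bar slightly: the same maintainer could have added AS14618 to the as-set as easily as AS16509, so the durable signal is the IRR change itself (an ALTDB object under one maintainer referencing another party's ASN), which is what the NRTM feed lets a monitor catch. And "valid" from rov_state is the expected result, not a bug: origin validation does exactly what its name says, and defending the rest of the path needs something else (ASPA or provider-side path filtering).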


More information about the NANOG mailing list