A few days ago, researchers at Dell SecureWorks published the details of a hashrate hijacker repeatedly hijacking BGP prefixes for numerous large providers such as Amazon, OVH, Digital Ocean, LeaseWeb, Alibaba and more. The goal of the operation was to intercept data between Bitcoin ASIC-miners and Bitcoin mining pools. They estimated that $83,000 was made with this hashrate hijack in just four months. Let’s take a closer look at the BGP details of this specific hashrate hijack.
HashRate hijack details
Our friends at Dell SecureWorks decided not to name the network from which the bgp route hijacks originated. As a result, we won’t name the exact Autonomous System either, instead we will suffice by saying that the originator of this hashrate hijack is a network operating in Eastern Canada.
Initial experiment
We detected the first HashRate Hijack by this Canadian Autonomous System on October 8th. For about 14 minutes a more specific /24 IP prefix for a Palestinian network was hijacked. Looking at geographical scope of the announcements and the probes that saw this route, we believe that in this case the route was only announced over the Toronto Internet Exchange.
Bitcoin hijack
On Feb 3rd, the first targeted Bitcoin hijacks took place, this affected more specific prefixes for AS 16509 (Amazon). Starting Feb 4th, the BGP route leak appears to be originating from one of the downstream customers of the hashrate hijacker. We believe this may have been an attempt to hide the actual Origin AS.
As of February 6th, the fingerprint changes slightly again and the same more specific announcement for Amazon now appears to be announced by Amazon directly, i.e. the most right AS in the AS path is the Amazon AS. Looking at the data, we believe that part of the AS path is spoofed and that Amazon did not actually announce this prefix, instead it was announced by the Canadian hashrate hijacker who tried to hide itself using AS path prepending.
Interestingly this specific case looks a lot like the ‘stealing the Internet’ bgp route hijack as presented at Defcon a few years ago, including AS path poisoning where some of the hijackers upstream providers were included in the spoofed part of the AS path.
We then observe a large gap between February 8th and March 22 where we don’t see any bgp route hijacks involving this particular AS. On March the 22nd the BGP route leaks return. In this case largely with the same fingerprint: mostly more specific (/24) announcements with the same spoofed AS paths.
Finally, May 13 is the last day these BGP route hijacks have been observed and it’s been quiet since.
Filters to limit the Scope and impact
It appears that all the BGP announcements related to the HashRate Hijacks were only visible via peers of this Canadian network via the Internet Exchange. This means that the bgp route hijacker either did not announce these leaked blocks to their transit providers, or the transit providers did a good job in filtering these announcements.
Most network operators do not have prefix filters on BGP peering sessions at Internet Exchanges. Instead, they often only have Max-Prefix filters in place. These Max-Prefix filters are intended to protect against large bgp route leaks, or a sudden increase in announced prefixes by these peers. In this scenario the BGP route hijacker would only announce a few new prefixes at any given time, this prevented Max-Prefix filters to trip.
Collateral damage
The BGP route hijacker appears to have known exactly what IP addresses Bitcoin ASIC-miners are, and as a result knew who to target. However, because many network operators filter out prefixes longer than a /24, the BGP route hijacker chose to announce a /24 in order to increase the chances of the prefix being accepted. This means that other machines in the same leaked /24 prefix that have nothing to do with Bitcoin mining were also affected. Because of the nature of the providers affected, primarily cloud providers offering VM hosting (AWS, OVH, Digital Ocean, ServerStack, Choopa, LeaseWeb and more), it is not unlikely that traffic for machines (VMs) of hundreds of organizations worldwide may have been redirection to the BGP route hijacker.
Not the first time
This incident follows numerous similar BGP route hijacks that happened recently. Just last year networks of several Credit Card companies were hijacked.
Another example is the bgp route hijack of multiple Government departments of one specific European country. More recently Turkey hijacked the IP addresses of several well-known DNS providers.
These recent examples demonstrate that BGP route leak is indeed being used for financial gain, Intelligence collection as well as Censorship.
You can discuss hashrate leak scenarios and detection methods with me in more detail via private messages. Contact information is provided in the relevant section of this website.