[173828] in North American Network Operators' Group
BGP hijacking to steal bitcoins
daemon@ATHENA.MIT.EDU (Stephane Bortzmeyer)
Fri Aug 8 04:46:33 2014
X-Original-To: nanog@nanog.org
Date: Fri, 8 Aug 2014 10:43:05 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
Good report (although I do not understand why they hide the name of
the offending ISP since anyone can see it in RouteViews, or in its own
BGP traffic). It's ordinary BGP hijacking but the goal is new:
stealing bitcoins since the connections inside the mining pool are not
authenticated.
http://www.secureworks.com/cyber-threat-intelligence/threats/bgp-hijacking-for-cryptocurrency-profit/
Here is an example in RouteViews@LINX, for (among others) the OVH
prefix 142.4.195.0/24 (bitcoin pool Hashfaster). This route was
withdrawn at 18:35:08.
TIME: 03/23/14 18:32:38
TYPE: BGP4MP/MESSAGE/Update
FROM: 195.66.224.21 AS6939
TO: 195.66.225.222 AS6447
ORIGIN: IGP
ASPATH: 6939 21548 34272 2093 2871 3721
NEXT_HOP: 195.66.224.21
ANNOUNCE
192.99.20.0/24
198.27.75.0/24
192.241.211.0/24
192.99.18.0/24
146.185.179.0/24
162.243.89.0/24
54.197.251.0/24
46.229.169.0/24
107.170.244.0/24
108.61.49.0/24
54.214.242.0/24
107.170.227.0/24
54.194.173.0/24
50.117.92.0/24
95.85.61.0/24
54.84.236.0/24
54.213.177.0/24
162.243.142.0/24
162.243.226.0/24
142.4.195.0/24
107.170.47.0/24
54.194.173.0/24
50.117.92.0/24
95.85.61.0/24
54.84.236.0/24
54.213.177.0/24
162.243.142.0/24
162.243.226.0/24
142.4.195.0/24
107.170.47.0/24
