This presentation by Andree Toonk at NANOG 63 looked at a number of specific examples of route hijacking. The examples included:
- Network hijacking to support the creation of bitcoin farms and bitcoin mining via a hijacked pool of servers, which, in turn, may use a hijacked pool of routes. The scope of a Canadian hijack was limited to a single IX and its peers at Torix. 51 prefixes and19 ASNs were affected by the hijack.
- Network hijacking in Turkey in March 2013. The Turkish authorities first tried to impose a set of DNS blocking filters on ISPs. This encouraged users to redirect their DNS queries to various open resolvers. The authorities then tried to null route IP addresses of the more popular open resolver services, but in so doing they caused a national breakage for a large number of users. Then they tried local spoofing on these addresses. The false routes intended to block the access to open resolvers did not mimic the originating AS, nor the original prefix sizes, making the effort highly visible.
- Spammers. The problem noted here is that the RADB has no admission policy, so spammers were not only hijacking the prefix, but using RADB to make a bogus route entry! They hijacked an idle AS and then moved on to the DB.
- Syrian outage – advertised routes blocked. Mis-origination of 1500 prefixes, including the YouTube prefixes via Telecom Italia (TI) (hijacked 22.214.171.124/24 and announced this to TI)
- Route leaks (customer re-advertisement from transit to transit) (https://blog.cloudflare.com/route-leak-incident-on-october-2-2014/)
The presentation was a casebook of example situations of route hijacks, but Andree Toonk did not indulge in any speculation about possible cures!
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.