For those that want to know what happened, quoting someone from the obscured comment thread on that page:
"AS286 provides IP Transit to AS25459. What happened is that both AS286 and AS25459 did not have proper filtering in place. AS286 leaked AS25459's blackhole routes to it's peers, and a handful accepted those more specifics. This lasted a few minutes before they realized what was going on and a fix was put into place."
So are you saying that there was no deliberate hijack, but rather AS25459 was configured not to carry traffic to those IPs, and it's blackholes got propagated?
I think the author is merely worried about how much of BGP relies on operators trusting each other to configure their networks properly. All it takes is one typo somewhere to bring down the internet for half of America.
Granted, seeing how slowly IPsec and DNSSEC are being adopted, I think the author is fighting an uphill battle.
Certificate pinning in mobile apps goes a long way to preventing a leak of secure data. Sure, you can't get to your service while the hijack is occurring, but you don't have to worry you just submitted your login and password info to a hijacked/malicious IP block. Better to fail closed in this case.
Disclaimer: I use PNC Bank, who was part of this hijack.
What does this have to do with certificates and mobile data? Hijacking an IP is the same as a man-in-the-middle, which PKI prevents without needing to "pin" a cert. You have to first control a trusted CA before you can do real MITM, and if you have that, it's much more effective to simply MITM the existing route and not expose yourself by changing BGP routes all over the place. (Also, a mobile app bundled with a cert "pinned" for that app is effectively just public-key cryptography, so you don't even need to use the global PKI infrastructure at that point)
"Describing '5 minute accidental blackhole route leakage' as 'Multiple banking addresses hijacked' makes for a better and more sensational head line. I fully understand if you must blow this event out of proportion."
As a network operator on a large ASN, you don't have to look back to 97 to find another example of this. This has happened twice within the last year with networks we peer with.
Hell if it weren't for max prefix limits, TATA would leak a full routing table every other week. But that's just incompetence.
Many networks will not let you announce /32s. This is something that you have to have a reason for, such as more granular control. Usually they will say yes, because then you can advertise specific routes yourself without constantly going through engineers with your upstream. Mistakes happen though :P
In the absence of S-BGP (secure BGP), what we need is an anomaly detection service that detects such BGP prefix hijacking in real time and alerts the owner of the prefix (in this case, the banks). I'd built one such service before, anyone interested can read this white paper we wrote on it: http://rio.ecs.umass.edu/mnilpub/papers/securecomm07.pdf
The BGPmon blog has a nice overview of BGP hijacks in recent history. The potential impact of BGP hijacks should not be underestimated. Especially when combined with the SSL/CA events. This is a great post explaining when these things are combined: http://www.bgpmon.net/accidentally-stealing-the-internet/
19 comments
[ 2.7 ms ] story [ 59.2 ms ] thread"AS286 provides IP Transit to AS25459. What happened is that both AS286 and AS25459 did not have proper filtering in place. AS286 leaked AS25459's blackhole routes to it's peers, and a handful accepted those more specifics. This lasted a few minutes before they realized what was going on and a fix was put into place."
Granted, seeing how slowly IPsec and DNSSEC are being adopted, I think the author is fighting an uphill battle.
Disclaimer: I use PNC Bank, who was part of this hijack.
http://en.wikipedia.org/wiki/Resource_Public_Key_Infrastruct...
"Describing '5 minute accidental blackhole route leakage' as 'Multiple banking addresses hijacked' makes for a better and more sensational head line. I fully understand if you must blow this event out of proportion."
http://en.wikipedia.org/wiki/AS_7007_incident
http://www.merit.edu/mail.archives/nanog/1997-04/msg00444.ht...
http://boards.straightdope.com/sdmb/showpost.php?p=16245046&...
https://news.ycombinator.com/item?id=5321663
Well, it kind of puts this 'hijacking' into perspective.