nanog mailing list archives

BGP hijacking to steal bitcoins


From: Stephane Bortzmeyer <bortzmeyer () nic fr>
Date: Fri, 8 Aug 2014 10:43:05 +0200

Good report (although I do not understand why they hide the name of
the offending ISP since anyone can see it in RouteViews, or in its own
BGP traffic). It's ordinary BGP hijacking but the goal is new:
stealing bitcoins since the connections inside the mining pool are not
authenticated.

http://www.secureworks.com/cyber-threat-intelligence/threats/bgp-hijacking-for-cryptocurrency-profit/

Here is an example in RouteViews@LINX, for (among others) the OVH
prefix 142.4.195.0/24 (bitcoin pool Hashfaster). This route was
withdrawn at 18:35:08.

TIME: 03/23/14 18:32:38                                                                                    
TYPE: BGP4MP/MESSAGE/Update                                                                                
FROM: 195.66.224.21 AS6939                                                                                 
TO: 195.66.225.222 AS6447                                                                                  
ORIGIN: IGP                                                                                                
ASPATH: 6939 21548 34272 2093 2871 3721                                                                    
NEXT_HOP: 195.66.224.21                                                                                    
ANNOUNCE                                                                                                   
  192.99.20.0/24                                                                                           
  198.27.75.0/24                                                                                           
  192.241.211.0/24                                                                                         
  192.99.18.0/24                                                                                           
  146.185.179.0/24                                                                                         
  162.243.89.0/24                                                                                          
  54.197.251.0/24                                                                                          
  46.229.169.0/24                                                                                          
  107.170.244.0/24                                                                                         
  108.61.49.0/24                                                                                           
  54.214.242.0/24                                                                                          
  107.170.227.0/24                                                                                         
  54.194.173.0/24                                                                                          
  50.117.92.0/24                                                                                           
  95.85.61.0/24                                                                                            
  54.84.236.0/24                                                                                           
  54.213.177.0/24                                                                                          
  162.243.142.0/24                                                                                         
  162.243.226.0/24                                                                                         
  142.4.195.0/24                                                                                           
  107.170.47.0/24                                                                                          
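
An added example, not part of the original message: a minimal check that parses a bgpdump-style record like the one above and flags announcements whose origin AS or prefix length disagrees with an expected-origin table. The table contents (covering prefix 142.4.192.0/19, AS64500) and the function names are assumptions made for illustration, not registry data.

```python
import ipaddress
import re

# Constructed excerpt in the bgpdump layout above (AS path and two prefixes copied from it).
SAMPLE = """\
TIME: 03/23/14 18:32:38
ASPATH: 6939 21548 34272 2093 2871 3721
ANNOUNCE
  142.4.195.0/24
  107.170.47.0/24
"""

# Hypothetical ROA-like table, placeholder values: covering prefix -> (origin AS, max length).
EXPECTED = {ipaddress.ip_network("142.4.192.0/19"): (64500, 19)}

def parse_update(text):
    """Return (as_path, announced_prefixes) from one bgpdump text record."""
    path, prefixes, in_announce = [], [], False
    for line in text.splitlines():
        if line.startswith("ASPATH:"):
            path = [int(a) for a in re.findall(r"\d+", line)]
        elif line.strip() == "ANNOUNCE":
            in_announce = True
        elif in_announce and line[:1].isspace() and line.strip():
            prefixes.append(ipaddress.ip_network(line.strip()))
        elif line.strip():
            in_announce = False  # any other header line ends the prefix list
    return path, prefixes

def check(text, expected=EXPECTED):
    """Flag announcements inside an expected prefix with a wrong origin or excess length."""
    path, prefixes = parse_update(text)
    origin = path[-1] if path else None  # last AS in the path originated the route
    alerts = []
    for p in prefixes:
        for cover, (asn, maxlen) in expected.items():
            if p.version != cover.version or not p.subnet_of(cover):
                continue
            reasons = []
            if origin != asn:
                reasons.append(f"origin AS{origin}, expected AS{asn}")
            if p.prefixlen > maxlen:
                reasons.append(f"/{p.prefixlen} exceeds max length /{maxlen}")
            if reasons:
                alerts.append((str(p), reasons))
    return alerts

if __name__ == "__main__":
    print(check(SAMPLE))
```

Prefixes that no table entry covers, such as 107.170.47.0/24 here, are not flagged, so the check is only as good as the expected-origin data behind it.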
