Kentik

MAY 2, 2018

During a BGP route hijack, an attacker advertises IP prefixes from an ASN that is not the normal originator. During last week’s attack, the attacker was redirecting traffic that belonged to Amazon’s Route 53 DNS servers. Here we have the DNS clients sending their DNS queries to the hijacked blocks advertised by AS10297.

IP Address 49

IP Address DNS UDP port Advertising 49

Confluent

JULY 1, 2019

port 53352 dst 54.191.84.122 port 9092 rank info not available TCP aux info available Connection to ec2-54-191-84-122.us-west-2.compute.amazonaws.com compute.amazonaws.com port 9092 [tcp/XmlIpcRegSvc] succeeded! The existing listener, called PLAINTEXT , just needs overriding to set the advertised hostname (i.e.,

Port 101

Port IaaS DNS Networking 101

Kentik

MARCH 13, 2019

The victim can update DNS to point at a different IP address in an attempt to get their application back up. However, if the attack is targeting the DNS hostname and not the IP address, the attack will just switch over to the new IP address. The mitigation actually “completes the attack.” Destination Prefix. Source Prefix. IP Protocol.

IP Address 49

IP Address Port Routers DNS 49