On 25/04/2018 08:29, Hank Nussbacher wrote:
> On 24/04/2018 21:35, Fredrik Korsbäck wrote:
>
>> TLDR; So it seems that AS10297 (some small hosting provider in the US)
>> suddenly started to announce de-aggregated AWS
>> IP-space, containing quite a lot of Route53 infrastructure, put up resolvers
>> on their own on the hijacked IP-space and
>> pointed *AT LEAST* www.myetherwallet.com to an IP address that seems to be
>> some kind of transparent proxy out of Russia
>> with a bogus SSL-cert (but still pretty good) (https://46.161.42.42/)
>>
>> I did digging in my own logs and played it through BGP-play - seems like it
>> was in fact only Hurricane Electric (6939)
>> that actually propagated this prefix to the Internet. Which makes sense
>> since we have seen them being part of the
>> problem in almost all recent hijacks.
> In addition to HE there was AS19151 - WV Fiber that accepted the /24s,
> but based on BGPlay (attached) it seems that the main culprit was HE
> that propagated it onward.
>
> -Hank
>
Would appear no attachments allowed :-(
-Hank