Sunday, November 24, 2024

Hackers take over Orange Spain RIPE account and wreak havoc on BGP

Orange Spain suffered an internet outage today after hackers infiltrated the company’s RIPE account and misconfigured BGP routing and RPKI.

Routing of traffic on the Internet is handled by Border Gateway Protocol (BGP). This allows organizations to associate IP addresses with autonomous system (AS) numbers and advertise them to other connected routers, called peers.


These BGP advertisements create a routing table that propagates to all other edge routers on the Internet, allowing the network to know the best route to send traffic to a particular IP address.

However, when rogue networks announce IP ranges that are typically associated with different AS numbers, they can hijack those IP ranges and redirect traffic to malicious websites or networks.

According to Cloudflare, BGP makes this possible because it is built on trust: routers update their routing tables based on which advertiser offers the most specific prefix and, among equally specific announcements, the shortest AS path.

To prevent this, a new standard called Resource Public Key Infrastructure (RPKI) was created to serve as a cryptographic solution to BGP hijacking.

“Resource Public Key Infrastructure (RPKI) is a cryptographic method that signs records that associate BGP route announcements with the correct originating AS number,” explains Cloudflare’s article about RPKI.

By enabling RPKI through a regional registry such as ARIN or RIPE, a network publishes cryptographically signed records stating which AS numbers are authorized to originate its IP prefixes, so that peers performing route origin validation can reject announcements from any other AS.

Hacker breaks into RIPE account and breaks BGP

Yesterday, a threat actor named “Snow” compromised Orange Spain’s RIPE account and posted on X telling Orange Spain to contact them about obtaining new credentials.

Since then, the attacker has changed the AS numbers associated with the company’s IP addresses and enabled invalid RPKI configurations on those IP addresses.

By publishing records that assigned Orange Spain’s IP ranges to someone else’s AS number and then enabling RPKI on them, the attacker made Orange Spain’s own announcements of those IP ranges RPKI-invalid, so networks that enforce route origin validation no longer accepted them.

“As you can see, what they did was basically create some ROA /12 records that say who has the authority for the prefix (i.e. the AS that can announce the prefix),” Felipe Cañizares, CTO of DMNTR Network Solutions, told BleepingComputer.

“These group the /22 and /24 prefixes announced by Orange Spain, indicating that the AS that should announce the prefix is AS49581 (Ferdinand Zink trading as Tube-Hosting).”

“Once this was done, they activated RPKI on that /12…and goodbye…”
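To make concrete what the RPKI paragraphs above and Cañizares’ description of the rogue /12 ROAs mean in practice, here is an added example that is not part of the article or of any Orange, RIPE or DMNTR code. It implements route origin validation in the style of RFC 6811 (a route is valid if a covering ROA names its origin AS and its prefix length does not exceed the ROA’s maxLength, invalid if ROAs cover it but none match, and not-found otherwise) and a minimal BGP best-path choice (longest prefix first, then shortest AS path). The prefixes 198.51.100.0/24 and 198.48.0.0/12 and the neighbour ASNs 64500 and 64501 are constructed sample values; AS12479 and AS49581 are the AS numbers the article names.

```python
"""Added example (not from the article): RFC 6811-style Route Origin Validation
over a constructed set of ROAs, plus a minimal BGP best-path choice.
All prefixes and the neighbour ASNs 64500/64501 are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str       # covering prefix, e.g. "198.48.0.0/12"
    max_length: int   # longest prefix length this ROA authorises
    origin_asn: int   # AS allowed to originate prefixes under this ROA


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]  # leftmost = neighbour, rightmost = origin AS


def rov_state(route: Route, roas: List[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for a route, per RFC 6811."""
    net = ipaddress.ip_network(route.prefix)
    origin = route.as_path[-1]
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"          # no ROA says anything about this prefix
    for roa in covering:
        if roa.origin_asn == origin and net.prefixlen <= roa.max_length:
            return "valid"          # some covering ROA authorises this origin
    return "invalid"                # covered, but by ROAs naming another AS


def best_route(dest: str, routes: List[Route], roas: List[ROA],
               enforce_rov: bool = True) -> Optional[Route]:
    """Pick the route a router would use for dest: drop RPKI-invalid routes
    when enforcing ROV, then prefer the most specific prefix, then the
    shortest AS path. Returns None when no usable route remains."""
    addr = ipaddress.ip_address(dest)
    candidates = []
    for route in routes:
        if addr not in ipaddress.ip_network(route.prefix):
            continue
        if enforce_rov and rov_state(route, roas) == "invalid":
            continue
        candidates.append(route)
    if not candidates:
        return None
    return min(candidates, key=lambda r: (
        -ipaddress.ip_network(r.prefix).prefixlen, len(r.as_path)))


# Constructed scenario mirroring the article: Orange (AS12479) announces a /24,
# then a rogue /12 ROA appears naming AS49581 as the only authorised origin.
ORANGE_ROUTE = Route("198.51.100.0/24", (64500, 12479))
ROAS_BEFORE: List[ROA] = []                                   # no ROAs published
ROAS_ROGUE = [ROA("198.48.0.0/12", 24, 49581)]                # rogue /12 ROA
ROAS_FIXED = [ROA("198.51.100.0/24", 24, 12479)]              # correct ROA


def scenario() -> dict:
    """Run the three ROA states against Orange's announcement."""
    return {
        "before": rov_state(ORANGE_ROUTE, ROAS_BEFORE),
        "rogue": rov_state(ORANGE_ROUTE, ROAS_ROGUE),
        "fixed": rov_state(ORANGE_ROUTE, ROAS_FIXED),
        # with only the rogue ROA present, an ROV-enforcing peer has no usable route
        "reachable_during_attack": best_route("198.51.100.7", [ORANGE_ROUTE], ROAS_ROGUE) is not None,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

With no ROA published the announcement is merely not-found and is still accepted, which is why an unprotected account was enough: the attacker did not need to forge Orange’s announcements, only to publish a covering ROA naming a different AS so that every ROV-enforcing peer discarded the legitimate ones. A correct ROA naming AS12479 for the exact prefix makes the same announcement valid again.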

Invalid RPKI implementation for announced IP address
Source: Cañizares

This caused performance issues on Orange Spain’s network between 14:45 and 16:15 UTC. This can be seen in the Cloudflare traffic graph for AS12479 below.

Traffic graph for AS12479 in Orange Spain
Source: Cloudflare

Orange Spain subsequently confirmed that the RIPE account had been hacked and began restoring services.

“Note: The IP Network Coordination Center (RIPE) Orange account was inappropriately accessed, impacting browsing for some customers. Service has been substantially restored.” Orange Spain tweeted.

“We have confirmed that our clients’ data was not compromised in any way, and only the navigation of some services was affected.”

It’s unclear how the attackers got into the RIPE account, but Cañizares told BleepingComputer that he believes Orange Spain did not enable two-factor authentication on the account.

Cañizares posted a thread on X summarizing how this attack took place.

BleepingComputer has reached out to Orange Spain with questions about the attack, but has not yet received a response.
