On 24/04/2018 21:35, Fredrik Korsbäck wrote:
> TL;DR: So it seems that AS10297 (some small hosting provider in the US) suddenly started to announce de-aggregated AWS IP space, containing quite a lot of Route53 infrastructure, put up resolvers of their own on the hijacked IP space and pointed *AT LEAST* www.myetherwallet.com to an IP address that seems to be some kind of transparent proxy out of Russia with a bogus SSL cert (but still pretty good) (https://46.161.42.42/)
>
> I did some digging in my own logs and played it through BGPlay; it seems like it was in fact only Hurricane Electric (6939) that actually propagated this prefix to the Internet. Which makes sense, since we have seen them being part of the problem in almost all recent hijacks.
In addition to HE there was AS19151 (WV Fiber) that accepted the /24s, but based on BGPlay (attached) it seems that the main culprit was HE, which propagated it onward.

-Hank
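As an added example (not part of the thread), the route-origin check that flags de-aggregated more-specifics announced by an unexpected origin, modelled on RPKI route origin validation; the ROA table, prefixes and observed announcements are constructed, and only AS10297 and the /24 de-aggregation pattern come from the thread.

```python
"""Route-origin validation of BGP announcements, modelled on RPKI ROV (RFC 6811).
Added example, not from the thread: ROA table, prefixes and the observed
announcements are constructed (RFC 2544 benchmarking space, documentation ASN);
only AS10297 and the /24 de-aggregation pattern come from the thread."""
import ipaddress

# Constructed ROA table: (prefix, maxLength, authorised origin ASN).
# maxLength equal to the prefix length means only the aggregate may be
# announced, so any carved-out /24 is invalid even from the right origin.
ROAS = [(ipaddress.ip_network("198.18.0.0/15"), 15, 64500)]


def validate_origin(prefix, origin_asn, roas=ROAS):
    """Return (state, reason); state is 'valid', 'invalid' or 'unknown'.
    Valid means some ROA covering the prefix matches the origin ASN and
    the announced length does not exceed that ROA's maxLength."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if r[0].version == net.version and net.subnet_of(r[0])]
    if not covering:
        return "unknown", "no ROA covers this prefix"
    for roa_net, max_len, asn in covering:
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid", ""
    if any(asn == origin_asn for _, _, asn in covering):
        return "invalid", "more specific than the ROA maxLength"
    return "invalid", "origin AS not authorised for this prefix"


def flag_announcements(announcements, roas=ROAS):
    """Return (prefix, origin, reason) for announcements a ROV router rejects."""
    flagged = []
    for prefix, origin_asn in announcements:
        state, reason = validate_origin(prefix, origin_asn, roas)
        if state == "invalid":
            flagged.append((prefix, origin_asn, reason))
    return flagged


# Constructed collector snapshot: the legitimate aggregate, two /24s
# de-aggregated by AS10297, and a prefix with no ROA at all.
OBSERVED = [
    ("198.18.0.0/15", 64500),
    ("198.18.1.0/24", 10297),
    ("198.18.2.0/24", 10297),
    ("192.0.2.0/24", 10297),
]

if __name__ == "__main__":
    for entry in flag_announcements(OBSERVED):
        print("REJECT %s from AS%d: %s" % entry)
```

A router doing ROV would drop the two /24s regardless of which upstream propagated them; the prefix with no ROA stays "unknown", which is why coverage of the owner's space matters.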