Hello, welcome to the Tuesday, March 29th, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

We got a couple Ukraine-related items to start out with.

First one is a BGYP hijack of a Twitter prefix by RTcom.

The prefix in question is 104, 244-442 slash 24, and that happens to be, of course, the prefix that

Twitter.com resolves to.

Now, the hijacking was somewhat unsuccessful, at least outside of Russia, in part because of

the implementation of RPKI.

That is a more modern, secure addition to BGP that allows ISPs that implement this extension to BGP to actually validate some of these updates and with that avoid some of these hijacking attacks.

And that's probably why we didn't really see any widespread complaints about

Twitter outages, unlike back about 14 years ago in 2008, when YouTube's prefix got hijacked

by Pakistan, and that sort of caused widespread outages for YouTube.

So the good news here is that BGP is actually improving and it is making a difference.

If you want to test if your ISPP is using RPKI, is BGPS safe yet.com is a website Cloudflare set up to actually test your ISP.

I did get a bad response from it earlier today, but currently it seems to be working again.

If your ISP is subject to BGP hijacking, of course, there isn't really much that you sort of as an end user can do about it,

but TLS is your second layer here.

You should see TLS errors, so just don't click OK if you get a bad certificate from a site like Twitter.

And related to that are a number of distributed denial of service attacks against

sites related to the war in Ukraine and sites located in Ukraine.

The attacks, according to a story-in-pleaping computer, appear to originate from many compromised

verb-press sites that have JavaScript included in them.

...