BGP hijacks and leaks: malicious or consensual

BGP hijacks and leaks
malicious or consensual
Net::IP Meetup #12
Wrocław 2019.04.25
Paweł Małachowski
@pawmal80

whoami
• Currently:
redGuardian DDoS mitigation tech lead (Atende Software sp. z o.o.)
• Previously:
system engineer, IT operations lead, analyst, architect, project manager
etc. (ATM SA, Netia SA)
Net::IP, Wrocław 2019.04.25 2

PROBLEM

Problem
• 2004.12: TT Net full table leak, massive outages
• 2008.02: Youtube rerouted to Pakistan Telecom via PCCW Global
• 2014: INEA SA + LG case (PL)
• 2017.04: financial institutions/credit card processors partially rerouted to PJSC
Rostelekom
• 2017.12: high profile companies (FAG, Riot Games and others) announced by DV-LINK
via Megafon via HE
• 2018.04: Amazon Route53 routed to malicious DNS server in eNET
• 2018.06: Telegram messenger partially routed to Iran Telecomunication Company
• 2018.07: Bitcanal „hijack factory” case
• 2018.11: Google traffic routed to MainOne via China Telecom via Trans Telecom
• … many more

Real life BGP routing decision factors
1. more specific preferred (originator decides)
2. higher local preference (layer 8 decides)
3. shorter AS_PATH (prepending)

BGP user types (simplified)
• multihomed network
• CDN (anycasting etc.)
• Eyeballs
• IP Transit: Tier 1, Tier n (paid vs. free peerings)
• IXP

BGP threats
• Prefix hijacking
• Route leaks (unintentional transit)
• AS path manipulation (e.g. shortening)

Reasons
• fat fingers, BGP optimizers and bad defaults
• prefix-lists and as-path filters not widely used
• blind chain of trust
• Internet barely works?

Howto
• Add victim AS to your official AS-SET in IRR
• Wait for upstream nightly filter updates
• Announce victim’s IP address space
• Profit!

Howto, cont.
ExaBGP
route victim/24 next-hop self as-path [ foo ] community [ a:b ];
BIRD
bgp_path.empty;
bgp_path.prepend(foo);

Howto, cont.
„LINX has this peer configured as announcing the AS-SET
AS-TTK. This set contains 984 entries of which 470+ are
themselves AS-SETs. Many of these AS-SETs will
themselves contain AS-SETs, and this patern repeats as
you continue the AS-SET expansion.
Ultimately, this large AS-SET expands to allow 886,051
prefixes from 16,608 origin ASNs.” (2018.11)

Malicious, mistake or consensual?
• origin AS
• AS_PATH
• IRR validity (route object, ROA, etc.)
• mask length (more specific)
• end hosts reachability

BGP-based DDoS scrubbing center
• Hijacks customer IP address space
– global annoucement (BGP withdrawal issues)
– local/selective announcements
• Legal agreement, IRR and ROA valid
• Looks like on-demand optional IP transit

DETECTION

Detection
• Looking glasses/route views
• BGPmon (OpenDNS), BGPstream
• Radar (Qrator Labs)
• Resource Certification alerts (RIPE)
• Routing Information Service Live stream (RIPE)
• Routing History + BGP Play (RIPE)

Looking glass example

BGPmon example

Radar example

RIS Live stream

RIPEstats routing history

PREVENTION

Prevention
• prefix deaggregation
• RPKI Route Announcement Validation
• BGPsec
• ASPA
• legal?

Prefix deaggregation
• split large subnet into multiple /24 prefixes
• limits hijacking ability (/25 are widely not accepted)
• not a final solution (RIB pollution)

RPKI ROA
• declare (origin AS, subnet, prefix range) tuples
example: (AS x, 10.0.0.0/8, /8../16)
• operators validate before accepting
• lacks AS-PATH validation, origin AS easy to forge

RPKI (slow) adoption
But:
„The AT&T/as7018 network is now dropping all RPKI-
invalid route announcements that we receive from our
peers.”
source: https://mailman.nanog.org/pipermail/nanog/2019-February/099501.html

NIST RPKI monitor

IRR online tools
BGP he.net
IRR Explorer

BGPsec
• BGP routers
– sign BGP updates: previous AS, next AS
– verify updates received
• IXP hack (no AS in AS-PATH)
• dead end (computation cost)

ASPA
• Autonomous System Provider Authorization
– declare your official peers
– operators validate AS_PATHs received
• currently RFC draft

TOOLBOX

Looking glasses (some of)
• CenturyLink: https://lookingglass.centurylink.com/
• Cogent: http://www.cogentco.com/en/network/looking-glass
• GTT: http://www.as3257.net/lg/ (mtr only)
• HE: https://lg.he.net/
• Liberty Global (UPC): sorry!
• KPN: https://lg2.eurorings.net/
• NTT: https://www.us.ntt.net/support/looking-glass/
• Open Transit (Orange): https://looking-glass.opentransit.net/
• RETN: http://lg.retn.net/
• TATA: http://lg.beta.as6453.net/
• Telia: https://lg.telia.net/

Looking glasses (some of), cont.
• NLNOG (aggregator): http://lg.ring.nlnog.net/
• AMS-IX: sorry! (password)
• DE-CIX: https://lg.de-cix.net/
• LINX: https://lg.linx.net/
• GEANT: https://tools.geant.net/portal/links/lg/

Important looking glasses (Poland)
• ATMAN + THINX: http://lg.atman.pl/
• Exatel: http://lg.exatel.pl/
• NASK (KOM+EDU): http://lg.nask.pl/
• Netia: http://lg.netia.pl/
• PLIX: http://lg.plix.pl/
• Orange + TPIX: http://lg.tpnet.pl/, http://lg.tpix.pl/
• Pionier (EDU), Vectra, etc.: sorry!

Other tools
• https://bgpmon.net/, https://bgpstream.com/,
https://twitter.com/bgpmon, https://twitter.com/bgpstream
• https://radar.qrator.net/
• https://bgp.he.net/
• http://www.routeviews.org/
• http://irrexplorer.nlnog.net/
• https://ris-live.ripe.net/
• https://stat.ripe.net/widget/routing-history
• https://rpki-monitor.antd.nist.gov/

SOURCES

Sources
• https://en.wikipedia.org/wiki/BGP_hijacking
• https://blog.donatas.net/blog/2019/02/19/ebgp-requires-policy/
• http://www.securerouting.net/
• https://www.ripe.net/participate/policies/proposals/2019-03
• https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/
• „PLNOG22 - Zmierzch tranzytu, sieci tier-1, czyli jak działa internet”:
https://www.youtube.com/watch?v=yfmEODv3m4k

Sources, cont.
• https://dyn.com/blog/internetwide-nearcatastrophela/
• https://zaufanatrzeciastrona.pl/post/polski-operator-inea-wykorzystany-w-zaawansowanym-ataku-
na-obce-sieci/
• https://krebsonsecurity.com/2016/09/ddos-mitigation-firm-has-history-of-hijacks/
• https://bgpmon.net/popular-destinations-rerouted-to-russia/
• https://bgpmon.net/bgpstream-and-the-curious-case-of-as12389/
• https://radar.qrator.net/blog/born-to-hijack (DV-LINK case)
• https://www.theregister.co.uk/2018/04/24/myetherwallet_dns_hijack/
• https://dyn.com/blog/shutting-down-the-bgp-hijack-factory/
• https://www.theregister.co.uk/2018/11/13/google_russia_routing/
• https://medium.com/@qratorlabs/bad-news-everyone-new-hijack-attack-in-the-wild-
428ea761da89
• https://blog.thousandeyes.com/amazon-route-53-dns-and-bgp-hijack/

Sources, cont.
• https://rpki.readthedocs.io/en/latest/index.html
• https://bgpmon.net/securing-bgp-routing-with-rpki-and-roas/
• https://blog.cloudflare.com/rpki-details/
• https://www.ripe.net/manage-ips-and-asns/resource-management/certification/resource-
certification-roa-management
• https://medium.com/@qratorlabs/eliminating-opportunities-for-traffic-hijacking-
153a39395778,
https://ripe77.ripe.net/presentations/118-ripe77.azimov_v2.pdf
• https://www.de-cix.net/Files/11a60fcb156e443c98010211f498f5ae4439dab0/Matthias-
Waehlisch---BGPSec---AS-path-validation.pdf
• https://rule11.tech/bgpsec-and-reality/

LIVE DEMO

Live demo
Let’s hijack 3rd party prefix!
• Victim: AS v, foo/20 (foo/24 to be hijacked)
• Hijacker: AS h
Preparation:
• Hijacker places AS v in his AS-SET (earlier)
• Open RIS Live session with „foo/24” filter

Live demo, cont.
1. Hijacker announces „foo/24 origin AS h”
2. Local verification:
BIRD show route foo/24 export upstream
1. Remote verification:
NLNOG Looking Glass: foo/24 partially visible
RIPE RIS Live: BGP hijacking updates received
Disclaimer: AS v is our friendly customer.

Thank you!
https://netip.me
https://twitter.com/pawmal80
https://www.slideshare.net/atendesoftware/presentations

BGP hijacks and leaks: malicious or consensual

Recommended

Recommended

More Related Content

Similar to BGP hijacks and leaks: malicious or consensual

Similar to BGP hijacks and leaks: malicious or consensual (20)

More from Redge Technologies

More from Redge Technologies (12)

Recently uploaded

Recently uploaded (20)

BGP hijacks and leaks: malicious or consensual