Prefix hijacking! Do you know who's routing your network? Andree Toonk (andree@bgpmon.net), BGPmon.net. BCNET Conference, April 29, 2009.


BGPmon.net

Prefix hijacking!
Do you know who's routing your network?

Andree Toonk, andree@bgpmon.net


Where will we go today

1. The Internet & BGP 101
2. Example hijacks
3. Methods to detect hijacks
4. Demo
5. Questions

This session contains technical content.


Why Should You Care?

• Because others can intercept your traffic without you noticing it.
• Because your traffic can be altered, dropped, stored, etc.
• Because if your Internet connection is essential for your business:
  – It will cost you money!


The Internet & BGP 101

[Figure: a topology of eight Autonomous Systems, AS1 through AS8]

• Collection of networks called Autonomous Systems
• Each AS is identified by a number
• Together they make up the Internet


The Internet & BGP 101

[Figure: AS3 (192.0.2.0/24) with upstream AS5 and peer AS2]

• AS3 is a collection of prefixes
• AS3 has 1 upstream ISP (AS5)
• AS3 and AS2 are direct peers

Speech bubble in the figure: "Hi, AS3, just send all your traffic to me and I'll make sure it gets to its destination."


The Internet & BGP 101

[Figure: the same eight-AS topology, AS1 through AS8]

• How to get from AS6 to AS3?
• Shortest path: 4 5 3
• AS path: 4 5 3
• Several longer alternative paths


The Internet & BGP 101

[Figure: AS2, AS3, AS4, AS6 and AS7; AS6 reaches AS2 and AS3 through AS4]

I'm AS3 and my prefixes are:
  10.0.0.0/8
  11.11.0.0/16

I'm AS2 and my prefixes are:
  10.10.10.0/24
  12.12.0.0/16

Remember: more specific always wins. If you want to reach 10.10.10.10, 10.10.10.0/24 is chosen over 10.0.0.0/8.

I'm AS6, my BGP table:
  *> 10.0.0.0/8:     4 3
  *> 10.10.10.0/24:  4 2
  *> 11.11.0.0/16:   4 3
  *> 12.12.0.0/16:   4 2


The Internet & BGP 101

• Each AS talks BGP to its neighbors (peers)
• Each AS announces its prefixes to its peers
• Upstream ISPs re-announce those prefixes to their peers
• The AS path is used for loop prevention and to see how a prefix is routed

Today in the global routing table:
• ~290,000 prefixes
• ~32,000 ASNs


What's the problem?

Inter-domain routing is based on trust.

Anyone can start announcing someone else's prefix and start attracting traffic for that network.

A well known example is the YouTube.com hijack, Feb. 2008.


What's the problem?

[Figure: AS100, AS200 and AS300. One AS announces "I can reach 10.10.0.0/16", the block of the very secure online banking server at 10.10.10.10; Bob is a user elsewhere in the topology.]


What's the problem?

[Figure: the same topology. Next to the legitimate announcement "I can reach 10.10.0.0/16" (the very secure online banking server, 10.10.10.10), a second AS announces "I can reach 10.10.10.0/24" for a FAKE very secure online banking server at 10.10.10.10. The more specific wins, so Bob's traffic now goes to the fake server.]
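The two rules these slides rely on, longest-prefix match (the /24 beats the /16 and the /8) and shortest AS path from the BGP 101 table, written out as an added Python example that is not from the deck or from BGPmon.net. The AS paths in the banking scenario and the hijacker ASN 64500 are constructed assumptions; the deck shows the two announcements but not which AS relays them.

```python
import ipaddress

class Rib:
    """Minimal BGP table: one best path per prefix, chosen by shortest AS path
    (a simplification of the real BGP decision process). Lookups use longest-prefix
    match, the rule the deck states as 'more specific always wins'."""

    def __init__(self):
        self.routes = {}   # ip_network -> AS path (list of ASNs, origin last)

    def announce(self, prefix, as_path):
        net = ipaddress.ip_network(prefix)
        current = self.routes.get(net)
        if current is None or len(as_path) < len(current):
            self.routes[net] = list(as_path)

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, address):
        """Return (prefix, as_path) of the most specific route covering address, or None."""
        addr = ipaddress.ip_address(address)
        covering = [n for n in self.routes if addr in n]
        if not covering:
            return None
        best = max(covering, key=lambda n: n.prefixlen)
        return str(best), self.routes[best]

def traffic_goes_to(rib, address):
    """Origin AS that actually receives packets for address: last ASN of the chosen path."""
    hit = rib.lookup(address)
    return None if hit is None else hit[1][-1]

def as6_table():
    """AS6's BGP table from the deck's BGP 101 slide."""
    rib = Rib()
    rib.announce("10.0.0.0/8", [4, 3])
    rib.announce("10.10.10.0/24", [4, 2])
    rib.announce("11.11.0.0/16", [4, 3])
    rib.announce("12.12.0.0/16", [4, 2])
    return rib

def banking_example():
    """Bob's view of the online-banking slides. Paths and the hijacker ASN 64500 are
    constructed: the deck only shows the two announcements, not who relays them."""
    rib = Rib()
    rib.announce("10.10.0.0/16", [200, 100])       # legitimate: AS100 via AS200 (assumed)
    before = traffic_goes_to(rib, "10.10.10.10")
    rib.announce("10.10.10.0/24", [300, 64500])    # FAKE server's more specific via AS300 (assumed)
    after = traffic_goes_to(rib, "10.10.10.10")
    return before, after
```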


YouTube.com Hijack

Stable situation:
  YouTube, AS36561: 208.65.152.0/22

Hijack by Pakistan Telecom, February 24 2008:
  Pakistan's government orders Pakistan Telecom to block YouTube.com. They accidentally 'leak' this to the rest of the Internet.
  Pakistan Telecom, AS17557: 208.65.153.0/24

Result: YouTube traffic is now routed to Pakistan. YouTube.com unreachable, millions of unhappy users and lost revenue.

~$ host www.youtube.com
www.youtube.com is an alias for youtube.l.google.com.
youtube.l.google.com has address 208.65.153.25


What's the problem?

• Hijacks really happen
  – Mostly accidental
• Would you know what to do if this happens to you?
• Or would you even be able to tell this is happening?


Detecting Hijacks

A number of tools help you detect hijacks:

• Commercial products
• Free community services
• BGPmon.net
  – Free service for the community
  – Allows you to monitor your prefixes for 'interesting' events and hijacks.


Feature overview

Feature rich:
• Alarm classifier
• IPv4 & IPv6 support
• 2 & 4 byte ASN support
• Fast notification time (~10 min)
• Overview of historical alarms in web portal
• Regular expression support
• Peer threshold support
• IRR support
• Bogon detection
• And more…

Monitor for hijacks, accidental leaks & instability


Architecture

[Figure: system components. BGP updates repository (fed by the RIPE RIS project), parser / analyzer, classifier, presentation & notification.]


Event Classifier

Classifying events by type helps to determine the cause & impact.

Three main event types:
1. Monitor your own network for configuration errors.
2. Monitor stability of your prefixes.
3. Monitor for hijacks by others.


Your own announcements

Detect configuration errors ASAP.

Stable situation: 142.231.0.0/16 originated by AS271

Configuration change, causing you to leak: 142.231.0.0/17 originated by AS271


Monitor prefix stability

A large number of withdraws for your prefix means reachability issues.

Possible causes include a problem with:
• your border router
• your upstream
• a large IX somewhere
• …


AS path monitoring

Flexible monitoring using regular expressions:
• Useful if you have many peers
• Useful when monitoring some specific traffic engineering situations

Example: $prefix may show behind ANY of my peers except $AS_Expensive

• Regular expression generator available


Detecting Hijacks

Obvious hijacks:
• Your prefix, but the origin AS is not yours.
• YouTube hijack last year

====================================================================
Possible Prefix Hijack (Code: 10)
====================================================================
Your prefix: 208.65.152.0/22:
Update time: 2008-02-24 18:48 (UTC)
Detected by #peers: 44
Detected prefix: 208.65.153.0/24
Announced by: AS17557 (PKTELECOM-AS-AP Pakistan Telecom)
Upstream AS: 3491 (PCCWGlobal-ASN)
ASpath: 26943 23352 3491 17557
Mark as false alert: http://bgpmon.net/fp.php?aid=21659961


BGP MITM attacks

Not so obvious hijacks:
• As demonstrated at Defcon last summer (“Stealing the Internet”)

Looks like:
• A more specific of your prefix.
• Looks like it’s originated by your AS.
• Result: looks like a ‘regular’ leak by my AS.


BGP MITM attacks

[Figure: AS100 (victim, 192.0.2.0/22), AS200, AS300, AS400, AS500, AS900 (attacker) and AS700 (bob)]

Before, AS700 sees:
  *> 192.0.2.0/22: 200 100


BGP MITM attacks

[Figure: the same topology; AS100 (victim, 192.0.2.0/22), AS900 (attacker), AS700 (bob)]

Attack scenario, AS700 sees:
  *> 192.0.2.0/22: 200 100
  *> 192.0.2.0/24: 300 900 500 400 100

AS900 is now able to intercept traffic towards AS100.

Speech bubbles in the figure: "I have a route to 192.0.2.0/24 via 500 400 100" (the attacker's announcement) and "I will send data for 192.0.2.0/24 to the attacker".


BGP MITM attacks

How can we detect an attack like this?
• New more specific route
• New AS path
• AS path not “valley free”
• BGPmon.net will detect this
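The classifier's three event types, the own-leak example (142.231.0.0/17 from AS271), the obvious-hijack rule (your prefix, someone else's origin AS) and the two MITM criteria above, as one small added Python classifier; this is example code, not BGPmon.net's implementation. The upstream ASNs in the watch list are assumptions, and the "valley free" check is omitted because it needs AS-relationship data the deck does not give.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

def net(prefix):
    # strict=False so the deck's 192.0.2.0/22 is accepted (normalised to 192.0.0.0/22)
    return ipaddress.ip_network(prefix, strict=False)

@dataclass
class Monitored:
    prefix: str        # a prefix you own, e.g. "208.65.152.0/22"
    origin_as: int     # the ASN that should originate it
    upstreams: set = field(default_factory=set)  # ASNs expected right before the origin in any AS path

# Codes 10 and 21 mirror the BGPmon.net alert texts quoted in the deck; 0 and 1 are made up here.
OK, OWN_LEAK, HIJACK, MITM = 0, 1, 10, 21

def classify(update, monitored):
    """Classify one announcement {"prefix": str, "as_path": [int, ...], origin last}
    against the monitored prefixes. Returns (code, text), or None if unrelated."""
    seen, path = net(update["prefix"]), update["as_path"]
    origin, upstream = path[-1], (path[-2] if len(path) > 1 else None)
    # Most specific monitored prefix wins, the same rule routers use for forwarding.
    for m in sorted(monitored, key=lambda m: net(m.prefix).prefixlen, reverse=True):
        own = net(m.prefix)
        if seen.version != own.version or not seen.subnet_of(own):
            continue                          # neither your prefix nor a more-specific of it
        if origin != m.origin_as:             # obvious hijack: another AS originates your space
            return HIJACK, "Possible Prefix Hijack"
        if seen.prefixlen == own.prefixlen:
            return OK, "Expected announcement"
        if upstream not in m.upstreams:       # more-specific, your origin, but a new AS path
            return MITM, "Possible BGP MITM attack"
        return OWN_LEAK, "More-specific leaked by your own AS (configuration error?)"
    return None

def withdraw_alarm(events, prefix, threshold):
    """Stability check: True when prefix was withdrawn at least threshold times in the
    event window; events are {"type": "A" | "W", "prefix": str}."""
    withdraws = Counter(e["prefix"] for e in events if e["type"] == "W")
    return withdraws[prefix] >= threshold

# Constructed watch list built from the deck's examples. The upstream sets are assumptions:
# AS200 comes from the MITM topology slide, 64497 is a documentation-range placeholder.
MONITORED = [
    Monitored("208.65.152.0/22", 36561),        # YouTube's block in the 2008 hijack
    Monitored("192.0.2.0/22", 100, {200}),      # victim AS100 behind AS200
    Monitored("142.231.0.0/16", 271, {64497}),  # the own-leak example
]
```

Feeding the deck's YouTube update (208.65.153.0/24, path 26943 23352 3491 17557) yields code 10 and the AS700 attack update (192.0.2.0/24, path 300 900 500 400 100) yields code 21.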


BGP MITM attacks

====================================================================
Possible BGP MITM attack (Code: 21)
====================================================================
Your prefix: 24.120.56.0/22:
Update time: 2008-08-10 19:33 (UTC)
Detected by #peers: 16
Detected prefix: 24.120.56.0/24
Announced by: AS20195 (SPARKLV-1 - Sparkplug Las Vegas, Inc.)
Upstream AS: 23005 (SWITCH-COMMUNICATIONS)
ASpath: 24875 6461 3561 26627 4436 22822 23005 20195
Mark as false alert: http://bgpmon.net/fp.php?aid=19263621


My Prefixes


My Updates


Customize


What if…

• What if this happened to your network…
  – First step is detection!
  – Start announcing more specifics
  – Contact the origin AS and its upstream(s)


Wrap up

• The inter-domain routing system (BGP) is insecure
• No way to verify if someone is speaking the truth
• ‘Hijacks’ and prefix leaks happen frequently
• Free tools available for monitoring and detection
• BGPmon.net: free, feature rich service
• Great tool for network administrators


andree@bgpmon.net

Try the demo @ http://BGPmon.net

Thanks BCNET & University of British Columbia for your support!