Upload
jeffery-dennis
View
226
Download
4
Embed Size (px)
Citation preview
BCNET ConferenceApril 29, 2009
Andree [email protected]
BGPmon.net
Prefix hijacking!
Do you know who's routing your network?
Andree Toonk
BCNET ConferenceApril 29, 2009
Andree [email protected]
Where will we go today
1. The Internet & BGP 101
2. Example hijacks
3. Methods to detect hijacks
4. Demo
5. Questions This session contains technical content
BCNET ConferenceApril 29, 2009
Andree [email protected]
Why Should You Care?
• Because others can intercept your traffic without you noticing it.
• Because your traffic can be altered, dropped, stored, etc
• Because if your Internet connection is essential for your business
• It will cost you money!
BCNET ConferenceApril 29, 2009
Andree [email protected]
The Internet & BGP 101
AS1
AS4
AS2
AS6 AS7
AS5
AS3
AS8
•Collection of Networks called Autonomous Systems
•AS identified by a number
•Together make up the Internet
BCNET ConferenceApril 29, 2009
Andree [email protected]
The Internet & BGP 101
AS2
AS5
AS3192.0.2.0/24
• AS3 is a collection of prefixes
• AS3 has 1 upstream ISP: (AS5)• AS3 and AS2 are direct peers
Hi, AS3, Just sent all your traffic to me and I make sure it will get to its destination
BCNET ConferenceApril 29, 2009
Andree [email protected]
The Internet & BGP 101
AS1
AS4
AS2
AS6 AS7
AS5
AS3
AS8
• How to get from AS6 to AS3?• Shortage path: 4 5 3•AS path: 4 5 3
•Several longer alternative paths
BCNET ConferenceApril 29, 2009
Andree [email protected]
The Internet & BGP 101
2 3
6
4
7
I’m AS3 and my prefixes are: 10.0.0.0/811.11.0.0/16
I’m AS2 and my prefixes are:10.10.10.0/2412.12.0.0/16
Remember more specific always wins. If you want to reach 10.10.10.10 10.10.10.0/24 is chosen over 10.0.0.0/8
I’m AS6, my BGP table:My BGP table:*> 10.0.0.0/8: 4 3*> 10.10.10.0/24: 4 2*> 11.11.0.0/16: 4 3*> 12.12.0.0/16: 4 2
BCNET ConferenceApril 29, 2009
Andree [email protected]
The Internet & BGP 101
• Each AS talks BGP to its neighbors (peers)
• Each AS announces its prefixes to his peers
• Upstream ISP’s re-announce that to its peers
• AS path is used for loop prevention and to see how it’s routed
Today in global routing table:• ~290.000 prefixes• ~ 32.000 ASns
BCNET ConferenceApril 29, 2009
Andree [email protected]
What’s the problem?
Inter domain routing is based on trust
Anyone can start announcing someone else prefix and start attracting traffic for that network
Well known example is the YouTube.com Hijack, Feb. 2008
BCNET ConferenceApril 29, 2009
Andree [email protected]
What’s the problem?
AS100 AS200
AS300
I can reach10.10.0.0/16
Very secure Online banking server10.10.10.10
Bob
BCNET ConferenceApril 29, 2009
Andree [email protected]
What’s the problem?
AS100 AS200
AS300
I can reach10.10.0.0/16
I can reach10.10.10.0/24
Very secure Online banking server10.10.10.10
FAKE Very secure Online banking server10.10.10.10
Bob
BCNET ConferenceApril 29, 2009
Andree [email protected]
YouTube.com Hijack
Stable situation:
Hijack by Pakistan Telecom:February 24 2008 > Pakistan’s government orders Pakistan Telecom to block YouTube.com. They accidentally ‘leak’ this to the rest of the Internet.
Result:YouTube traffic is now routed to Pakistan. YouTube.com unreachable, millions of unhappy users and lost revenue
YouTube AS36561 208.65.152.0/22
Pakistan Telecom AS17557 208.65.153.0/24
~$ host www.youtube.comwww.youtube.com is an alias for youtube.l.google.com.youtube.l.google.com has address 208.65.153.25
BCNET ConferenceApril 29, 2009
Andree [email protected]
What’s the problem?
• Hijacks really happen– Mostly accidental
• Would you know what to do if this happens to you?
• Or would you even be able to tell this is happening?
BCNET ConferenceApril 29, 2009
Andree [email protected]
Detecting Hijacks
Number of tools to help you detect hijacks
• Commercial products
• Free community services
• BGPmon.net • Free Service for the community• Allows you to monitor your prefixes for
‘interesting’ events and hijacks.
BCNET ConferenceApril 29, 2009
Andree [email protected]
Feature overviewFeature rich:
• Alarm classifier• IPv4 & IPv6 support• 2 & 4 byte ASN support• Fast notification time (~10min)• Overview of historical alarms in web portal• Regular expressions support• Peer Threshold support• IRR support• Bogon detection• And more…
Monitor for hijacks,Accidental leaks & instability
BCNET ConferenceApril 29, 2009
Andree [email protected]
Architecture
BGP updates repository
Parser / analyzer
Presentation &Notification
Classifier
RIPE RIS project
BCNET ConferenceApril 29, 2009
Andree [email protected]
Event ClassifierClassifying event by type helps to determine the cause & impact
Three main event types:
1. Monitor your own network for configuration errors.
2. Monitor stability of your prefixes.
3. Monitor for hijacks by others.
BCNET ConferenceApril 29, 2009
Andree [email protected]
Your own announcements
Detect configuration errors ASAP
Stable situation: 142.231.0.0/16 Originated by AS271
Configuration change, causing you to leak:142.231.0.0/17 Originated by AS271
BCNET ConferenceApril 29, 2009
Andree [email protected]
Monitor Prefix stabilityLarge number of withdraws for your prefix means
reachability issues
Possible cause could be problem with:
your border router
your upstream
large IX somewhere
…..
BCNET ConferenceApril 29, 2009
Andree [email protected]
ASpath monitoring Flexible monitoring using regular expressions
• Useful for if you have many peers• Useful when monitoring some specific traffic
engineering situations.
Example: $prefix may show behind Example: $prefix may show behind ANY of my peers except $AS_ExpensiveANY of my peers except $AS_Expensive
• Regular expression generator available
BCNET ConferenceApril 29, 2009
Andree [email protected]
Detecting HijacksObvious hijacks
• Your prefix, but origin AS is not yours.• YouTube hijack last year
====================================================================Possible Prefix Hijack (Code: 10)====================================================================Your prefix: 208.65.152.0/22:Update time: 2008-02-24 18:48 (UTC)Detected by #peers: 44Detected prefix: 208.65.153.0/24Announced by: AS17557 (PKTELECOM-AS-AP Pakistan Telecom)Upstream AS: 3491 (PCCWGlobal-ASN)ASpath: 26943 23352 3491 17557Mark as false alert: http://bgpmon.net/fp.php?aid=21659961
BCNET ConferenceApril 29, 2009
Andree [email protected]
BGP MITM attacksNot so obvious hijacks
• As demonstrated at Defcon last summer (“Stealing the Internet”)
Looks like:• A more specific of your prefix.• Looks like it’s originated by your AS• Result: looks like a ‘regular’ leak by my AS
BCNET ConferenceApril 29, 2009
Andree [email protected]
BGP MITM attacks
AS500
AS900attacker
AS100Victim
192.0.2.0/22
AS400
AS300
AS200
AS700 bob
Before AS700 sees: *> 192.0.2.0/22: 200 100
BCNET ConferenceApril 29, 2009
Andree [email protected]
BGP MITM attacks
AS500
AS900attacker
AS100Victim 192.0.2.0/22
AS400
AS300
AS200
AS700 bob
Attack scenario AS700 sees: *> 192.0.2.0/22: 200 100 *> 192.0.2.0/24: 300 900 500 400 100
AS900 is now able to intercept traffic towards AS100
I have a route to 192.0.2.0/24 via 500 400 100
I will sent data for 192.0.2.0/24 to attacker
BCNET ConferenceApril 29, 2009
Andree [email protected]
BGP MITM attacksHow can we detect an attack like this?
• New More Specific Route
• New AS path
• ASpath not “valley free”
• BGPmon.net will detect this
BCNET ConferenceApril 29, 2009
Andree [email protected]
BGP MITM attacks
====================================================================Possible BGP MITM attack (Code: 21)====================================================================Your prefix: 24.120.56.0/22: Update time: 2008-08-10 19:33 (UTC)Detected by #peers: 16Detected prefix: 24.120.56.0/24 Announced by: AS20195 (SPARKLV-1 - Sparkplug Las Vegas, Inc.)Upstream AS: 23005 (SWITCH-COMMUNICATIONS)ASpath: 24875 6461 3561 26627 4436 22822 23005 20195Mark as false alert: http://bgpmon.net/fp.php?aid=19263621
BCNET ConferenceApril 29, 2009
Andree [email protected]
What if….• What if this happened to your network…
– First step is detection!
– Start announcing more specifics – Contact origin AS and his upstream(s)
BCNET ConferenceApril 29, 2009
Andree [email protected]
Wrap up• The inter-domain routing system (BGP) is
insecure• No way to verify of someone is speaking
the truth• ‘Hijacks’ and prefix leaks happen
frequently• Free tools available for monitoring and
detection• BGPmon.net free feature rich service• Great tool for network administrators
BCNET ConferenceApril 29, 2009
Andree [email protected]
Try the demo @
http://BGPmon.net
Thanks BCNET & University of British Columbia for your support!