• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
IP Hijacking - Securing Internet Routing
 

IP Hijacking - Securing Internet Routing

on

  • 1,257 views

Presentation given by Marco Hogewoning at: LEA Meeting, London. 19 March 2012

Presentation given by Marco Hogewoning at: LEA Meeting, London. 19 March 2012

Statistics

Views

Total Views
1,257
Views on SlideShare
1,072
Embed Views
185

Actions

Likes
1
Downloads
6
Comments
0

4 Embeds 185

http://www.ripe.net 160
https://www.ripe.net 23
http://translate.googleusercontent.com 1
https://twitter.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    IP Hijacking - Securing Internet Routing IP Hijacking - Securing Internet Routing Presentation Transcript

    • RIPE NCC IPv4 Pool Legacy 15% Other IANA 14% AfriNIC 2% LACNIC 4% RIPE NCC 15% ARIN 30% APNIC 20% Marco Hogewoning 1Monday, March 19, 2012
    • IP Hijacking Securing Internet Routing Marco Hogewoning Training ServicesMonday, March 19, 2012
    • Never attribute to malice that which is adequately explained by stupidity. -- Robert J HanlonMonday, March 19, 2012
    • Why Would You Hijack? • Sending spam or malware unnoticed • Intercept traffic to a specific host • Sell the resources Marco Hogewoning 4Monday, March 19, 2012
    • Two Targets for Hijacking • The Internet routing table – Influence how traffic flows by manipulating BGP • The Internet registry – Possibly manipulating BGP filters – Hide or change ownership details Marco Hogewoning 5Monday, March 19, 2012
    • Internet Routing • Non hierarchical • The internet registries only have limited control – It’s the operator who decides – We can only offer some guidance • Internet Routing Registry – Integrated in the RIPE Database – Ties together a prefix and an ASN • RPKI Certification – ROAs couple a prefix and an ASN Marco Hogewoning 6Monday, March 19, 2012
    • Decision Making in Routing • Unless preferences dictate otherwise, a router will pick the shortest path • A more specific route will always take preference • Filtering usually only done at the edge of the Internet – Filteringin the core of the Internet is far too complex and costly to achieve • Most filters are based on IP ranges – Input can come from the IRR Marco Hogewoning 7Monday, March 19, 2012
    • 3 AS 6 AS AS AS IX AS IX AS AS 1 ASMonday, March 19, 2012
    • 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
    • 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!” “I know where 193.0.0.0/19 is”Monday, March 19, 2012
    • 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!” “I know where 193.0.0.0/19 is”Monday, March 19, 2012
    • 3 AS 6 AS AS AS IX AS IX AS AS 1 “I know where AS “I have 193.0.0.0/19 is” 193.0.0.0/19!” “I know where 193.0.0.0/19 is”Monday, March 19, 2012
    • “I know where 193.0.0.0/19 is” 3 AS 6 AS AS AS IX AS IX AS AS 1 “I know where AS “I have 193.0.0.0/19 is” 193.0.0.0/19!” “I know where 193.0.0.0/19 is”Monday, March 19, 2012
    • 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
    • 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
    • 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
    • “Haha, I have 193.0.3.0/24” 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
    • “Haha, I have 193.0.3.0/24” 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
    • “Haha, I have 193.0.3.0/24” 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
    • Hijacking in PracticeMonday, March 19, 2012
    • Hijacking in Order to Spam • Probably the easiest to do – You don’t need 100% coverage – Probably temporary anyway – You don’t care about identity or ownership • Find some space that is not in use – Registry can “guide” you to them • Find an upstream that does not filter – Or trusts what you tell them Marco Hogewoning 10Monday, March 19, 2012
    • In Practical Terms • Look for older registrations or even better, look for something that is not registered at all • Maybe find an unused ASN to hide behind • Announce it on the Internet and do your thing • Role of the registries is very limited – We advise people to filter – Try to reclaim unannounced space Marco Hogewoning 11Monday, March 19, 2012
    • Hijacking to Intercept • You are targeting space that is in use – The owner is much more likely to find out – You need to create a shorter or better AS path • Using a more specific creates a better path – Announce only the part you are interested in • Make sure you don’t create a blackhole • RIPE NCC provides tools that can spot these Marco Hogewoning 12Monday, March 19, 2012
    • Injecting a Rogue Route AS AS AS AS AS AS AS Target victim AS AS Marco Hogewoning 13Monday, March 19, 2012
    • Injecting a Rogue Route AS Inject AS AS AS AS AS AS Target victim AS AS Marco Hogewoning 13Monday, March 19, 2012
    • Injecting a Rogue Route fake AS Inject AS AS AS AS AS AS Target victim AS AS Marco Hogewoning 13Monday, March 19, 2012
    • Injecting a Rogue Route fake AS Inject AS AS AS AS AS AS Target victim AS AS Marco Hogewoning 13Monday, March 19, 2012
    • Hijacking With the Intention to Sell • No need to fiddle with routing • Unregistered (legacy) space is probably the easiest to target • Registered space requires you to alter the RIPE Database • Amount of detail needed probably depends on who is buying it Marco Hogewoning 14Monday, March 19, 2012
    • Protection and PreventionMonday, March 19, 2012
    • IPv4 Address Space Covered Legacy 15% RIPE NCC 15% Marco Hogewoning 16Monday, March 19, 2012
    • Internet Registry • All assignments and allocations made by the RIPE NCC are protected by us • Attempts to modify data are monitored and immediately acted upon • Virtually impossible to steal registered space from the perspective of the Database • Routing is not depending on registry information Marco Hogewoning 17Monday, March 19, 2012
    • RIPE Database • Strong protection using MD5 hashed passwords or PGP public/private key pairs • Only authenticated users can update or change information • Creation of so called route objects verified by password of both the IP and ASN holders • It is a public database! Marco Hogewoning 18Monday, March 19, 2012
    • Internet Routing Registry • Combination of ASN and IP resources – “This space is announced by this AS” • Can be used to setup and maintain filters – Used by a number of larger operators – Only accept a route from a customer when properly registered – Blocks the injection of false routing information • Use of the IRR is voluntarily Marco Hogewoning 19Monday, March 19, 2012
    • Internet Routing Registry (2) • Not all address space is covered • Not everything in the IRR is accurate – Stale information can be a problem – Manual overrides happen all the time • It is a distributed system – 14 databases that mirror each other – Verification and authentication methods vary between those databases Marco Hogewoning 20Monday, March 19, 2012
    • Routing Information Service • We operate a number of route collectors – Thousands of networks feed us their view of the world – Provides a global view of the Internet • Information collected in a central database – Provides historic and real time information – Information is publicly accessible • Information can be used to monitor your space • Can also be used to find unused address blocks Marco Hogewoning 21Monday, March 19, 2012
    • IS Alarms Service • Tool to monitor the Internet routing table – Using RIS as a source • Track changes in origin or transit AS for a given prefix • If a rogue route is detected an alarm is raised to the operator either via email or syslog • Can catch a lot of errors and hijack attempts Marco Hogewoning 22Monday, March 19, 2012
    • Routing Registry Constancy Check • Compares the IRR and RIS • Highlights the mismatches in origin AS • Operator can choose from two options: – Fix the IRR to match routing – Fix the routing to match the IRR • Does not prevent or correct any hijacking but improves data quality in the IRR Marco Hogewoning 23Monday, March 19, 2012
    • Certification • The idea came from the routing community – Secure InterDomain Routing (SIDR) WG in IETF • Route Origination Authorization (ROA) – Ties a specific prefix to an ASN – “Improved” version of the route object • Verified by the address holder – Registry is the trust anchor – Allows for better control compared to IRR Marco Hogewoning 24Monday, March 19, 2012
    • Certification (2) • More and easier integration with the routing layer – Compared to the IRR system using the database • Should have less stale information – Turned out to still be error prone • Use is entirely voluntarily – How to handle invalids is up to the operator • Quality of the RPKI data will influence the speed of adoption amongst operators Marco Hogewoning 25Monday, March 19, 2012
    • Certification (3) • Current guidelines are to alter preference: – Always prefer valid over invalid routes • Right now can only verify the origin of the route – Catches a lot of mistakes – “Path validation” added in the future • Filtering only becomes an option when everybody uses the system correctly Marco Hogewoning 26Monday, March 19, 2012
    • Injecting a Rogue Route AS Inject X AS AS AS AS AS AS Target victim AS AS Marco Hogewoning 27Monday, March 19, 2012
    • Legacy Is the Easy Victim RIPE NCC 15% Other IANA 14% APNIC 20% Legacy 15% AfriNIC 2% LACNIC 4% ARIN 30% Marco Hogewoning 28Monday, March 19, 2012
    • Legacy Space • The most likely target for any form of hijacking or other abuse: – Not covered by the registry or stale information – Not covered by RPKI – More likely to not be used on the Internet • Project underway to bring these resources into the registry – Registration is free of charge Marco Hogewoning 29Monday, March 19, 2012
    • Questions?Monday, March 19, 2012