RIPE NCC IPv4 Pool                                         Legacy                                          15%            ...
IP Hijacking                         Securing Internet Routing                         Marco Hogewoning                   ...
Never attribute to malice that which is               adequately explained by stupidity.                                 -...
Why Would You Hijack?        •    Sending spam or malware unnoticed        •    Intercept traffic to a specific host        ...
Two Targets for Hijacking        •    The Internet routing table               – Influence       how traffic flows by manipul...
Internet Routing        •    Non hierarchical        •    The internet registries only have limited control               ...
Decision Making in Routing        •    Unless preferences dictate otherwise, a router             will pick the shortest p...
3                                    AS                                                        6                          ...
3                                    AS                                                        6                          ...
3                                    AS                                                                 6                 ...
3                                    AS                                                                 6                 ...
3                                    AS                                                                 6                 ...
“I know where                                    193.0.0.0/19 is”                    3                                    ...
3                                    AS                                                        6                          ...
3                                    AS                                                        6                          ...
3                                    AS                                                        6                          ...
“Haha, I have                                                        193.0.3.0/24”                    3                   ...
“Haha, I have                                                        193.0.3.0/24”                    3                   ...
“Haha, I have                                                        193.0.3.0/24”                    3                   ...
Hijacking in PracticeMonday, March 19, 2012
Hijacking in Order to Spam        •    Probably the easiest to do               – You      don’t need 100% coverage       ...
In Practical Terms        •    Look for older registrations or even better, look             for something that is not reg...
Hijacking to Intercept        •    You are targeting space that is in use               – The     owner is much more likel...
Injecting a Rogue Route                                            AS                              AS            AS       ...
Injecting a Rogue Route                                            AS                     Inject                          ...
Injecting a Rogue Route              fake                          AS                     Inject                          ...
Injecting a Rogue Route              fake                          AS                     Inject                          ...
Hijacking With the Intention to Sell        •    No need to fiddle with routing        •    Unregistered (legacy) space is ...
Protection and                         PreventionMonday, March 19, 2012
IPv4 Address Space Covered                                Legacy                                 15%      RIPE NCC        ...
Internet Registry        •    All assignments and allocations made by the             RIPE NCC are protected by us        ...
RIPE Database        •    Strong protection using MD5 hashed passwords             or PGP public/private key pairs        ...
Internet Routing Registry        •    Combination of ASN and IP resources               – “This      space is announced by...
Internet Routing Registry (2)        •    Not all address space is covered        •    Not everything in the IRR is accura...
Routing Information Service        •    We operate a number of route collectors               – Thousands     of networks ...
IS Alarms Service        •    Tool to monitor the Internet routing table               – Using      RIS as a source       ...
Routing Registry Constancy Check        •    Compares the IRR and RIS        •    Highlights the mismatches in origin AS  ...
Certification        •    The idea came from the routing community               – Secure     InterDomain Routing (SIDR) W...
Certification (2)        •    More and easier integration with the routing layer               – Compared         to the I...
Certification (3)        •    Current guidelines are to alter preference:               – Always      prefer valid over in...
Injecting a Rogue Route                                            AS                     Inject                          ...
Legacy Is the Easy Victim                                    RIPE NCC                                       15%      Other...
Legacy Space        •    The most likely target for any form of hijacking or             other abuse:               – Not ...
Questions?Monday, March 19, 2012
Upcoming SlideShare
Loading in …5
×

IP Hijacking - Securing Internet Routing

1,605 views
1,478 views

Published on

Presentation given by Marco Hogewoning at: LEA Meeting, London. 19 March 2012

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,605
On SlideShare
0
From Embeds
0
Number of Embeds
196
Actions
Shares
0
Downloads
14
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

IP Hijacking - Securing Internet Routing

  1. 1. RIPE NCC IPv4 Pool Legacy 15% Other IANA 14% AfriNIC 2% LACNIC 4% RIPE NCC 15% ARIN 30% APNIC 20% Marco Hogewoning 1Monday, March 19, 2012
  2. 2. IP Hijacking Securing Internet Routing Marco Hogewoning Training ServicesMonday, March 19, 2012
  3. 3. Never attribute to malice that which is adequately explained by stupidity. -- Robert J HanlonMonday, March 19, 2012
  4. 4. Why Would You Hijack? • Sending spam or malware unnoticed • Intercept traffic to a specific host • Sell the resources Marco Hogewoning 4Monday, March 19, 2012
  5. 5. Two Targets for Hijacking • The Internet routing table – Influence how traffic flows by manipulating BGP • The Internet registry – Possibly manipulating BGP filters – Hide or change ownership details Marco Hogewoning 5Monday, March 19, 2012
  6. 6. Internet Routing • Non hierarchical • The internet registries only have limited control – It’s the operator who decides – We can only offer some guidance • Internet Routing Registry – Integrated in the RIPE Database – Ties together a prefix and an ASN • RPKI Certification – ROAs couple a prefix and an ASN Marco Hogewoning 6Monday, March 19, 2012
  7. 7. Decision Making in Routing • Unless preferences dictate otherwise, a router will pick the shortest path • A more specific route will always take preference • Filtering usually only done at the edge of the Internet – Filteringin the core of the Internet is far too complex and costly to achieve • Most filters are based on IP ranges – Input can come from the IRR Marco Hogewoning 7Monday, March 19, 2012
  8. 8. 3 AS 6 AS AS AS IX AS IX AS AS 1 ASMonday, March 19, 2012
  9. 9. 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
  10. 10. 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!” “I know where 193.0.0.0/19 is”Monday, March 19, 2012
  11. 11. 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!” “I know where 193.0.0.0/19 is”Monday, March 19, 2012
  12. 12. 3 AS 6 AS AS AS IX AS IX AS AS 1 “I know where AS “I have 193.0.0.0/19 is” 193.0.0.0/19!” “I know where 193.0.0.0/19 is”Monday, March 19, 2012
  13. 13. “I know where 193.0.0.0/19 is” 3 AS 6 AS AS AS IX AS IX AS AS 1 “I know where AS “I have 193.0.0.0/19 is” 193.0.0.0/19!” “I know where 193.0.0.0/19 is”Monday, March 19, 2012
  14. 14. 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
  15. 15. 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
  16. 16. 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
  17. 17. “Haha, I have 193.0.3.0/24” 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
  18. 18. “Haha, I have 193.0.3.0/24” 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
  19. 19. “Haha, I have 193.0.3.0/24” 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
  20. 20. Hijacking in PracticeMonday, March 19, 2012
  21. 21. Hijacking in Order to Spam • Probably the easiest to do – You don’t need 100% coverage – Probably temporary anyway – You don’t care about identity or ownership • Find some space that is not in use – Registry can “guide” you to them • Find an upstream that does not filter – Or trusts what you tell them Marco Hogewoning 10Monday, March 19, 2012
  22. 22. In Practical Terms • Look for older registrations or even better, look for something that is not registered at all • Maybe find an unused ASN to hide behind • Announce it on the Internet and do your thing • Role of the registries is very limited – We advise people to filter – Try to reclaim unannounced space Marco Hogewoning 11Monday, March 19, 2012
  23. 23. Hijacking to Intercept • You are targeting space that is in use – The owner is much more likely to find out – You need to create a shorter or better AS path • Using a more specific creates a better path – Announce only the part you are interested in • Make sure you don’t create a blackhole • RIPE NCC provides tools that can spot these Marco Hogewoning 12Monday, March 19, 2012
  24. 24. Injecting a Rogue Route AS AS AS AS AS AS AS Target victim AS AS Marco Hogewoning 13Monday, March 19, 2012
  25. 25. Injecting a Rogue Route AS Inject AS AS AS AS AS AS Target victim AS AS Marco Hogewoning 13Monday, March 19, 2012
  26. 26. Injecting a Rogue Route fake AS Inject AS AS AS AS AS AS Target victim AS AS Marco Hogewoning 13Monday, March 19, 2012
  27. 27. Injecting a Rogue Route fake AS Inject AS AS AS AS AS AS Target victim AS AS Marco Hogewoning 13Monday, March 19, 2012
  28. 28. Hijacking With the Intention to Sell • No need to fiddle with routing • Unregistered (legacy) space is probably the easiest to target • Registered space requires you to alter the RIPE Database • Amount of detail needed probably depends on who is buying it Marco Hogewoning 14Monday, March 19, 2012
  29. 29. Protection and PreventionMonday, March 19, 2012
  30. 30. IPv4 Address Space Covered Legacy 15% RIPE NCC 15% Marco Hogewoning 16Monday, March 19, 2012
  31. 31. Internet Registry • All assignments and allocations made by the RIPE NCC are protected by us • Attempts to modify data are monitored and immediately acted upon • Virtually impossible to steal registered space from the perspective of the Database • Routing is not depending on registry information Marco Hogewoning 17Monday, March 19, 2012
  32. 32. RIPE Database • Strong protection using MD5 hashed passwords or PGP public/private key pairs • Only authenticated users can update or change information • Creation of so called route objects verified by password of both the IP and ASN holders • It is a public database! Marco Hogewoning 18Monday, March 19, 2012
  33. 33. Internet Routing Registry • Combination of ASN and IP resources – “This space is announced by this AS” • Can be used to setup and maintain filters – Used by a number of larger operators – Only accept a route from a customer when properly registered – Blocks the injection of false routing information • Use of the IRR is voluntarily Marco Hogewoning 19Monday, March 19, 2012
  34. 34. Internet Routing Registry (2) • Not all address space is covered • Not everything in the IRR is accurate – Stale information can be a problem – Manual overrides happen all the time • It is a distributed system – 14 databases that mirror each other – Verification and authentication methods vary between those databases Marco Hogewoning 20Monday, March 19, 2012
  35. 35. Routing Information Service • We operate a number of route collectors – Thousands of networks feed us their view of the world – Provides a global view of the Internet • Information collected in a central database – Provides historic and real time information – Information is publicly accessible • Information can be used to monitor your space • Can also be used to find unused address blocks Marco Hogewoning 21Monday, March 19, 2012
  36. 36. IS Alarms Service • Tool to monitor the Internet routing table – Using RIS as a source • Track changes in origin or transit AS for a given prefix • If a rogue route is detected an alarm is raised to the operator either via email or syslog • Can catch a lot of errors and hijack attempts Marco Hogewoning 22Monday, March 19, 2012
  37. 37. Routing Registry Constancy Check • Compares the IRR and RIS • Highlights the mismatches in origin AS • Operator can choose from two options: – Fix the IRR to match routing – Fix the routing to match the IRR • Does not prevent or correct any hijacking but improves data quality in the IRR Marco Hogewoning 23Monday, March 19, 2012
  38. 38. Certification • The idea came from the routing community – Secure InterDomain Routing (SIDR) WG in IETF • Route Origination Authorization (ROA) – Ties a specific prefix to an ASN – “Improved” version of the route object • Verified by the address holder – Registry is the trust anchor – Allows for better control compared to IRR Marco Hogewoning 24Monday, March 19, 2012
  39. 39. Certification (2) • More and easier integration with the routing layer – Compared to the IRR system using the database • Should have less stale information – Turned out to still be error prone • Use is entirely voluntarily – How to handle invalids is up to the operator • Quality of the RPKI data will influence the speed of adoption amongst operators Marco Hogewoning 25Monday, March 19, 2012
  40. 40. Certification (3) • Current guidelines are to alter preference: – Always prefer valid over invalid routes • Right now can only verify the origin of the route – Catches a lot of mistakes – “Path validation” added in the future • Filtering only becomes an option when everybody uses the system correctly Marco Hogewoning 26Monday, March 19, 2012
  41. 41. Injecting a Rogue Route AS Inject X AS AS AS AS AS AS Target victim AS AS Marco Hogewoning 27Monday, March 19, 2012
  42. 42. Legacy Is the Easy Victim RIPE NCC 15% Other IANA 14% APNIC 20% Legacy 15% AfriNIC 2% LACNIC 4% ARIN 30% Marco Hogewoning 28Monday, March 19, 2012
  43. 43. Legacy Space • The most likely target for any form of hijacking or other abuse: – Not covered by the registry or stale information – Not covered by RPKI – More likely to not be used on the Internet • Project underway to bring these resources into the registry – Registration is free of charge Marco Hogewoning 29Monday, March 19, 2012
  44. 44. Questions?Monday, March 19, 2012

×