Your SlideShare is downloading. ×
IP Hijacking - Securing Internet Routing
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

IP Hijacking - Securing Internet Routing

1,318
views

Published on

Presentation given by Marco Hogewoning at: LEA Meeting, London. 19 March 2012

Presentation given by Marco Hogewoning at: LEA Meeting, London. 19 March 2012

Published in: Technology

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,318
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
11
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. RIPE NCC IPv4 Pool Legacy 15% Other IANA 14% AfriNIC 2% LACNIC 4% RIPE NCC 15% ARIN 30% APNIC 20% Marco Hogewoning 1Monday, March 19, 2012
  • 2. IP Hijacking Securing Internet Routing Marco Hogewoning Training ServicesMonday, March 19, 2012
  • 3. Never attribute to malice that which is adequately explained by stupidity. -- Robert J HanlonMonday, March 19, 2012
  • 4. Why Would You Hijack? • Sending spam or malware unnoticed • Intercept traffic to a specific host • Sell the resources Marco Hogewoning 4Monday, March 19, 2012
  • 5. Two Targets for Hijacking • The Internet routing table – Influence how traffic flows by manipulating BGP • The Internet registry – Possibly manipulating BGP filters – Hide or change ownership details Marco Hogewoning 5Monday, March 19, 2012
  • 6. Internet Routing • Non hierarchical • The internet registries only have limited control – It’s the operator who decides – We can only offer some guidance • Internet Routing Registry – Integrated in the RIPE Database – Ties together a prefix and an ASN • RPKI Certification – ROAs couple a prefix and an ASN Marco Hogewoning 6Monday, March 19, 2012
  • 7. Decision Making in Routing • Unless preferences dictate otherwise, a router will pick the shortest path • A more specific route will always take preference • Filtering usually only done at the edge of the Internet – Filteringin the core of the Internet is far too complex and costly to achieve • Most filters are based on IP ranges – Input can come from the IRR Marco Hogewoning 7Monday, March 19, 2012
  • 8. 3 AS 6 AS AS AS IX AS IX AS AS 1 ASMonday, March 19, 2012
  • 9. 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
  • 10. 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!” “I know where 193.0.0.0/19 is”Monday, March 19, 2012
  • 11. 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!” “I know where 193.0.0.0/19 is”Monday, March 19, 2012
  • 12. 3 AS 6 AS AS AS IX AS IX AS AS 1 “I know where AS “I have 193.0.0.0/19 is” 193.0.0.0/19!” “I know where 193.0.0.0/19 is”Monday, March 19, 2012
  • 13. “I know where 193.0.0.0/19 is” 3 AS 6 AS AS AS IX AS IX AS AS 1 “I know where AS “I have 193.0.0.0/19 is” 193.0.0.0/19!” “I know where 193.0.0.0/19 is”Monday, March 19, 2012
  • 14. 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
  • 15. 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
  • 16. 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
  • 17. “Haha, I have 193.0.3.0/24” 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
  • 18. “Haha, I have 193.0.3.0/24” 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
  • 19. “Haha, I have 193.0.3.0/24” 3 AS 6 AS AS AS IX AS IX AS AS 1 AS “I have 193.0.0.0/19!”Monday, March 19, 2012
  • 20. Hijacking in PracticeMonday, March 19, 2012
  • 21. Hijacking in Order to Spam • Probably the easiest to do – You don’t need 100% coverage – Probably temporary anyway – You don’t care about identity or ownership • Find some space that is not in use – Registry can “guide” you to them • Find an upstream that does not filter – Or trusts what you tell them Marco Hogewoning 10Monday, March 19, 2012
  • 22. In Practical Terms • Look for older registrations or even better, look for something that is not registered at all • Maybe find an unused ASN to hide behind • Announce it on the Internet and do your thing • Role of the registries is very limited – We advise people to filter – Try to reclaim unannounced space Marco Hogewoning 11Monday, March 19, 2012
  • 23. Hijacking to Intercept • You are targeting space that is in use – The owner is much more likely to find out – You need to create a shorter or better AS path • Using a more specific creates a better path – Announce only the part you are interested in • Make sure you don’t create a blackhole • RIPE NCC provides tools that can spot these Marco Hogewoning 12Monday, March 19, 2012
  • 24. Injecting a Rogue Route AS AS AS AS AS AS AS Target victim AS AS Marco Hogewoning 13Monday, March 19, 2012
  • 25. Injecting a Rogue Route AS Inject AS AS AS AS AS AS Target victim AS AS Marco Hogewoning 13Monday, March 19, 2012
  • 26. Injecting a Rogue Route fake AS Inject AS AS AS AS AS AS Target victim AS AS Marco Hogewoning 13Monday, March 19, 2012
  • 27. Injecting a Rogue Route fake AS Inject AS AS AS AS AS AS Target victim AS AS Marco Hogewoning 13Monday, March 19, 2012
  • 28. Hijacking With the Intention to Sell • No need to fiddle with routing • Unregistered (legacy) space is probably the easiest to target • Registered space requires you to alter the RIPE Database • Amount of detail needed probably depends on who is buying it Marco Hogewoning 14Monday, March 19, 2012
  • 29. Protection and PreventionMonday, March 19, 2012
  • 30. IPv4 Address Space Covered Legacy 15% RIPE NCC 15% Marco Hogewoning 16Monday, March 19, 2012
  • 31. Internet Registry • All assignments and allocations made by the RIPE NCC are protected by us • Attempts to modify data are monitored and immediately acted upon • Virtually impossible to steal registered space from the perspective of the Database • Routing is not depending on registry information Marco Hogewoning 17Monday, March 19, 2012
  • 32. RIPE Database • Strong protection using MD5 hashed passwords or PGP public/private key pairs • Only authenticated users can update or change information • Creation of so called route objects verified by password of both the IP and ASN holders • It is a public database! Marco Hogewoning 18Monday, March 19, 2012
  • 33. Internet Routing Registry • Combination of ASN and IP resources – “This space is announced by this AS” • Can be used to setup and maintain filters – Used by a number of larger operators – Only accept a route from a customer when properly registered – Blocks the injection of false routing information • Use of the IRR is voluntarily Marco Hogewoning 19Monday, March 19, 2012
  • 34. Internet Routing Registry (2) • Not all address space is covered • Not everything in the IRR is accurate – Stale information can be a problem – Manual overrides happen all the time • It is a distributed system – 14 databases that mirror each other – Verification and authentication methods vary between those databases Marco Hogewoning 20Monday, March 19, 2012
  • 35. Routing Information Service • We operate a number of route collectors – Thousands of networks feed us their view of the world – Provides a global view of the Internet • Information collected in a central database – Provides historic and real time information – Information is publicly accessible • Information can be used to monitor your space • Can also be used to find unused address blocks Marco Hogewoning 21Monday, March 19, 2012
  • 36. IS Alarms Service • Tool to monitor the Internet routing table – Using RIS as a source • Track changes in origin or transit AS for a given prefix • If a rogue route is detected an alarm is raised to the operator either via email or syslog • Can catch a lot of errors and hijack attempts Marco Hogewoning 22Monday, March 19, 2012
  • 37. Routing Registry Constancy Check • Compares the IRR and RIS • Highlights the mismatches in origin AS • Operator can choose from two options: – Fix the IRR to match routing – Fix the routing to match the IRR • Does not prevent or correct any hijacking but improves data quality in the IRR Marco Hogewoning 23Monday, March 19, 2012
  • 38. Certification • The idea came from the routing community – Secure InterDomain Routing (SIDR) WG in IETF • Route Origination Authorization (ROA) – Ties a specific prefix to an ASN – “Improved” version of the route object • Verified by the address holder – Registry is the trust anchor – Allows for better control compared to IRR Marco Hogewoning 24Monday, March 19, 2012
  • 39. Certification (2) • More and easier integration with the routing layer – Compared to the IRR system using the database • Should have less stale information – Turned out to still be error prone • Use is entirely voluntarily – How to handle invalids is up to the operator • Quality of the RPKI data will influence the speed of adoption amongst operators Marco Hogewoning 25Monday, March 19, 2012
  • 40. Certification (3) • Current guidelines are to alter preference: – Always prefer valid over invalid routes • Right now can only verify the origin of the route – Catches a lot of mistakes – “Path validation” added in the future • Filtering only becomes an option when everybody uses the system correctly Marco Hogewoning 26Monday, March 19, 2012
  • 41. Injecting a Rogue Route AS Inject X AS AS AS AS AS AS Target victim AS AS Marco Hogewoning 27Monday, March 19, 2012
  • 42. Legacy Is the Easy Victim RIPE NCC 15% Other IANA 14% APNIC 20% Legacy 15% AfriNIC 2% LACNIC 4% ARIN 30% Marco Hogewoning 28Monday, March 19, 2012
  • 43. Legacy Space • The most likely target for any form of hijacking or other abuse: – Not covered by the registry or stale information – Not covered by RPKI – More likely to not be used on the Internet • Project underway to bring these resources into the registry – Registration is free of charge Marco Hogewoning 29Monday, March 19, 2012
  • 44. Questions?Monday, March 19, 2012