© 2014 Renesys Corporation Confidential & Proprietary
The End of Undetected BGP Route Hijacking
(Detecting malicious behavior using global data analytics)
Speaker
Earl Zmijewski, PhD
earl@renesys.com
+1 603-643-9300, x103
19 May 2014
LINX 85
Congress Centre, London
Agenda
•  A few examples
   •  The Innocent, the Unusual and the Bizarre
•  What makes BGP vulnerable?
   •  You already know this!
•  BGP hijacks in 2013
   •  Major Sources
   •  Techniques Employed
   •  Overall Summary for the Year
•  Fundamental detection issues
   •  Why is this so hard?
•  How Renesys benefits the community
   •  We keep an eye on things so you don’t have to!
A Few Examples
(Looking for Anomalies in Traceroute and BGP Data)
Are either of these scenarios unusual & why?
Scenario 1: Traffic between two floors of the same office building in Singapore takes over 350ms round trip, traveling via San Jose, California.
Scenario 2: Traffic from Western Europe to the US takes around 70ms round trip, traveling via Iceland’s incumbent provider.
Scenario 2 is a Man-in-the-Middle incident
Scenario 1: Innocent. NTT won’t peer with Tinet in Singapore; Tinet must drag traffic to San Jose to hand it off to NTT, who drags it home again to Singapore.
Scenario 2: Unusual. Iceland’s Siminn hijacked routes of major firms for weeks and passed the traffic along. In general, Internet traffic never flows via Iceland (cost, geography).
Are either of these scenarios unusual & why?
Scenario 1: Latencies to Google’s public DNS servers increase dramatically from South America.
Scenario 2: Latencies to a Microsoft network (hosting important domains) decrease momentarily from E. Europe.
Scenario 2 involves route hijacking
Scenario 1: Unusual. Google departs Brazil for unexplained reasons. DNS queries answered from California. No route hijacking involved. (See our October 30th blog.)
Scenario 2: Unusual. Microsoft network (more specific of routed prefix) is hijacked, misdirection limited to immediate vicinity. Not Man-in-the-Middle! Traces terminated at the hijacker.
Google left South America for months, eventually came back, and for the better.
Renesys collects BGP & traceroute data worldwide – used to detect route hijacks, path and latency changes/impairments
What makes BGP vulnerable?
Why and how do infrastructure protocols fail?
– Internet runs on the “honor system” at all levels
•  BGP protocol is simple & the same on every router
   §  BGP routers relay messages to neighbors about routes
   §  Routes are constructed hop-by-hop, beyond the originator’s control
•  BGP policy is complex, local, & without any global coordination
   §  Local policies for accepting, rejecting and propagating routes
   §  This is good: Great flexibility to support business objectives
   §  This is bad: Vulnerability to bogus route propagation
BGP Hijacks in 2013
Two Major Sources of MITM Hijacks in 2013
•  Beltelecom (AS 6697)
   •  Belarus incumbent
   •  Several downstream AS “origins”
   •  Traces pass only through Beltelecom, not the claimed origin
•  Siminn (AS 6677)
   •  Iceland incumbent
   •  Several downstream AS “origins”
   •  Traces pass only through Siminn, not the claimed origin
   •  Siminn conceded redirection of traffic, but claimed router bug
•  A few other players, but more limited impacts.
NYC to Los Angeles during Belarus Hijacks
Germany to California during Iceland Hijacks
Denver to Denver during Iceland hijacks
BGP MITM requires both corrupt and clean paths
•  At least three possible approaches:
   •  Pilosov & Kapela, Defcon 2008
      •  Announce more-specifics
      •  AS path poisoning to maintain one clean path from attacker to victim
      •  Never observed “in the wild”. See our Black Hat DC 2009 talk.
   •  BGP Communities (first seen in 2013)
      •  Used to limit propagation by upstream providers
      •  Tricky to get right, especially since the upstreams might be interconnected
      •  We’ve seen use of communities evolve over time
   •  Announcements only to peers, not transit providers (first seen in 2013)
      •  Peering relationships are between competitors
      •  Peers will not propagate routes (otherwise they provide free transit!)
      •  Requires a provider with many peers in order to get appreciable amounts of traffic
Exploiting BGP Communities
Hijacker announces prefix p to regional provider P with BGP community P:71990
What does this mean? Whois information tells us …
remarks To deny prefix propagation,
remarks use P:7DNNA, where
remarks D – Deny announcements:
remarks 1 – International peers
remarks 2 – In-country peers
…
remarks NN – Upstream:
remarks 01 – Provider 1
remarks 02 – Provider 2
…
remarks 99 – All Upstreams
…
remarks A – Action:
remarks 0 – Do not announce prefix
•  The hijacker tells P not to announce p to any of its international peers, implying that it should announce p only to its domestic peers and customers.
•  In this way, the hijack of p is constrained to a geographic region.
•  Regional traffic for p is misdirected to the attacker, who can then forward it onward to its rightful owner via a clean path through another provider.
Overall Statistics: 1 Jan – 31 Dec 2013
•  Major hijacks occurred on 102 days in this time period (29% of the days in 2013); most were MITM
•  Almost 1,500 networks (prefixes) were targeted, geolocating to over 150 cities worldwide. Targets included financial services, various governments, NSPs, content providers.
•  Hijacked networks contain over 500,000 domains (FQDNs)
•  Traffic detouring lasted from minutes to months! One hijack persisted from late October 2013 until late January 2014!
•  Techniques were refined over time.
•  Global impact varied depending on the providers accepting the bogus routes and the techniques employed
Hijacks by City: 1 Jan – 31 Dec 2013
Global Impacts – 9 February 2013
– We identify the level of acceptance of bogus routes, by country
Geolocation of network subject to traffic detouring
Global Spread of Bogus routes – 27 Feb 2013
– Major US provider, one ccTLD, many others
Geolocation of network subject to traffic detouring
How can all BGP hijacks be discovered?
Two Approaches for Complete Global Coverage
•  Each of the 42,000+ ASes on the Internet could …
   •  Use their favorite route monitoring service or
   •  Publish their routing policies in an IRR and keep them updated, allowing others to do the monitoring
•  Use global historical routing data to report on anomalies
   •  Find suspicious origins, AS paths
   •  Use global traceroute data to look for MITM or hosts in the attacker’s network that answer (e.g., Turkey answering for Google’s DNS servers).
   •  Difficulty: The Internet is a very dynamic place. Easy to generate an overwhelming number of false positives.
Eliminating False Positives
•  Suppress alerts for new originations that meet certain conditions:
   •  Origination has been seen in the past (e.g., traffic engineering)
   •  Origination seen by very few peers or for a very short duration
   •  New origin is part of the same organization as the typical origin (e.g., AT&T has over 100 ASNs)
   •  New origin is a DDoS mitigation service (e.g., Prolexic)
   •  Obvious typos (e.g., edit distance 1 from the legitimate announcement)
   •  … many more rules to filter innocent errors / typical usage
Look for Novelty in the Rest
•  Score new originations by unusualness
   •  Hijacking AS now operating in a new, distant geography?
   •  Hijacked prefix hosting important domains?
   •  Traces pass through hijacking AS onto legitimate AS (MITM)?
   •  Traces terminate at hijacking AS (impersonation)?
   •  … many more rules to score novelty and call out the most suspicious originations for review
Automated BGP Hijack Reporting
•  We get a handful of reports per day; many are false positives and easily dismissed. Occasionally, we get a “live one”.
•  Here is one automated report entry from April 2014:
AS6697 (Beltelecom, BY) announced 1 pfx(s) that are potentially hijacks of currently routed address space: XXX.YYY.151.0/24 (ZZZZ, GB), seen by 310 peers for an average of 1.16 hours. This is a more specific of prefix: XXX.YYY.128.0/19 (ZZZZZ), Origin=NNNN (ZZZZZ, GB)
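The suppression rules of the "Eliminating False Positives" slide, the novelty scoring of the "Look for Novelty in the Rest" slide and the report format above, as an added worked example that is not Renesys code: a toy origination-alert pipeline run over a constructed routing baseline. Every prefix, ASN, organization, country, threshold and score weight below is an assumption made up for the example, not real routing data.

```python
import ipaddress

# Constructed baseline, the "approximately correct" state learned from history:
# prefix -> set of origin ASNs that have announced it before.
HISTORY = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/22": {64501},
    "192.0.2.0/24": {64502, 64503},   # two past origins: traffic engineering
}
# Constructed lookup tables (all ASNs are private-range placeholders).
ORG = {64500: "ExampleNet", 64501: "BigTelco", 64502: "BigTelco", 64503: "BigTelco",
       64509: "TypoNet", 64510: "BigTelco", 64520: "ScrubCo", 64599: "FarAwayISP"}
COUNTRY = {64500: "US", 64501: "GB", 64502: "GB", 64503: "GB",
           64509: "US", 64510: "GB", 64520: "US", 64599: "BY"}
DDOS_MITIGATION = {64520}          # a scrubbing service that legitimately re-originates
IMPORTANT = {"198.51.100.0/22"}    # baseline prefixes that host important domains
MIN_PEERS, MIN_HOURS = 10, 0.25    # below this an origination is too small to chase


def edit_distance(a, b):
    """Levenshtein distance between two strings (the 'obvious typo' rule)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def legitimate_origins(prefix):
    """Longest baseline prefix covering `prefix`, and the origins seen for it."""
    net = ipaddress.ip_network(prefix)
    covers = [p for p in HISTORY if net.subnet_of(ipaddress.ip_network(p))]
    if not covers:
        return None, set()
    best = max(covers, key=lambda p: ipaddress.ip_network(p).prefixlen)
    return best, HISTORY[best]


def suppress_reason(prefix, origin, peers, hours):
    """False-positive rules: why this origination is NOT worth an alert, or None."""
    covering, legit = legitimate_origins(prefix)
    if covering is None:
        return "not in currently routed address space"
    if covering == prefix and origin in legit:
        return "origination seen in the past"
    if peers < MIN_PEERS or hours < MIN_HOURS:
        return "seen by too few peers or too briefly"
    if ORG.get(origin) in {ORG.get(o) for o in legit}:
        return "same organization as usual origin"
    if origin in DDOS_MITIGATION:
        return "DDoS mitigation service"
    if any(edit_distance(str(origin), str(o)) == 1 for o in legit):
        return "probable typo of legitimate origin"
    return None


def novelty_score(prefix, origin, trace=None):
    """Novelty rules; higher is more suspicious. `trace` is 'mitm', 'terminated' or None."""
    covering, legit = legitimate_origins(prefix)
    score = 0
    if COUNTRY.get(origin) not in {COUNTRY.get(o) for o in legit}:
        score += 2      # new origin operates in a distant geography
    if covering in IMPORTANT:
        score += 3      # hijacked prefix hosts important domains
    if trace == "mitm":
        score += 4      # traces pass through the new origin on to the legitimate AS
    elif trace == "terminated":
        score += 2      # traces end at the new origin: impersonation
    return score


def report_line(prefix, origin, peers, hours):
    """One report entry in the style of the automated entry quoted above."""
    covering, legit = legitimate_origins(prefix)
    legit_as = min(legit)
    rel = "a more specific of" if covering != prefix else "the same as"
    return (f"AS{origin} ({ORG.get(origin, 'unknown')}, {COUNTRY.get(origin, '??')}) "
            f"announced 1 pfx(s) that are potentially hijacks of currently routed address "
            f"space: {prefix}, seen by {peers} peers for an average of {hours:.2f} hours. "
            f"This is {rel} prefix: {covering}, Origin={legit_as} "
            f"({ORG.get(legit_as, 'unknown')}, {COUNTRY.get(legit_as, '??')})")


def evaluate(prefix, origin, peers, hours, trace=None):
    """Whole pipeline: suppress the innocent, score the rest, report the alerts."""
    reason = suppress_reason(prefix, origin, peers, hours)
    if reason:
        return {"alert": False, "reason": reason, "score": 0, "report": None}
    return {"alert": True, "reason": None, "score": novelty_score(prefix, origin, trace),
            "report": report_line(prefix, origin, peers, hours)}


if __name__ == "__main__":
    # Constructed originations: prefix, origin ASN, peers seeing it, hours seen, trace evidence
    for ev in [("203.0.113.0/24", 64500, 300, 5.0, None),
               ("198.51.100.0/24", 64510, 200, 2.0, None),
               ("198.51.100.0/24", 64520, 200, 2.0, None),
               ("203.0.113.0/24", 64509, 150, 1.0, None),
               ("198.51.100.0/24", 64599, 310, 1.16, "mitm")]:
        r = evaluate(*ev)
        print(f"ALERT score={r['score']}: {r['report']}" if r["alert"]
              else f"suppressed ({r['reason']}): {ev[0]} from AS{ev[1]}")
```

Only the last constructed event survives the filters; the first four are dropped by the past-origination, same-organization, DDoS-mitigation and typo rules respectively.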
Fundamental Detection Issues
Fundamental Detection Issues I
•  Internet infrastructure incidents impacting a specific enterprise typically occur beyond the enterprise’s perimeter and may be invisible from the enterprise’s vantage points
•  Widely distributed global sensor network is necessary to minimize false negatives (otherwise, regional or provider-specific events can be missed)
•  Multiple data sources and sophisticated analytics are necessary to detect deviations from “normal” and minimize false positives
Fundamental Detection Issues II
How do we distinguish malicious/suboptimal from legitimate?
Best case: An enterprise knows “Ground Truth” for what it cares about. Monitoring system then alerts on any deviations.
Actual case: “Ground Truth” is rarely fully and correctly specified, and never will be for most organizations. Monitor long enough to determine the “approximately correct”★ state, alert on deviations, automate response processing.
★ with thanks to Leslie Valiant, author of Probably Approximately Correct.
How Renesys Benefits the Community
The End of Undetected BGP Route Hijacking
•  It's no longer acceptable for route hijacking to go unobserved. It's too important to only tell the people who pay.
•  Renesys watches the entire Internet, 24x7, and the vast majority of the affected parties are not our customers.
•  We tell them anyway.
•  Your support makes that possible; without LINX and the other IXes, we would not have the global data to understand “normal routing” in enough detail to support this activity.
We even alert on silly things …
•  For example, global Carrier-Grade NAT announcements:
   •  Cogent and TransTelecom stopped after we alerted them.
   •  MegaFon stopped briefly in April.
   •  The routing table is a little cleaner as a result.
But false positives are unavoidable …
•  A new more-specific prefix announced from a seemingly unrelated origin will always generate an alert.
•  The following example is from 8 May 2014.
AS393327 (THE GEORGE W. BUSH FOUNDATION, US) announced 1 pfx(s) that are potentially hijacks of currently routed address space: 12.203.53.0/24 (GEORGE W. BUSH PRESIDENTIAL CENT, US), seen by 394 peers for an average of 0.57 hours. This is a more specific of 12.128.0.0/9 (AT&T Bell Laboratories, US) Origin=7018 (AT&T, US)
•  First US president with his own Autonomous System.
Thank you
