Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Internet Routing Vulnerability
Routing-based Internet Infrastructure Attacks &
Manipulations
Doug Madory
NCSC ONE Conferen...
@DynResearch
•  Analyze global Internet routing and infrastructure
•  Renesys acquired by Dyn in May 2014
Who are we?
@DynResearch
@DynResearch
BGP governs movement of Internet traffic
•  Single protocol governs traffic exchange among the roughly
49,000...
@Name	
  
The system that directs
Internet traffic is based on
entirely on trust
@DynResearch
http://research.dyn.com/2013/11/mitm-internet-hijacking/
•  Beltelecom (AS6697)
•  Belarus incumbent hijacked...
@DynResearch
http://research.dyn.com/2013/11/mitm-internet-hijacking/
BGP MITM hijacks
trace from Helsinki to Ministry of ...
@DynResearch
•  Prefixes hosting bitcoin mining sites were repeatedly
hijacked in Feb 2014
•  Amazon, OVH, Digital Ocean t...
@DynResearch
An innocent mistake?
•  Vega Telecom (AS12883)
•  Ukrainian reseller of BT services
•  Announced 14 BT prefix...
@Name	
  
Global routing system can be
(and has been) manipulated
to redirect Internet traffic
@DynResearch
Peering – Normal Behavior
•  ISP A & ISP B peer
•  ISP A sends announcements from
only its customers to ISP B...
@DynResearch
ISP B is inserted into inbound traffic to ISP A
•  ISP A & ISP B peer
•  ISP A sends announcements from
only ...
@DynResearch
ISP B is inserted into outbound traffic from ISP A
•  ISP A & ISP B peer
•  ISP B sends announcements from
it...
@DynResearch
Vimpelcom (AS3216)- China Telecom (AS4134)
At 10:23 UTC on 5 August 2014:
… {1299, 3257, 1273, …} 4134 3216 …...
@DynResearch
trace from Moscow to Manchester, NH at 12:09 Aug 05, 2014
1 *
2 194.154.89.125 (Vimpelcom, Moscow, RU) 0.743m...
@DynResearch
Redirecting traffic
through a faraway
ISP can have big
impacts on latency.
@DynResearch
No one is immune
At 18:15 UTC on 6-Nov-14, Vocus (AS4826) begins leaking Microsoft (AS12076)
routes:
… {174, ...
@DynResearch
California, US Vocus (Australia) Microsoft (Redmond)
San Jose to Microsoft
(Redmond)
redirected through
Austr...
@Name	
  
Routing mistakes are
commonplace and regularly
misdirect Internet traffic
@DynResearch
•  Numerous entities currently engaged in IP squatting
•  Common technique for spam generation, but also used...
@DynResearch
•  Techniques vary by entity
§  Entities under Petersburg Internet Network (AS44050) rapidly
rotate IP addre...
@DynResearch
•  Techniques vary by entity
§  AS197923 used plausible origin ASNs to elude
detection
•  Announced via smal...
@Name	
  
With fraudulent routing,
IP address-based attribution
becomes more difficult
@DynResearch
Recent Analysis
IPv4 Address Market Takes Off
As the problem of IPv4 exhaustion becomes
increasingly urgent, ...
@DynResearch
Analyzing the movement of IPv4
When one analyzes the movement of IPv4 address
space, there are some interesti...
@DynResearch
Issues with Transferred IPv4
Some transferred prefixes have had routing problems:
•  27-Oct-2014: 46.51.0.0/1...
@DynResearch
Issues with Transferred IPv4
Some transferred prefixes have had routing problems:
•  27-Oct-2014: 46.51.0.0/1...
@DynResearch
Issues with Transferred IPv4
Some transferred prefixes have had routing problems:
•  Today, 46.51.0.0/17 is r...
@DynResearch
Also Leads to Confusion in Geolocation
@DynResearch
IPv4 Transfer Market
•  Lots of IPv4 address space being sold
•  Increasing rate of transfer suggests strong ...
@Name	
  
IPv4 market heating up
and sometimes leads to
misrouting
@DynResearch
•  Global Internet routing is vulnerable to manipulation
•  Hijacks and routing errors can (and do) misdirect...
@Name	
  
THANK YOU!
Doug Madory
dmadory@dyn.com
@dynresearch
Upcoming SlideShare
Loading in …5
×

Internet Routing Vulnerability

2,015 views

Published on

Doug Madory, Dyn Director of Internet Analysis, speaks about routing issues at the NCSC ONE Conference in The Hague, Netherlands.

Published in: Internet
  • Be the first to comment

  • Be the first to like this

Internet Routing Vulnerability

  1. 1. Internet Routing Vulnerability Routing-based Internet Infrastructure Attacks & Manipulations Doug Madory NCSC ONE Conference 2015 The Hague, Netherlands April 13, 2015
  2. 2. @DynResearch •  Analyze global Internet routing and infrastructure •  Renesys acquired by Dyn in May 2014 Who are we?
  3. 3. @DynResearch
  4. 4. @DynResearch BGP governs movement of Internet traffic •  Single protocol governs traffic exchange among the roughly 49,000 Autonomous Systems that make up the Internet •  Each AS advertises their own IP networks, or prefixes, to their peers and transit providers •  Each AS independently picks the best route to every prefix on earth (most specific, then shortest AS path) •  However, each AS also has the ability to announce any other AS’s IP address space! Prefix: 194.123.122.0/24 (256 addresses) ASNs: AS286 (KPN), AS1103 (SURFnet)
  5. 5. @Name   The system that directs Internet traffic is based on entirely on trust
  6. 6. @DynResearch http://research.dyn.com/2013/11/mitm-internet-hijacking/ •  Beltelecom (AS6697) •  Belarus incumbent hijacked multiple entities in February 2013 •  Multiple downstream AS origins for hijacked prefixes •  Traceroutes pass only through Beltelecom •  Targeted US financial institutions and Foreign Ministries of numerous governments BGP MITM hijacks
  7. 7. @DynResearch http://research.dyn.com/2013/11/mitm-internet-hijacking/ BGP MITM hijacks trace from Helsinki to Ministry of Foreign Affairs of Lithuania (May 23, 2013) 1 * 2 62.78.114.228 Helsinki, Finland 0.519 3 62.78.111.198 Helsinki, Finland 0.508 4 62.78.107.128 Tampere, Finland 8.669 5 62.78.107.135 Tampere, Finland 14.401 6 62.78.107.51 Tampere, Finland 8.694 7 194.68.123.212 Stockholm, Sweden 21.758 8 217.150.62.234 Moscow, Russia 156.642 9 217.150.62.233 Minsk, Belarus 44.710 10 84.15.6.213 Vilnius, Lithuania 66.443 11 213.226.128.18 Vilnius, Lithuania 66.613 12 195.22.173.222 Ministry of Foreign 68.120 Affairs of Lithuania … 13194 24825 195.22.173.0/24 Legitimate route: … 20485 6697 56498 195.22.173.0/24 Hijack route: •  Hijack route was in circulation for about 1hr •  BGP communities used to deliberately limit propagation to create MITM Beltelecom Ministry of Foreign Affairs of Lithuania
  8. 8. @DynResearch •  Prefixes hosting bitcoin mining sites were repeatedly hijacked in Feb 2014 •  Amazon, OVH, Digital Ocean targeted •  54.197.251.210 useast.middlecoin.com •  54.214.242.184 uswest.middlecoin.com •  Hijacked traffic was routed through AS21548 (MTO Telecom) in Montreal •  Attack generated an estimated $80k http://www.secureworks.com/cyber-threat-intelligence/threats/bgp-hijacking-for-cryptocurrency-profit/ Bitcoin BGP hijacks
  9. 9. @DynResearch An innocent mistake? •  Vega Telecom (AS12883) •  Ukrainian reseller of BT services •  Announced 14 BT prefixes for a week, then 167prefixes for 90 minutes •  Traffic passes through Vega en-route to BT in England •  British organizations affected included the UK Atomic Weapons Establishment (also Walmart and Coca-Cola)
  10. 10. @Name   Global routing system can be (and has been) manipulated to redirect Internet traffic
  11. 11. @DynResearch Peering – Normal Behavior •  ISP A & ISP B peer •  ISP A sends announcements from only its customers to ISP B •  ISP B sends announcements from ISP A to only its customers Traffic misdirection also due to routing errorsTraffic misdirection also due to routing errors
  12. 12. @DynResearch ISP B is inserted into inbound traffic to ISP A •  ISP A & ISP B peer •  ISP A sends announcements from only its customers to ISP B •  ISP B sends announcements from ISP A to its peers and/or providers Peering – Routing Leak (Scenario 1) http://research.dyn.com/2014/11/use-protection-if-peering-promiscuously/
  13. 13. @DynResearch ISP B is inserted into outbound traffic from ISP A •  ISP A & ISP B peer •  ISP B sends announcements from its peers and/or providers to ISP A Peering – Routing Leak (Scenario 2)
  14. 14. @DynResearch Vimpelcom (AS3216)- China Telecom (AS4134) At 10:23 UTC on 5 August 2014: … {1299, 3257, 1273, …} 4134 3216 … 7k prefixes (scenario 1) … 3216 4134 {2914, 7018, 1239, …} 326k prefixes (scenario 2) Examples: ISPs leaking ISP routes http://research.dyn.com/2014/11/chinese-routing-errors-redirect-russian-traffic/
  15. 15. @DynResearch trace from Moscow to Manchester, NH at 12:09 Aug 05, 2014 1 * 2 194.154.89.125 (Vimpelcom, Moscow, RU) 0.743ms 3 79.104.235.66 mx01.Frankfurt.gldn.net 40.574ms 4 118.85.204.53 beeline-gw3.china-telecom.net 43.198ms 5 202.97.58.57 (China Telecom, Shanghai, CN) 302.433ms 6 202.97.58.238 (China Telecom, Los Angeles, US) 479.642ms 7 202.97.49.14 (China Telecom, Los Angeles, US) 487.225ms 8 38.104.139.77 te0-7-0-24.ccr21.sjc03.atlas.cogentco.com 380.087ms 9 154.54.6.105 be2000.ccr21.sjc01.atlas.cogentco.com 375.079ms 10 154.54.28.33 be2164.ccr21.sfo01.atlas.cogentco.com 371.727ms 11 154.54.30.54 be2132.ccr21.mci01.atlas.cogentco.com 372.585ms 12 154.54.6.86 be2156.ccr41.ord01.atlas.cogentco.com 370.596ms 13 154.54.44.86 be2351.ccr21.cle04.atlas.cogentco.com 367.498ms 14 154.54.25.89 be2009.ccr21.alb02.atlas.cogentco.com 371.972ms 15 38.104.52.78 (Cogent, Albany, US) 367.334ms 16 70.109.168.139 burl-lnk.ngn.east.myfairpoint.net 321.980ms 17 64.222.166.166 (Fairpoint Communications, Concord, US) 315.036ms 18 64.223.189.66 static.man.east.myfairpoint.net 321.682ms Remember, peers are only supposed to provide mutual visibility into each others’ customers. When peers announce peer routes to other peers, it quickly turns into traffic misdirection .. Not a hijacking, but a policy breakdown.
  16. 16. @DynResearch Redirecting traffic through a faraway ISP can have big impacts on latency.
  17. 17. @DynResearch No one is immune At 18:15 UTC on 6-Nov-14, Vocus (AS4826) begins leaking Microsoft (AS12076) routes: … {174, 6939, 3491,… } 4826 12076 65.52.0.0/14 (& 30 more) Condition persisted for 6 days Examples: ISPs leaking CDN routes
  18. 18. @DynResearch California, US Vocus (Australia) Microsoft (Redmond) San Jose to Microsoft (Redmond) redirected through Australia
  19. 19. @Name   Routing mistakes are commonplace and regularly misdirect Internet traffic
  20. 20. @DynResearch •  Numerous entities currently engaged in IP squatting •  Common technique for spam generation, but also used for distribution of malware and botnet CnC •  Obfuscates perpetrator’s true source •  Mostly unused IP space, but sometimes used space http://research.dyn.com/2015/01/vast-world-of-fraudulent-routing/ Vast World of Fraudulent Routing
  21. 21. @DynResearch •  Techniques vary by entity §  Entities under Petersburg Internet Network (AS44050) rapidly rotate IP address ranges Vast World of Fraudulent Routing Petersburg Internet Network (AS44050) Cyber Futuristics India (AS131788) Moj.Net (AS15393) SC TEHNOGRUP SRL (AS198596) NetLine Ltd (AS25051) Providers and Peers Phony ASNs
  22. 22. @DynResearch •  Techniques vary by entity §  AS197923 used plausible origin ASNs to elude detection •  Announced via small ISP in Ufa, Russia •  Modified AS path to make AS3300 (BT Infonet) appear to originate unused IP address space registered to BT Infonet Vast World of Fraudulent Routing Vimpelcom (AS3216) Telecontur (AS47951) FOP Obuhov Oleg Gennadiyovich(AS197923) BT Infonet (AS3300) Providers and Peers Phony, yet plausible ASNs British Telecom (AS5400) T-Systems GmbH (AS5400) Primus Telecom (AS5427) RSAWeb (AS37053)
  23. 23. @Name   With fraudulent routing, IP address-based attribution becomes more difficult
  24. 24. @DynResearch Recent Analysis IPv4 Address Market Takes Off As the problem of IPv4 exhaustion becomes increasingly urgent, the market for IPv4 address space is heating up. •  Pace of the transfer of IPv4 address has greatly accelerated as evidenced by RIPE's table of IPv4 transfers •  Increasing number of IPv4 brokers facilitating the exchange of IPv4 address space http://research.dyn.com/2015/04/ipv4-address-market-takes-off/
  25. 25. @DynResearch Analyzing the movement of IPv4 When one analyzes the movement of IPv4 address space, there are some interesting findings: •  Disproportionate amount of address space being transferred (i.e. “sold”) from Romania •  1,069 out of 1,848 (58%) blocks transferred since January 2014 were from Romania •  947 (51%) were from Jump Mgt (AS2541) •  Much of the Romanian address space is showing up in the Middle East •  33% of the ~4,656 prefixes originated out of Saudi Arabia were Romanian a couple of months ago •  Iran, Syria, UAE are other ME nations now using former Romanian IPv4 space
  26. 26. @DynResearch Issues with Transferred IPv4 Some transferred prefixes have had routing problems: •  27-Oct-2014: 46.51.0.0/17 was transferred from Netserv Consult SRL (RO) to Mobile Communication Company of Iran •  Mobile Communication Company of Iran (AS197207) began announcing the prefix immediately •  However, Level 3 (AS3356) has announced more-specific prefixes within this range since early 2012 •  46.51.16.0/21, 46.51.24.0/21, 46.51.32.0/21, …
  27. 27. @DynResearch Issues with Transferred IPv4 Some transferred prefixes have had routing problems: •  27-Oct-2014: 46.51.0.0/17 was transferred from Netserv Consult SRL (RO) to Mobile Communication Company of Iran •  Mobile Communication Company of Iran (AS197207) began announcing the prefix immediately •  However, Level 3 (AS3356) has announced more-specific prefixes within this range since early 2012 •  46.51.16.0/21, 46.51.24.0/21, 46.51.32.0/21, … •  So starting in early December, AS197207 started announcing more-specifics of AS3356’s more-specifics to regain the space
  28. 28. @DynResearch Issues with Transferred IPv4 Some transferred prefixes have had routing problems: •  Today, 46.51.0.0/17 is routed by AS197207 out of Iran. Level 3 announces more-specifics of this route, however AS197207 announces more-specifics of those. •  Also, 46.51.108.0/22 has been announced from AS51656 out of Romania since 10-Nov-2010. However, AS197207 now announces the two more-specifics of the prefix (46.51.108.0/23 and 46.51.110.0/23) •  In addition, multiple prefixes in this range are announced by both AS197207 and Romanian entities. For example: 46.51.105.0/24 (pictured right)
  29. 29. @DynResearch Also Leads to Confusion in Geolocation
  30. 30. @DynResearch IPv4 Transfer Market •  Lots of IPv4 address space being sold •  Increasing rate of transfer suggests strong desire for IPv4 •  Much from Romania, much to the Middle East •  IPv4 Buyer beware •  Carefully research the historical routing of the prefix for sale and its more specifics •  Configure aggressive routing alarms on any purchased prefix via a 3rd party service •  Establish strong technical contacts within the seller's organization
  31. 31. @Name   IPv4 market heating up and sometimes leads to misrouting
  32. 32. @DynResearch •  Global Internet routing is vulnerable to manipulation •  Hijacks and routing errors can (and do) misdirect traffic •  Fraudulent BGP routing occurring at a near constant pace •  Attribution based on IP addresses and reputation based on ASN are not so simple •  Enterprises and ISPs would do well to monitor their routes Summary
  33. 33. @Name   THANK YOU! Doug Madory dmadory@dyn.com @dynresearch

×