This document discusses BGP route leaks and hijacks, and issues with using AS-SETs and IRR filters to prevent them. The key points are: 1. The document analyzes routing data and finds that at least 7% of IPv4 ISPs and 1% of IPv6 ISPs have problems with invalid BGP route advertisements violating their advertised filters. 2. Major tier 1 and tier 2 networks are found to accept route leaks not originating from their own networks, failing to properly filter routes according to their AS-SETs. 3. Properly configured and maintained AS-SETs and IRR filters could help reduce route leaks and hijacks, but many networks have poorly maintained filters or

1. BGP Flexibility and…
Its Consequences
Alexander Azimov
Qrator Labs aa@qrator.net

2. Rights
• Get address space from RIR;
• Establish BGP sessions;
• Advertise prefixes;
• Receive traffic.

3. Obligations
• MUST not hijack foreign address space;
• MUST not create route leaks;
• MUST Support anti-spoofing policies;
• MUST Configure Ingress/Egress filters;
• MUST Pay fee to RIR.

4. Obligations
• MUST not hijack foreign address space;
• MUST not create route leaks;
• MUST Support anti-spoofing policies;
• MUST Configure Ingress/Egress filters;
• MUST Pay fee to RIR – that’s all!

5. BGP Anomalies
BGP Hijacks
Illegitimate advertisement of foreign address space.
BGP Route Leaks
Illegitimate announce of a route received from peer
or upstream to another peer or upstream.

6. Google
It will never happen again!

7. BGP in the Headlines

8. 12th December
AS39523 (DV-LINK-AS)
https://radar.qrator.net/blog/born-to-hijack
May I have your traffic?

9. 30th December:
Idea Cellular Limited (AS55644)
https://radar.qrator.net/blog/indian-route-leak-or-there-and-back-again

10. 17th January
AS8901 (Moscow City Government)
https://radar.qrator.net/blog/moscow-traffic-jam

11. BGP Exams?

12. BGP Ingress Filtering: AS-SETs
from AS197068 action accept AS-QRATOR
200449, 197068, …….
178.248.232.0/21, 185.65.148.0/22,
45.116.91.0/24, 89.218.31.0/24 …
AS-SET to ASNs
ASNs to route objects
IRR filters doesn’t perform origin validation!

13. AS-SETs & AS Cone
In ‘Ideal World’ AS-SETs = AS Cone

14. AS-SETs & AS Cone
In ‘Ideal World’ AS-SETs = AS Cone
Not in AS-SET?
Drop it!

15. AS-SETs & AS Cone
In an ‘Ideal World’ AS-SETs = AS Cone
But even then it has limitations.

16. What Do We Know?
• IRR filters doesn’t perform origin validation;
• AS-SET objects are not authorized (even in RIPE);
• Poorly maintained AS-SETs become less affective;
• There are ISPs does not use any IRR filters.

17. Investigation
How many filters have been already violated?

18. Methodology
• Route Object Aggregator (RIPE, APNIC, ARIN,
AFRINIC, RADB… 27 sources);
• Analyze only globally visible prefixes;

19. Route Objects
Valid Invalid No object Valid Invalid No object
IPv6IPv4

20. Invalid & Unknown Objects
Reasons:
1. Route-sets;
2. LOAs;
3. Upstream announcing customer routes;
4. AS_PATH poisoning (thank you, Akamai);
5. Broken/absent filters;

21. Methodology v.2
• Route Object Aggregator (RIPE, APNIC, ARIN,
AFRINIC, RADB… 27 sources);
• Analyze prefixes with unique asn in route objects;
• Detect c2p links through which route leaks were
propagated;
• Check that origin doesn’t belong to customer cone.

22. Results
IPv4
At least 7% of ISPs have
problems with filters
IPv6
At least 1% of ISPs have
problems with filters

23. Results: Explained
0%
20%
40%
60%
80%
100%
120%
Top10 Top100 Top200 Top300 Top400
Percent of Violated Filters by ISP size
IPv4 IPv6

24. Accepts Leaks originated by Tier1
4809 4837 6695 6939 7363
7552 7713 7843 8732 9583
12389 12586 13536 20485 20562
22356 22773 31025 35104 40805
48276 50384 53211
Russia
IPv4
6939 16735 23106 49697 199524
IPv6

25. Accepts Leaks originated by Tier1
4809 4837 6695 6939 7363
7552 7713 7843 8732 9583
12389 12586 13536 20485 20562
22356 22773 31025 35104 40805
48276 50384 53211
China
IPv4
6939 16735 23106 49697 199524
IPv6

26. Accepts Leaks originated by Tier1
4809 4837 6695 6939 7363
7552 7713 7843 8732 9583
12389 12586 13536 20485 20562
22356 22773 31025 35104 40805
48276 50384 53211
Opentransit and DE-CIX
IPv4
6939 16735 23106 49697 199524
IPv6

27. Accepts Leaks originated by Tier1
4809 4837 6695 6939 7363
7552 7713 7843 8732 9583
12389 12586 13536 20485 20562
22356 22773 31025 35104 40805
48276 50384 53211
Hurricane Electric!
IPv4
6939 16735 23106 49697 199524
IPv6

28. Key Findings: AS-SETs
AS-SET Can be Used to:
• Filter some hijacks;
• Filter some route leaks.
In reality:
• Many AS-SETs are poorly maintained;
• No filters at some huge Tier-2 networks;
• Even some Tier1 networks fail to configure filters.

29. Holes in Filters = Security Holes
DoS
Increased Latency
MiTM attacks

30. MiTM Attack
Connecting, port 80Connecting, port 80

31. MiTM Attack
Connecting, port 80
HTTP 302
Connecting, port 443
HTTP 200
Connecting, port 80
Encrypted

32. MiTM Attack
Connecting, port 80
HTTP 302
Connecting, port 443
HTTP 200
Connecting, port 80
HTTP 200
EncryptedNot encrypted
And suddenly credentials are gone…

34. What Can Transit Do?
• IRR filters at your customer links, no exceptions!
• Work with customers, that corrupt AS-SETs;
• Consider using IRR filters with your private peers;
• Ad-hoc filtering (NTT Peering Lock);
• Perform constant BGP monitoring.

35. What Can IX Do?
• IRR filters at all links, no exceptions!
• Work with customers, that corrupt AS-SETs.
• Remove legacy filters (LOA, route-sets);
• Consider using RPKI-cache inside at RS;

36. What Can Multihomed Do?
• Keep Route Objects up to date;
• Keep AS-SETs up to date;
• Create ROA records;
• Perform constant BGP monitoring.