BGP hijacks and leaks

BGP hijacks and leaks
malicious or consensual
Net::IP Meetup #12
Wrocław 2019.04.25
Paweł Małachowski
@pawmal80

whoami
• Currently:
redGuardian DDoS mitigation tech lead (Atende Software sp. z o.o.)
• Previously:
system engineer, IT operations lead, analyst, architect, project manager
etc. (ATM SA, Netia SA)
Net::IP, Wrocław 2019.04.25 2

PROBLEM

Problem
• 2004.12: TT Net full table leak, massive outages
• 2008.02: Youtube rerouted to Pakistan Telecom via PCCW Global
• 2014: INEA SA + LG case (PL)
• 2017.04: financial institutions/credit card processors partially rerouted to PJSC
Rostelekom
• 2017.12: high profile companies (FAG, Riot Games and others) announced by DV-LINK
via Megafon via HE
• 2018.04: Amazon Route53 routed to malicious DNS server in eNET
• 2018.06: Telegram messenger partially routed to Iran Telecomunication Company
• 2018.07: Bitcanal „hijack factory” case
• 2018.11: Google traffic routed to MainOne via China Telecom via Trans Telecom
• … many more

Real life BGP routing decision factors
1. more specific preferred (originator decides)
2. higher local preference (layer 8 decides)
3. shorter AS_PATH (prepending)

BGP user types (simplified)
• multihomed network
• CDN (anycasting etc.)
• Eyeballs
• IP Transit: Tier 1, Tier n (paid vs. free peerings)
• IXP

BGP threats
• Prefix hijacking
• Route leaks (unintentional transit)
• AS path manipulation (e.g. shortening)

Reasons
• fat fingers, BGP optimizers and bad defaults
• prefix-lists and as-path filters not widely used
• blind chain of trust
• Internet barely works?

Howto
• Add victim AS to your official AS-SET in IRR
• Wait for upstream nightly filter updates
• Announce victim’s IP address space
• Profit!

Howto, cont.
ExaBGP
route victim/24 next-hop self as-path [ foo ] community [ a:b ];
BIRD
bgp_path.empty;
bgp_path.prepend(foo);

Howto, cont.
„LINX has this peer configured as announcing the AS-SET
AS-TTK. This set contains 984 entries of which 470+ are
themselves AS-SETs. Many of these AS-SETs will
themselves contain AS-SETs, and this patern repeats as
you continue the AS-SET expansion.
Ultimately, this large AS-SET expands to allow 886,051
prefixes from 16,608 origin ASNs.” (2018.11)

Malicious, mistake or consensual?
• origin AS
• AS_PATH
• IRR validity (route object, ROA, etc.)
• mask length (more specific)
• end hosts reachability

BGP-based DDoS scrubbing center
• Hijacks customer IP address space
– global annoucement (BGP withdrawal issues)
– local/selective announcements
• Legal agreement, IRR and ROA valid
• Looks like on-demand optional IP transit

DETECTION

Detection
• Looking glasses/route views
• BGPmon (OpenDNS), BGPstream
• Radar (Qrator Labs)
• Resource Certification alerts (RIPE)
• Routing Information Service Live stream (RIPE)
• Routing History + BGP Play (RIPE)

Looking glass example

BGPmon example

Radar example

RIS Live stream

RIPEstats routing history

PREVENTION

Prevention
• prefix deaggregation
• RPKI Route Announcement Validation
• BGPsec
• ASPA
• legal?

Prefix deaggregation
• split large subnet into multiple /24 prefixes
• limits hijacking ability (/25 are widely not accepted)
• not a final solution (RIB pollution)

RPKI ROA
• declare (origin AS, subnet, prefix range) tuples
example: (AS x, 10.0.0.0/8, /8../16)
• operators validate before accepting
• lacks AS-PATH validation, origin AS easy to forge

RPKI (slow) adoption
But:
„The AT&T/as7018 network is now dropping all RPKI-
invalid route announcements that we receive from our
peers.”
source: https://mailman.nanog.org/pipermail/nanog/2019-February/099501.html

NIST RPKI monitor

IRR online tools
BGP he.net
IRR Explorer

BGPsec
• BGP routers
– sign BGP updates: previous AS, next AS
– verify updates received
• IXP hack (no AS in AS-PATH)
• dead end (computation cost)

ASPA
• Autonomous System Provider Authorization
– declare your official peers
– operators validate AS_PATHs received
• currently RFC draft

TOOLBOX

Looking glasses (some of)
• CenturyLink: https://lookingglass.centurylink.com/
• Cogent: http://www.cogentco.com/en/network/looking-glass
• GTT: http://www.as3257.net/lg/ (mtr only)
• HE: https://lg.he.net/
• Liberty Global (UPC): sorry!
• KPN: https://lg2.eurorings.net/
• NTT: https://www.us.ntt.net/support/looking-glass/
• Open Transit (Orange): https://looking-glass.opentransit.net/
• RETN: http://lg.retn.net/
• TATA: http://lg.beta.as6453.net/
• Telia: https://lg.telia.net/

Looking glasses (some of), cont.
• NLNOG (aggregator): http://lg.ring.nlnog.net/
• AMS-IX: sorry! (password)
• DE-CIX: https://lg.de-cix.net/
• LINX: https://lg.linx.net/
• GEANT: https://tools.geant.net/portal/links/lg/

Important looking glasses (Poland)
• ATMAN + THINX: http://lg.atman.pl/
• Exatel: http://lg.exatel.pl/
• NASK (KOM+EDU): http://lg.nask.pl/
• Netia: http://lg.netia.pl/
• PLIX: http://lg.plix.pl/
• Orange + TPIX: http://lg.tpnet.pl/, http://lg.tpix.pl/
• Pionier (EDU), Vectra, etc.: sorry!

Other tools
• https://bgpmon.net/, https://bgpstream.com/,
https://twitter.com/bgpmon, https://twitter.com/bgpstream
• https://radar.qrator.net/
• https://bgp.he.net/
• http://www.routeviews.org/
• http://irrexplorer.nlnog.net/
• https://ris-live.ripe.net/
• https://stat.ripe.net/widget/routing-history
• https://rpki-monitor.antd.nist.gov/

SOURCES

Sources
• https://en.wikipedia.org/wiki/BGP_hijacking
• https://blog.donatas.net/blog/2019/02/19/ebgp-requires-policy/
• http://www.securerouting.net/
• https://www.ripe.net/participate/policies/proposals/2019-03
• https://www.arin.net/participate/policy/proposals/2019/ARIN_prop_266_v2/
• „PLNOG22 - Zmierzch tranzytu, sieci tier-1, czyli jak działa internet”:
https://www.youtube.com/watch?v=yfmEODv3m4k

Sources, cont.
• https://dyn.com/blog/internetwide-nearcatastrophela/
• https://zaufanatrzeciastrona.pl/post/polski-operator-inea-wykorzystany-w-zaawansowanym-ataku-
na-obce-sieci/
• https://krebsonsecurity.com/2016/09/ddos-mitigation-firm-has-history-of-hijacks/
• https://bgpmon.net/popular-destinations-rerouted-to-russia/
• https://bgpmon.net/bgpstream-and-the-curious-case-of-as12389/
• https://radar.qrator.net/blog/born-to-hijack (DV-LINK case)
• https://www.theregister.co.uk/2018/04/24/myetherwallet_dns_hijack/
• https://dyn.com/blog/shutting-down-the-bgp-hijack-factory/
• https://www.theregister.co.uk/2018/11/13/google_russia_routing/
• https://medium.com/@qratorlabs/bad-news-everyone-new-hijack-attack-in-the-wild-
428ea761da89
• https://blog.thousandeyes.com/amazon-route-53-dns-and-bgp-hijack/

Sources, cont.
• https://rpki.readthedocs.io/en/latest/index.html
• https://bgpmon.net/securing-bgp-routing-with-rpki-and-roas/
• https://blog.cloudflare.com/rpki-details/
• https://www.ripe.net/manage-ips-and-asns/resource-management/certification/resource-
certification-roa-management
• https://medium.com/@qratorlabs/eliminating-opportunities-for-traffic-hijacking-
153a39395778,
https://ripe77.ripe.net/presentations/118-ripe77.azimov_v2.pdf
• https://www.de-cix.net/Files/11a60fcb156e443c98010211f498f5ae4439dab0/Matthias-
Waehlisch---BGPSec---AS-path-validation.pdf
• https://rule11.tech/bgpsec-and-reality/

LIVE DEMO

Live demo
Let’s hijack 3rd party prefix!
• Victim: AS v, foo/20 (foo/24 to be hijacked)
• Hijacker: AS h
Preparation:
• Hijacker places AS v in his AS-SET (earlier)
• Open RIS Live session with „foo/24” filter

Live demo, cont.
1. Hijacker announces „foo/24 origin AS h”
2. Local verification:
BIRD show route foo/24 export upstream
1. Remote verification:
NLNOG Looking Glass: foo/24 partially visible
RIPE RIS Live: BGP hijacking updates received
Disclaimer: AS v is our friendly customer.

Thank you!
https://netip.me
https://twitter.com/pawmal80
https://www.slideshare.net/atendesoftware/presentations

BGP hijacks and leaks

Recommended

Recommended

More Related Content

Similar to BGP hijacks and leaks

Similar to BGP hijacks and leaks (20)

More from Redge Technologies

More from Redge Technologies (12)

Recently uploaded

Recently uploaded (20)

BGP hijacks and leaks