The document summarizes information about detecting BGP hijacks in 2014. It provides background on BGP, how prefixes are announced and removed, and examples of prefix hijacks. It describes how a hijacker redirected cryptocurrency miners to earn an estimated $83,000 from February to May 2014. It also outlines active and passive countermeasures networks can take to detect and mitigate against BGP hijacks.
This presentation covers routing security at the Internet Scale in detail with a focus on IRR. It talks about how IRRs work, the challenges in IRR based filtering as well as some of the tools which can be used. It also touches RPKI as well as developments IRR-RPKI integration in the next version of IRR daemon.
PLNOG 9: Piotr Wojciechowski - Multicast Security (PROIDEA)
The document discusses several approaches for securing multicast networks and traffic. It begins by outlining main security issues like unauthorized access, modification of traffic, and denial of service attacks. It then describes techniques for securing the edge of the multicast network, including filtering PIM messages, preventing RP mapping, using multicast boundaries, and passive interfaces. Additional methods covered include filtering multicast groups, using access control lists (ACLs) on trusted senders and receivers, and securing the rendezvous point (RP).
IP addresses are assigned to devices to identify them on a network. Regional Internet Registries (RIRs) manage and allocate IP addresses and resources regionally. There are currently five RIRs that oversee different global regions. IP addresses are represented as 32-bit numbers that are broken into network and host portions through the use of subnet masks. Subnetting and Variable Length Subnet Masking (VLSM) allow networks to be divided into smaller subnets in an efficient manner. Route summarization helps reduce routing table sizes.
This document discusses using 31-bit prefixes on IPv4 point-to-point links to more efficiently use limited IPv4 address space. It describes how 31-bit prefixes allow creating two point-to-point links using the same IPv4 resource that would traditionally support only one link. The document summarizes configuration of 31-bit prefixes on various router platforms like Cisco, Juniper, MikroTik, and challenges with platforms that do not natively support the RFC specification for 31-bit prefixes. It provides workarounds used to implement 31-bit prefixes on older equipment through configuration improvements and adjustments.
Configuration of Residential Network using Enhanced Interior Gateway Routing ... (ijtsrd)
A residential area is one in which housing predominates, as opposed to industrial and commercial areas. These include single-family housing, multi-family residential, or mobile homes. Enhanced Interior Gateway Routing Protocol (EIGRP) is a network protocol that lets routers exchange information more efficiently than other protocols. EIGRP is an advanced distance vector routing protocol used on a computer network for automating routing decisions and configuration. EIGRP is used to share routes on a router with other routers within the same autonomous system. Unlike other routing protocols, such as RIP, EIGRP only sends incremental updates, reducing the workload on the router and the amount of data that needs to be transmitted. EIGRP evolved from Interior Gateway Routing Protocol (IGRP), and routers using EIGRP and IGRP can interoperate for selecting a route with one protocol. Using EIGRP, a router keeps a copy of its neighbors' routing tables. If it can't find a route to a destination in one of these tables, it queries its neighbors for a route, and they query their neighbors until a route is found. When a routing table entry changes in one of the routers, it notifies its neighbors of the change only.
Khin Aye Thu | Soe Soe Mon | Thida Soe "Configuration of Residential Network using Enhanced Interior Gateway Routing Protocol" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-5, August 2019, URL: https://www.ijtsrd.com/papers/ijtsrd26581.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-network/26581/configuration-of-residential-network-using-enhanced-interior-gateway-routing-protocol/khin-aye-thu
This document discusses several VPN technologies including:
1. Naked DMVPN which allows direct spoke-to-spoke tunnels without traversing the hub to lower costs and increase bandwidth.
2. Protected DMVPN which adds IPsec encryption to DMVPN tunnels for added security using ISAKMP/IKE and crypto profiles.
3. IKE call admission control, along with the IKEv1 and IKEv2 protocols used to set up IPsec security associations and their differences, such as improved NAT traversal and liveness detection in IKEv2.
The document provides information about network configuration and security best practices:
1. HTTPS should be used to transfer credit card information on a company website to encrypt the transmission.
2. A branch office router connecting to headquarters should be configured with encapsulation PPP and IP address 192.168.5.21 to establish the serial connection.
3. The service password-encryption and enable secret commands ensure passwords are encrypted in the router configuration.
This document is a user manual for the Buffalo Technologies WLI-TX4-G54HP High Power Wireless Ethernet Converter. It describes how to install and configure the device through either AOSS setup or manual configuration methods. AOSS allows for wireless setup with compatible routers, while manual configuration can be done through the Ethernet Converter Manager software for Windows PCs, or via the web-based configuration interface using any computer on the network. Detailed instructions are provided for both AOSS and manual setup procedures.
Multicast IP addresses range from 224.0.0.0 to 239.255.255.255. The document discusses well-known multicast addresses, calculating multicast MAC addresses from IP addresses, and protocols for managing multicast traffic distribution including IGMP, CGMP, IGMP snooping, and RGMP. IGMP is used by hosts to join and leave multicast groups and by routers to manage multicast traffic forwarding. Version 2 is the default and includes features like group-specific queries and shorter leave latency. CGMP and IGMP snooping allow switches to optimize multicast forwarding.
This document provides an introduction to GPON OMCI V2 voice configuration for SIP and H.248 services. It describes the necessary OMCI management entities (MEs) and configuration steps for the OLT and ONT, including configuring IP hosts, VLANs, QoS profiles, SIP profiles, POTS ports and XML provisioning files. The key steps are 1) configuring the OLT and ONT interfaces, 2) creating service profiles for SIP, H.248 and POTS, and 3) associating these profiles in the proper order for basic call functionality.
The document provides instructions for configuring basic parameters on a Cisco router, including:
- Viewing the default configuration to see initial settings
- Gathering information like IP addresses and authentication details needed for customization
- Configuring global parameters such as the hostname, encrypted passwords, and domain lookup
- Configuring interfaces including Fast Ethernet LAN, WAN, ATM WAN, wireless, and a loopback
- Setting command-line access parameters for the console and virtual terminals
The purpose is to outline the basic steps for customizing the router configuration based on a network design and collected information. Interface configurations and a sample loopback configuration are provided as examples.
The document discusses IPv6 addressing and transitioning from IPv4 to IPv6. It describes the need for a larger address space than IPv4 due to the growing number of internet-connected devices. It then covers various IPv6 features and address types including global unicast addresses, link-local addresses, and address assignment methods like stateless autoconfiguration and DHCPv6. The document also discusses IPv6 routing protocols and transition technologies like dual stack and tunneling to help networks migrate from IPv4 to IPv6.
This document discusses services running on Cisco IOS routers that could create vulnerabilities if not secured properly. It lists services that are enabled by default like BOOTP server, CDP, and HTTP that should be disabled if not in use. It also discusses best practices like disabling unused interfaces and configuring connection timeouts. The document provides commands to disable vulnerable services and secure the router configuration.
This document discusses the configuration and operation of single-area OSPF routing. It begins with an overview of OSPF components and operations, including neighbor discovery using Hello packets, link-state advertisement flooding, and SPF calculations. It then covers practical configuration topics like setting interface costs and passive interfaces. OSPFv3 operation and configuration is also summarized at a high level.
The document provides an overview of implementing the Cisco Adaptive Security Appliance (ASA), including comparing ASA solutions to other routing firewall technologies, explaining ASA operation and models for various use cases. It outlines objectives for configuring basic ASA firewall services like access lists, network address translation, and authentication. The document also covers advanced ASA policies using the modular policy framework.
Community tools to fight against DDoS, SANOG 27 (APNIC)
Community tools can help fight DDoS attacks in three ways:
1. Bogon filtering blocks traffic from bogon address space not assigned to any network. Networks share bogon lists and filter incoming routes.
2. Flow Sonar provides visual network traffic analysis to detect anomalies indicating attacks. It incorporates DDoS alert feeds to identify compromised sources.
3. UTRS implements remote triggered blackhole filtering to divert suspected attack traffic to a null route. Cooperating networks distribute and apply attack filters to mitigate large infrastructure attacks.
Where are we with Securing the Routing System? (APNIC)
The document discusses security issues with the global routing system and Border Gateway Protocol (BGP). It notes that routing is built on trust but there are no effective defenses against abuse. The base problem is that while routing attacks could have massive effects, no entity has enough incentive to thoroughly audit routing integrity. Possible solutions proposed include securing routers against compromise, securing BGP sessions, and developing ways to verify the legitimacy of routing updates. However, fully solving routing security challenges may be extremely difficult.
The document describes the configuration of a Cisco 7200 router. It connects to a Dynamips VM and boots up IOS. It then configures loopback, FastEthernet and static routes. It pings addresses to verify connectivity and traces routes to test routing.
Updated about Cisco ISR G2 SEC and HSEC licensing FAQ (IT Tech)
The document discusses Cisco licensing for encryption on ISR G2 routers. The SEC-K9 license enables standard encryption and has throughput limits according to US export restrictions. The HSEC-K9 license removes these restrictions and allows more tunnels and throughput. It is only available on certain ISR G2 models. The document also provides answers to common questions about the licenses and their usage.
How to Configure NetFlow v5 & v9 on Cisco Routers (SolarWinds)
This document provides instructions for configuring NetFlow versions 5 and 9 on Cisco routers to monitor network traffic. It explains that NetFlow collects IP traffic data, what versions 5 and 9 are, and how to configure each version on a router by specifying the collector server, export port, and interfaces. It also describes how to verify the NetFlow export and how tools like SolarWinds NetFlow Traffic Analyzer analyze exported data to provide network usage insights.
The document discusses security issues with IPv6 and proposed mitigation techniques. It covers topics such as router advertisements, neighbor discovery protocol, and fragmentation. Specifically, it notes that router advertisements and neighbor solicitations are not authenticated by default, allowing for spoofing attacks. The document proposes several mitigation approaches including cryptographically generated addresses, router authorization, port access control lists, and host isolation to secure IPv6 networks.
The document provides an overview of IPv6 security and recommendations for strengthening IPv6 network security. It highlights IPv6 threats and attack tools, discusses concepts like IPv6 addressing and protocols. It also provides guidance on creating an IPv6 security policy, including network perimeter policies, LAN policies, host hardening, transition mechanisms policy, and using IPSec to secure communications. The overall aim is to create awareness of IPv6 security implications and best practices for mitigating risks.
This document discusses intrusion prevention systems (IPS) and their implementation. It explains the differences between intrusion detection systems (IDS) and IPS, with IDS working passively to detect threats while IPS works inline to detect and stop threats. The document covers IPS deployment considerations, sensor types, signature characteristics that IPS uses to detect threats, and how to configure and monitor IPS using Cisco devices. The overall goal is to help readers understand how to implement IPS technologies to monitor, detect, and prevent network attacks.
How to prevent ssh-tunneling using Palo Alto Networks NGFW (Yudi Arijanto)
SSH tunneling is just like a secure VPN, in which you can tunnel your application traffic through the SSH protocol. From a network security point of view, a firewall admin can only see SSH tunneling running on port 22 in a traditional firewall (port-based control). Using an NGFW, we can decrypt the SSH protocol, and once SSH tunneling is detected, we can block it right away.
All MikroTik newsletters in one place:
NEWSLETTER, ISSUE #67 - SEPTEMBER 2015
NEWSLETTER, ISSUE #66 - JULY 2015
NEWSLETTER, ISSUE #64 - FEBRUARY 2015
NEWSLETTER, ISSUE #63 - JANUARY 2015
NEWSLETTER, ISSUE #62 - OCTOBER 2014
NEWSLETTER, ISSUE #61 - AUGUST 2014
NEWSLETTER, ISSUE #60 - JULY 2014
This document summarizes a three-part challenge involving cracking a MIPS binary, exploiting a Python/XXE vulnerability in a web application, and decrypting messages from a SecureDrop-like system. The MIPS binary is cracked by inverting its password checking algorithm. The web app is exploited via XXE to retrieve files containing an admin URL and view state details. Python code is modified at runtime to decrypt an AES key and access a "secret.key" file. This key reveals a tarball containing a SecureDrop implementation. A buffer overflow in SecDrop's service is used to run shellcode. Timing attacks via the CPU cache are then used to retrieve the private RSA key and decrypt messages stored by the SecureDrop-
This document discusses practical attacks against HomePlugAV powerline communication devices. It begins with an introduction to PLC technology and the OSI layers used. Previous work analyzing PLC security is summarized, including publications and tools. The document then analyzes the PLC network, describing how the ethernet interface can be used to retrieve device and network information. Basic attacks are discussed, such as intercepting the network passphrase or bruteforcing the network membership key. The document proposes studying default administrator passwords by analyzing devices sold on online marketplaces, to enable a "smart" bruteforce attack against the direct access key.
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch Protections (NoSuchCon)
This document discusses defeating Windows 8.1's Kernel Patch Protection. It begins with introductions and definitions. It then explains how Patchguard and driver signing enforcement work in Windows 8.1, providing more protection than previous versions. The implementation of Kernel Patch Protection is described, including how it initializes, verifies the kernel, and crashes the system if modifications are detected. Previous methods of attacking Patchguard are reviewed, noting they have all been defeated in the latest version. The document aims to provide information to understand and potentially find new ways of attacking Patchguard.
This document discusses cryptographic backdoors. It begins by explaining why research on backdoors is important, both to detect them and to understand how to implement them properly if required. It then provides an overview of different types of backdoors, such as weakened algorithms, covert channels, and key escrow. Specific sabotage tactics are described, like manipulating constants or elliptic curve parameters. Implementation issues are also covered, like introducing bugs or omitting validation checks. The document concludes by outlining characteristics of a "perfect backdoor" that would be undetectable.
The document provides statistics from a Capture the Flag (CTF) cybersecurity competition that tested skills in reversing, exploit writing, and cryptography. Over 850 participants completed the first level, while 159 reversed engineering challenges, 22 evaded detection in level 2, and 5 completed the hardest level 3. The event also saw security scans and many blocked reverse connects and failed payload attempts, showing it provided a realistic testing environment.
NSC #2 - D2 05 - Andrea Barisani - Forging the USB Armory - NoSuchCon
The document describes the USB armory, an open source flash drive-sized computer designed for personal security applications. It has an ARM Cortex-A8 CPU, 512MB RAM, runs Linux, and can emulate devices over USB. Its goals are to be compact, powered by USB, have secure boot and storage, and be customizable. The timeline shows development from a concept in 2014 to shipping units in late 2014. It aims to provide an open platform for applications like encryption, VPNs, password management, and penetration testing.
NSC #2 - D1 02 - Georgi Geshev - Your Q is my Q - NoSuchCon
This document discusses message queue security and contains the following information:
- It describes common message queue concepts like asynchronous message exchange, publish/subscribe, and message queue protocols.
- It outlines the typical attack surface for message queues including common misconfigurations, vulnerabilities in XML processing and LDAP authentication.
- It provides examples of attack scenarios from the perspective of an anonymous attacker, authenticated client, or compromised broker.
- Methods for hardening message queue security are proposed such as restricting protocols, removing default accounts, and disabling unnecessary management interfaces.
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core - NoSuchCon
This document discusses kernel exploitation techniques. It begins by explaining the KernelIo technique for reading and writing kernel memory on Windows and Linux despite protections like SMAP and SMEP. It then discusses several vulnerability cases that can enable KernelIo like out of bounds writes, kmalloc overflows, and abusing KASLR. Next, it analyzes design flaws in kernels like linked lists, hidden pointers, and callback mechanisms. It evaluates the state of exploitation on modern systems and envisions future hardened operating system designs. It advocates moving to C++ for exploitation development rather than shellcoding and introduces a C++ exploitation framework. The document was presented by Peter Hlavaty of the Keen Team and encourages recruitment for vulnerability research.
NSC #2 - D2 06 - Richard Johnson - SAGEly Advice - NoSuchCon
The document discusses automated testing techniques for software, including fuzzing and concolic testing. Fuzzing involves generating random inputs to exercise a program, while concolic testing uses symbolic execution to track data flows and observe how program logic is influenced by inputs. Concolic testing can generate inputs that cover more program states but requires instrumenting the code to analyze execution.
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz - NoSuchCon
Benjamin Delpy is a security researcher known for creating the tool mimikatz. Mimikatz can extract plaintext credentials and keys from memory. Kerberos authentication relies on encrypting tickets with various keys, including NTLM hashes and AES keys derived from the password. Mimikatz can perform pass-the-hash and over-pass-the-hash attacks by extracting these keys from memory and using them to authenticate.
This document discusses new process protection mechanisms introduced in Windows 8.1 that extend the protected process model to key non-DRM system processes. It protects processes like LSA even from Administrators, and mitigates pass-the-hash attacks. Digital signatures and code signing add another boundary of protection beyond just load/don't load. Processes can now be designated as protected or protected light, assigned a protected signer like Windows or Antimalware, and have increased restrictions on access.
NSC #2 - D3 01 - Thomas Braden - Exploitation of hardened MSP430-based device - NoSuchCon
The document discusses reverse engineering the firmware of a real estate lockbox device. Key points include:
- The lockbox uses an MSP430 microcontroller protected by a JTAG fuse and BSL interface
- Traditional BSL attacks like timing and voltage glitching failed due to inconsistencies
- A "Paparazzi" attack was successful, bypassing the JTAG fuse using a camera flash to induce a photoelectric effect
- Firmware analysis revealed conventions like register usage and a "sparse index" switch statement technique
NSC #2 - D1 01 - Rolf Rolles - Program synthesis in reverse engineering - NoSuchCon
The document discusses program synthesis in reverse engineering. It describes using program synthesis techniques to automatically generate CPU emulators by synthesizing descriptions of instruction behaviors from input-output examples of executing the instructions. The key steps involve generating hypotheses about instruction behaviors from templates, sampling instruction behaviors, filtering hypotheses that do not match the samples, and checking equivalence of remaining hypotheses. The goal is to produce a single accurate description of each instruction's behavior.
NSC #2 - D2 03 - Nicolas Collignon - Google Apps Engine Security - NoSuchCon
The document discusses attacking Google App Engine (GAE) applications and infrastructure. It describes how vulnerabilities in app implementations, APIs, and developer mistakes can be exploited. It also analyzes how the GAE Python sandbox can be evaded to enable arbitrary code execution on Google servers despite protections. The conclusion is that while Google security is robust with layered defenses, focused attacks have potential to compromise apps and other services due to developer errors.
NSC #2 - D2 04 - Ezequiel Gutesman - Blended Web and Database Attacks - NoSuchCon
The document discusses blended web and database attacks on in-memory platforms like SAP HANA, outlining potential threat vectors such as SQL injection, cross-site scripting, integration with R server, and post-exploitation using C/C++. It notes that SAP HANA uses a blended web and database architecture, with code and data stored directly in the database, and that vulnerabilities could allow an attacker to access sensitive business and customer data, disrupt operations, or enable fraud. The presentation covers the architecture of SAP HANA, programming languages used, and how attacks may have a greater impact or different execution compared to traditional web application scenarios.
This document provides an overview and outline of a talk on quantum computing in practice and applications to cryptography. The talk will introduce quantum physics basics, discuss the state of quantum computing and cryptography, explain how to build quantum circuits, and provide tools and access for practicing quantum computing. It will cover fundamental quantum algorithms, attacks against cryptography, simulations and tools for quantum computing, and the future of post-quantum cryptography.
This document provides an overview of BGP (Border Gateway Protocol) basics and configuration for internet service providers. It discusses BGP attributes, path selection, and applying routing policies. The key points covered include the purpose of BGP in exchanging routing information between autonomous systems, BGP neighbor configuration for internal and external peers, and using attributes like AS path, local preference, communities to influence best path selection.
The document provides an overview of the Border Gateway Protocol (BGP). It discusses BGP basics including terminology, protocol operation, message types, and configuration. Specific topics covered include autonomous systems, interior and exterior routing protocols, BGP peer relationships, route attributes, and network reachability information exchange.
The document provides an overview of multihoming and BGP routing. It discusses how multihoming works without BGP by default routing traffic out multiple connections, but requiring the ISPs to advertise routes to bring traffic back in. It then explains how BGP allows networks to advertise specific routes and policies to control traffic flow when multihomed. The document outlines basic BGP concepts like autonomous systems, route attributes, and how routes and policies are exchanged between networks using BGP.
The document provides information about Border Gateway Protocol (BGP). It discusses BGP basics including terminology, protocol operation, message types, and configuration of BGP peers. Specific topics covered include BGP neighbor and peer relationships, route attributes, and route advertisement between autonomous systems.
Interautonomous System MPLS VPN Advanced Concepts - Brozaa
The document discusses routing and traffic engineering techniques for inter-autonomous system MPLS VPNs. It describes using route reflectors to exchange routes between sub-autonomous systems and using next-hop-self to modify next-hop attributes. It also covers scaling inter-AS routing with techniques like automatic route filtering and inbound route filtering. Additional topics include downstream route target allocation for filtering, load balancing traffic across multiple inter-AS links, and using redundant PE-ASBR routers.
Cloud Traffic Engineer – Google Espresso Project by Shaowen Ma - MyNOG
The document discusses using an SDN controller and BGP EPE to enable inter-domain traffic engineering. The solution uses the controller to calculate optimal paths, push MPLS labels to ingress routers, and dynamically steer traffic to peering links. This allows automatic optimization for congestion and latency while simplifying ASBRs to only label switching with no IP lookup or policies. Telemetry from the network is also used for analytics and machine learning to enable predictive and adaptive traffic engineering across domains.
This document discusses routing security and the Mutually Agreed Norms for Routing Security (MANRS) initiative. It begins with an overview of routing security issues like route hijacking and leaks that occur due to limitations in the Border Gateway Protocol (BGP). It then describes the four key actions of MANRS - filtering, anti-spoofing, coordination, and global validation - to address these problems. The rest of the document provides examples and explanations of how network operators can implement these MANRS actions to improve routing security.
The document discusses different peering options and requirements for setting up peering between internet service providers (ISPs). It describes the steps to set up bi-lateral peering between two ISPs as an example. The main peering options covered are: 1) Mandatory multi-lateral peering using a route server, 2) Bi-lateral peering agreements resulting in a partial or full mesh, and 3) A hybrid model combining multi-lateral and bi-lateral peering. The advantages and disadvantages of each option are provided.
This document provides an overview of MANRS (Mutually Agreed Norms for Routing Security) for network operators in Bangladesh. It discusses key routing security issues like prefix hijacking and route leaks. It describes the four MANRS actions for network operators: filtering, anti-spoofing, coordination, and global validation. Filtering involves setting policies to accept only valid routing announcements. Anti-spoofing uses techniques like uRPF to prevent spoofed source IP addresses. Coordination means maintaining up-to-date contact details in databases. Global validation facilitates routing validation through tools like the IRR and RPKI. The document explains how these actions improve routing security and reliability. It also outlines MANRS' goals and
The document discusses inter-domain routing and the Border Gateway Protocol (BGP). BGP allows different autonomous systems (AS) that operate independently to exchange routing and reachability information. Each AS abstracts its internal network as a single node and exchanges prefix reachability information with neighboring ASes. BGP selects the best path for each prefix based on attributes like AS path length and relationships between ASes.
The document discusses different approaches to merging multiple autonomous systems (ASNs) operated by an Internet service provider (ISP) into a single network. It evaluates using BGP with neighbor roles, BGP confederations, and migration techniques. The preferred approach uses BGP with roles and confederations to synchronize policies, implement "hot potato" routing, prevent route leaks, and merge the ASNs without increasing path lengths. The summary outlines key steps for the migration process and benefits of this approach over alternatives.
Dynamic Routing Protocols, Breeding and Care - BGP - Maximilian Wilhelm
You want to connect your large internal network, an autonomous system, to the Internet, build an IP fabric, or offer internal services via anycast inside your network. The Border Gateway Protocol was developed for exactly these tasks and is excellently suited to them.
This talk explains how BGP works in external and internal deployments, gives an overview of its control mechanisms and tuning knobs, and shows practical use with the Bird Internet Routing Daemon.
BGP is a popular routing protocol used in the Data Center (DC). But as the protocol that powers the Internet, it also comes armed with a lot of sophistication that scares many who think a CCIE or CCNA is required to even understand it.
Watch this presentation and learn:
* How BGP fits in the DC with specific use cases
* How to configure and manage BGP traditionally and via new methods
This document proposes a Recurrence Quantification Analysis (RQA) scheme to detect Border Gateway Protocol (BGP) anomalies in real-time. It models BGP speakers as dynamic systems and uses RQA, a nonlinear analysis technique based on phase plane concepts, to measure characteristics of BGP traffic that can identify anomalies. The scheme is evaluated using a BGP controlled testbed and real-world anomaly events. An open-source real-time BGP anomaly detection tool is also presented.
This document provides an overview of multiarea OSPF routing. It discusses how multiarea OSPF implements a two-layer hierarchy with an area 0 backbone and other connected areas. It describes the different types of LSAs exchanged between areas and how routes are summarized. Configuration and verification commands are also presented.
The document provides an introduction and overview of the Border Gateway Protocol version 4 (BGP 4). It discusses key BGP concepts like path vector routing, route aggregation, autonomous system types, classless inter-domain routing, and exterior routes. The document also covers BGP operations, configuration, troubleshooting, and differences between Juniper and Cisco implementations.
The document discusses security issues with the Border Gateway Protocol (BGP) and proposes a method to secure BGP using cyclic shift algorithm and secure hash algorithm-1 (SHA-1) to authenticate BGP peers and establish secure sessions. It analyzes how prefix hijacking can disrupt routing and communication. The proposed approach uses hashing of a dynamically generated key via SHA-1 to authenticate BGP peers during session establishment and secure the exchange of routing updates between trusted peers.
The document discusses BGP (Border Gateway Protocol) and provides an overview of BGP configuration and a lab exercise. It begins with an introduction to BGP and the differences between iBGP and eBGP. Requirements for BGP configuration are outlined along with key commands. Finally, a lab diagram and steps for setting up BGP between two routers are described.
This document discusses IPv6 security. It begins with an overview of IPv6 address types and headers. It then notes that some initial assumptions about IPv6 security being more robust have been disproven in reality. Specifically, IPv6 is now the target of around 20% of malicious attacks. The document outlines several IPv6 security threats such as address spoofing, extension header attacks, neighbor discovery spoofing, and rogue router advertisements. It recommends approaches like ingress filtering, RA guard, and SEND to help detect and mitigate these threats. Tools like NDPMon can monitor for anomalies in neighbor discovery behavior. Overall, network operators must apply similar security practices to IPv6 as with IPv4, including access controls, host hardening, and
Monitoring for Network Security: BGP Hijacks, DDoS Attacks and DNS Poisoning - ThousandEyes
The networks of financial services firms experience a wide range of network threats, from BGP route hijacks to DDoS attacks and DNS cache poisoning. Yet many firms do not have in-depth, real-time monitoring and alerting for these threats. ThousandEyes helps security and network operations teams to gain in-depth DNS, network and BGP visibility of security events as they're happening.
Reviewing real life examples from the financial services industry, we share how to:
Visualize key network services such as BGP and DNS
Create alerts based on security threats
Troubleshoot and take action during situations such as BGP hijacks, DDoS attacks and DNS cache poisoning.
Watch the recorded webinar with live demo here: https://www.thousandeyes.com/resources/network-security-webinar
1. Detecting BGP hijacks in 2014
Guillaume Valadon & Nicolas Vivet
Agence nationale de la sécurité des systèmes d’information
http://www.ssi.gouv.fr/en
NSC - November 21st, 2014
ANSSI - Detecting BGP hijacks in 2014 1/52
2. BGP Hijacking for Cryptocurrency Profit
Reported by Dell SecureWorks on August 7 2014
« From February to May 2014, a hijacker redirected
cryptocurrency miners to his own mining pool, earning an
estimated $83,000. »
Attack Requirements
• no authentication between a miner and its bitcoin pool
• traffic redirection using BGP prefix hijacks
4. What is BGP (Border Gateway Protocol)?
It is the routing protocol used by all Internet operators.
Some BGP facts
• it runs on 179/TCP
• it informs that an operator is in charge of IP prefixes
• there is no guarantee that an operator is not lying
• it interconnects all Internet operators
8. What Do You Need to Use BGP?
• a network
• an AS number that identifies your network
• an IP prefix
• a BGP router
• a BGP interconnection
[Figure: AS42 announcing its prefix 2.0.0.0/16 to the Internet through a transit AS, an ISP providing BGP]
12. Internet Resources Allocation
AS numbers & prefixes are allocated by the Regional Internet Registries:
• Europe
• Asia
• Africa
• North America
• Latin America & Caribbean
In Europe, per year, an ASN costs 50€ and a /22 50€.
14. Access to Internet Resources Allocation
https://stat.ripe.net
15. AS Announces & Removes Prefixes
With BGP, an operator uses:
• UPDATE messages to announce its IP prefixes
• WITHDRAW messages to remove its IP prefixes
[Figure: AS43515, AS4713 and AS3215 announcing the prefixes 208.117.252.0/22, 61.28.192.0/24 and 2.0.0.0/16 to the Internet, then 208.117.252.0/22 being withdrawn]
18. Three Simple BGP Rules
1. messages are forwarded to neighbors, after adding the ASN
2. only the shortest AS path is forwarded
3. packets are sent to the most specific prefix
[Figure: AS1 announces 192.0.2.0/24; AS2 and AS3 forward it towards the Internet with the AS paths "192.0.2.0/24 AS1 AS2" and "192.0.2.0/24 AS1 AS3". AS1 then announces 192.0.0.0/16 through AS4 and 192.0.2.0/24 through AS3, so the Internet sees "192.0.0.0/16 AS4 AS1" and "192.0.2.0/24 AS3 AS1"; a packet for 192.0.2.42 follows the most specific prefix]
28. What is a Prefix Hijack?
BGP rule #2 in action
A hijack is a conflicting BGP announcement.
[Diagram: AS0 originates 192.0.2.0/23 via AS1, so AS2 first learns it with AS path AS1 AS0; AS3 then announces the same 192.0.2.0/23 directly to AS2 with AS path AS3.]
Rule #2 applies: traffic is redirected to AS3 !
31. Active Countermeasure
Use BGP rule #3 !
[Diagram: same topology; AS2 holds 192.0.2.0/23 with AS paths AS1 AS0 and AS3. AS0 then announces 192.0.2.0/24 and 192.0.3.0/24, which reach AS2 with AS path AS1 AS0.]
The origin AS announces more specific prefixes.
Rule #3 applies: traffic is sent to AS0 !
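The three rules, the hijack of slides 28 to 30 and the more-specific countermeasure of slides 31 to 34 can be replayed in a toy model. This is an added example written for this page, not code from ANSSI or from the presentation; ToyAS, link and hijack_scenario are names chosen here, while the AS numbers and prefixes are the ones drawn on the slides.

```python
from ipaddress import ip_address, ip_network


class ToyAS:
    """An AS that applies the three rules of the slides, keeping one best route per prefix."""

    def __init__(self, asn):
        self.asn = asn
        self.neighbors = []
        self.rib = {}  # prefix string -> AS path as a tuple; () means "originated here"

    def receive(self, prefix, path):
        if self.asn in path:  # loop protection: never accept a path that already contains us
            return
        best = self.rib.get(prefix)
        if best is not None and len(best) <= len(path):
            return  # rule 2: a route that is not strictly shorter is ignored
        self.rib[prefix] = path
        for neighbor in self.neighbors:
            neighbor.receive(prefix, (self.asn,) + path)  # rule 1: prepend our ASN

    def originate(self, prefix):
        self.receive(prefix, ())

    def lookup(self, dst):
        """Rule 3: the origin AS that receives a packet for dst, by longest-prefix match."""
        addr = ip_address(dst)
        covering = [p for p in self.rib if addr in ip_network(p)]
        if not covering:
            return None
        path = self.rib[max(covering, key=lambda p: ip_network(p).prefixlen)]
        return path[-1] if path else self.asn


def link(a, b):
    a.neighbors.append(b)
    b.neighbors.append(a)


def hijack_scenario(more_specifics):
    """Slides 28-34: AS0 owns 192.0.2.0/23 behind AS1; AS3 announces the same /23 to AS2.

    Returns AS2, the AS whose routing decision the slides show."""
    as0, as1, as2, as3 = (ToyAS(n) for n in range(4))
    link(as0, as1)
    link(as1, as2)
    link(as2, as3)
    as0.originate("192.0.2.0/23")  # legitimate announcement, reaches AS2 as AS1 AS0
    as3.originate("192.0.2.0/23")  # conflicting announcement, reaches AS2 as AS3 (shorter)
    if more_specifics:  # active countermeasure: the origin splits its /23 into two /24
        as0.originate("192.0.2.0/24")
        as0.originate("192.0.3.0/24")
    return as2


if __name__ == "__main__":
    print("hijacked, packet goes to AS", hijack_scenario(False).lookup("192.0.2.42"))  # 3
    print("with more specifics, packet goes to AS", hijack_scenario(True).lookup("192.0.2.42"))  # 0
```

Note that the /23 at AS2 still points to AS3 after the countermeasure; only the more specific /24 routes win the longest-prefix match.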
35. A Recent Example on October 16
Hijack against a French AS
37. Passive Countermeasure
Strict filter on an interconnection
[Diagram: the announcement of 192.0.2.0/23 with AS path 64501 64500 is dropped by a prefix filter on the interconnection, so it never reaches the rest of the topology]
• a BGP router can filter prefixes in UPDATE messages
• useful filtering can only be done by the upstream provider
39. Passive Countermeasure
Automate filter maintenance
A route object:
• is declared by the AS in charge of an IP prefix
• tells who can announce the prefix with BGP
  • the operator, its DDoS mitigation provider, its clients, …
$ whois -T route 185.50.64.0/22
route: 185.50.64.0/22
descr: Observatory IPv4 prefix.
origin: AS202214
mnt-by: ASOBS-MNT
source: RIPE # Filtered
42. Collecting BGP Archives
https://www.ris.ripe.net
[Diagram: ASes AS1 to AS6 peer with a BGP collector; 192.168.0.0/16 and a more specific 192.168.0.0/24 announced by AS666 both reach the collector]
Routing Information Service (RIS)
• 13 BGP collectors all over the world
• 263 BGP peers
• BGP messages dumped into binary files
• 550 GB per year
43. Parsing BGP Archives
https://github.com/ANSSI-FR/parsifal
[Diagram: raw BGP archives go through the BGP parser, which emits one JSON record per message, for example:]
{ "timestamp":1409750436, "collector": "rrc07",
"as_path":"25152 6939 17922 7862 4761 9957 7500 ",
"announce":[" 192.50.44.0/24 "], "withdraw":[] }
{ "timestamp":1409782437, "collector": "rrc07",
"as_path":"25152 6939 667 666 ",
"announce":[" 192.50.44.0/24 "], "withdraw":[] }
Need for a dedicated BGP parser
• fast & trusted parser
• written in OCaml
• convert BGP messages to JSON
• human readable / writable format
47. Emulating a BGP Router
https://code.google.com/p/py-radix/
[Diagram: radix tree of the routing table with the entries 192.0.0.0/8 AS1, 192.28.0.0/22 AS2 AS3, 192.128.0.0/10 AS4 AS5, 192.160.0.0/11 AS7 and 192.168.128.0/22 AS42]
Build the routing table
• fast IP lookup library
• similar to a router & the Linux kernel
• the tree is updated with each BGP message
• duplicated entries are conflicts
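To make the parser output and the emulated router concrete, here is an added example, not ANSSI's parsifal or py-radix pipeline, that replays the two JSON records printed on the slides and reports duplicated entries as conflicts. EmulatedRouter and replay are names chosen here; the third record (documentation ASNs 64496 and 64512) and the WITHDRAW record are constructed to exercise a sub-prefix conflict and its removal.

```python
import json
from ipaddress import ip_network

# First two records: the ones printed on the slides. Third record and WITHDRAW: constructed.
RECORDS = """
{ "timestamp":1409750436, "collector": "rrc07", "as_path":"25152 6939 17922 7862 4761 9957 7500 ", "announce":[" 192.50.44.0/24 "], "withdraw":[] }
{ "timestamp":1409782437, "collector": "rrc07", "as_path":"25152 6939 667 666 ", "announce":[" 192.50.44.0/24 "], "withdraw":[] }
{ "timestamp":1409790000, "collector": "rrc07", "as_path":"25152 64496 64512 ", "announce":[" 192.50.44.128/25 "], "withdraw":[] }
"""
WITHDRAW = '{ "timestamp":1409800000, "collector": "rrc07", "as_path":"", "announce":[], "withdraw":[" 192.50.44.128/25 "] }'


class EmulatedRouter:
    """One table entry per (prefix, origin AS); several origins for one prefix is a duplicated entry."""

    def __init__(self):
        self.table = {}  # ip_network -> {origin ASN: timestamp first seen}

    def update(self, rec):
        path = rec["as_path"].split()
        for p in rec["announce"]:
            origin = int(path[-1])  # last ASN of the AS_PATH is the origin
            net = ip_network(p.strip())
            self.table.setdefault(net, {}).setdefault(origin, rec["timestamp"])
        for p in rec["withdraw"]:  # a WITHDRAW carries no origin: drop the prefix as seen here
            self.table.pop(ip_network(p.strip()), None)

    def first_origin(self, prefix):
        """The origin that announced the prefix first (the bot's 'First originated from')."""
        origins = self.table[ip_network(prefix)]
        return min(origins, key=origins.get)

    def conflicts(self):
        out = []
        for net, origins in self.table.items():
            if len(origins) > 1:  # same prefix, several origins
                out.append(("MOAS", str(net), sorted(origins)))
            for sup, sup_origins in self.table.items():  # more specific from a foreign origin
                if sup.version == net.version and sup.prefixlen < net.prefixlen \
                        and net.subnet_of(sup):
                    foreign = sorted(set(origins) - set(sup_origins))
                    if foreign:
                        out.append(("SUBPREFIX", str(net), str(sup), foreign))
        return out


def replay(text):
    """Feed newline-separated JSON records to a fresh router and return it."""
    router = EmulatedRouter()
    for line in text.strip().splitlines():
        router.update(json.loads(line))
    return router


if __name__ == "__main__":
    router = replay(RECORDS)
    for conflict in router.conflicts():
        print(conflict)
    print("first origin of 192.50.44.0/24:", router.first_origin("192.50.44.0/24"))
```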
51. Putting Everything Together
[Diagram: Raw BGP → BGP parser → JSON → Emulate BGP]
Processing 50k ASes
• emulated routers handle different ASes
• with 8 cores, a month is processed in 10 hours
With 13 collectors, 156 months must be processed per year !
52. Faster Conflict Detection
Scaling by adding cores
[Diagram: four parallel pipelines, each Raw BGP → BGP parser → JSON → Emulate BGP]
Conflict detection
• completes in one week with 120 cores on 5 servers
• generates 130 GB per year
• 11 536 345 959 conflicts
• from January to October 2014
55. Accessing The Data
http://discoproject.org
From BIG DATA to small data
• one hour to extract conflicts targeting 1000 ASes
• close to the number of French & Japanese ASes
• 70 million conflicts per country
• 200 MB
59. Classifying Conflicts - 1/3
Using route objects
Validating 70 million conflicts
• all of them must be verified
• online queries are too slow
• WHOIS databases are loaded daily into PostgreSQL
• the ip4r type is used for fast prefix lookups
>>> client = Client("ripe")
>>> client.check("210.158.206.0/24", 17676, "2014/07/28")
True
0.01% conflicts removed
32% conflicts removed
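An offline stand-in for the Client.check call on the slide, added here and not ANSSI's code: a few route objects are held in memory instead of PostgreSQL with ip4r, a covering object with the same origin is assumed to vouch for a more specific prefix, and all creation dates plus the objects other than 185.50.64.0/22 are constructed. The creation date matters because, as the troubleshooting slides show, a route6 object registered after the event turns an alert into a false positive.

```python
from datetime import date
from ipaddress import ip_network

# (prefix, origin ASN, creation date). The first object is the one printed on the
# slide (whois -T route 185.50.64.0/22); all creation dates and the other two
# objects are constructed for this example.
ROUTE_OBJECTS = [
    ("185.50.64.0/22", 202214, date(2014, 1, 1)),
    ("210.158.206.0/24", 17676, date(2014, 1, 1)),  # the slide's check() returns True for it
    ("2a04:8000::/29", 200000, date(2014, 11, 5)),  # route6 registered after the event was reported
]


class Client:
    """Offline stand-in for the slide's Client("ripe") object."""

    def __init__(self, objects=ROUTE_OBJECTS):
        self.objects = [(ip_network(p), asn, created) for p, asn, created in objects]

    @staticmethod
    def _parse_date(text):
        year, month, day = (int(x) for x in text.split("/"))  # "2014/07/28" as on the slide
        return date(year, month, day)

    def matching_objects(self, prefix, asn, when):
        """Route objects with this origin that covered the prefix on that date."""
        net = ip_network(prefix)
        day = self._parse_date(when)
        return [
            (str(obj), origin)
            for obj, origin, created in self.objects
            if obj.version == net.version and origin == asn
            and created <= day and net.subnet_of(obj)
        ]

    def check(self, prefix, asn, when):
        """True when a route object vouches for (prefix, origin) at that date."""
        return bool(self.matching_objects(prefix, asn, when))


def unexplained(client, conflicts):
    """Drop the conflict entries a route object explains; the rest need a closer look."""
    return [c for c in conflicts if not client.check(*c)]


if __name__ == "__main__":
    client = Client()
    print(client.check("210.158.206.0/24", 17676, "2014/07/28"))  # True
    print(unexplained(client, [
        ("185.50.64.0/22", 202214, "2014/07/28"),
        ("2a04:8000::/29", 200000, "2014/11/01"),  # object created on 2014/11/05: still flagged
    ]))
```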
67. Events Visualization
A French AS
[Screenshot: timeline of conflict events for AS3215 (localhost:2807/timeslots/AS3215), with a month axis running from February to November 2014]
68. Reducing The Number of Events
Automatically
Simple rules
• remove events that change categories
• remove events if the ASes belong to the same country
• remove events longer than 6 months
• remove associated events
From 2154 prefixes in conflict to 557
From 4519 prefixes in conflict to 289
70. Reducing The Number of Events
Manually
Interesting results
• similar AS names
  • PACNET-MY Pacnet MY and PACNET Pacnet Global Ltd
• AS under DDoS protection
  • the DDoS mitigation companies announce a /24
• typos in AS numbers
  • 2208 and 208
• hijacks that were used to steal bitcoins
  • AS18863 was at the origin of some of these hijacks
• some events were never detected by operators
• ...
71. Closing Remarks
Since January 2014, there are:
69 suspicious events
102 suspicious events
Around 10 hijacks per year target French operators
77. BGP Hijack Reporting
IRC is so 2014
What must be reported
• only suspicious BGP hijacks
• about 50 events per week
< hadron> 2a04:8000::/29 is announced from multiple origins:
< hadron> SFR-BUSINESS-TEAM (AS12566)
< hadron> Ukraine-AS (AS200000)
< hadron> First originated from SFR-BUSINESS-TEAM (AS12566)
79. BGP Hijack Troubleshooting
< hadron> 2a04:8000::/29 is announced from multiple origins:
< hadron> SFR-BUSINESS-TEAM (AS12566)
< hadron> Ukraine-AS (AS200000)
< hadron> First originated from SFR-BUSINESS-TEAM (AS12566)
$ whois 2a04:8000::/29
inet6num: 2a04:8000::/29
netname: UA-UAHOSTING
descr: Hosting Ukraine
country: UA
org: ORG-HUL6-RIPE
$ whois -i org ORG-HUL6-RIPE
aut-num: AS200000
as-name: Ukraine-AS
descr: Hosting Ukraine
org: ORG-HUL6-RIPE
Analysis Result
• 2a04:8000::/29 belongs to the Ukrainian operator
• 2a04:0800::/29 belongs to the French operator
• the French operator made a mistake in its BGP configuration
It was a false positive: the route6 object was created a few days later by the Ukrainian operator.
87. Malicious BGP Hijack
Infected AS_PATH
< hadron> 185.73.204.0/22 is announced from multiple origins:
< hadron> ALPHALINK-AS (AS25540)
< hadron> TEHNOGRUP (AS198596)
< hadron> AS_PATH: 8607 39792 44050 131788 198596
Definition
• infected ASes accepted the hijacking BGP update
• traffic to the hijacked prefix goes to the hijacker’s network
How do we launch active measurements from these ASes?
92. RIPE Atlas Measurement Project
https://atlas.ripe.net/
• 7100 probes in around 2000 ASes
• probes hosted by the community
• user-defined measurements
• ping, traceroute, HTTP, TLS and DNS
• public API
94. Atlas Meets Our Needs
We always found a probe to launch our measurements!
• 250 possible hijacks from September to November 2014
• AS_PATHs are from the London-based RIPE collector
Number of probes found in infected ASes:
[Histogram: share of hijacks (0 % to 20 %) against the number of probes found in infected ASes (2 to 14)]
96. Traceroute Example
< hadron> 185.73.204.0/22 is announced from multiple origins:
< hadron> ALPHALINK-AS (AS25540)
< hadron> TEHNOGRUP (AS198596)
< hadron> AS_PATH: 8607 39792 44050 131788 198596
Traceroute to 185.73.204.1
1. 10.10.10.1
2. 82.118.96.1
3. 188.124.228.1
4. 95.215.3.78
5. * * *
Closing Remarks
• traceroute stops at AS44050 (PIN-AS)
• AS131788 and AS198596 are most certainly placeholders
• AS44050 (PIN-AS) is already known for previous hijacks
103. Conclusion
• wide-scale automatic detection of BGP hijacks
• only a few real hijacks per year concerning France and Japan
• early detection and reporting
• ongoing work to identify traffic redirection
Take away messages
1. packets can be redirected on the Internet
2. traffic must be encrypted and authenticated
3. monitor prefixes and be ready to send more specific ones
4. networking Best Current Practices must be enforced
104. Questions?
A question == A Japanese Kit Kat
Related publication
• BGP configuration best practices (English & French)