APRICOT2016 BGP Hijack Issue on Nov 6 2015
Author: chika-yoshimura
Category: Internet
-
Monterey, CA
-
Who am I?
Chika Yoshimura, NTT Communications
Network Engineer for AS2914: 3 years in NTT-GIN (AS2914), 10 years in NTT-OCN (AS4713)
-
San Jose, CA
-
Somewhere in the US
-
May the force be with you!
-
BGP Hijack Issue on Nov 6
http://www.bgpmon.net/large-scale-bgp-hijack-out-of-india/
May the force be with you.
-
BGP Hijack
To advertise prefix(es) from a third AS which is not allocated the prefixes; the Origin AS is disguised as the third AS.
For instance, 2.16.65.0/24 is AS2914's prefix. If an AS other than AS2914 advertises it as its own prefix, that is a BGP hijack.
Other ASes which receive the hijacked prefix might believe it's legit. Then traffic toward the hijacked prefix will go to the disguised Origin AS.
Not so rare: 2015/08/01 - 2015/12/31, more than 850 hijack issues occurred (per BGPStream).
-
Typical Root Causes
Malicious root causes
Non-malicious root causes: mis-operations, e.g. leaking IGP prefixes to EGP, leaking testing prefixes to EGP. BGP filtering mistakes are the most likely.
(FYI) Multiple origin: advertising a prefix from more than 2 Origin ASes. Not a BGP hijack.
-
BGP Hijack Issue on Nov 6
Per BGPMon, 2015/11/06 05:52 - 14:40 UTC, AS9498 (Bharti Airtel) advertised 16123 prefixes.
Hijacked ASes: more than 2000 ASes, e.g. AS3257 / GTT, AS4755 / Tata Communications, etc., and AS2914 / NTT Communications (yes, it's us!)
http://www.bgpmon.net/large-scale-bgp-hijack-out-of-india/
-
Root Cause of the Hijack Issue
Still unknown. AS2914 contacted AS9498: no response about a root cause.
BGPMon doesn't have info on the root cause. No info on the NANOG ML.
From what I can guess from the actual hijacked prefixes, they might have missed BGP prefix filters?
-
AS2914 Sumo and Tanuki stickers
-
AS2914 Operational Timestamp
Nov 06: found our prefixes were hijacked
Nov 06: AS2914 NOC sent an e-mail to AS9498
Nov 07: AS2914 NOC sent another e-mail to AS9498
Nov 07: AS9498 responded. No info about the root cause
Nov 07: AS2914 NOC sent one more e-mail to AS9498 asking for a root cause. No response
Started analyzing affected prefixes with BGPMon
-
AS2914 Sumoes!
-
Yes, our prefixes were hijacked
300 prefixes of AS2914 were hijacked and advertised to the Internet.
AS2914 generally doesn't allocate our CIDR to customers. That's why there was no significant impact to our services.

(A part of) Hijacked Prefixes per BGPMon
announced_prefix  base_as  src_AS  start_time           peer_count
2.16.65.0/24      2914     9498    2015-11-06 05:52:14  68
2.16.110.0/23     2914     9498    2015-11-06 05:52:20  49
2.17.196.0/22     2914     9498    2015-11-06 05:52:15  47
5.158.208.0/21    2914     9498    2015-11-06 05:52:19  37
2.21.16.0/20      2914     9498    2015-11-06 05:52:15  33
23.55.208.0/20    2914     9498    2015-11-06 05:52:26  10
23.67.64.0/22     2914     9498    2015-11-06 05:52:26  10
23.55.80.0/20     2914     9498    2015-11-06 05:52:26  10
23.38.110.0/23    2914     9498    2015-11-06 05:52:26  10
23.11.192.0/22    2914     9498    2015-11-06 05:52:23  10
23.4.32.0/20      2914     9498    2015-11-06 05:52:20  10
23.11.196.0/22    2914     9498    2015-11-06 05:52:23  10
-
No significant impact? Really?
Whether there's an impact due to a BGP hijack issue depends on what services we do with the prefixes.
IP wholesalers (like us) generally don't use our own prefixes, because customers already have their own AS and prefixes.
Consumer services use our own prefixes for customers, so there'll be a large impact when the prefixes are hijacked.
-
Yes, we received some of them
Duration: 2015/11/06 05:52:05 - 14:37:41 UTC
4513 prefixes received (IPv4: 4512, IPv6: 1)
Mainly received from Peer ASes. We don't have any upstream AS. There's a strict BGP prefix filter for downstream ASes. There's a rough BGP filter for Peer ASes.
Didn't receive our own prefixes (AS2914's prefixes)
-
BGP Updates of Hijacked Prefixes
Roughly 3 peaks during the duration. Started hijacking 1.x.x.0 first, then 2.x.x.0, then 5.x.x.0.
Any CPU issue due to the many BGP updates? -> We didn't face any this time.
Chart: number of BGP updates (Y) over UTC time on Nov 6 (X), for AS2914 -> AS2914 and AS2914 -> eBGP. Annotated peaks: 05:52:05 - 05:54:35 (1.x.x.0, 2.x.x.0, 5.x.x.0 hijacked); 09:54:24 - 10:40:48 (1.x.x.0, 2.x.x.0, 5.x.x.0, 6.x.x.0 hijacked), with sub-peaks at 09:54:24 - 09:57:15, 10:11:14 - 10:15:43 and 10:39:31 - 10:40:48; 14:36:12 - 14:37:30.
-
Hijacked Prefix Ranges
Simple prefixes: 1.0.x.0/24, 2.0.x.0/24, same subnet mask as in the IRR. Still analyzing though.
Probably BGP filter mistakes?
Probably route leaking? Received from EGP, distributed to IGP, distributed to EGP again.
This data is just what we saw inside AS2914, so there were more hijacked prefixes.

range        # of hijacked prefixes
1.x          1331
2.x          175
5.x          1771
6.x          34
8.x          858
12.x         229
14.x         8
23.x         1
24.x         2
27.x         96
61.x         1
64.x         1
125.x        1
177.x        4
2c0f:fe90::  1
total        4513
-
What ASes do the Hijacked Prefixes Belong to?
ASN    Name                                                  Country
39891  Saudi Telecom Company                                 SA
24378  Total Access Communication                            TH
12586  GHOSTnet                                              DE
18403  The Corporation for Financing & Promoting Technology  VN
35819  Etihad Etisalat Company                               SA
4788   TM Net                                                MY
38266  Vodafone Essar                                        IN
23089  Hotwire Communications                                US
45083  Beijing Cheery Zone Scitech                           CN
21299  2DAY Telecom                                          KZ
Most of them aren't AS2914's customers, or are customers but haven't advertised their prefixes to AS2914.
Their prefixes need to be received from other ASes, mainly from peers.
-
Where did the hijacked prefixes come from?
We received the hijacked prefixes from our peer ASes (mainly Tier 1 ASes).
Pie chart of the AS paths via which the hijacked prefixes arrived: _174_9498_ (Cogent), _6762_9498_ (Telecom Italia), _3491_9498_ (PCCW), _1299_9498 (TeliaSonera), _1299_10026_9498 (TeliaSonera, Pacnet), _3257_7473_9498 (Tinet, Singtel), _7473_9498 (Singtel), Others. Shares shown on the chart: 38.87%, 23.06%, 13.23%, 10.51%, 8.56%, 1.90%, 1.53%, 2.33%.
-
AS2914 Sumoes
-
What import BGP filter do we apply?
To Peers: bogon etc., uRPF, max-prefix filter, (a kind of) AS path filter.
It's not realistic to apply a strict BGP filter to Peers (Tier 1 ASes) because they advertise almost all of the full BGP table prefixes.
Accurate IRR data for all Tier 1 networks is not available for building strict prefix filters.
-
What import BGP filter do we apply? (cont)
(FYI) To Customers: uRPF, max-prefix filter, prefix filter (based on IRR)
-
Monterey, CA
-
Advertise more specific prefix(es)
When your prefix 10.0.0.0/16 is hijacked, advertise /17s. If other ASes accept the /17, traffic comes to you. If other ASes don't, it doesn't.
ASes likely filter(ed) IPv4 /25 or longer and IPv6 /64 or longer.
We're better off accepting more specific masks, up to /28: IPv4 allocated masks are getting more specific after IPv4 exhaustion. ARIN allocates /24-/28 from 23.128.0.0/10.
-
Sedona, AZ
-
Apply BGP Filters
Not to receive/leak hijacked prefixes.
Not to leak re-distributed prefixes to other protocols (EGP -> IGP -> EGP).
Not to leak any prefixes used in a test environment.
However, strict BGP filtering sometimes doesn't fit (e.g. toward an upstream AS, or a Peer).
-
BGP Origin Validation: (Almost) Ultimate Solution
Issue ROAs so that other ASes can validate your prefixes.
Introduce BGP Origin Validation so that your AS accepts legit prefixes.
Challenge: Origin Validation can't be done by only one AS; a ROA for each prefix is needed.
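As an added example (not part of the original slides, and not NTT's code), the RFC 6811 origin validation check this slide describes, written in Python and run over constructed ROAs for two of the AS2914 prefixes from the BGPMon table; it also shows the caveat behind the earlier "advertise a more specific" slide, since a more specific beyond the ROA's maxLength is itself rejected. The ROA contents and the sample update rows are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int
    asn: int

# Constructed ROAs (not real RPKI data): AS2914 authorizes two prefixes at their exact length.
ROAS = (
    Roa("2.16.65.0/24", 24, 2914),
    Roa("5.158.208.0/21", 21, 2914),
)

def validate_origin(announced_prefix, origin_as, roas=ROAS):
    """RFC 6811 route origin validation: returns 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA covers the route only if the announced prefix lies inside the ROA prefix.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # One matching ROA (right origin AS, length <= maxLength) is enough for "valid".
        if roa.asn == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by some ROA but none matched -> invalid; no covering ROA at all -> not-found.
    return "invalid" if covered else "not-found"

def flag_hijacks(updates, roas=ROAS):
    """Return the (prefix, origin_as, state) tuples an ROV-enabled router would reject."""
    return [(p, asn, "invalid") for p, asn in updates
            if validate_origin(p, asn, roas) == "invalid"]

# Constructed update feed: two rows from the BGPMon table (origin AS9498), the legitimate
# AS2914 origin, a /25 more-specific from AS2914, and a prefix with no ROA at all.
SAMPLE_UPDATES = [
    ("2.16.65.0/24", 9498),
    ("5.158.208.0/21", 9498),
    ("2.16.65.0/24", 2914),
    ("2.16.65.0/25", 2914),
    ("1.0.1.0/24", 9498),
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_UPDATES:
        print(f"{prefix:16} AS{asn}: {validate_origin(prefix, asn)}")
```

The "not-found" result for 1.0.1.0/24 is the slide's challenge in code: without a ROA for that prefix, origin validation cannot say anything about it.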
-
Sedona, AZ
-
Monterey, CA