APRICOT2016 BGP Hijack Issue on Nov 6 2015
Who am I?
• Chika Yoshimura
• NTT Communications
  – Network Engineer for AS2914
  – 3 yrs in NTT-GIN (AS2914)
  – 10 yrs in NTT-OCN (AS4713)
BGP Hijack Issue on Nov 6
http://www.bgpmon.net/large-scale-bgp-hijack-out-of-india/
May the force be with you….
BGP Hijack
• To advertise prefix(es) from a third AS to which the prefixes are not allocated
  – The origin AS is disguised as that third AS
  – For instance, 2.16.65.0/24
    • AS2914's prefix
    • If an AS other than AS2914 advertises it as its own prefix ≒ BGP hijack
• Other ASes which receive the hijacked prefix might believe it's legit
• Then traffic toward the hijacked prefix will go to the disguised origin AS
• Not so rare
  – 2015/08/01-2015/12/31: more than 850 hijack issues occurred (per BGPStream)
Typical Root Causes
• Malicious root causes
• Non-malicious root causes
  – Mis-operations
  – (ex) leaking IGP prefixes to EGP
  – (ex) leaking testing prefixes to EGP
  – BGP filtering mistakes are most likely
• (FYI) Multiple origin
  – To advertise a prefix from more than 2 origin ASes
  – Not a BGP hijack
BGP Hijack Issue on Nov 6
• Per BGPMon
  – 2015/11/06 05:52–14:40 UTC
  – AS9498 (Bharti Airtel) advertised:
    • 16123 prefixes
  – Hijacked ASes:
    • More than 2000 ASes
    • AS3257/GTT, AS4755/Tata Communications etc.
    • AS2914/NTT Communications (Yes, it's us!)
http://www.bgpmon.net/large-scale-bgp-hijack-out-of-india/
Root Cause of the Hijack Issue
• Still unknown
  – AS2914 contacted AS9498
    • No response about a root cause
  – BGPMon doesn't have info on the root cause
  – No info on the NANOG ML
• From what I can guess from the actual hijacked prefixes…
  – They might have missed BGP prefix filters?
AS2914 Operational Timeline
• Nov 06: found our prefixes were hijacked
• Nov 06: AS2914 NOC sent an e-mail to AS9498
• Nov 07: AS2914 NOC sent another e-mail to AS9498
• Nov 07: AS9498 responded
  – No info about the root cause
• Nov 07: AS2914 NOC sent one more e-mail to AS9498 asking for a root cause
  – No response
• Started analyzing the affected prefixes with BGPMon
Yes, our prefixes were hijacked
• 300 prefixes of AS2914 were hijacked and advertised to the Internet
• AS2914 generally doesn't allocate our CIDR to customers
  – That's why there was no significant impact on our services
(A part of) Hijacked Prefixes – Per BGPMon

announced_prefix  base_as  src_AS  start_time           Peer_count
2.16.65.0/24      2914     9498    2015-11-06 05:52:14  68
2.16.110.0/23     2914     9498    2015-11-06 05:52:20  49
2.17.196.0/22     2914     9498    2015-11-06 05:52:15  47
5.158.208.0/21    2914     9498    2015-11-06 05:52:19  37
2.21.16.0/20      2914     9498    2015-11-06 05:52:15  33
23.55.208.0/20    2914     9498    2015-11-06 05:52:26  10
23.67.64.0/22     2914     9498    2015-11-06 05:52:26  10
23.55.80.0/20     2914     9498    2015-11-06 05:52:26  10
23.38.110.0/23    2914     9498    2015-11-06 05:52:26  10
23.11.192.0/22    2914     9498    2015-11-06 05:52:23  10
23.4.32.0/20      2914     9498    2015-11-06 05:52:20  10
23.11.196.0/22    2914     9498    2015-11-06 05:52:23  10
No significant impact? Really?
• Whether there's an impact due to a BGP hijack issue depends on what services we run on the prefixes
• IP wholesalers (like us) generally don't use our own prefixes
  – Because customers already have their own AS and prefixes
• Consumer services use our own prefixes for customers
  – so there'll be a large impact when the prefixes are hijacked
Yes, we received some of them
• Duration: 2015/11/06 05:52:05-14:37:41 UTC
• 4513 prefixes received (IPv4: 4512, IPv6: 1)
• Mainly received from peer ASes
  – We don't have any upstream AS
  – There's a strict BGP prefix filter for downstream ASes
  – There's a rough BGP filter for peer ASes
• Didn't receive our own prefixes (AS2914's prefixes)
BGP Updates of Hijacked Prefixes
• Roughly 3 peaks during the duration
• Started hijacking 1.x.x.0 first, then 2.x.x.0, then 5.x.x.0….
• Any CPU issue due to the many BGP updates? -> We didn't face any this time
[Chart: number of BGP updates (Y: # of updates) over time (X: UTC of Nov 6), for AS2914->AS2914 and AS2914->eBGP. Annotated bursts: 05:52:05-05:54:35 (1.x.x.0, 2.x.x.0, 5.x.x.0… hijacked); 09:54:24-10:40:48 (1.x.x.0, 2.x.x.0, 5.x.x.0, 6.x.x.0… hijacked) with sub-peaks 09:54:24-09:57:15, 10:11:14-10:15:43 and 10:39:31-10:40:48; and 14:36:12-14:37:30.]
Hijacked Prefix Ranges
• Simple prefixes
  – 1.0.x.0/24
  – 2.0.x.0/24
• Same subnet mask as in the IRR
  – Still analyzing though
• Probably BGP filter mistakes?
• Probably route leaking?
  – Received from EGP → redistributed into IGP → redistributed into EGP again
• This data is just what we saw inside AS2914, so there were more hijacked prefixes
range         # of hijacked prefixes
1.x           1331
2.x           175
5.x           1771
6.x           34
8.x           858
12.x          229
14.x          8
23.x          1
24.x          2
27.x          96
61.x          1
64.x          1
125.x         1
177.x         4
2c0f:fe90::   1
total         4513
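As an added example (not part of the presentation), the following Python script parses rows in the BGPMon table layout shown earlier, flags announcements of AS2914's prefixes that were originated by another AS, and builds the same first-octet "range" breakdown as the table above. The four AS2914 rows copy the slide; the last two rows are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample in the BGPMon layout from the slides:
# announced_prefix base_as src_AS start_time peer_count
# The four AS2914 rows copy the slide; the last two rows are invented
# (a legitimate AS2914 announcement and a foreign prefix originated by AS9498).
SAMPLE_ROWS = """\
2.16.65.0/24 2914 9498 2015-11-06T05:52:14 68
2.16.110.0/23 2914 9498 2015-11-06T05:52:20 49
5.158.208.0/21 2914 9498 2015-11-06T05:52:19 37
23.55.208.0/20 2914 9498 2015-11-06T05:52:26 33
2.16.64.0/22 2914 2914 2015-11-06T05:00:00 120
1.0.4.0/24 38266 9498 2015-11-06T05:52:05 12
"""

OUR_AS = 2914


def parse_rows(text):
    """Parse whitespace-separated rows into dicts, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        prefix, base_as, src_as, start, peers = line.split()
        rows.append({
            "prefix": ipaddress.ip_network(prefix, strict=True),
            "base_as": int(base_as),   # AS the prefix is assigned to
            "src_as": int(src_as),     # AS that actually originated it
            "start": start,
            "peer_count": int(peers),  # BGPMon peers that saw the announcement
        })
    return rows


def is_hijack(row):
    """A row is a hijack candidate when the origin and assigned AS differ."""
    return row["src_as"] != row["base_as"]


def our_hijacked_prefixes(rows, our_as=OUR_AS):
    """Prefixes assigned to our AS but originated elsewhere, widest-seen first."""
    hits = [r for r in rows if r["base_as"] == our_as and is_hijack(r)]
    return sorted(hits, key=lambda r: r["peer_count"], reverse=True)


def range_histogram(rows):
    """Count hijack rows by first octet ('1.x'); IPv6 is keyed by network address."""
    counts = Counter()
    for r in filter(is_hijack, rows):
        net = r["prefix"]
        if net.version == 4:
            key = f"{net.network_address.exploded.split('.')[0]}.x"
        else:
            key = net.network_address.compressed
        counts[key] += 1
    return dict(counts)
```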
What ASes Do the Hijacked Prefixes Belong to?

ASN    Name                                                   Country
39891  Saudi Telecom Company                                  SA
24378  Total Access Communication                             TH
12586  GHOSTnet                                               DE
18403  The Corporation for Financing & Promoting Technology   VN
35819  Etihad Etisalat Company                                SA
4788   TM Net                                                 MY
38266  Vodafone Essar                                         IN
23089  Hotwire Communications                                 US
45083  Beijing Cheery Zone Scitech                            CN
21299  2DAY Telecom                                           KZ

• Most of them aren't AS2914's customers
  – or they are customers but didn't advertise the prefixes to AS2914
• Their prefixes need to be received from other ASes
  – Mainly from peers
Where did the hijacked prefixes come from?
• We received the hijacked prefixes from our peer ASes (mainly Tier 1 ASes)
[Pie chart: share of the hijacked prefixes by the AS path on which AS2914 received them. Shares as extracted: 38.87%, 23.06%, 13.23%, 10.51%, 8.56%, 1.90%, 1.53%, 2.33%. Legend as extracted: _174_9498_ (Cogent), _6762_9498_ (Telecom Italia), _3491_9498_ (PCCW), _1299_9498 (TeliaSonera), _1299_10026_9498 (TeliaSonera_Pacnet), _3257_7473_9498 (Tinet_Singtel), _7473_9498 (Singtel), Others.]
What import BGP filter do we apply?
• To peers
  – Bogon etc.
  – uRPF
  – Max-prefix filter
  – (a kind of) AS path filter
  – It's not realistic to apply a strict BGP filter to peers (Tier 1 ASes) because they advertise almost the full BGP table
  – Accurate IRR data for all Tier 1 networks is not available for building strict prefix filters

What import BGP filter do we apply? (cont.)
• (FYI) To customers
  – uRPF
  – Max-prefix filter
  – Prefix filter (based on IRR)
Advertise more specific prefix(es)
• When your prefix 10.0.0.0/16 is hijacked
  – Advertise the /17s
  – If other ASes accept the /17, traffic comes to you
  – If other ASes don't, it doesn't :(
• ASes likely filter(ed) IPv4 /25 or longer and IPv6 /64 or longer
• We're better off accepting more specific masks, up to /28
  – IPv4 allocation masks are getting more specific after IPv4 exhaustion
  – ARIN: allocates /24-/28 from 23.128.0.0/10
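The more-specific tactic and its limit can be shown with a small longest-prefix-match model. This is an added example, not the presentation's code: a third-party AS's import policy that drops IPv4 /25 or longer (and IPv6 /64 or longer) decides whether the legitimate holder's more specifics ever reach that AS's routing table. The ASNs are documentation-range placeholders and the second scenario is constructed.

```python
import ipaddress

LEGIT_AS = 64500    # assumed placeholder for the legitimate prefix holder
HIJACK_AS = 64501   # assumed placeholder for the hijacking AS

# Longest prefix a third-party AS accepts per address family, per the slide:
# IPv4 /25 or longer and IPv6 /64 or longer are commonly filtered.
MAX_ACCEPTED_LEN = {4: 24, 6: 63}
RELAXED_MAX_LEN = {4: 28, 6: 63}   # the slide's suggestion: accept up to /28


def accepts(prefix, max_len=MAX_ACCEPTED_LEN):
    """Import policy: keep a prefix only if it is not longer than the limit."""
    return prefix.prefixlen <= max_len[prefix.version]


def build_rib(announcements, max_len=MAX_ACCEPTED_LEN):
    """Apply the import policy; announcements are (prefix, origin AS) pairs."""
    rib = {}
    for prefix, origin in announcements:
        net = ipaddress.ip_network(prefix)
        if accepts(net, max_len):
            rib[net] = origin
    return rib


def best_origin(rib, address):
    """Longest-prefix match: the most specific accepted route carries the traffic."""
    addr = ipaddress.ip_address(address)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    return rib[max(matches, key=lambda net: net.prefixlen)]


def who_gets_traffic(announcements, address, max_len=MAX_ACCEPTED_LEN):
    """Where a third-party AS sends traffic for `address` after filtering."""
    return best_origin(build_rib(announcements, max_len), address)


# Scenario from the slide: the /16 is hijacked and the holder answers with /17s.
HIJACKED_16 = [("10.0.0.0/16", HIJACK_AS),
               ("10.0.0.0/17", LEGIT_AS), ("10.0.128.0/17", LEGIT_AS)]

# Constructed variant: a /24 is hijacked and the holder can only answer with /25s,
# which a /24 import limit silently discards.
HIJACKED_24 = [("10.0.5.0/24", HIJACK_AS),
               ("10.0.5.0/25", LEGIT_AS), ("10.0.5.128/25", LEGIT_AS)]
```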
Apply BGP Filters
• Not to receive/leak hijacked prefixes
• Not to leak redistributed prefixes into other protocols
  – EGP -> IGP -> EGP
• Not to leak any prefixes used in a test environment
• However, strict BGP filtering sometimes doesn't fit (ex. toward an upstream AS, toward a peer)
BGP Origin Validation
• (Almost) the ultimate solution
• Issue ROAs so that other ASes can validate your prefixes
• Introduce BGP Origin Validation so that your AS accepts only legit prefixes
• Challenge: Origin Validation can't be done by only one AS
  – A ROA for each prefix is needed
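An added example (not from the presentation) of the origin-validation check an AS runs against ROAs, in the RFC 6811 sense: a route is "valid" only when a covering ROA names its origin AS and its length is within the ROA's maxLength, "invalid" when covered but mismatched, and "notfound" when no ROA covers it at all, which is the slide's point that every prefix needs a ROA. The ROA entries are constructed for illustration and are not real RPKI data.

```python
import ipaddress

# Constructed ROA table: (prefix, maxLength, authorised origin AS).
# Illustrative only; this is not real RPKI data for AS2914.
ROAS = [
    ("2.16.0.0/14", 24, 2914),
    ("5.158.208.0/21", 21, 2914),
]


def load_roas(entries):
    """Pre-parse ROA prefixes once so validation is a pure comparison."""
    return [(ipaddress.ip_network(p), max_len, asn) for p, max_len, asn in entries]


def validate(prefix, origin_as, roas=load_roas(ROAS)):
    """RFC 6811 route origin validation outcome for one announcement."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_net, max_len, roa_as in roas:
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True                       # at least one ROA covers this prefix
        if roa_as == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"


def apply_policy(announcements, roas=load_roas(ROAS), drop_notfound=False):
    """Keep announcements that survive origin validation. Invalid routes are
    always dropped; notfound routes (no ROA at all) are kept unless the
    operator opts in to dropping them, which is rarely safe today."""
    kept = []
    for prefix, origin_as in announcements:
        state = validate(prefix, origin_as, roas)
        if state == "invalid" or (drop_notfound and state == "notfound"):
            continue
        kept.append((prefix, origin_as, state))
    return kept
```

With the constructed ROAs, the slide's hijack example 2.16.65.0/24 with origin AS9498 is rejected as invalid, while a prefix with no ROA (like a constructed 1.0.4.0/24) is still accepted as notfound, which is why a ROA per prefix is needed.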