Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53....
Transcript of Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53....
![Page 1: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/1.jpg)
Detecting BGP hijacks in 2014Guillaume Valadon & Nicolas Vivet
Agence nationale de la sécurité des systèmes d’informationhttp://www.ssi.gouv.fr/enPacSec - November 12th, 2014
ANSSI - Detecting BGP hijacks in 2014 1/53
![Page 2: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/2.jpg)
BGP Hijacking for Cryptocurrency ProfitReported by Dell SecureWorks on August 7 2014
« From February to May 2014, an hijacker redirectedcryptocurrency miners to his own mining pool, earning anestimated $83,000. »
Attack Requirements• no authentication between a miner and its bitcoin pool• traffic redirection using BGP prefixes hijacks
ANSSI - Detecting BGP hijacks in 2014 2/53
![Page 3: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/3.jpg)
BGP 101
![Page 4: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/4.jpg)
What is BGP (Border Gateway Protocol) ?
It is the routing protocol used by all Internet operators.
Some BGP facts• it runs on 179/TCP• it informs that an operator is in charge of IP prefixes
• there is no guarantee that an operator is lying
• it interconnects all Internet operators
ANSSI - Detecting BGP hijacks in 2014 4/53
![Page 5: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/5.jpg)
What is BGP (Border Gateway Protocol) ?
It is the routing protocol used by all Internet operators.
Some BGP facts• it runs on 179/TCP• it informs that an operator is in charge of IP prefixes
• there is no guarantee that an operator is lying
• it interconnects all Internet operators
ANSSI - Detecting BGP hijacks in 2014 4/53
![Page 6: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/6.jpg)
What is BGP (Border Gateway Protocol) ?
It is the routing protocol used by all Internet operators.
Some BGP facts• it runs on 179/TCP• it informs that an operator is in charge of IP prefixes
• there is no guarantee that an operator is lying
• it interconnects all Internet operators
ANSSI - Detecting BGP hijacks in 2014 4/53
![Page 7: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/7.jpg)
What is BGP (Border Gateway Protocol) ?
It is the routing protocol used by all Internet operators.
Some BGP facts• it runs on 179/TCP• it informs that an operator is in charge of IP prefixes
• there is no guarantee that an operator is lying
• it interconnects all Internet operators
ANSSI - Detecting BGP hijacks in 2014 4/53
![Page 8: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/8.jpg)
Operators Are Numbers !
With BGP, an operator:• is an Autonomous System• has a unique number
3215 47256939
ANSSI - Detecting BGP hijacks in 2014 5/53
![Page 9: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/9.jpg)
Operators Are Numbers !
With BGP, an operator:• is an Autonomous System• has a unique number
3215 47256939
ANSSI - Detecting BGP hijacks in 2014 5/53
![Page 10: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/10.jpg)
What Do You Need to Use BGP ?
• a network
• an AS number• an IP prefix• a BGP router• a BGP interconnection
AS transit
ISP providing BGP
Internet
AS42
AS42
2.0.0.0/16
ANSSI - Detecting BGP hijacks in 2014 6/53
![Page 11: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/11.jpg)
What Do You Need to Use BGP ?
• a network• an AS number• an IP prefix
• a BGP router• a BGP interconnection
AS transit
ISP providing BGP
Internet
AS42AS42
2.0.0.0/16
ANSSI - Detecting BGP hijacks in 2014 6/53
![Page 12: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/12.jpg)
What Do You Need to Use BGP ?
• a network• an AS number• an IP prefix• a BGP router
• a BGP interconnection
AS transit
ISP providing BGP
Internet
AS42AS42
2.0.0.0/16
ANSSI - Detecting BGP hijacks in 2014 6/53
![Page 13: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/13.jpg)
What Do You Need to Use BGP ?
• a network• an AS number• an IP prefix• a BGP router• a BGP interconnection
AS transit
ISP providing BGP
InternetAS42AS42
2.0.0.0/16
ANSSI - Detecting BGP hijacks in 2014 6/53
![Page 14: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/14.jpg)
Internet Resources Allocation
AS & prefixes are allocated by Regional Internet Registry:
Europe
Asia
Africa
North America
Latin America & Caribbean
In Europe, per year, an ASN costs 50€ and a /22 50€.
ANSSI - Detecting BGP hijacks in 2014 7/53
![Page 15: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/15.jpg)
Access to Internet Resources AllocationThe WHOIS protocol
$ whois AS4713
aut-num: AS4713as-name: OCNdescr: NTT Communications Corporation[..]country: JPadmin-c: AY1361JPtech-c: TT10660JPtech-c: TT15086JPchanged: [email protected] 19960911changed: [email protected] 20091113source: JPNIC
ANSSI - Detecting BGP hijacks in 2014 8/53
![Page 16: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/16.jpg)
Access to Internet Resources AllocationThe WHOIS protocol
$ whois AS4713
aut-num: AS4713as-name: OCNdescr: NTT Communications Corporation[..]country: JPadmin-c: AY1361JPtech-c: TT10660JPtech-c: TT15086JPchanged: [email protected] 19960911changed: [email protected] 20091113source: JPNIC
ANSSI - Detecting BGP hijacks in 2014 8/53
![Page 17: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/17.jpg)
Access to Internet Resources Allocationhttps://stat.ripe.net
ANSSI - Detecting BGP hijacks in 2014 9/53
![Page 18: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/18.jpg)
AS Announces & Removes Prefixes
With BGP, an operator uses:
• UPDATE messages to announce its IP prefixes• WITHDRAW messages to remove its IP prefixes
InternetAS43515 AS4713
AS3215
208.117.252.0/22 61.28.192.0/24
2.0.0.0/16
208.117.252.0/22 61.28.192.0/24
2.0.0.0/16208.117.252.0/22
208.117.252.0/22
ANSSI - Detecting BGP hijacks in 2014 10/53
![Page 19: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/19.jpg)
AS Announces & Removes Prefixes
With BGP, an operator uses:• UPDATE messages to announce its IP prefixes
• WITHDRAW messages to remove its IP prefixes
InternetAS43515 AS4713
AS3215
208.117.252.0/22 61.28.192.0/24
2.0.0.0/16
208.117.252.0/22 61.28.192.0/24
2.0.0.0/16
208.117.252.0/22
208.117.252.0/22
ANSSI - Detecting BGP hijacks in 2014 10/53
![Page 20: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/20.jpg)
AS Announces & Removes Prefixes
With BGP, an operator uses:• UPDATE messages to announce its IP prefixes• WITHDRAW messages to remove its IP prefixes
InternetAS43515 AS4713
AS3215
208.117.252.0/22 61.28.192.0/24
2.0.0.0/16
208.117.252.0/22 61.28.192.0/24
2.0.0.0/16208.117.252.0/22
208.117.252.0/22
ANSSI - Detecting BGP hijacks in 2014 10/53
![Page 21: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/21.jpg)
Three Simple BGP Rules
1. messages are forwarded to neighbors, after adding the ASN2. only the shortest AS path is forwarded3. packets are sent to the most specific prefix
AS1 AS2 AS3 Internet
192.0.2.0/24 192.0.2.0/24
192.0.2.0/24 AS1BGP
192.0.2.0/24 AS1 AS2BGP
ANSSI - Detecting BGP hijacks in 2014 11/53
![Page 22: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/22.jpg)
Three Simple BGP Rules
1. messages are forwarded to neighbors, after adding the ASN2. only the shortest AS path is forwarded3. packets are sent to the most specific prefix
AS1 AS2 AS3 Internet
192.0.2.0/24
192.0.2.0/24
192.0.2.0/24 AS1BGP
192.0.2.0/24 AS1 AS2BGP
ANSSI - Detecting BGP hijacks in 2014 11/53
![Page 23: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/23.jpg)
Three Simple BGP Rules
1. messages are forwarded to neighbors, after adding the ASN2. only the shortest AS path is forwarded3. packets are sent to the most specific prefix
AS1 AS2 AS3 Internet
192.0.2.0/24 192.0.2.0/24
192.0.2.0/24 AS1BGP
192.0.2.0/24 AS1 AS2BGP
ANSSI - Detecting BGP hijacks in 2014 11/53
![Page 24: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/24.jpg)
Three Simple BGP Rules
1. messages are forwarded to neighbors, after adding the ASN2. only the shortest AS path is forwarded3. packets are sent to the most specific prefix
AS1 AS2
AS3
AS4 Internet
192.0.2.0/24 AS1192.0.2.0/24 AS1 AS3
BGP
192.0.2.0/24 AS1192.0.2.0/24 AS1 AS3
BGP192.0.2.0/24 AS1 AS2
BGP
192.0.2.0/24
ANSSI - Detecting BGP hijacks in 2014 11/53
![Page 25: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/25.jpg)
Three Simple BGP Rules
1. messages are forwarded to neighbors, after adding the ASN2. only the shortest AS path is forwarded3. packets are sent to the most specific prefix
AS1 AS2
AS3
AS4 Internet
192.0.2.0/24 AS1192.0.2.0/24 AS1 AS3
BGP192.0.2.0/24 AS1192.0.2.0/24 AS1 AS3
BGP192.0.2.0/24 AS1 AS2
BGP
192.0.2.0/24
ANSSI - Detecting BGP hijacks in 2014 11/53
![Page 26: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/26.jpg)
Three Simple BGP Rules
1. messages are forwarded to neighbors, after adding the ASN2. only the shortest AS path is forwarded3. packets are sent to the most specific prefix
AS1 AS2
AS3
AS4
Internet
192.0.0.0/16
192.0.2.0/24
192.0.0.0/16 AS4 AS1192.0.2.0/24 AS3 AS1
BGP192.0.0.0/16 AS4 AS1192.0.2.0/24 AS3 AS1
BGP
192.0.2.42
ANSSI - Detecting BGP hijacks in 2014 11/53
![Page 27: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/27.jpg)
Three Simple BGP Rules
1. messages are forwarded to neighbors, after adding the ASN2. only the shortest AS path is forwarded3. packets are sent to the most specific prefix
AS1 AS2
AS3
AS4
Internet
192.0.0.0/16
192.0.2.0/24
192.0.0.0/16 AS4 AS1192.0.2.0/24 AS3 AS1
BGP192.0.0.0/16 AS4 AS1192.0.2.0/24 AS3 AS1
BGP
192.0.2.42
ANSSI - Detecting BGP hijacks in 2014 11/53
![Page 28: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/28.jpg)
Three Simple BGP Rules
1. messages are forwarded to neighbors, after adding the ASN2. only the shortest AS path is forwarded3. packets are sent to the most specific prefix
AS1 AS2
AS3
AS4
Internet
192.0.0.0/16
192.0.2.0/24
192.0.0.0/16 AS4 AS1192.0.2.0/24 AS3 AS1
BGP
192.0.0.0/16 AS4 AS1192.0.2.0/24 AS3 AS1
BGP
192.0.2.42
ANSSI - Detecting BGP hijacks in 2014 11/53
![Page 29: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/29.jpg)
Three Simple BGP Rules
1. messages are forwarded to neighbors, after adding the ASN2. only the shortest AS path is forwarded3. packets are sent to the most specific prefix
AS1 AS2
AS3
AS4
Internet
192.0.0.0/16
192.0.2.0/24
192.0.0.0/16 AS4 AS1192.0.2.0/24 AS3 AS1
BGP192.0.0.0/16 AS4 AS1192.0.2.0/24 AS3 AS1
BGP
192.0.2.42
ANSSI - Detecting BGP hijacks in 2014 11/53
![Page 30: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/30.jpg)
Hijacks 101
![Page 31: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/31.jpg)
What is a Prefix Hijack?BGP rule #2 in action
An hijack is a conflicting BGP announcement.
AS0 AS1 AS2
AS3
192.0.2.0/23
192.0.2.0/23
192.0.2.0/23 AS1 AS0
192.0.2.0/23 AS3
BGP
192.0.2.0/23 AS1 AS0192.0.2.0/23 AS3
BGP
Rule #2 applies: traffic is redirected to AS3 !
ANSSI - Detecting BGP hijacks in 2014 13/53
![Page 32: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/32.jpg)
What is a Prefix Hijack?BGP rule #2 in action
An hijack is a conflicting BGP announcement.
AS0 AS1 AS2
AS3
192.0.2.0/23192.0.2.0/23192.0.2.0/23 AS1 AS0
192.0.2.0/23 AS3
BGP
192.0.2.0/23 AS1 AS0192.0.2.0/23 AS3
BGP
Rule #2 applies: traffic is redirected to AS3 !
ANSSI - Detecting BGP hijacks in 2014 13/53
![Page 33: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/33.jpg)
What is a Prefix Hijack?BGP rule #2 in action
An hijack is a conflicting BGP announcement.
AS0 AS1 AS2
AS3
192.0.2.0/23192.0.2.0/23192.0.2.0/23 AS1 AS0
192.0.2.0/23 AS3
BGP192.0.2.0/23 AS1 AS0192.0.2.0/23 AS3
BGP
Rule #2 applies: traffic is redirected to AS3 !
ANSSI - Detecting BGP hijacks in 2014 13/53
![Page 34: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/34.jpg)
Active CountermeasureUse BGP rule #3 !
AS0 AS1 AS2
AS3
192.0.2.0/23
192.0.2.0/23
192.0.2.0/24192.0.3.0/24
192.0.2.0/23 AS1 AS0192.0.2.0/23 AS3
192.0.2.0/24 AS1 AS0192.0.3.0/24 AS1 AS0
192.0.2.0/23 AS1 AS0192.0.2.0/23 AS3192.0.2.0/24 AS1 AS0192.0.3.0/24 AS1 AS0
BGP
The origin AS announces more specific prefixes.
Rule #3 applies: traffic is sent to AS0 !
ANSSI - Detecting BGP hijacks in 2014 14/53
![Page 35: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/35.jpg)
Active CountermeasureUse BGP rule #3 !
AS0 AS1 AS2
AS3
192.0.2.0/23
192.0.2.0/23
192.0.2.0/24192.0.3.0/24
192.0.2.0/23 AS1 AS0192.0.2.0/23 AS3192.0.2.0/24 AS1 AS0192.0.3.0/24 AS1 AS0
192.0.2.0/23 AS1 AS0192.0.2.0/23 AS3192.0.2.0/24 AS1 AS0192.0.3.0/24 AS1 AS0
BGP
The origin AS announces more specific prefixes.
Rule #3 applies: traffic is sent to AS0 !
ANSSI - Detecting BGP hijacks in 2014 14/53
![Page 36: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/36.jpg)
Active CountermeasureUse BGP rule #3 !
AS0 AS1 AS2
AS3
192.0.2.0/23
192.0.2.0/23
192.0.2.0/24192.0.3.0/24
192.0.2.0/23 AS1 AS0192.0.2.0/23 AS3
192.0.2.0/24 AS1 AS0
192.0.3.0/24 AS1 AS0
192.0.2.0/23 AS1 AS0192.0.2.0/23 AS3192.0.2.0/24 AS1 AS0192.0.3.0/24 AS1 AS0
BGP
The origin AS announces more specific prefixes.
Rule #3 applies: traffic is sent to AS0 !
ANSSI - Detecting BGP hijacks in 2014 14/53
![Page 37: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/37.jpg)
Active CountermeasureUse BGP rule #3 !
AS0 AS1 AS2
AS3
192.0.2.0/23
192.0.2.0/23
192.0.2.0/24192.0.3.0/24
192.0.2.0/23 AS1 AS0192.0.2.0/23 AS3
192.0.2.0/24 AS1 AS0
192.0.3.0/24 AS1 AS0
192.0.2.0/23 AS1 AS0192.0.2.0/23 AS3192.0.2.0/24 AS1 AS0192.0.3.0/24 AS1 AS0
BGP
The origin AS announces more specific prefixes.
Rule #3 applies: traffic is sent to AS0 !
ANSSI - Detecting BGP hijacks in 2014 14/53
![Page 38: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/38.jpg)
A Recent Example on October 16Hijack against a French AS
x
ANSSI - Detecting BGP hijacks in 2014 15/53
![Page 39: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/39.jpg)
A Recent Example on October 16Hijack against a French AS
ANSSI - Detecting BGP hijacks in 2014 15/53
![Page 40: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/40.jpg)
Passive CountermeasureStrict filter on an interconnection
AS0 AS1 AS2
AS3
192.0.2.0/23
192.0.2.0/23
192.0.2.0/23 64501 64500BGP
• a BGP router can filter prefix in UPDATE messages• useful filtering can only be done by the upstream provider
ANSSI - Detecting BGP hijacks in 2014 16/53
![Page 41: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/41.jpg)
Passive CountermeasureStrict filter on an interconnection
AS0 AS1 AS2
AS3
192.0.2.0/23
192.0.2.0/23192.0.2.0/23 64501 64500BGP
• a BGP router can filter prefix in UPDATE messages• useful filtering can only be done by the upstream provider
ANSSI - Detecting BGP hijacks in 2014 16/53
![Page 42: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/42.jpg)
Passive CountermeasureAutomate filter maintenance
A route object:• is declared by the AS in charge of an IP prefix• tells who can announce the prefix with BGP
• the operator, its DDoS mitigation provider, its clients, …
$ whois -T route 185.50.64.0/22
route: 185.50.64.0/22descr: Observatory IPv4 prefix.origin: AS202214mnt-by: ASOBS-MNTsource: RIPE # Filtered
ANSSI - Detecting BGP hijacks in 2014 17/53
![Page 43: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/43.jpg)
Offline Hijack Detection
![Page 44: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/44.jpg)
BGP messages
ANSSI - Detecting BGP hijacks in 2014 19/53
![Page 45: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/45.jpg)
Collecting BGP Archiveshttps://www.ris.ripe.net
AS1 AS2 AS3
AS4
AS5
AS6 AS666
192.168.0.0/16 192.168.0.0/24
BGP collector
Routing Information Service (RIS)• 13 BGP collectors all over the world
• 263 BGP peers• BGP messages dumped into binary files
• 550 GB per yearANSSI - Detecting BGP hijacks in 2014 20/53
![Page 46: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/46.jpg)
Parsing BGP Archiveshttps://github.com/ANSSI-FR/parsifal
Raw BGP BGP parser
Need for a dedicated BGP parser• fast & trusted parser
• written in OCaml• convert BGP messages to JSON
• human readable / writable format
ANSSI - Detecting BGP hijacks in 2014 21/53
![Page 47: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/47.jpg)
Parsing BGP Archiveshttps://github.com/ANSSI-FR/parsifal
{ "timestamp":1409750436, "collector": "rrc07","as_path":"25152 6939 17922 7862 4761 9957 7500 ","announce":[" 192.50.44.0/24 "], "withdraw":[] }
{ "timestamp":1409782437, "collector": "rrc07","as_path":"25152 6939 667 666 ","announce":[" 192.50.44.0/24 "], "withdraw":[] }
Need for a dedicated BGP parser• fast & trusted parser
• written in OCaml• convert BGP messages to JSON
• human readable / writable format
ANSSI - Detecting BGP hijacks in 2014 21/53
![Page 48: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/48.jpg)
Parsing BGP Archiveshttps://github.com/ANSSI-FR/parsifal
{ "timestamp":1409750436, "collector": "rrc07","as_path":"25152 6939 17922 7862 4761 9957 7500 ","announce":[" 192.50.44.0/24 "], "withdraw":[] }
{ "timestamp":1409782437, "collector": "rrc07","as_path":"25152 6939 667 666 ","announce":[" 192.50.44.0/24 "], "withdraw":[] }
Need for a dedicated BGP parser• fast & trusted parser
• written in OCaml• convert BGP messages to JSON
• human readable / writable format
ANSSI - Detecting BGP hijacks in 2014 21/53
![Page 49: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/49.jpg)
Parsing BGP Archiveshttps://github.com/ANSSI-FR/parsifal
{ "timestamp":1409750436, "collector": "rrc07","as_path":"25152 6939 17922 7862 4761 9957 7500 ","announce":[" 192.50.44.0/24 "], "withdraw":[] }
{ "timestamp":1409782437, "collector": "rrc07","as_path":"25152 6939 667 666 ","announce":[" 192.50.44.0/24 "], "withdraw":[] }
Need for a dedicated BGP parser• fast & trusted parser
• written in OCaml• convert BGP messages to JSON
• human readable / writable format
ANSSI - Detecting BGP hijacks in 2014 21/53
![Page 50: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/50.jpg)
How to Detect Conflicts?
1. emulate a BGP router
2. process messages as a flow
UPDATE WITHDRAW UPDATE UPDATE WITHDRAW
Time
ANSSI - Detecting BGP hijacks in 2014 22/53
![Page 51: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/51.jpg)
Emulating a BGP Routerhttps://code.google.com/p/py-radix/
192.0.0.0/8 AS1
192.28.0.0/22 AS2 AS3 192.128.0.0/10 AS4 AS5
192.160.0.0/11 AS7 192.168.128.0/22 AS42
Build the routing table• fast IP lookup library
• similar to a router & the Linux kernel• the tree is updated with each BGP messages
• duplicated entries are conflictsANSSI - Detecting BGP hijacks in 2014 23/53
![Page 52: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/52.jpg)
Emulating a BGP Routerhttps://code.google.com/p/py-radix/
192.0.0.0/8 AS1
192.28.0.0/22 AS2 AS3 192.128.0.0/10 AS4 AS5
192.160.0.0/11 AS7 192.168.128.0/22 AS42
Processing an UPDATE message{ "timestamp":1409750436, "peer_as":25152,"as_path":"1234 666 ","announce":[" 192.168.128.0/24 "], "withdraw":[] }
ANSSI - Detecting BGP hijacks in 2014 23/53
![Page 53: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/53.jpg)
Emulating a BGP Routerhttps://code.google.com/p/py-radix/
192.0.0.0/8 AS1
192.28.0.0/22 AS2 AS3 192.128.0.0/10 AS4 AS5
192.160.0.0/11 AS7 192.168.128.0/22 AS42
Processing an UPDATE message{ "timestamp":1409750436, "peer_as":25152,"as_path":"1234 666 ","announce":[" 192.168.128.0/24 "], "withdraw":[] }
ANSSI - Detecting BGP hijacks in 2014 23/53
![Page 54: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/54.jpg)
Emulating a BGP Routerhttps://code.google.com/p/py-radix/
192.0.0.0/8 AS1
192.28.0.0/22 AS2 AS3 192.128.0.0/10 AS4 AS5
192.160.0.0/11 AS7 192.168.128.0/22 AS42
Processing an UPDATE message{ "timestamp":1409750436, "peer_as":25152,"as_path":"1234 666 ","announce":[" 192.168.128.0/24 "], "withdraw":[] }
ANSSI - Detecting BGP hijacks in 2014 23/53
![Page 55: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/55.jpg)
Putting Everything Together
Raw BGP BGP parser Emulate BGP{ }JSON
A simple processing chain• each month is processed separately• fast enough if few ASes are monitored
ANSSI - Detecting BGP hijacks in 2014 24/53
![Page 56: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/56.jpg)
Putting Everything Together
Raw BGP BGP parser Emulate BGP{ }JSON
Processing 50k ASes• emulated routers handle different AS• with 8 cores, a month is processed in 10 hours
With 13 collectors, 156 months must be processed per year !ANSSI - Detecting BGP hijacks in 2014 24/53
![Page 57: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/57.jpg)
Faster Conflicts DetectionScaling by adding cores
Raw BGP BGP parser Emulate BGP{ }JSON
Raw BGP BGP parser Emulate BGP{ }JSON
Raw BGP BGP parser Emulate BGP{ }JSON
Raw BGP BGP parser Emulate BGP{ }JSON
Conflicts detection• completes in one week with 120 cores on 5 servers
• generates 130 GB per year• 11 536 345 959 conflicts
• from January to October 2014
ANSSI - Detecting BGP hijacks in 2014 25/53
![Page 58: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/58.jpg)
Faster Conflicts DetectionScaling by adding cores
Raw BGP BGP parser Emulate BGP{ }JSON
Raw BGP BGP parser Emulate BGP{ }JSON
Raw BGP BGP parser Emulate BGP{ }JSON
Raw BGP BGP parser Emulate BGP{ }JSON
Conflict example{ "timestamp":1409782437, "collector": "rrc07",
"announce": { "prefix": " 192.50.44.0/24 ", "asn": 666 ,"as_path": "25152 6939 667 666"},
"conflict_with": {"prefix": " 192.50.44.0/24 ", "asn": 7500 }}
ANSSI - Detecting BGP hijacks in 2014 25/53
![Page 59: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/59.jpg)
Accessing The Datahttp://discoproject.org
Disco?• automatic data distribution & replication
• like HDFS• MapReduce framework in Python
• like Hadoop
ANSSI - Detecting BGP hijacks in 2014 26/53
![Page 60: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/60.jpg)
Accessing The Datahttp://discoproject.org
From BIG DATA to small data
• one hour to extract conflicts targeting 1000 ASes• close to the number of French & Japanese ASes
• 70 millions conflicts per country• 200MB
ANSSI - Detecting BGP hijacks in 2014 26/53
![Page 61: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/61.jpg)
Classifying Conflicts - 1/3Using route objects
Validating a single conflict{ "timestamp": 1409782437, "collector": "rrc07",
"announce": { "prefix": " 192.50.44.0/24 ", "asn": 666 ,"as_path": "25152 6939 667 666"},
"conflict_with": {"prefix": "192.50.44.0/24", "asn": 7500}}
ANSSI - Detecting BGP hijacks in 2014 27/53
![Page 62: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/62.jpg)
Classifying Conflicts - 1/3Using route objects
Validating a single conflict{ "timestamp": 1409782437, "collector": "rrc07",
"announce": { "prefix": " 192.50.44.0/24 ", "asn": 666 ,"as_path": "25152 6939 667 666"},
"conflict_with": {"prefix": "192.50.44.0/24", "asn": 7500}}
$ whois -T route 192.50.44.0/24
route: 192.50.44.0/24descr: Example prefixorigin: AS666mnt-by: AS666-MNT
ANSSI - Detecting BGP hijacks in 2014 27/53
![Page 63: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/63.jpg)
Classifying Conflicts - 1/3Using route objects
Validating a single conflict{ "timestamp": 1409782437, "collector": "rrc07",
"announce": { "prefix": " 192.50.44.0/24 ", "asn": 666 ,"as_path": "25152 6939 667 666"},
"conflict_with": {"prefix": "192.50.44.0/24", "asn": 7500}}
$ whois -T route 192.50.44.0/24
route: 192.50.44.0/24descr: Example prefixorigin: AS666mnt-by: AS666-MNT
ANSSI - Detecting BGP hijacks in 2014 27/53
![Page 64: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/64.jpg)
Classifying Conflicts - 1/3Using route objects
Validating 70 millions conflicts• all of them must be verified• online queries are too slow
• WHOIS databases are loaded daily into PostgreSQL• the ip4r type is used for fast prefix lookups
>>> client = Client("ripe")>>> client.check("210.158.206.0/24", 17676, "2014/07/28")True
0.01% conflicts removed32% conflicts removed
ANSSI - Detecting BGP hijacks in 2014 27/53
![Page 65: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/65.jpg)
Classifying Conflicts - 2/3Using relations between AS objects
$ whois AS15557aut-num: AS15557as-name: LDCOMNETdescr: SFRorg: ORG-LA7-RIPEadmin-c: LD699-RIPEtech-c: LDC76-RIPEstatus: ASSIGNEDmnt-by: LDCOM-MNTmnt-routes: FMCF-MNTmnt-routes: LDCOM-MNTsource: RIPE
$ whois AS41272aut-num: AS41272as-name: MOSELLE-TELE-ASdescr: MOSELLE TELECOMorg: ORG-MT18-RIPEadmin-c: LD699-RIPEtech-c: LDC76-RIPEstatus: ASSIGNEDmnt-by: MOSELLE-TELE-MNT
mnt-routes: MOSELLE-TELE-MNTsource: RIPE
2% conflicts removed54% conflicts removed
ANSSI - Detecting BGP hijacks in 2014 28/53
![Page 66: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/66.jpg)
Classifying Conflicts - 3/3Using client/provider connectivity
{ "timestamp": 1409750436,"announce": { "prefix": "192.0.2.0/24", "asn": 666,
"as_path": "... 1000 666" },"conflict_with": {"prefix": "192.0.0.0/16", "asn": 1000 } }
Client/Provider relation
Internet AS1000 AS666
192.168.0.0/16 1000192.0.2.0/24 1000 666
BGP
5% conflicts removed3% conflicts removed
ANSSI - Detecting BGP hijacks in 2014 29/53
![Page 67: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/67.jpg)
Classifying Conflicts - 3/3Using client/provider connectivity
{ "timestamp": 1409750436,"announce": { "prefix": "192.0.2.0/24", "asn": 666,
"as_path": "... 1000 666" },"conflict_with": {"prefix": "192.0.0.0/16", "asn": 1000 } }
Client/Provider relation
Internet AS1000 AS666
192.168.0.0/16 1000192.0.2.0/24 1000 666
BGP
5% conflicts removed3% conflicts removed
ANSSI - Detecting BGP hijacks in 2014 29/53
![Page 68: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/68.jpg)
Classifying Conflicts - 3/3Using client/provider connectivity
{ "timestamp": 1409750436,"announce": { "prefix": "192.0.2.0/24", "asn": 666,
"as_path": "... 1000 666" },"conflict_with": {"prefix": "192.0.0.0/16", "asn": 1000 } }
Client/Provider relation
Internet AS1000 AS666
192.168.0.0/16 1000192.0.2.0/24 1000 666
BGP
5% conflicts removed3% conflicts removed
ANSSI - Detecting BGP hijacks in 2014 29/53
![Page 69: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/69.jpg)
Classifying conflictsSummary
Validated Related Connected Abnormal0 %
30 %
60 %
90 %
32
54
311
0 2 5
93
Perc
enta
geof
confl
icts
France Japan
42 millions abnormal conflicts8 millions abnormal conflicts
ANSSI - Detecting BGP hijacks in 2014 30/53
![Page 70: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/70.jpg)
Computing durationsFrom conflicts to events
Time| | | | | | | | | | | |
Before aggregation{ "timestamp": 20141111.0, "collector": "rrc99" ,
"type": "RELATION","announce": { "prefix": "1.6.28.0/24", "asn": 666 }"conflict_with": {"prefix": "1.6.0.0/18", "asn": 1000 } }
{ "timestamp": 20141231.0, "collector": "rrc66" ,type": "RELATION","announce": { "prefix": "1.6.28.0/24", "asn": 666 }"conflict_with": {"prefix": "1.6.0.0/18", "asn": 1000 } }
ANSSI - Detecting BGP hijacks in 2014 31/53
![Page 71: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/71.jpg)
Computing durationsFrom conflicts to events
Time| | | | | | | | | | | |
After aggregation{ "conflict_with" : { "prefix" : "1.6.0.0/18", "asn" : 1000 },
"origin" : { "prefix" : "1.6.28.0/24", "asn" : 666 },"begin": 20141111.0, "end" : 20141231.0,"peers" : [ "rrc99", "rrc66" ],"type" : "RELATION" }
74 084 events73 902 events
ANSSI - Detecting BGP hijacks in 2014 31/53
![Page 72: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/72.jpg)
Events VisualizationA French AS
10/28/2014 localhost:2807/timeslots/AS3215
http://localhost:2807/timeslots/AS3215 1/1
2014 February March April May June July August September October November December
ANSSI - Detecting BGP hijacks in 2014 32/53
![Page 73: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/73.jpg)
Events VisualizationA Japanese AS
10/28/2014 localhost:2807/timeslots/AS2706
http://localhost:2807/timeslots/AS2706 1/1
2014 February March April May June July August September October
ANSSI - Detecting BGP hijacks in 2014 32/53
![Page 74: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/74.jpg)
Reducing The Number of EventsAutomatically
Simple rules• remove events that change categories• remove events if ASes belongs to the same country• remove events longer than 6 months• remove associated events
From 2154 prefixes in conflict to 557From 4519 prefixes in conflict to 289
ANSSI - Detecting BGP hijacks in 2014 33/53
![Page 75: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/75.jpg)
Looking For Hijacks
ANSSI - Detecting BGP hijacks in 2014 34/53
![Page 76: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/76.jpg)
Reducing The Number of EventsManually
Interesting results• similar AS names
• PACNET-MY Pacnet MY and PACNET Pacnet Global Ltd
• AS under DDoS protection• the DDoS mitigation companies announces /24
• typos in AS numbers• 2208 and 208
• hijacks that were used to steal bitcoins• AS18863 was at the origin of some of these hijacks
• some events were never detected by operators• ...
ANSSI - Detecting BGP hijacks in 2014 35/53
![Page 77: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/77.jpg)
Closing Remarks
Since January 2014, there are:
69 suspicious events102 suspicious events
Around 10 hijacks per year target French operators
ANSSI - Detecting BGP hijacks in 2014 36/53
![Page 78: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/78.jpg)
Real-time BGP Hijack Detection
![Page 79: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/79.jpg)
Targeted Internet Traffic MisdirectionReported by Renesys on November, 2013
ANSSI - Detecting BGP hijacks in 2014 38/53
![Page 80: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/80.jpg)
Real-time Detection Goals
BGP messages Hijacks
Alerts
Measurements
ANSSI - Detecting BGP hijacks in 2014 39/53
![Page 81: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/81.jpg)
Detection Requirementshttps://github.com/spotify/luigi
{ }
Fetching Tasks• Internet registries• raw BGP data
Processing Tasks• synchronise whois databases• parse BGP data to JSON• create IP prefix to origin AS mapping
ANSSI - Detecting BGP hijacks in 2014 40/53
![Page 82: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/82.jpg)
Detection Requirementshttps://github.com/spotify/luigi
{ }
Fetching Tasks• Internet registries• raw BGP data
Processing Tasks• synchronise whois databases• parse BGP data to JSON• create IP prefix to origin AS mapping
ANSSI - Detecting BGP hijacks in 2014 40/53
![Page 83: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/83.jpg)
BGP Hijack Reporting
What must be reported• only suspicious BGP hijacks• about 50 events per week
< hadron> 2a04:8000::/29 is announced from multiple origins:< hadron> SFR-BUSINESS-TEAM (AS12566)< hadron> Ukraine-AS (AS200000)< hadron> First originated from SFR-BUSINESS-TEAM (AS12566)
ANSSI - Detecting BGP hijacks in 2014 41/53
![Page 84: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/84.jpg)
BGP Hijack ReportingIRC is so 2014
What must be reported• only suspicious BGP hijacks• about 50 events per week
< hadron> 2a04:8000::/29 is announced from multiple origins:< hadron> SFR-BUSINESS-TEAM (AS12566)< hadron> Ukraine-AS (AS200000)< hadron> First originated from SFR-BUSINESS-TEAM (AS12566)
ANSSI - Detecting BGP hijacks in 2014 41/53
![Page 85: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/85.jpg)
BGP Hijack Troubleshooting
< hadron> 2a04:8000::/29 is announced from multiple origins:< hadron> SFR-BUSINESS-TEAM (AS12566)< hadron> Ukraine-AS (AS200000)< hadron> First originated from SFR-BUSINESS-TEAM (AS12566)
$ whois 2a04:8000::/29inet6num: 2a04:8000::/29netname: UA-UAHOSTINGdescr: Hosting Ukrainecountry: UAorg: ORG-HUL6-RIPE
$ whois -i org ORG-HUL6-RIPEaut-num: AS200000as-name: Ukraine-ASdescr: Hosting Ukraineorg: ORG-HUL6-RIPE
ANSSI - Detecting BGP hijacks in 2014 42/53
![Page 86: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/86.jpg)
BGP Hijack Troubleshooting
< hadron> 2a04:8000::/29 is announced from multiple origins:< hadron> SFR-BUSINESS-TEAM (AS12566)< hadron> Ukraine-AS (AS200000)< hadron> First originated from SFR-BUSINESS-TEAM (AS12566)
$ whois 2a04:8000::/29inet6num: 2a04:8000::/29netname: UA-UAHOSTINGdescr: Hosting Ukrainecountry: UAorg: ORG-HUL6-RIPE
$ whois -i org ORG-HUL6-RIPEaut-num: AS200000as-name: Ukraine-ASdescr: Hosting Ukraineorg: ORG-HUL6-RIPE
ANSSI - Detecting BGP hijacks in 2014 42/53
![Page 87: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/87.jpg)
BGP Hijack Troubleshooting
< hadron> 2a04:8000::/29 is announced from multiple origins:< hadron> SFR-BUSINESS-TEAM (AS12566)< hadron> Ukraine-AS (AS200000)< hadron> First originated from SFR-BUSINESS-TEAM (AS12566)
$ whois 2a04:8000::/29inet6num: 2a04:8000::/29netname: UA-UAHOSTINGdescr: Hosting Ukrainecountry: UAorg: ORG-HUL6-RIPE
$ whois -i org ORG-HUL6-RIPE
aut-num: AS200000as-name: Ukraine-ASdescr: Hosting Ukraineorg: ORG-HUL6-RIPE
ANSSI - Detecting BGP hijacks in 2014 42/53
![Page 88: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/88.jpg)
BGP Hijack Troubleshooting
< hadron> 2a04:8000::/29 is announced from multiple origins:< hadron> SFR-BUSINESS-TEAM (AS12566)< hadron> Ukraine-AS (AS200000)< hadron> First originated from SFR-BUSINESS-TEAM (AS12566)
$ whois 2a04:8000::/29inet6num: 2a04:8000::/29netname: UA-UAHOSTINGdescr: Hosting Ukrainecountry: UAorg: ORG-HUL6-RIPE
$ whois -i org ORG-HUL6-RIPEaut-num: AS200000as-name: Ukraine-ASdescr: Hosting Ukraineorg: ORG-HUL6-RIPE
ANSSI - Detecting BGP hijacks in 2014 42/53
![Page 89: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/89.jpg)
BGP Hijack Troubleshooting
< hadron> 2a04:8000::/29 is announced from multiple origins:< hadron> SFR-BUSINESS-TEAM (AS12566)< hadron> Ukraine-AS (AS200000)< hadron> First originated from SFR-BUSINESS-TEAM (AS12566)
$ whois 2a04:8000::/29inet6num: 2a04:8000::/29netname: UA-UAHOSTINGdescr: Hosting Ukrainecountry: UAorg: ORG-HUL6-RIPE
$ whois -i org ORG-HUL6-RIPEaut-num: AS200000as-name: Ukraine-ASdescr: Hosting Ukraineorg: ORG-HUL6-RIPE
ANSSI - Detecting BGP hijacks in 2014 42/53
![Page 90: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/90.jpg)
BGP Hijack Troubleshooting
< hadron> 2a04:8000::/29 is announced from multiple origins:< hadron> SFR-BUSINESS-TEAM (AS12566)< hadron> Ukraine-AS (AS200000)< hadron> First originated from SFR-BUSINESS-TEAM (AS12566)
Analysis Result• 2a04:8000::/29 belongs to the Ukrainian operator
• 2a04:0800::/29 belongs to the French operator• French operator made a mistake in its BGP configuration
It was a false positive, the route6 object was created a few dayslater by the Ukrainian operator.
ANSSI - Detecting BGP hijacks in 2014 43/53
![Page 91: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/91.jpg)
BGP Hijack Troubleshooting
< hadron> 2a04:8000::/29 is announced from multiple origins:< hadron> SFR-BUSINESS-TEAM (AS12566)< hadron> Ukraine-AS (AS200000)< hadron> First originated from SFR-BUSINESS-TEAM (AS12566)
Analysis Result• 2a04:8000::/29 belongs to the Ukrainian operator• 2a04:0800::/29 belongs to the French operator• French operator made a mistake in its BGP configuration
It was a false positive, the route6 object was created a few dayslater by the Ukrainian operator.
ANSSI - Detecting BGP hijacks in 2014 43/53
![Page 92: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/92.jpg)
BGP Hijack Troubleshooting
< hadron> 2a04:8000::/29 is announced from multiple origins:< hadron> SFR-BUSINESS-TEAM (AS12566)< hadron> Ukraine-AS (AS200000)< hadron> First originated from SFR-BUSINESS-TEAM (AS12566)
Analysis Result• 2a04:8000::/29 belongs to the Ukrainian operator• 2a04:0800::/29 belongs to the French operator• French operator made a mistake in its BGP configuration
It was a false positive, the route6 object was created a few dayslater by the Ukrainian operator.
ANSSI - Detecting BGP hijacks in 2014 43/53
![Page 93: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/93.jpg)
Malicious BGP Hijack
< hadron> 185.73.204.0/22 is announced from multiple origins:< hadron> ALPHALINK-AS (AS25540)< hadron> TEHNOGRUP (AS198596)
ANSSI - Detecting BGP hijacks in 2014 44/53
![Page 94: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/94.jpg)
https://stat.ripe.net/AS198596
Announces from September to October 2014
ANSSI - Detecting BGP hijacks in 2014 45/53
![Page 95: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/95.jpg)
Malicious BGP HijackInfected AS_PATH
< hadron> 185.73.204.0/22 is announced from multiple origins:< hadron> ALPHALINK-AS (AS25540)< hadron> TEHNOGRUP (AS198596)< hadron> AS_PATH: 8607 39792 44050 131788 198596
ANSSI - Detecting BGP hijacks in 2014 46/53
![Page 96: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/96.jpg)
Malicious BGP HijackInfected AS_PATH
< hadron> 185.73.204.0/22 is announced from multiple origins:< hadron> ALPHALINK-AS (AS25540)< hadron> TEHNOGRUP (AS198596)< hadron> AS_PATH: 8607 39792 44050 131788 198596
Definition• infected ASes accepted the hijacking BGP update• traffic to the hijacked prefix go to the hijacker’s network
ANSSI - Detecting BGP hijacks in 2014 46/53
![Page 97: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/97.jpg)
Malicious BGP HijackInfected AS_PATH
< hadron> 185.73.204.0/22 is announced from multiple origins:< hadron> ALPHALINK-AS (AS25540)< hadron> TEHNOGRUP (AS198596)< hadron> AS_PATH: 8607 39792 44050 131788 198596
Definition• infected ASes accepted the hijacking BGP update• traffic to the hijacked prefix go to the hijacker’s network
How do we launch active measurements from these ASes?
ANSSI - Detecting BGP hijacks in 2014 46/53
![Page 98: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/98.jpg)
RIPE Atlas Measurement Projecthttps://atlas.ripe.net/
• 7100 probes in around 2000 ASes• probes hosted by the community• user-defined measurements• ping, traceroute, HTTP, TLS and DNS• public API
ANSSI - Detecting BGP hijacks in 2014 47/53
![Page 99: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/99.jpg)
ANSSI - Detecting BGP hijacks in 2014 48/53
![Page 100: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/100.jpg)
Atlas Meets Our Needs
We always found a probe to launch our measurements!• 250 possible hijacks from september to november 2014• AS_PATH are from the London based RIPE collector
Number of probes found in infected ASes:
2 4 6 8 10 12 140 %
5 %
10 %
15 %
20 %
Num of probes
Hija
cks
ANSSI - Detecting BGP hijacks in 2014 49/53
![Page 101: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/101.jpg)
Atlas Meets Our Needs
We always found a probe to launch our measurements!• 250 possible hijacks from september to november 2014• AS_PATH are from the London based RIPE collector
Number of probes found in infected ASes:
2 4 6 8 10 12 140 %
5 %
10 %
15 %
20 %
Num of probes
Hija
cks
ANSSI - Detecting BGP hijacks in 2014 49/53
![Page 102: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/102.jpg)
Traceroute Example
< hadron> 185.73.204.0/22 is announced from multiple origins:< hadron> ALPHALINK-AS (AS25540)< hadron> TEHNOGRUP (AS198596)< hadron> AS_PATH: 8607 39792 44050 131788 198596
Traceroute to185.73.204.1
1. 10.10.10.12. 82.118.96.13. 188.124.228.14. 95.215.3.785. * * *
ANSSI - Detecting BGP hijacks in 2014 50/53
![Page 103: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/103.jpg)
Traceroute Example
< hadron> 185.73.204.0/22 is announced from multiple origins:< hadron> ALPHALINK-AS (AS25540)< hadron> TEHNOGRUP (AS198596)< hadron> AS_PATH: 8607 39792 44050 131788 198596
Traceroute to185.73.204.1
1. 10.10.10.12. 82.118.96.13. 188.124.228.14. 95.215.3.785. * * *
ANSSI - Detecting BGP hijacks in 2014 50/53
![Page 104: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/104.jpg)
Traceroute Example
< hadron> 185.73.204.0/22 is announced from multiple origins:< hadron> ALPHALINK-AS (AS25540)< hadron> TEHNOGRUP (AS198596)< hadron> AS_PATH: 8607 39792 44050 131788 198596
Traceroute to185.73.204.1
1. 10.10.10.12. 82.118.96.13. 188.124.228.14. 95.215.3.785. * * *
ANSSI - Detecting BGP hijacks in 2014 50/53
![Page 105: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/105.jpg)
Traceroute Example
< hadron> 185.73.204.0/22 is announced from multiple origins:< hadron> ALPHALINK-AS (AS25540)< hadron> TEHNOGRUP (AS198596)< hadron> AS_PATH: 8607 39792 44050 131788 198596
Traceroute to185.73.204.1
1. 10.10.10.12. 82.118.96.13. 188.124.228.14. 95.215.3.785. * * *
ANSSI - Detecting BGP hijacks in 2014 50/53
![Page 106: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/106.jpg)
Traceroute Example
< hadron> 185.73.204.0/22 is announced from multiple origins:< hadron> ALPHALINK-AS (AS25540)< hadron> TEHNOGRUP (AS198596)< hadron> AS_PATH: 8607 39792 44050 131788 198596
Traceroute to185.73.204.1
1. 10.10.10.12. 82.118.96.13. 188.124.228.14. 95.215.3.785. * * *
ANSSI - Detecting BGP hijacks in 2014 50/53
![Page 107: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/107.jpg)
Traceroute Example
< hadron> 185.73.204.0/22 is announced from multiple origins:< hadron> ALPHALINK-AS (AS25540)< hadron> TEHNOGRUP (AS198596)< hadron> AS_PATH: 8607 39792 44050 131788 198596
Closing Remarks• traceroute stops at AS44050 (PIN-AS)• AS131788 and AS198596 are most certainly placeholders• AS44050 (PIN-AS) is already known for previous hijacks
ANSSI - Detecting BGP hijacks in 2014 51/53
![Page 108: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/108.jpg)
Conclusion
• wide scale BGP hijacks automatic detection• only a few really hijacks per year regarding France and Japan• early detection and reporting• on-going work to identify traffic redirection
Take away messages1. packets can be redirected on the Internet2. traffic must be encrypted and authenticated3. operators must monitor their prefixes and be ready to make
more specific announcements4. networking Best Current Practices must be enforced
ANSSI - Detecting BGP hijacks in 2014 52/53
![Page 109: Detecting BGP hijacks in 2014 - PacSec · source: JPNIC ANSSI - Detecting BGP hijacks in 2014 8/53. Access to Internet Resources Allocation The WHOIS protocol $ whois AS4713 aut-num:](https://reader030.fdocuments.in/reader030/viewer/2022041118/5f2fbe68f9fcb3375309ee90/html5/thumbnails/109.jpg)
Questions?
Related publication• BGP configuration best practices (English & French)
ANSSI - Detecting BGP hijacks in 2014 53/53