1 / 32

BGPmon

BGPmon.net. Prefix hijacking! Do you know who's routing your network? Andree Toonk Andree@bgpmon.net. Where will we go today. The Internet & BGP 101 Example hijacks Methods to detect hijacks Demo Questions. This session contains technical content. Why Should You Care?.

lberryman
Download Presentation

BGPmon

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. BGPmon.net Prefix hijacking! Do you know who's routing your network? Andree Toonk Andree@bgpmon.net

  2. Where will we go today • The Internet & BGP 101 • Example hijacks • Methods to detect hijacks • Demo • Questions This session contains technical content

  3. Why Should You Care? • Because others can intercept your traffic without you noticing it. • Because your traffic can be altered, dropped, stored, etc • Because if your Internet connection is essential for your business • It will cost you money!

  4. The Internet & BGP 101 AS1 AS2 AS3 • Collection of Networks called Autonomous Systems • AS identified by a number • Together make up the Internet AS5 AS4 AS7 AS6 AS8

  5. The Internet & BGP 101 AS2 AS3 192.0.2.0/24 Hi, AS3, Just sent all your traffic to me and I make sure it will get to its destination AS5 • AS3 is a collection of prefixes • AS3 has 1 upstream ISP: (AS5) • AS3 and AS2 are direct peers

  6. The Internet & BGP 101 AS1 AS2 AS3 • How to get from AS6 to AS3? • Shortage path: 4 5 3 • AS path: 4 5 3 • Several longer alternative paths AS5 AS4 AS7 AS6 AS8

  7. The Internet & BGP 101 I’m AS2 and my prefixes are:10.10.10.0/24 12.12.0.0/16 I’m AS3 and my prefixes are: 10.0.0.0/8 11.11.0.0/16 2 3 4 6 7 Remember more specific always wins. If you want to reach 10.10.10.10 10.10.10.0/24 is chosen over 10.0.0.0/8 I’m AS6, my BGP table: My BGP table: *> 10.0.0.0/8: 4 3 *> 10.10.10.0/24: 4 2*> 11.11.0.0/16: 4 3 *> 12.12.0.0/16: 4 2

  8. The Internet & BGP 101 • Each AS talks BGP to its neighbors (peers) • Each AS announces its prefixes to his peers • Upstream ISP’s re-announce that to its peers • AS path is used for loop prevention and to see how it’s routed • Today in global routing table: • ~290.000 prefixes • ~ 32.000 ASns

  9. What’s the problem? Inter domain routing is based on trust Anyone can start announcing someone else prefix and start attracting traffic for that network Well known example is the YouTube.com Hijack, Feb. 2008

  10. What’s the problem? Very secure Online banking server 10.10.10.10 AS100 AS200 I can reach 10.10.0.0/16 AS300 Bob

  11. What’s the problem? Very secure Online banking server 10.10.10.10 FAKE Very secure Online banking server10.10.10.10 AS100 AS200 I can reach 10.10.0.0/16 I can reach 10.10.10.0/24 AS300 Bob

  12. YouTube.com Hijack ~$ host www.youtube.com www.youtube.com is an alias for youtube.l.google.com. youtube.l.google.com has address 208.65.153.25 Stable situation: Hijack by Pakistan Telecom:February 24 2008 > Pakistan’s government orders Pakistan Telecom to block YouTube.com. They accidentally ‘leak’ this to the rest of the Internet. Result:YouTube traffic is now routed to Pakistan. YouTube.com unreachable, millions of unhappy users and lost revenue

  13. What’s the problem? • Hijacks really happen • Mostly accidental • Would you know what to do if this happens to you? • Or would you even be able to tell this is happening?

  14. Detecting Hijacks Number of tools to help you detect hijacks • Commercial products • Free community services • BGPmon.net • Free Service for the community • Allows you to monitor your prefixes for ‘interesting’ events and hijacks.

  15. Feature overview • Feature rich: • Alarm classifier • IPv4 & IPv6 support • 2 & 4 byte ASN support • Fast notification time (~10min) • Overview of historical alarms in web portal • Regular expressions support • Peer Threshold support • IRR support • Bogon detection • And more… Monitor for hijacks, Accidental leaks & instability

  16. Architecture Parser / analyzer BGP updates repository RIPE RIS project Classifier Presentation & Notification

  17. Event Classifier Classifying event by type helps to determine the cause & impact Three main event types: • Monitor your own network for configuration errors. • Monitor stability of your prefixes. • Monitor for hijacks by others.

  18. Your own announcements Detect configuration errors ASAP Stable situation: 142.231.0.0/16 Originated by AS271 Configuration change, causing you to leak: 142.231.0.0/17 Originated by AS271

  19. Monitor Prefix stability Large number of withdraws for your prefix means reachability issues Possible cause could be problem with: your border router your upstream large IX somewhere …..

  20. ASpath monitoring Flexible monitoring using regular expressions • Useful for if you have many peers • Useful when monitoring some specific traffic engineering situations. Example: $prefix may show behind ANY of my peers except $AS_Expensive • Regular expression generator available

  21. Detecting Hijacks Obvious hijacks • Your prefix, but origin AS is not yours. • YouTube hijack last year ==================================================================== Possible Prefix Hijack (Code: 10) ==================================================================== Your prefix: 208.65.152.0/22: Update time: 2008-02-24 18:48 (UTC) Detected by #peers: 44 Detected prefix: 208.65.153.0/24 Announced by: AS17557 (PKTELECOM-AS-AP Pakistan Telecom) Upstream AS: 3491 (PCCWGlobal-ASN) ASpath: 26943 23352 3491 17557 Mark as false alert: http://bgpmon.net/fp.php?aid=21659961

  22. BGP MITM attacks Not so obvious hijacks • As demonstrated at Defcon last summer (“Stealing the Internet”) Looks like: • A more specific of your prefix. • Looks like it’s originated by your AS • Result: looks like a ‘regular’ leak by my AS

  23. BGP MITM attacks AS900 attacker Before AS700 sees: *> 192.0.2.0/22: 200 100 AS300 AS500 AS700 bob AS400 AS200 AS100 Victim 192.0.2.0/22

  24. BGP MITM attacks I have a route to 192.0.2.0/24 via 500 400 100 AS900 attacker I will sent data for 192.0.2.0/24 to attacker AS300 AS500 AS700 bob AS400 AS200 Attack scenario AS700 sees:*> 192.0.2.0/22: 200 100 *> 192.0.2.0/24: 300 900 500 400 100 AS900 is now able to intercept traffic towards AS100 AS100 Victim 192.0.2.0/22

  25. BGP MITM attacks How can we detect an attack like this? • New More Specific Route • New AS path • ASpath not “valley free” • BGPmon.net will detect this

  26. BGP MITM attacks ==================================================================== Possible BGP MITM attack (Code: 21) ==================================================================== Your prefix: 24.120.56.0/22: Update time: 2008-08-10 19:33 (UTC) Detected by #peers: 16 Detected prefix: 24.120.56.0/24 Announced by: AS20195 (SPARKLV-1 - Sparkplug Las Vegas, Inc.) Upstream AS: 23005 (SWITCH-COMMUNICATIONS) ASpath: 24875 6461 3561 26627 4436 22822 23005 20195 Mark as false alert: http://bgpmon.net/fp.php?aid=19263621

  27. My Prefixes

  28. My Updates

  29. Customize

  30. What if…. • What if this happened to your network… • First step is detection! • Start announcing more specifics • Contact origin AS and his upstream(s)

  31. Wrap up • The inter-domain routing system (BGP) is insecure • No way to verify of someone is speaking the truth • ‘Hijacks’ and prefix leaks happen frequently • Free tools available for monitoring and detection • BGPmon.net free feature rich service • Great tool for network administrators

  32. Questions? Andree@bgpmon.net Try the demo @ http://BGPmon.net Thanks BCNET & University of British Columbia for your support!

More Related