Presentation Transcript


BGPmon.net

Prefix hijacking!

Do you know who's routing your network?

Andree Toonk

[email protected]


Where will we go today

  • The Internet & BGP 101

  • Example hijacks

  • Methods to detect hijacks

  • Demo

  • Questions

This session contains technical content


Why Should You Care?

  • Because others can intercept your traffic without you noticing it.

  • Because your traffic can be altered, dropped, stored, etc.

  • Because if your Internet connection is essential for your business, it will cost you money!


The Internet & BGP 101

[Diagram: Autonomous Systems AS1 through AS8 connected to each other]

  • Collection of networks called Autonomous Systems

  • Each AS is identified by a number

  • Together they make up the Internet

The Internet & BGP 101

[Diagram: AS3 holds 192.0.2.0/24; AS2 and AS5 are its neighbors. Speech bubble: “Hi AS3, just send all your traffic to me and I’ll make sure it gets to its destination.”]

  • AS3 is a collection of prefixes

  • AS3 has one upstream ISP (AS5)

  • AS3 and AS2 are direct peers


The Internet & BGP 101

[Diagram: AS1 through AS8 connected; AS6 reaches AS3 via AS4 and AS5]

  • How to get from AS6 to AS3?

  • Shortest path: 4 5 3

  • AS path: 4 5 3

  • Several longer alternative paths

The Internet & BGP 101

AS2: “I’m AS2 and my prefixes are: 10.10.10.0/24, 12.12.0.0/16”

AS3: “I’m AS3 and my prefixes are: 10.0.0.0/8, 11.11.0.0/16”

[Diagram: AS2, AS3, AS4, AS6 and AS7 connected]

Remember: the more specific prefix always wins. If you want to reach 10.10.10.10, 10.10.10.0/24 is chosen over 10.0.0.0/8.

AS6: “My BGP table:”

    *> 10.0.0.0/8: 4 3

    *> 10.10.10.0/24: 4 2

    *> 11.11.0.0/16: 4 3

    *> 12.12.0.0/16: 4 2


The Internet & BGP 101

  • Each AS talks BGP to its neighbors (peers)

  • Each AS announces its prefixes to its peers

  • Upstream ISPs re-announce them to their peers

  • The AS path is used for loop prevention and to see how a prefix is routed

  • Today in the global routing table:

    • ~290,000 prefixes

    • ~32,000 ASNs


What’s the problem?

Inter-domain routing is based on trust.

Anyone can start announcing someone else’s prefix and start attracting traffic for that network.

A well-known example is the YouTube.com hijack, Feb. 2008.


What’s the problem?

[Diagram: a “Very secure Online banking server” at 10.10.10.10; AS100, AS200, AS300, and Bob. Announcement: “I can reach 10.10.0.0/16”.]


What’s the problem?

[Diagram: the same “Very secure Online banking server” at 10.10.10.10 plus a “FAKE Very secure Online banking server”, also 10.10.10.10; AS100, AS200, AS300, and Bob. Announcements: “I can reach 10.10.0.0/16” and “I can reach 10.10.10.0/24”.]


YouTube.com Hijack

    ~$ host www.youtube.com

    www.youtube.com is an alias for youtube.l.google.com.

    youtube.l.google.com has address 208.65.153.25

Stable situation:

Hijack by Pakistan Telecom, February 24 2008: Pakistan’s government orders Pakistan Telecom to block YouTube.com. They accidentally ‘leak’ this to the rest of the Internet.

Result: YouTube traffic is now routed to Pakistan. YouTube.com is unreachable; millions of unhappy users and lost revenue.


What’s the problem?

  • Hijacks really happen

    • Mostly accidental

  • Would you know what to do if this happens to you?

  • Or would you even be able to tell this is happening?


Detecting Hijacks

A number of tools can help you detect hijacks:

  • Commercial products

  • Free community services

  • BGPmon.net

    • Free service for the community

    • Allows you to monitor your prefixes for ‘interesting’ events and hijacks.


Feature overview

  • Feature rich:

    • Alarm classifier

    • IPv4 & IPv6 support

    • 2 & 4 byte ASN support

    • Fast notification time (~10 min)

    • Overview of historical alarms in web portal

    • Regular expression support

    • Peer threshold support

    • IRR support

    • Bogon detection

    • And more…

Monitor for hijacks, accidental leaks & instability


Architecture

[Architecture diagram; components:]

  • Parser / analyzer

  • BGP updates repository

  • RIPE RIS project

  • Classifier

  • Presentation & Notification


Event Classifier

Classifying events by type helps to determine their cause & impact.

Three main event types:

  • Monitor your own network for configuration errors.

  • Monitor stability of your prefixes.

  • Monitor for hijacks by others.


Your own announcements

Detect configuration errors ASAP

Stable situation:

142.231.0.0/16 Originated by AS271

Configuration change, causing you to leak:

142.231.0.0/17 Originated by AS271


Monitor Prefix stability

A large number of withdrawals for your prefix means reachability issues.

Possible causes could be a problem with:

  • your border router

  • your upstream

  • a large IX somewhere

  • …


ASpath monitoring

Flexible monitoring using regular expressions

  • Useful if you have many peers

  • Useful when monitoring some specific traffic engineering situations.

    Example: $prefix may show up behind ANY of my peers except $AS_Expensive

  • Regular expression generator available
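An added Python example (not part of the presentation) of the kind of regular expression the slide describes: the prefix is accepted only when the origin, AS271 from the earlier slide, sits directly behind one of the allowed peers; the peer ASNs 64496 and 64497 and the “expensive” AS 64500 are constructed placeholder values.

```python
import re


def build_aspath_regex(origin_asn, allowed_upstreams):
    """Compile the pattern 'origin may show behind ANY of these peers'.
    AS paths are space-separated, collector first, origin last, so the
    allowed peer must be the AS immediately in front of our origin."""
    alts = "|".join(str(asn) for asn in sorted(allowed_upstreams))
    return re.compile(rf"^(\d+ )*({alts}) {origin_asn}$")


def aspath_alarm(pattern, as_path):
    """True when the observed AS path does not match the expected pattern,
    i.e. the prefix shows up behind a peer we did not allow, or with a foreign origin."""
    return pattern.fullmatch(as_path.strip()) is None


def check_updates(pattern, as_paths):
    """Return the subset of observed AS paths that should raise an alarm."""
    return [path for path in as_paths if aspath_alarm(pattern, path)]


# Constructed: AS271 from the slides; 64496/64497 are the allowed peers; 64500 is $AS_Expensive.
EXPECTED = build_aspath_regex(271, {64496, 64497})
OBSERVED = [
    "3491 64496 271",        # fine: behind an allowed peer
    "64497 271",             # fine: the collector is the allowed peer itself
    "3491 64500 271",        # alarm: $AS_Expensive is carrying our prefix
    "3491 64496 64500 271",  # alarm: expensive AS directly in front of the origin
]
```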


Detecting Hijacks

Obvious hijacks

  • Your prefix, but origin AS is not yours.

  • YouTube hijack last year

    ====================================================================

    Possible Prefix Hijack (Code: 10)

    ====================================================================

    Your prefix: 208.65.152.0/22:

    Update time: 2008-02-24 18:48 (UTC)

    Detected by #peers: 44

    Detected prefix: 208.65.153.0/24

    Announced by: AS17557 (PKTELECOM-AS-AP Pakistan Telecom)

    Upstream AS: 3491 (PCCWGlobal-ASN)

    ASpath: 26943 23352 3491 17557

    Mark as false alert: http://bgpmon.net/fp.php?aid=21659961


BGP MITM attacks

Not so obvious hijacks

  • As demonstrated at Defcon last summer (“Stealing the Internet”)

  • Looks like:

    • A more specific of your prefix.

    • Looks like it’s originated by your AS

    • Result: looks like a ‘regular’ leak by your AS


BGP MITM attacks

[Diagram: the victim, AS100, originates 192.0.2.0/22; the other ASes are AS200, AS300, AS400, AS500, AS700, Bob, and the attacker, AS900.]

Before, AS700 sees: *> 192.0.2.0/22: 200 100


BGP MITM attacks

[Diagram: same topology as the previous slide.]

AS900 (attacker): “I have a route to 192.0.2.0/24 via 500 400 100”

“I will send data for 192.0.2.0/24 to attacker”

Attack scenario, AS700 sees:

    *> 192.0.2.0/22: 200 100

    *> 192.0.2.0/24: 300 900 500 400 100

AS900 is now able to intercept traffic towards AS100 (the victim, 192.0.2.0/22).


BGP MITM attacks

How can we detect an attack like this?

  • New More Specific Route

  • New AS path

  • ASpath not “valley free”

  • BGPmon.net will detect this


BGP MITM attacks

====================================================================

Possible BGP MITM attack (Code: 21)

====================================================================

Your prefix: 24.120.56.0/22:

Update time: 2008-08-10 19:33 (UTC)

Detected by #peers: 16

Detected prefix: 24.120.56.0/24

Announced by: AS20195 (SPARKLV-1 - Sparkplug Las Vegas, Inc.)

Upstream AS: 23005 (SWITCH-COMMUNICATIONS)

ASpath: 24875 6461 3561 26627 4436 22822 23005 20195

Mark as false alert: http://bgpmon.net/fp.php?aid=19263621


My Prefixes


My Updates


Customize


What if….

  • What if this happened to your network…

    • First step is detection!

    • Start announcing more specifics

    • Contact the origin AS and its upstream(s)


Wrap up

  • The inter-domain routing system (BGP) is insecure

  • No way to verify if someone is speaking the truth

  • ‘Hijacks’ and prefix leaks happen frequently

  • Free tools available for monitoring and detection

  • BGPmon.net: a free, feature-rich service

  • Great tool for network administrators


Questions?

[email protected]

Try the demo @

http://BGPmon.net

Thanks BCNET & University of British Columbia for your support!
