BCNET Conference April 29, 2009 Andree Toonk BGPmon.net Prefix hijacking! Do you know who's routing your network? Andree Toonk

BCNET Conference April 29, 2009 Andree Toonk Where will we go today 1.The Internet & BGP Example hijacks 3.Methods to detect hijacks 4.Demo 5.Questions This session contains technical content

BCNET Conference April 29, 2009 Andree Toonk Why Should You Care? Because others can intercept your traffic without you noticing it. Because your traffic can be altered, dropped, stored, etc Because if your Internet connection is essential for your business It will cost you money!

BCNET Conference April 29, 2009 Andree Toonk The Internet & BGP 101 AS1 AS4 AS2 AS6 AS7 AS5 AS3 AS8 Collection of Networks called Autonomous Systems AS identified by a number Together make up the Internet

BCNET Conference April 29, 2009 Andree Toonk The Internet & BGP 101 AS2 AS5 AS /24 AS3 is a collection of prefixes AS3 has 1 upstream ISP: (AS5) AS3 and AS2 are direct peers Hi, AS3, Just sent all your traffic to me and I make sure it will get to its destination

BCNET Conference April 29, 2009 Andree Toonk The Internet & BGP 101 AS1 AS4 AS2 AS6 AS7 AS5 AS3 AS8 How to get from AS6 to AS3? Shortage path: AS path: Several longer alternative paths

BCNET Conference April 29, 2009 Andree Toonk The Internet & BGP I’m AS3 and my prefixes are: / /16 I’m AS2 and my prefixes are: / /16 Remember more specific always wins. If you want to reach /24 is chosen over /8 I’m AS6, my BGP table: My BGP table: *> /8: 4 3 *> /24: 4 2 *> /16: 4 3 *> /16: 4 2

BCNET Conference April 29, 2009 Andree Toonk The Internet & BGP 101 Each AS talks BGP to its neighbors (peers) Each AS announces its prefixes to his peers Upstream ISP’s re-announce that to its peers AS path is used for loop prevention and to see how it’s routed Today in global routing table: ~ prefixes ~ ASns

BCNET Conference April 29, 2009 Andree Toonk What’s the problem? Inter domain routing is based on trust Anyone can start announcing someone else prefix and start attracting traffic for that network Well known example is the YouTube.com Hijack, Feb. 2008

BCNET Conference April 29, 2009 Andree Toonk What’s the problem? AS100AS200 AS300 I can reach /16 Very secure Online banking server Bob

BCNET Conference April 29, 2009 Andree Toonk What’s the problem? AS100AS200 AS300 I can reach /16 I can reach /24 Very secure Online banking server FAKE Very secure Online banking server Bob

BCNET Conference April 29, 2009 Andree Toonk YouTube.com Hijack Stable situation: Hijack by Pakistan Telecom: February > Pakistan’s government orders Pakistan Telecom to block YouTube.com. They accidentally ‘leak’ this to the rest of the Internet. Result: YouTube traffic is now routed to Pakistan. YouTube.com unreachable, millions of unhappy users and lost revenue YouTubeAS /22 Pakistan Telecom AS /24 ~$ host is an alias for youtube.l.google.com. youtube.l.google.com has address

BCNET Conference April 29, 2009 Andree Toonk What’s the problem? Hijacks really happen –Mostly accidental Would you know what to do if this happens to you? Or would you even be able to tell this is happening?

BCNET Conference April 29, 2009 Andree Toonk Detecting Hijacks Number of tools to help you detect hijacks Commercial products Free community services BGPmon.net Free Service for the community Allows you to monitor your prefixes for ‘interesting’ events and hijacks.

BCNET Conference April 29, 2009 Andree Toonk Feature overview Feature rich: Alarm classifier IPv4 & IPv6 support 2 & 4 byte ASN support Fast notification time (~10min) Overview of historical alarms in web portal Regular expressions support Peer Threshold support IRR support Bogon detection And more… Monitor for hijacks, Accidental leaks & instability

BCNET Conference April 29, 2009 Andree Toonk Architecture BGP updates repository Parser / analyzer Presentation & Notification Classifier RIPE RIS project

BCNET Conference April 29, 2009 Andree Toonk Event Classifier Classifying event by type helps to determine the cause & impact Three main event types: 1.Monitor your own network for configuration errors. 2.Monitor stability of your prefixes. 3.Monitor for hijacks by others.

BCNET Conference April 29, 2009 Andree Toonk Your own announcements Detect configuration errors ASAP Stable situation: /16 Originated by AS271 Configuration change, causing you to leak: /17 Originated by AS271

BCNET Conference April 29, 2009 Andree Toonk Monitor Prefix stability Large number of withdraws for your prefix means reachability issues Possible cause could be problem with: your border router your upstream large IX somewhere …..

BCNET Conference April 29, 2009 Andree Toonk ASpath monitoring Flexible monitoring using regular expressions Useful for if you have many peers Useful when monitoring some specific traffic engineering situations. Example: $prefix may show behind ANY of my peers except $AS_Expensive Regular expression generator available

BCNET Conference April 29, 2009 Andree Toonk Detecting Hijacks Obvious hijacks Your prefix, but origin AS is not yours. YouTube hijack last year ==================================================================== Possible Prefix Hijack (Code: 10) ==================================================================== Your prefix: /22: Update time: :48 (UTC) Detected by #peers: 44 Detected prefix: /24 Announced by: AS17557 (PKTELECOM-AS-AP Pakistan Telecom) Upstream AS: 3491 (PCCWGlobal-ASN) ASpath: Mark as false alert:

BCNET Conference April 29, 2009 Andree Toonk BGP MITM attacks Not so obvious hijacks As demonstrated at Defcon last summer (“Stealing the Internet”) Looks like: A more specific of your prefix. Looks like it’s originated by your AS Result: looks like a ‘regular’ leak by my AS

BCNET Conference April 29, 2009 Andree Toonk BGP MITM attacks AS500 AS900 attacker AS100 Victim /22 AS400 AS300 AS200 AS700 bob Before AS700 sees: *> /22:

BCNET Conference April 29, 2009 Andree Toonk BGP MITM attacks AS500 AS900 attacker AS100 Victim /22 AS400 AS300 AS200 AS700 bob Attack scenario AS700 sees: *> /22: *> /24: AS900 is now able to intercept traffic towards AS100 I have a route to /24 via I will sent data for /24 to attacker

BCNET Conference April 29, 2009 Andree Toonk BGP MITM attacks How can we detect an attack like this? New More Specific Route New AS path ASpath not “valley free” BGPmon.net will detect this

BCNET Conference April 29, 2009 Andree Toonk BGP MITM attacks ==================================================================== Possible BGP MITM attack (Code: 21) ==================================================================== Your prefix: /22: Update time: :33 (UTC) Detected by #peers: 16 Detected prefix: /24 Announced by: AS20195 (SPARKLV-1 - Sparkplug Las Vegas, Inc.) Upstream AS: (SWITCH-COMMUNICATIONS) ASpath: Mark as false alert:

BCNET Conference April 29, 2009 Andree Toonk My Prefixes

BCNET Conference April 29, 2009 Andree Toonk My Updates

BCNET Conference April 29, 2009 Andree Toonk Customize

BCNET Conference April 29, 2009 Andree Toonk What if…. What if this happened to your network… –First step is detection ! –Start announcing more specifics –Contact origin AS and his upstream(s)

BCNET Conference April 29, 2009 Andree Toonk Wrap up The inter-domain routing system (BGP) is insecure No way to verify of someone is speaking the truth ‘Hijacks’ and prefix leaks happen frequently Free tools available for monitoring and detection BGPmon.net free feature rich service Great tool for network administrators

BCNET Conference April 29, 2009 Andree Toonk Questions? Try the Thanks BCNET & University of British Columbia for your support!