1
BCNET Conference, April 29, 2009. Andree Toonk, andree@bgpmon.net, BGPmon.net
Prefix hijacking! Do you know who's routing your network?
2
Where will we go today
1. The Internet & BGP 101
2. Example hijacks
3. Methods to detect hijacks
4. Demo
5. Questions
This session contains technical content.
3
Why Should You Care?
Because others can intercept your traffic without you noticing it.
Because your traffic can be altered, dropped, stored, etc.
Because if your Internet connection is essential for your business, it will cost you money!
4
The Internet & BGP 101
[Diagram: AS1, AS2, AS3, AS4, AS5, AS6, AS7, AS8 connected to each other]
The Internet is a collection of networks called Autonomous Systems (ASes).
An AS is identified by a number.
Together they make up the Internet.
5
The Internet & BGP 101
[Diagram: AS2, AS5 and AS3; AS3 holds 192.0.2.0/24]
AS3 is a collection of prefixes.
AS3 has 1 upstream ISP: AS5.
AS3 and AS2 are direct peers.
The upstream's offer: "Hi AS3, just send all your traffic to me and I will make sure it gets to its destination."
6
The Internet & BGP 101
[Diagram: AS1, AS2, AS3, AS4, AS5, AS6, AS7, AS8]
How to get from AS6 to AS3?
Shortest path: 4 5 3
AS path: 4 5 3
Several longer alternative paths exist.
7
The Internet & BGP 101
[Diagram: AS2, AS3, AS4, AS6, AS7]
I'm AS3 and my prefixes are: 10.0.0.0/8, 11.11.0.0/16
I'm AS2 and my prefixes are: 10.10.10.0/24, 12.12.0.0/16
Remember: more specific always wins. If you want to reach 10.10.10.10, 10.10.10.0/24 is chosen over 10.0.0.0/8.
I'm AS6, my BGP table:
*> 10.0.0.0/8: 4 3
*> 10.10.10.0/24: 4 2
*> 11.11.0.0/16: 4 3
*> 12.12.0.0/16: 4 2
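The "more specific always wins" rule from this slide is longest-prefix matching. The following is an added example, not code from the presentation or from BGPmon.net: it loads AS6's table exactly as shown on the slide (a constructed sample), resolves an address to the most specific covering route, and then installs a constructed /25 announcement from AS7 to show how a new more specific silently redirects part of the /24 without anything changing in the existing entries. The function names and the AS7 announcement are this example's own assumptions.

```python
import ipaddress

# Constructed sample: AS6's BGP table from the slide, prefix -> AS path (next hop first, origin last)
AS6_TABLE = {
    "10.0.0.0/8":    [4, 3],
    "10.10.10.0/24": [4, 2],
    "11.11.0.0/16":  [4, 3],
    "12.12.0.0/16":  [4, 2],
}


def longest_prefix_match(table, address):
    """Return (prefix, as_path) of the most specific route covering address,
    or None when no route covers it. Two distinct prefixes of the same length
    can never both contain one address, so there are no ties to break."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, as_path in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, as_path)
    return None if best is None else (str(best[0]), best[1])


def origin_as(table, address):
    """The AS that traffic for address is delivered to: the last AS in the chosen path."""
    match = longest_prefix_match(table, address)
    return None if match is None else match[1][-1]


def with_announcement(table, prefix, as_path):
    """Copy of table with one more announcement installed (a simplification of BGP
    best-path selection: a prefix not yet in the table is simply added). Used to
    show that a new more specific changes lookups without touching existing routes."""
    updated = dict(table)
    updated[prefix] = as_path
    return updated


if __name__ == "__main__":
    print(longest_prefix_match(AS6_TABLE, "10.10.10.10"))  # /24 beats /8: ('10.10.10.0/24', [4, 2])
    print(longest_prefix_match(AS6_TABLE, "10.1.2.3"))     # only the /8 covers it
    # Constructed: AS7 announces 10.10.10.0/25. AS2's /24 is still present, yet the
    # lower half of it now goes to AS7; the owner (AS2) notices nothing locally.
    leaked = with_announcement(AS6_TABLE, "10.10.10.0/25", [7])
    print(origin_as(leaked, "10.10.10.10"), origin_as(leaked, "10.10.10.200"))
```

Nothing in AS2's own router changes when the /25 appears, which is why the rest of the deck argues for monitoring the global table rather than only your own announcements.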
8
The Internet & BGP 101
Each AS talks BGP to its neighbors (peers).
Each AS announces its prefixes to its peers.
Upstream ISPs re-announce those prefixes to their peers.
The AS path is used for loop prevention and to see how a prefix is routed.
Today in the global routing table: ~290,000 prefixes, ~32,000 ASNs.
9
What's the problem?
Inter-domain routing is based on trust.
Anyone can start announcing someone else's prefix and start attracting traffic for that network.
A well-known example is the YouTube.com hijack, Feb. 2008.
10
What's the problem?
[Diagram: AS100, AS200, AS300; Bob's traffic to the very secure online banking server 10.10.10.10]
Announcement: "I can reach 10.10.0.0/16"
11
What's the problem?
[Diagram: AS100, AS200, AS300; Bob's traffic to the very secure online banking server 10.10.10.10, and a FAKE "very secure online banking server" 10.10.10.10]
Announcement: "I can reach 10.10.0.0/16"
Competing announcement: "I can reach 10.10.10.0/24"
12
YouTube.com Hijack
Stable situation: YouTube, AS36561, announces 208.65.152.0/22.
Hijack by Pakistan Telecom, February 24, 2008: Pakistan Telecom, AS17557, announces 208.65.153.0/24.
Pakistan's government orders Pakistan Telecom to block YouTube.com. They accidentally 'leak' this to the rest of the Internet.
Result: YouTube traffic is now routed to Pakistan. YouTube.com unreachable, millions of unhappy users and lost revenue.
~$ host www.youtube.com
www.youtube.com is an alias for youtube.l.google.com.
youtube.l.google.com has address 208.65.153.25
13
What's the problem?
Hijacks really happen
– Mostly accidental
Would you know what to do if this happens to you?
Or would you even be able to tell this is happening?
14
Detecting Hijacks
A number of tools help you detect hijacks:
Commercial products
Free community services
BGPmon.net: a free service for the community
Allows you to monitor your prefixes for 'interesting' events and hijacks.
15
Feature overview
Monitor for hijacks, accidental leaks & instability
Feature rich:
Alarm classifier
IPv4 & IPv6 support
2 & 4 byte ASN support
Fast notification time (~10 min)
Overview of historical alarms in web portal
Regular expression support
Peer threshold support
IRR support
Bogon detection
And more…
16
Architecture
[Diagram: BGP updates (RIPE RIS project) -> repository -> parser / analyzer -> classifier -> presentation & notification]
17
Event Classifier
Classifying an event by type helps to determine its cause & impact.
Three main event types:
1. Monitor your own network for configuration errors.
2. Monitor stability of your prefixes.
3. Monitor for hijacks by others.
18
Your own announcements
Detect configuration errors ASAP.
Stable situation: 142.231.0.0/16 originated by AS271.
Configuration change causing you to leak: 142.231.0.0/17 originated by AS271.
19
Monitor prefix stability
A large number of withdraws for your prefix means reachability issues.
Possible causes could be a problem with:
your border router
your upstream
a large IX somewhere
…
20
AS path monitoring
Flexible monitoring using regular expressions.
Useful if you have many peers.
Useful when monitoring specific traffic engineering situations.
Example: $prefix may show up behind ANY of my peers except $AS_Expensive.
A regular expression generator is available.
21
Detecting Hijacks
Obvious hijacks: your prefix, but the origin AS is not yours.
The YouTube hijack last year:
====================================================================
Possible Prefix Hijack (Code: 10)
====================================================================
Your prefix:         208.65.152.0/22:
Update time:         2008-02-24 18:48 (UTC)
Detected by #peers:  44
Detected prefix:     208.65.153.0/24
Announced by:        AS17557 (PKTELECOM-AS-AP Pakistan Telecom)
Upstream AS:         3491 (PCCWGlobal-ASN)
ASpath:              26943 23352 3491 17557
Mark as false alert: http://bgpmon.net/fp.php?aid=21659961
22
BGP MITM attacks
Not so obvious hijacks, as demonstrated at Defcon last summer ("Stealing the Internet").
Looks like: a more specific of your prefix, and it looks like it's originated by your AS.
Result: it looks like a 'regular' leak by my own AS.
23
BGP MITM attacks
[Diagram: AS100 (victim, 192.0.2.0/22), AS200, AS300, AS400, AS500, AS700 (Bob), AS900 (attacker)]
Before, AS700 sees:
*> 192.0.2.0/22: 200 100
24
BGP MITM attacks
[Diagram: AS100 (victim, 192.0.2.0/22), AS200, AS300, AS400, AS500, AS700 (Bob), AS900 (attacker)]
Attack scenario, AS700 sees:
*> 192.0.2.0/22: 200 100
*> 192.0.2.0/24: 300 900 500 400 100
AS900 is now able to intercept traffic towards AS100.
AS900: "I have a route to 192.0.2.0/24 via 500 400 100."
AS700: "I will send data for 192.0.2.0/24 to the attacker."
25
BGP MITM attacks
How can we detect an attack like this?
New more specific route
New AS path
AS path not "valley free"
BGPmon.net will detect this.
26
BGP MITM attacks
====================================================================
Possible BGP MITM attack (Code: 21)
====================================================================
Your prefix:         24.120.56.0/22:
Update time:         2008-08-10 19:33 (UTC)
Detected by #peers:  16
Detected prefix:     24.120.56.0/24
Announced by:        AS20195 (SPARKLV-1 - Sparkplug Las Vegas, Inc.)
Upstream AS:         23005 (SWITCH-COMMUNICATIONS)
ASpath:              24875 6461 3561 26627 4436 22822 23005 20195
Mark as false alert: http://bgpmon.net/fp.php?aid=19263621
27
My Prefixes
28
My Updates
29
Customize
30
What if…
What if this happened to your network…
– First step is detection!
– Start announcing more specifics
– Contact the origin AS and its upstream(s)
31
Wrap up
The inter-domain routing system (BGP) is insecure.
There is no way to verify if someone is speaking the truth.
'Hijacks' and prefix leaks happen frequently.
Free tools are available for monitoring and detection.
BGPmon.net: free, feature-rich service.
Great tool for network administrators.
32
Questions?
Andree@bgpmon.net
Try the demo @ http://BGPmon.net
Thanks BCNET & University of British Columbia for your support!