
BGP: From route hijacking to RPKI
How vulnerable is the Internet?
BSides Denver 2016
Mike Benjamin (@mikebdotorg)

me:
Security guy at Level 3
Former network architect
Colorado resident
This is my personal research

BGP Concepts

Autonomous System
AS Path
Origin AS
Prefix / Route / Block
Prefix Length

Autonomous System Numbers
The ASN is used for:
Loop Prevention
Route Selection
Traffic Engineering
Policy / Filtering
Troubleshooting

AS100 receives 2.0.0.0/8 via two paths, both originated by AS200:
AS Path: 200
AS Path: 300 200

AS Path Example from the Route Views Project

BGP Hijacks
BGP announcements for equal or more specific prefixes, announced by someone who is not the owner
Owner AS100 announces 1.0.0.0/8
AS600 hijacks 1.0.0.0/8 (equal)
... or 1.2.3.0/24 (more specific)
Equal announcements will follow BGP route selection
More specific prefixes will be installed and preferred (longest match wins regardless of path attributes)

Scoped BGP Hijacking Example for MITM

Why do Hijacks Happen?
Poor Hygiene
Redistribution Mistakes (BGP<->IGP<->BGP, Static->BGP)
Typos
Malice
DDoS Mitigation

What Stops Hijacks?
Prefix Filtering
AS Path Filtering
Max Prefix Limits
Hopes and Dreams?

Origin Validation Options

Method      Coverage                Adequate Trust
RPKI        6.7% [1]                Yes
IRR         72.8% (62.3% correct)   Not really
Squatting   99.6%                   No

[1] https://rpki-monitor.antd.nist.gov/

Creating a Baseline for Hijack Detection


Read one RIB per day at random and record all AS Paths
Summarize each RIB entry to just origin AS and uplinks
Removing private ASNs and AS Prepends

Baseline owner and uplinks for 10 entries in last 15 days

Detecting Hijacks
Check for hijacks and record first match from:
Route matched owner
Route and new origin AS match IRR record
New origin was an uplink in baseline data
New origin is a downlink of baseline owner
Remainder are assumed to be a real hijack
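An added Python example (not the deck's own tooling) of the two steps above: summarising RIB paths into a baseline, then classifying a route change by the first matching rule in the deck's order. It assumes the RIB is supplied as (prefix, AS path) rows and that IRR route objects have already been reduced to a prefix-to-ASNs lookup; the baseline and IRR data are constructed to mirror the deck's AS100 / AS600 example.

```python
import ipaddress

def summarize_path(as_path):
    # Drop private ASNs (16- and 32-bit ranges) and collapse prepends; return (origin, uplink).
    cleaned = []
    for asn in as_path:
        if 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294:
            continue
        if not cleaned or cleaned[-1] != asn:
            cleaned.append(asn)
    origin = cleaned[-1] if cleaned else None
    return origin, (cleaned[-2] if len(cleaned) > 1 else None)

def build_baseline(rib_entries):
    # (prefix, as_path) RIB rows -> owners and uplinks per prefix, plus uplink -> origins seen below it.
    prefixes, downlinks = {}, {}
    for prefix, path in rib_entries:
        origin, uplink = summarize_path(path)
        if origin is None:
            continue
        entry = prefixes.setdefault(ipaddress.ip_network(prefix), {"owners": set(), "uplinks": set()})
        entry["owners"].add(origin)
        if uplink is not None:
            entry["uplinks"].add(uplink)
            downlinks.setdefault(uplink, set()).add(origin)
    return {"prefixes": prefixes, "downlinks": downlinks}

def classify(prefix, as_path, baseline, irr):
    # First match in the deck's order; irr maps a prefix string to the ASNs holding a route object for it.
    origin, net = summarize_path(as_path)[0], ipaddress.ip_network(prefix)
    # Judge against the longest covering baseline prefix, so a more-specific is compared with its parent's owner.
    covering = [b for b in baseline["prefixes"] if b.version == net.version and net.subnet_of(b)]
    if not covering:
        return "new-prefix"
    entry = baseline["prefixes"][max(covering, key=lambda b: b.prefixlen)]
    if origin in entry["owners"]:
        return "owner"
    if origin in irr.get(str(net), set()):
        return "irr"
    if origin in entry["uplinks"]:
        return "uplink"
    if any(origin in baseline["downlinks"].get(o, set()) for o in entry["owners"]):
        return "downlink"
    return "hijack"

# Constructed sample modelled on the deck: AS100 owns 1.0.0.0/8 behind uplink AS200; AS700 is AS100's customer.
SAMPLE_RIB = [("1.0.0.0/8", [300, 200, 100]), ("1.5.0.0/16", [300, 200, 100, 65001, 700])]
SAMPLE_IRR = {"1.2.3.0/24": {500}}  # constructed: AS500 holds a route object for 1.2.3.0/24
BASELINE = build_baseline(SAMPLE_RIB)
```

With this sample, AS600 announcing 1.2.3.0/24 falls through every rule and is reported as a hijack, while AS700 (a customer of the owner) is explained as a downlink.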

Results
2011-09-16 through 2016-09-15

Route From Owner   99.57%
Possible Hijack     0.43%

Detector Match   % Match
IRR              33%
Uplink           11%
Downlink         14%
Unknown          42%

Final Numbers

Year   Unique Hijacks Per Day
2011   235
2012   261
2013   302
2014   404
2015   507
2016   418

Future Baseline Comparison:
Another 49% reduction in hijacks
Final list is 0.09% of all route changes

Top Single Day Hijacks by Prefix Volume

Prefix Volume   Origin AS   Date         # AS Paths
58,123          AS31474     2011-10-21   35
31,674          AS7514      2015-07-17
25,610          AS9498      2015-11-06
23,206          AS9498      2015-11-07   977
22,574          AS8359      2016-06-30
8,089           AS4761      2014-04-02
5,049           AS7018      2013-03-20
4,602           AS29649     2013-07-31   190
4,292           AS201701    2015-10-11
4,072           AS18403     2016-09-14

Remaining "# AS Paths" values and reference markers, detached from their rows in the source: [1] [2] 1758 813 [3] 75 [4] 2222

[1] http://www.bgpmon.net/large-scale-bgp-hijack-out-of-india/
[2] http://www.bgpmon.net/hijack-event-today-by-indosat/
[3] http://research.dyn.com/2015/10/global-impacts-of-recent-leaks/
[4] https://bgpstream.com/event/56207

Top Repeat Offending ASes - Hijacking Yourself

% Days Updated   Hijacking AS   Top Hijacked ASes                           Hijacker Country   Hijacker Name
99%              AS27064        721, 27066, 27065                           United States      DoD
95%              AS27051        721                                         United States      DoD
91%              AS2905         166372149137594 (run together in source)    South Africa       MTN
88%              AS647          721, 5976, 27066                            United States      DoD
87%              AS5976         721, 647, 27066                             United States      DoD
87%              AS1452         721, 1489, 5800                             United States      DoD
85%              AS3475         721, 647, 5237                              United States      DoD
84%              AS27066        721, 27064, 5976                            United States      DoD
83%              AS246          390, 391, 440                               United States      DoD
80%              AS491          391, 440, 395                               United States      DoD

Searching the Data


search for google.com (216.85.193.110)
216.58.192.0/20 was hijacked at 2016-04-22 17:09:48 UTC by AS200759 (FLOW Switzerland, CH)
search for twitter.com (199.59.148.82 199.59.149.198 199.59.150.7 199.59.148.10)
199.59.148.10/32 was hijacked at 2013-04-23 06:04:32 UTC by AS5416 (Internet Service[...], BH)
199.59.148.0/23 was hijacked at 2016-04-22 17:09:48 UTC by AS200759 (FLOW Switzerland, CH)
199.59.148.82/32 was hijacked at 2016-06-30 11:10:12 UTC by AS8359 (MTS , RU)
199.59.149.198/32 was hijacked at 2016-06-30 11:10:12 UTC by AS8359 (MTS , RU)
199.59.150.7/32 was hijacked at 2016-06-30 11:10:12 UTC by AS8359 (MTS , RU)
199.59.148.10/32 was hijacked at 2016-06-30 11:10:12 UTC by AS8359 (MTS , RU)
search for www.securitybsides.com (208.96.18.238 208.96.18.237)
208.96.18.238/32 was hijacked at 2016-06-30 11:10:12 UTC by AS8359 (MTS , RU)
208.96.18.237/32 was hijacked at 2016-06-30 11:10:12 UTC by AS8359 (MTS , RU)
search for 82.118.233.144 [vDOS]
82.118.232.0/22 was hijacked at 2014-08-06 10:57:28 UTC by AS5580 (HIBERNIA , NL)
82.118.233.0/24 was hijacked at 2016-04-01 10:54:36 UTC by AS50360 (TAMATIYA-AS , BG)
82.118.233.0/24 was hijacked at 2016-09-07 07:13:26 UTC by AS203959 (BACKCONNECT-AS , NL)

Some Good News


search for github.com (192.30.253.112)
No hijacks found for github.com
search for reddit.com (151.101.1.140 151.101.65.140 151.101.129.140 151.101.193.140)
No hijacks found for reddit.com
search for dropbox.com (108.160.172.238 108.160.172.206)
No hijacks found for dropbox.com
search for protonmail.com (185.70.40.182)
No hijacks found for protonmail.com
search for stackoverflow.com (151.101.193.69 151.101.1.69 151.101.65.69 151.101.129.69)
No hijacks found for stackoverflow.com

But... None of this Matters
You can't trust any of it
AS Paths can be fabricated
A simple change to "aspath" based on prefix "p" in quagga/bgpd/bgp_packet.c - bgp_packet_attribute()

Fixing the Problem - Start with Origin Validation


Resource Public Key Infrastructure (RPKI) - RFC6480
Provides cryptographic proof of ownership
RIRs provide the root trust
Uses X.509 certificates for sub-allocations
Final owner signs a Route Origin Authorization (ROA)
ROA contains the prefix length permitted and origin AS
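An added Python example, not from the deck or any real RPKI validator, of what a relying party does with ROAs once it has them: RFC 6811 route origin validation, which turns the prefix, maxLength and origin AS in a ROA into a valid / invalid / notfound verdict for each announcement. The ROAs are constructed to match the deck's AS100 / AS600 example.

```python
import ipaddress

def make_roa(prefix, max_length, origin_as):
    # A ROA covers a prefix, permits announcements no longer than max_length, and names one origin AS.
    net = ipaddress.ip_network(prefix)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("maxLength must lie between the prefix length and the address size")
    return net, max_length, origin_as

def validate_origin(announcement, origin_as, roas):
    # RFC 6811: 'valid' if some covering ROA names this origin and allows this length,
    # 'invalid' if covering ROAs exist but none matches, 'notfound' if no ROA covers the prefix.
    net = ipaddress.ip_network(announcement)
    covered = False
    for roa_net, max_length, roa_as in roas:
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # the RPKI has an opinion about this address space
        if roa_as == origin_as and net.prefixlen <= max_length:
            return "valid"
    return "invalid" if covered else "notfound"

def decide(state):
    # Common deployment policy: reject invalids; accept notfound so unsigned space keeps working.
    return "reject" if state == "invalid" else "accept"

# Constructed ROAs following the deck's example: AS100 owns 1.0.0.0/8 and permits announcements
# down to /16; a ROA for AS0 says 3.0.0.0/8 must not be originated by anyone.
ROAS = [make_roa("1.0.0.0/8", 16, 100), make_roa("3.0.0.0/8", 8, 0)]
```

Note that 1.2.3.0/24 is invalid even from AS100 itself, because it exceeds the /16 maxLength; the equal-prefix and more-specific hijacks by AS600 are both invalid, and 2.0.0.0/8, with no ROA, is merely notfound.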

Fixing the Problem - Moving to Path Validation


BGPsec - draft-ietf-sidr-bgpsec-protocol-18
Provides cryptographic proof of announcement path
Signs announcements AS-by-AS through the network
Still in draft with IETF (sidr working group)
May require replacement of some routers for success

Bogons
IP space which is reserved or not allocated
Includes RFC1918 space
Current allocations can be found at:
ftp.(afrinic|apnic|arin|lacnic|ripe).net/pub/stats/
Comparing updates to this data finds bogon routes
0.08% of all updates were bogons during the five years
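An added Python example, not part of the deck's tooling, of the bogon comparison described above: it parses a constructed excerpt in the RIR delegated-stats format (registry|cc|type|start|value|date|status), builds the allocated/assigned space, and flags announcements that overlap special-use space or fall outside an allocation. The deck used py-radix; this uses only the standard library's ipaddress module, and loads IPv4 records only.

```python
import ipaddress

# Constructed excerpt in the RIR delegated-stats format: registry|cc|type|start|value|date|status
SAMPLE_STATS = """\
#version|registry|serial|records|startdate|enddate|UTCoffset
2|ripencc|20160915|3|19920101|20160915|+0200
ripencc|*|ipv4|*|3|summary
ripencc|DE|ipv4|192.0.2.0|256|20160101|allocated
ripencc|NL|ipv4|203.0.113.0|768|20160101|assigned
ripencc|ZZ|ipv4|198.51.100.0|256|20160101|reserved
"""

# Special-use space that should never appear in the global table (RFC 1918 and friends; a subset).
SPECIAL_USE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def parse_delegated(text):
    # Collect IPv4 records with status allocated/assigned; 'value' is an address count, not a mask length.
    nets = []
    for line in text.splitlines():
        fields = line.split("|")
        if line.startswith("#") or len(fields) < 7 or fields[2] != "ipv4":
            continue
        if fields[6] not in ("allocated", "assigned"):
            continue
        start = ipaddress.IPv4Address(fields[3])
        nets.extend(ipaddress.summarize_address_range(start, start + int(fields[4]) - 1))
    return list(ipaddress.collapse_addresses(nets))  # merge adjacent, aligned blocks

def is_bogon(prefix, allocated):
    # Bogon: overlaps special-use space, or is not entirely inside one allocated/assigned block.
    net = ipaddress.ip_network(prefix)
    if any(net.overlaps(s) for s in SPECIAL_USE):
        return True
    return not any(net.version == a.version and net.subnet_of(a) for a in allocated)

def bogon_rate(updates, allocated):
    # Fraction of announced prefixes that are bogons (the deck found 0.08% over five years).
    flagged = [p for p in updates if is_bogon(p, allocated)]
    return len(flagged) / len(updates) if updates else 0.0
```

The 768-address assignment shows why the count matters: it becomes a /24 plus a /23, so a /22 announced over it is flagged because it also covers unallocated space.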

Top Repeated Bogons

% Days Updated   Prefix             Type                Origin AS   Origin Name
88%              172.102.0.0/22     Unallocated Space   AS4812      China Telecom
84%              202.94.1.0/24      Unallocated Space   AS4808      China Unicom
84%              192.124.252.0/22   Unallocated Space   AS680       German NREN
84%              198.163.214.0/24   Unallocated Space   AS21804     (Canada) Access Communications
81%              192.188.208.0/20   Unallocated Space   AS721       US Department of Defense
81%              192.154.64.0/19    Unallocated Space   AS81        North Carolina REN

So... What Should People Do?
Block bogons: http://www.team-cymru.org/bogon-reference.html
Watch your routes: http://www.routeviews.org
Adopt RPKI: https://www.nist.gov/programs-projects/robust-inter-domain-routing
Push BGPSec: https://datatracker.ietf.org/wg/sidr/
Encrypt your traffic

Tools Used
bgpdump - https://bitbucket.org/ripencc/bgpdump/wiki/
py-radix - https://github.com/mjschultz/py-radix/
ipaddr-py - https://github.com/google/ipaddr-py
netaddr - https://pypi.python.org/pypi/netaddr
mongoDB - https://www.mongodb.com/community
PyMongo - https://api.mongodb.com/python/current/
reveal.js - http://lab.hakim.se/reveal-js/#/
Questions? Comments? @mikebdotorg
