BGP HIJACKING OS3: Bram ter Borch & Jeroen Schutrup National Cyber Security Center
BORDER GATEWAY PROTOCOL (BGP)
• The Internet's main routing protocol
• RFC 4271 - original from 1989
• Connects Autonomous Systems (AS)
• BGP hijack
WHAT IS A BGP HIJACK
• Prefix hijack
• Subnet hijack
• AS and prefix hijack
• AS and subnet hijack
• Supernet hijack (introduced in our paper)
1) http://www.bgpmon.net/chinese-isp-hijacked-10-of-the-internet/
EXISTING SOLUTIONS
Tooling
• PHAS
• BGPmon.py
Theoretical
• Hu et al. (fingerprinting and traceroute)
• iSPY
• Zheng et al. (traceroute to monitored networks from a reference point)
Web based
• BGPMON
• DYN.com
LIMITATIONS & CHALLENGES
• Limited to online prefixes
• Noise generation
• Lacking Multiple Origin AS (MOAS) support
• Information disclosure
RESEARCH QUESTION How to create an early detection system for BGP hijacks for a fixed number of IP ranges and AS numbers using public resources?
PROPOSED MODEL (BHAS)
• Requires a full BGP feed
• Supports IPv4 and IPv6
• Supports MOAS
• Supports multi-homing
Decision flow (reconstructed from the flowchart labels on the slide):
1. BGP update → subnet check: is the prefix within the update a subnet of, equal to, or a supernet of a monitored prefix? No → discard. Yes → announcement or withdrawal.
2. Announcement → check the announcing AS against the monitored prefixes database (AS number, AS path, AS path -1, country code of the AS): is it the official announcer?
   - No → hijacked networks: hijack registration and alert.
   - Yes → get the AS path and compare it with the stored one. OK → if the prefix is in the hijack database, clear the hijack; otherwise discard. Different → check RIPEstat: registered change? Yes → update DB records. No → get AS-path -1 and compare it with the stored AS-path -1. OK → in hijack database? Yes → clear hijack; No → discard. Different → get the geolocation of the new AS-path -1 and compare it with the old AS-path -1. OK → in hijack database? Yes → clear hijack; No → discard. Different → hijacked networks: hijack registration and alert.
3. Withdrawal → in hijacked database? Yes → update DB (hijacked networks): clear hijack and alert. No → hijack registration and alert.
INITIALIZATION
• BGP update → subnet check: is the prefix within the update a subnet of, equal to, or a supernet of a monitored prefix?
• No → discard. Yes → announcement or withdrawal.
• Monitored prefixes database: AS number, AS path, AS path -1, country code of the AS.
SUBNET, PREFIX AND SUPERNET DETECTION
• Check the announcing AS against the monitored prefixes: is it the official announcer?
• Yes → get the AS path and compare it with the stored one.
• Compare AS path: OK → in hijack database? Yes → clear hijack; No → discard.
• Compare AS path: Different → check RIPEstat: registered change? Yes → update DB records; No → hijacked networks: hijack registration and alert.
AS HIJACK DETECTION
• Get AS-path -1 and compare it with the stored AS-path -1 of the monitored prefix.
• OK → in hijack database? Yes → clear hijack; No → discard.
• Different → get the geolocation of AS-path -1 and compare it with the announcing AS.
• Geolocation OK → in hijack database? Yes → clear hijack; No → discard.
• Geolocation different → hijacked networks: hijack registration and alert.
WITHDRAWAL
• Withdrawal of a monitored prefix (AS number, AS path, AS path -1, country code of the AS) → in hijacked database?
• Yes → update DB (hijacked networks): clear hijack and alert.
• No → hijack registration and alert.
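The decision flow of the slides above, as an added example written for this page and not the authors' BHAS code. It assumes a constructed monitored-prefix table and a constructed AS-to-country table standing in for the RIPEstat geolocation lookup; the RIPEstat "registered change" check is only represented by a return value.

```python
import ipaddress
from typing import List, Optional, Set

# Constructed sample data (not from the slides): monitored prefixes with their
# official origin AS, known upstream ASes (the "AS path -1") and country code.
MONITORED = {
    "145.2.0.0/15": {"origin": 1103, "upstreams": {1200, 3257}, "cc": "NL"},
    "193.11.3.0/24": {"origin": 2603, "upstreams": {1103}, "cc": "SE"},
}
# Constructed stand-in for the RIPEstat geolocation lookup used by the model.
AS_COUNTRY = {1103: "NL", 1200: "NL", 286: "NL", 3257: "US", 6939: "US", 2914: "US"}

HIJACKS: Set[str] = set()  # "hijacked networks" table, keyed by announced prefix


def relation(update: str, monitored: str) -> Optional[str]:
    """Subnet check: 'prefix' (equal), 'subnet' or 'supernet' of a monitored prefix."""
    u, m = ipaddress.ip_network(update), ipaddress.ip_network(monitored)
    if u.version != m.version:
        return None
    if u == m:
        return "prefix"
    if u.subnet_of(m):
        return "subnet"
    if u.supernet_of(m):
        return "supernet"
    return None


def classify(prefix: str, as_path: List[int]) -> str:
    """Run one announcement through the BHAS-style decision steps."""
    origin = as_path[-1]
    upstream = as_path[-2] if len(as_path) > 1 else None  # AS path -1
    for mon, info in MONITORED.items():
        rel = relation(prefix, mon)
        if rel is None:
            continue  # not related to this monitored prefix
        if origin != info["origin"]:  # not the official announcer
            HIJACKS.add(prefix)
            return f"{rel} hijack"
        # Official origin: AS hijack check on AS path -1, backed by geolocation.
        if upstream is None or upstream in info["upstreams"]:
            HIJACKS.discard(prefix)  # clears a registered hijack, else no-op
            return "ok"
        if AS_COUNTRY.get(upstream) != info["cc"]:
            HIJACKS.add(prefix)
            return f"AS and {rel} hijack"
        return "unregistered upstream change"  # slides: confirm via RIPEstat
    return "discard"  # fails the subnet check: no monitored prefix matches


def withdraw(prefix: str) -> str:
    """Withdrawal branch: a withdrawal clears a registered hijack."""
    if prefix in HIJACKS:
        HIJACKS.discard(prefix)
        return "hijack cleared"
    return "interesting withdrawal" if prefix in MONITORED else "discard"
```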
PROOF OF CONCEPT
• Built within 2 days
• ExaBGP
• Python application
• Multithreaded
• Postgres database
• Peewee ORM
1) https://prince2pm.files.wordpress.com/
ARCHITECTURE
TEST CASES
• All five types of hijacks
• Virtualized environment
• IRR records
TEST ENVIRONMENT (topology diagram, reconstructed from the router labels: group A routers with router IDs 192.168.1.x, group B routers with router IDs 192.168.2.x, and the monitored AS 65101 as router A101)
Group A routers (AS, router ID, announced subnet):
• AS 10026, RID 192.168.1.13, SN 66.216.41.0/24 and 42.99.128.0/17
• AS 2914, RID 192.168.1.11, SN 61.200.80.0/20
• AS 286, RID 192.168.1.12, SN 78.40.64.0/24
• AS 4589, RID 192.168.1.14, SN 81.188.0.0/16
• AS 58511, RID 192.168.1.15, SN 103.17.220.0/24
Group B routers (AS, router ID, announced subnet):
• AS 3257, RID 192.168.2.11, SN 213.254.192.0/18
• AS 1103, RID 192.168.2.12, SN 145.2.0.0/15
• AS 2603, RID 192.168.2.13, SN 193.11.3.0/24
• AS 6939, RID 192.168.2.14, SN 74.82.42.0/24
• AS 16559, RID 192.168.2.15, SN 66.63.0.0/18
Monitored AS:
• AS 65101, RID 192.168.1.101, SN NVT (router A101)
RESULTS - ANALYSIS - CONCLUSION
RESULTS TEST ENVIRONMENT
• All types of BGP hijacks are reported
• Prevents data disclosure to third parties
IRR RECORDS
“As it turns out 46% of all the prefixes in the routing table today have a valid route object.” (BGPmon.net, 2009)
“Russia is way ahead of the others with 88.4% coverage” (research.dyn.com, 2009)
RESULTS - IRR RECORDS (chart: % of Dutch prefixes, 0 to 70%, against # of IRR records 0, 1, 2, 3, 4, 5+; series: IPv4, IPv6)
RESULTS - UPDATES (chart: amount of updates per hour, 0 to 700,000, against runtime in hours 1 to 24; series: updates, IPv4 announcements, IPv6 announcements)
RESULTS - WITHDRAWALS (chart: # of withdrawals, 0 to 10,000, against runtime in hours 1 to 24; series: IPv4 withdrawals, IPv6 withdrawals)
RESULTS - INTERESTING WITHDRAWALS (chart: # of withdrawals, 0 to 8, against runtime in hours 1 to 24; series: interesting IPv4 withdrawals, interesting IPv6 withdrawals)
RESULTS - HIJACKS (bar chart: number of hijacks, 0 to 600, per hijack type 1 to 5; series: total hijacks, withdrawn hijacks)
ANALYSIS
• Dutch IRR registration coverage better than expected
• Algorithm works
• Architecture scales
• More IPv6 withdrawals
• 9 hijacks every hour
LIMITATIONS
Future work
• Connect to a live BGP feed for further analysis
• Correlate to real BGP hijacks
• Compare to other solutions
Model limitations
• Number of BGP feeds
• IRR registration
• Upstream AS geolocation
CONCLUSIONS
• The proposed model is tested successfully
• IPv4 IRR registration coverage is 98% for Dutch ASes
• IPv6 IRR registration coverage is 96% for Dutch ASes
• Lower number of MOAS networks for IPv6
• Reported hijacks: 1460 out of 10.5 million updates
QUESTIONS