BGP HIJACKING OS3: Bram ter Borch & Jeroen Schutrup National - PowerPoint PPT Presentation



  1. BGP HIJACKING OS3: Bram ter Borch & Jeroen Schutrup National Cyber Security Center

  2. BORDER GATEWAY PROTOCOL (BGP) • The Internet's main routing protocol • RFC 4271 - original from 1989 • Connects Autonomous Systems (AS) • BGP hijack

  3. WHAT IS A BGP HIJACK • Prefix hijack • Subnet hijack • AS and prefix hijack (1) • AS and subnet hijack • Supernet hijack (introduced in our paper)
     1) http://www.bgpmon.net/chinese-isp-hijacked-10-of-the-internet/

  4. EXISTING SOLUTIONS
     Tooling: • PHAS • BGPMON • BGPmon.py
     Theoretical: • Hu et al. (fingerprinting and traceroute) • iSPY • Zheng et al. (traceroute to monitored networks from reference point)
     Web based: • DYN.com

  5. LIMITATIONS & CHALLENGES • Limited to online prefixes • Noise generation • Lacking Multiple Origin AS (MOAS) Support • Information disclosure

  6. RESEARCH QUESTION How to create an early detection system for BGP hijacks for a fixed number of IP ranges and AS numbers using public resources?

  7. PROPOSED MODEL (BHAS) • Requires full BGP feed • Supports IPv4 and IPv6 • Support MOAS • Support Multi-homing
     [Flowchart of the full model. Nodes: BGP update → Subnet check: Is the prefix within the update a subnet, equal to, or supernet of monitored prefix? → No: Discard / Yes: Announcement or Withdrawal. Announcement → Check announcing AS against the Monitored prefixes database (AS number, AS path, AS path -1, country code AS) → Is it the official announcer? → Yes: Get AS path → Compare AS path → OK, or Different → Check RIPEstat: registered change? → Yes: Update DB records / No: Hijacked Networks → Hijack registration and alert. No (not the official announcer): Get AS-path -1 → Compare AS-path -1 with old AS-path -1 → Different: Get geolocation of AS-path -1 → Compare GEO → Different: Hijack registration and alert / OK: In hijack database? → Yes: Clear hijack / No: Discard. Withdrawal → In Hijacked Database? → Yes: Update DB, Clear hijack and alert / No: Discard.]

  8. INITIALIZATION
     [Flowchart: BGP update → Subnet check: Is the prefix within the update a subnet, equal to, or supernet of monitored prefix? → No: Discard / Yes: Announcement or Withdrawal. The check reads from the Monitored prefixes database (AS number, AS path, AS path -1, country code AS).]

  9. SUBNET, PREFIX AND SUPERNET DETECTION
     [Flowchart: Check announcing AS against Monitored prefixes (AS number, AS path, AS path -1, country code AS) → Is it the official announcer? → Yes: Get AS path → Compare AS path → OK, or Different → Check RIPEstat: registered change? → Yes: Update DB records / No: Hijacked Networks → Hijack registration and alert. In hijack database? → Yes: Clear hijack / No: Discard.]

  10. AS HIJACK DETECTION
     [Flowchart: Get AS-path -1 → Compare AS-path -1 with the stored AS-path -1 from Monitored prefixes (AS number, AS path, AS path -1, country code AS) → OK, or Different → Get GEOLOCATION of AS-path -1 → Compare GEO with announcing AS → Different: Hijacked Networks → Hijack registration and alert / OK: In hijack database? → Yes: Clear hijack / No: Discard.]

  11. WITHDRAWAL
     [Flowchart: Withdrawal → look up the prefix in Monitored prefixes (AS number, AS path, AS path -1, country code AS) → In Hijacked Database? → Yes: Update DB, Hijacked Networks, Clear hijack and alert / No: nothing to do.]
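The announcement and withdrawal branches of the BHAS flowchart on slides 7-11, written out as a small Python model. This is an added example, not the authors' ExaBGP proof of concept: the monitored prefixes, the AS numbers (private-use 64500-64520), the AS-to-country table that stands in for a geolocation lookup and the BGP updates are all constructed here, and the RIPEstat "registered change" step is left out. Treating an unknown AS-path -1 whose geolocation differs from the monitored AS as an "AS and prefix/subnet hijack" is this example's reading of the flowchart.

```python
"""Toy model of the BHAS subnet check, origin check, AS-path -1 check and
withdrawal handling.  All data below is constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Monitored:
    """One row of the monitored-prefixes database."""
    prefix: str
    origins: frozenset    # official origin ASes (MOAS: more than one allowed)
    upstreams: frozenset  # known AS-path -1 values (multi-homing: more than one allowed)
    country: str          # country code of the monitored AS


# Constructed AS -> country table standing in for a geolocation lookup (assumption).
AS_COUNTRY = {64500: "NL", 64501: "NL", 64502: "NL", 64503: "NL",
              64510: "DE", 64520: "US"}


def relation(announced, monitored):
    """Subnet check: 'prefix' (equal), 'subnet', 'supernet' or None (discard)."""
    a = ipaddress.ip_network(announced, strict=False)
    m = ipaddress.ip_network(monitored, strict=False)
    if a.version != m.version:      # subnet_of() raises on mixed IPv4/IPv6
        return None
    if a == m:
        return "prefix"
    if a.subnet_of(m):
        return "subnet"
    if a.supernet_of(m):
        return "supernet"
    return None


def classify(prefix, as_path, monitored):
    """Return the hijack type for an announcement, or None when it is benign."""
    origin = as_path[-1]
    upstream = as_path[-2] if len(as_path) > 1 else None   # AS-path -1
    for m in monitored:
        rel = relation(prefix, m.prefix)
        if rel is None:
            continue                        # not monitored address space: discard
        if origin not in m.origins:
            return f"{rel} hijack"          # prefix / subnet / supernet hijack
        if upstream is None or upstream in m.upstreams:
            return None                     # official origin via a known upstream
        if AS_COUNTRY.get(upstream) == m.country:
            return None                     # new upstream in the same country: OK
        return f"AS and {rel} hijack"       # official origin, suspicious upstream
    return None


class HijackDB:
    """Hijacked-networks table: active hijacks keyed by announced prefix."""
    def __init__(self):
        self.active = {}

    def announcement(self, prefix, as_path, monitored):
        kind = classify(prefix, as_path, monitored)
        if kind:
            self.active[prefix] = (as_path[-1], kind)   # hijack registration and alert
        else:
            self.active.pop(prefix, None)               # legitimate announcement clears it
        return kind

    def withdrawal(self, prefix):
        """Withdrawal branch: clear the hijack if the prefix was in the database."""
        return self.active.pop(prefix, None) is not None


MONITORED = [Monitored("192.0.2.0/24", frozenset({64500}),
                       frozenset({64501, 64502}), "NL")]

# Constructed updates: (prefix, AS path with the origin AS last).
UPDATES = [
    ("192.0.2.0/24", [64520, 64510]),          # foreign origin, exact prefix
    ("192.0.2.128/25", [64520, 64510]),        # foreign origin, more specific
    ("192.0.2.0/23", [64510]),                 # foreign origin, less specific
    ("192.0.2.0/24", [64520, 64501, 64500]),   # official origin, known upstream
    ("192.0.2.0/24", [64520, 64503, 64500]),   # official origin, new Dutch upstream
    ("192.0.2.0/24", [64510, 64500]),          # official origin via German upstream
    ("198.51.100.0/24", [64520]),              # not monitored at all
]


def run_demo():
    """Classify every constructed update; returns the list of verdicts."""
    return [classify(p, path, MONITORED) for p, path in UPDATES]


if __name__ == "__main__":
    for (p, path), verdict in zip(UPDATES, run_demo()):
        print(f"{p:18} {path} -> {verdict or 'OK'}")
```

The origin check covers the prefix, subnet and supernet hijack types; the AS-path -1 check only runs when the origin is legitimate, which is what lets multi-homed networks (several known upstreams) and MOAS prefixes (several official origins) pass without noise.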

  12. PROOF OF CONCEPT • Built within 2 days • ExaBGP • Python application • Multithreaded • Postgres database • Peewee ORM
     1) https://prince2pm.files.wordpress.com/

  13. ARCHITECTURE

  14. TEST CASES • All five types of hijacks • Virtualized environment • IRR records
     [Diagram of the test topology: routers A1-A5 and B1-B5 plus router A101, each labelled with its AS number, router ID (RID) and announced prefix (SN).]

  15. TEST ENVIRONMENT
     [Diagram of the test topology; router data recovered from the labels:]
     Group A (routers A1-A5):
       AS 10026  RID 192.168.1.13  SN 66.216.41.0/24
       AS 2914   RID 192.168.1.11  SN 61.200.80.0/20 (a second prefix, 42.99.128.0/17, appears beside it)
       AS 286    RID 192.168.1.12  SN 78.40.64.0/24
       AS 4589   RID 192.168.1.14  SN 81.188.0.0/16
       AS 58511  RID 192.168.1.15  SN 103.17.220.0/24
     Group B (routers B1-B5):
       AS 3257   RID 192.168.2.11  SN 213.254.192.0/18
       AS 1103   RID 192.168.2.12  SN 145.2.0.0/15
       AS 2603   RID 192.168.2.13  SN 193.11.3.0/24
       AS 6939   RID 192.168.2.14  SN 74.82.42.0/24
       AS 16559  RID 192.168.2.15  SN 66.63.0.0/18
     Router A101:
       AS 65101  RID 192.168.1.101  SN NVT

  16. RESULTS - ANALYSIS - CONCLUSION

  17. RESULTS TEST ENVIRONMENT • All types of BGP hijacks are reported • Prevents data disclosure to third parties

  18. IRR RECORDS “As it turns out 46% of all the prefixes in the routing table today have a valid route object.” BGPmon.net (2009) “Russia is way ahead of the others with 88.4% coverage” research.dyn.com (2009)

  19. RESULTS - IRR RECORDS
     [Bar chart: % of Dutch prefixes (0-70%) by # of IRR records (0, 1, 2, 3, 4, 5+); series IPv4 and IPv6.]

  20. RESULTS - UPDATES
     [Line chart: Amount of updates per hour (0-700,000) against runtime in hours (1-24); series Updates, IPv4 announcements, IPv6 announcements.]

  21. RESULTS - WITHDRAWALS
     [Line chart: # of withdrawals (0-10,000) against runtime in hours (1-24); series IPv4 withdrawals, IPv6 withdrawals.]

  22. RESULTS - INTERESTING WITHDRAWALS
     [Line chart: # of withdrawals (0-8) against runtime in hours (1-24); series interesting IPv4 withdrawals, interesting IPv6 withdrawals.]

  23. RESULTS - HIJACKS
     [Bar chart: Number of hijacks (0-600) per hijack type (Type 1 to Type 5); series Total hijacks, Withdrawn hijacks.]

  24. ANALYSIS • Dutch IRR registration coverage better than expected • Algorithm works • Architecture scales • More IPv6 withdrawals • 9 hijacks every hour

  25. LIMITATIONS
     Future work: • Connect to live BGP feed for further analysis • Correlate to real BGP hijacks • Compare to other solutions
     Model limitations: • Number of BGP feeds • IRR registration • Upstream AS geolocation


  26-29. CONCLUSIONS • The proposed model is tested successfully • IPv4 IRR registration coverage is 98% for Dutch ASes • IPv6 IRR registration coverage is 96% for Dutch ASes • Lower number of MOAS networks for IPv6 • Reported hijacks: 1460 out of 10.5 million updates

  30. QUESTIONS
