BGP HIJACKING OS3: Bram ter Borch & Jeroen Schutrup National - - PowerPoint PPT Presentation



slide-1
SLIDE 1

BGP HIJACKING

OS3: Bram ter Borch & Jeroen Schutrup

National Cyber Security Center

slide-2
SLIDE 2

BORDER GATEWAY PROTOCOL (BGP)

  • The Internet's main routing protocol
  • RFC 4271 (the original specification dates from 1989)
  • Connects Autonomous Systems (AS)
  • BGP hijack
slide-3
SLIDE 3

WHAT IS A BGP HIJACK

  • Prefix hijack
  • Subnet hijack
  • AS and prefix hijack
  • AS and subnet hijack
  • Supernet hijack (introduced in our paper)

1) http://www.bgpmon.net/chinese-isp-hijacked-10-of-the-internet/

slide-4
SLIDE 4

EXISTING SOLUTIONS

Tooling

  • PHAS
  • iSPY
  • BGPmon.py

Web based

  • BGPMON
  • DYN.com

Theoretical

  • Hu et al. (fingerprinting and traceroute)
  • Zheng et al. (traceroute to monitored networks from a reference point)

slide-5
SLIDE 5

LIMITATIONS & CHALLENGES

  • Limited to online prefixes
  • Noise generation
  • Lacking Multiple Origin AS (MOAS) Support
  • Information disclosure
slide-6
SLIDE 6

RESEARCH QUESTION

How to create an early detection system for BGP hijacks for a fixed number of IP ranges and AS numbers using public resources?

slide-7
SLIDE 7

PROPOSED MODEL (BHAS)

  • Requires a full BGP feed
  • Supports IPv4 and IPv6
  • Supports MOAS
  • Supports multi-homing

Flowchart of the BHAS model (node labels recovered from the slide):

  • Input: BGP update, announcement or withdrawal, matched against the monitored prefixes table (AS number, AS path, AS path -1, country code)
  • Subnet check: is the prefix within the update a subnet, equal to, or supernet of a monitored prefix? No: discard. Yes: continue
  • Check announcing AS: is it the official announcer? Yes: OK. No: get AS path, compare AS path
  • Different AS path: get AS-path -1, compare AS-path -1; different: get geolocation of AS-path -1, compare with announcing AS
  • Different geolocation: hijack registration and alert; check RIPEstat records, registered change? Yes: update DB. No: hijacked networks
  • OK: in hijack database? Yes: clear hijack
  • Withdrawal: in hijacked database? Yes: clear hijack. No: discard
slide-8
SLIDE 8

INITIALIZATION

Initialization part of the flowchart (node labels recovered from the slide):

  • BGP update: announcement or withdrawal
  • Monitored prefixes table: AS number, AS path, AS path -1, country code
  • Subnet check: is the prefix within the update a subnet, equal to, or supernet of a monitored prefix? No: discard. Yes: pass subnet check
  • Withdrawal: handled separately

slide-9
SLIDE 9

SUBNET, PREFIX AND SUPERNET DETECTION

Subnet, prefix and supernet detection part of the flowchart (node labels recovered from the slide):

  • Check announcing AS against the monitored prefixes table (AS number, AS path, AS path -1, country code): is it the official announcer?
  • Yes: OK; in hijack database? Yes: clear hijack. No: done
  • No: get AS path, compare AS path; different: hijack registration and alert
  • Check RIPEstat records, registered change? Yes: update DB. No: hijacked networks

slide-10
SLIDE 10

AS HIJACK DETECTION

AS hijack detection part of the flowchart (node labels recovered from the slide):

  • Get AS-path -1 from the update, compare AS-path -1 with the monitored prefixes table (AS number, AS path, AS path -1, country code)
  • Different: get geolocation of AS-path -1, compare GEO with announcing AS
  • Different: hijack registration and alert, hijacked networks
  • OK: in hijack database? Yes: clear hijack. No: discard

slide-11
SLIDE 11

WITHDRAWAL

Withdrawal part of the flowchart (node labels recovered from the slide):

  • Withdrawal of a monitored prefix (AS number, AS path, AS path -1, country code): update DB
  • In hijacked database? Yes: clear hijack (hijack registration and alert updated). No: done
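The decision flow of slides 7 to 11, as a runnable example added here (not the authors' BHAS implementation): a subnet check with `ipaddress`, the official-announcer check, the AS-path -1 comparison with a geolocation fallback, and an in-memory hijacked-networks table that is cleared by withdrawals. It labels an update with one of the five hijack types of slide 3. The monitored table, the ASN-to-country map (standing in for RIPEstat), and the sample updates are constructed; the rules that a supernet announced by the owner is aggregation and that an unknown upstream in the same country is tolerated are assumptions of this example, not statements from the slides.

```python
"""Added example, not the authors' BHAS implementation: an in-memory version of
the decision flow on slides 7-11 that classifies a BGP update against a table
of monitored prefixes into the five hijack types of slide 3.  The monitored
table, the ASN-to-country map and the sample updates are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Monitored:
    prefix: object          # ipaddress.IPv4Network / IPv6Network
    origin_as: int          # the official announcer
    upstreams: frozenset    # known "AS path -1" neighbours (multi-homing)
    country: str            # country code of the origin AS


# Hypothetical ASN -> country table standing in for RIPEstat geolocation.
AS_COUNTRY = {1103: "NL", 2603: "SE", 3257: "DE", 2914: "US",
              64500: "NL", 64501: "CN"}

# Constructed monitored table; prefixes and origins follow the test topology,
# the upstream and country columns are assumptions of this example.
MONITORED = (
    Monitored(ipaddress.ip_network("145.2.0.0/15"), 1103, frozenset({3257}), "NL"),
    Monitored(ipaddress.ip_network("193.11.3.0/24"), 2603, frozenset({1103}), "SE"),
)


def subnet_relation(announced, monitored):
    """Subnet check: 'equal', 'subnet' or 'supernet' of the monitored prefix,
    None when the announced prefix does not overlap it (or is another family)."""
    if announced.version != monitored.version:
        return None
    if announced == monitored:
        return "equal"
    if announced.subnet_of(monitored):
        return "subnet"
    if announced.supernet_of(monitored):
        return "supernet"
    return None


def classify(prefix, as_path, monitored=MONITORED, geo=AS_COUNTRY):
    """Return the hijack type of an announcement, or None if it looks legitimate."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    upstream = as_path[-2] if len(as_path) > 1 else None   # "AS path -1"
    for m in monitored:
        rel = subnet_relation(net, m.prefix)
        if rel is None:
            continue                                  # fails the subnet check
        if origin != m.origin_as:                     # not the official announcer
            return {"equal": "prefix hijack", "subnet": "subnet hijack",
                    "supernet": "supernet hijack"}[rel]
        # Official announcer.  A less specific announcement by the owner is
        # ordinary aggregation, and a known upstream is normal multi-homing
        # (both assumptions of this example).
        if rel == "supernet" or upstream is None or upstream in m.upstreams:
            return None
        # Unknown upstream: compare its geolocation with the announcing AS.
        if geo.get(upstream) == m.country:
            return None                               # plausible new transit
        return "AS and prefix hijack" if rel == "equal" else "AS and subnet hijack"
    return None                                       # no monitored prefix involved


class HijackDB:
    """Hijacked-networks table: filled on alert, cleared on a withdrawal or on a
    legitimate re-announcement by the official announcer."""

    def __init__(self):
        self.active = {}            # prefix -> hijack type

    def process(self, update):
        """update = {'type': 'announce'|'withdraw', 'prefix': str, 'as_path': [..]}"""
        prefix = str(ipaddress.ip_network(update["prefix"]))
        if update["type"] == "withdraw":
            if self.active.pop(prefix, None) is not None:
                return "hijack cleared by withdrawal"
            return "withdrawal discarded"
        kind = classify(prefix, update["as_path"])
        if kind is not None:
            self.active[prefix] = kind
            return "hijack registered: " + kind
        if self.active.pop(prefix, None) is not None:
            return "hijack cleared by legitimate announcement"
        return "announcement ok"


if __name__ == "__main__":
    db = HijackDB()
    for upd in ({"type": "announce", "prefix": "145.2.0.0/15", "as_path": [2914, 64501]},
                {"type": "announce", "prefix": "145.2.0.0/16", "as_path": [2914, 64501, 1103]},
                {"type": "withdraw", "prefix": "145.2.0.0/15", "as_path": []}):
        print(upd["type"], upd["prefix"], "->", db.process(upd))
```

The subnet check is done with `subnet_of` / `supernet_of` after an address-family test, because those methods raise on mixed IPv4/IPv6 input; the family test is what keeps a dual-stack monitored table (slide 7) from crashing on the first IPv6 update.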

slide-12
SLIDE 12

PROOF OF CONCEPT

  • Built within 2 days
  • ExaBGP
  • Python application, multithreaded
  • Postgres database
  • Peewee ORM

1) https://prince2pm.files.wordpress.com/
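The proof of concept takes its feed from ExaBGP. The reader below is an example added here, not the authors' code: it consumes ExaBGP's JSON API line by line and reduces each update to the fields the detection flow needs (AS path, AS path -1, announced and withdrawn prefixes). The message layout is what this example assumes of ExaBGP 4's JSON encoder (with a fallback for the ExaBGP 3 dictionary shape), the ExaBGP configuration in the comment is illustrative, and all sample lines are constructed.

```python
"""Added example, not the authors' code: a reader for ExaBGP's JSON API that
reduces each received update to the fields the BHAS flow consumes (AS path,
AS path -1, announced and withdrawn prefixes).  The message layout is what this
example assumes of ExaBGP 4's JSON encoder; the sample lines are constructed."""
import json
import sys

# Illustrative ExaBGP configuration that would run this script as a 'process'
# and hand it parsed updates on stdin (assumed syntax, not from the slides):
#   process monitor { run /usr/bin/python3 /opt/bhas/feed.py --stdin; encoder json; }
#   neighbor 192.168.1.11 {
#       router-id 192.168.1.101; local-address 192.168.1.101;
#       local-as 65101; peer-as 2914;
#       api { processes [ monitor ]; receive { parsed; update; } }
#   }


def _nlris(entry):
    """ExaBGP 4 lists NLRIs as [{'nlri': prefix}, ...]; ExaBGP 3 keyed a dict by
    prefix.  Accept both so a feed from either version parses."""
    if isinstance(entry, list):
        return [item["nlri"] for item in entry]
    if isinstance(entry, dict):
        return list(entry)
    return []


def parse_update(line):
    """Return a flat record for an 'update' message, None for anything else."""
    if not line.strip():
        return None
    msg = json.loads(line)
    if msg.get("type") != "update":
        return None                      # state, notification, ... are skipped
    neighbor = msg["neighbor"]
    update = neighbor["message"]["update"]
    as_path = update.get("attribute", {}).get("as-path", [])
    announced, withdrawn = [], []
    for _family, per_nexthop in update.get("announce", {}).items():
        for _nexthop, entry in per_nexthop.items():
            announced.extend(_nlris(entry))
    for _family, entry in update.get("withdraw", {}).items():
        withdrawn.extend(_nlris(entry))
    return {
        "peer": neighbor["address"]["peer"],
        "peer_as": neighbor["asn"]["peer"],
        "as_path": as_path,
        "origin_as": as_path[-1] if as_path else None,
        "upstream_as": as_path[-2] if len(as_path) > 1 else None,  # AS path -1
        "announced": announced,
        "withdrawn": withdrawn,
    }


def parse_stream(lines):
    """Parse an iterable of JSON lines, dropping everything that is not an update."""
    return [rec for rec in map(parse_update, lines) if rec is not None]


def _message(body):
    """Constructed ExaBGP-style envelope around an update body (sample data)."""
    return json.dumps({"exabgp": "4.0.1", "type": "update",
                       "neighbor": {"address": {"local": "192.168.1.101",
                                                "peer": "192.168.1.11"},
                                    "asn": {"local": 65101, "peer": 2914},
                                    "direction": "receive",
                                    "message": {"update": body}}})


# Constructed sample feed: one announcement, one withdrawal, one state message.
SAMPLE_LINES = [
    _message({"attribute": {"origin": "igp", "as-path": [2914, 3257, 1103]},
              "announce": {"ipv4 unicast": {"192.168.1.11": [{"nlri": "145.2.0.0/15"}]}}}),
    _message({"withdraw": {"ipv4 unicast": [{"nlri": "145.2.0.0/15"}]}}),
    json.dumps({"exabgp": "4.0.1", "type": "state", "neighbor": {"state": "up"}}),
]

if __name__ == "__main__":
    lines = sys.stdin if "--stdin" in sys.argv[1:] else SAMPLE_LINES
    for record in parse_stream(lines):
        print(json.dumps(record))
```

Run without arguments it parses the constructed sample; with `--stdin` it reads the live feed that ExaBGP pipes to a `process`. A withdrawal carries no AS path, so `origin_as` and `upstream_as` come back as `None` and the withdrawal is matched on prefix alone, which is what the withdrawal branch of the model needs.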

slide-13
SLIDE 13

ARCHITECTURE

slide-14
SLIDE 14

TEST CASES

  • All five types of hijacks
  • Virtualized environment
  • IRR records

Figure: test topology with routers A1, A2, A3, A4, A5, A101 and B1, B2, B3, B4, B5. Per router the figure gives the AS number (AS), router ID (RID) and announced prefix (SN):

  AS      RID             SN
  286     192.168.1.12    78.40.64.0/24
  10026   192.168.1.13    66.216.41.0/24, 42.99.128.0/17
  4589    192.168.1.14    81.188.0.0/16
  2914    192.168.1.11    61.200.80.0/20
  16559   192.168.2.15    66.63.0.0/18
  6939    192.168.2.14    74.82.42.0/24
  58511   192.168.1.15    103.17.220.0/24
  2603    192.168.2.13    193.11.3.0/24
  3257    192.168.2.11    213.254.192.0/18
  1103    192.168.2.12    145.2.0.0/15
  65101   192.168.1.101   NVT (not applicable)

slide-15
SLIDE 15

TEST ENVIRONMENT

Figure: the same test topology as on slide 14 (routers A1 to A5, A101 and B1 to B5 with their AS numbers, router IDs and prefixes).

slide-16
SLIDE 16

RESULTS - ANALYSIS - CONCLUSION

slide-17
SLIDE 17

RESULTS TEST ENVIRONMENT

  • All types of BGP hijacks are reported
  • Prevents data disclosure to third parties
slide-18
SLIDE 18

IRR RECORDS

BGPmon.net (2009)

“As it turns out 46% of all the prefixes in the routing table today have a valid route object.”

research.dyn.com (2009)

“Russia is way ahead of the others with 88.4% coverage”

slide-19
SLIDE 19

RESULTS - IRR RECORDS

Chart: share of Dutch prefixes (y-axis, 0 to 70%) by number of IRR records (x-axis: 1, 2, 3, 4, 5+), with separate series for IPv4 and IPv6.

slide-20
SLIDE 20

RESULTS - UPDATES

Chart: amount of updates per hour (y-axis, up to 700,000) against runtime in hours (x-axis, 1 to 24), with series for all updates, IPv4 announcements and IPv6 announcements.

slide-21
SLIDE 21

RESULTS - WITHDRAWALS

Chart: number of withdrawals per hour (y-axis, up to 10,000) against runtime in hours (x-axis, 1 to 24), with series for IPv4 withdrawals and IPv6 withdrawals.

slide-22
SLIDE 22

RESULTS - INTERESTING WITHDRAWALS

Chart: number of interesting withdrawals per hour (y-axis, up to 8) against runtime in hours (x-axis, 1 to 24), with series for interesting IPv4 withdrawals and interesting IPv6 withdrawals.

slide-23
SLIDE 23

RESULTS - HIJACKS

Chart: number of hijacks (y-axis, up to 600) per hijack type (x-axis: Type 1 to Type 5), with series for total hijacks and withdrawn hijacks.

slide-24
SLIDE 24

ANALYSIS

  • Dutch IRR registration coverage better than expected
  • Algorithm works
  • Architecture scales
  • More IPv6 withdrawals
  • 9 hijacks every hour

slide-25
SLIDE 25

LIMITATIONS

Model limitations

  • Number of BGP feeds
  • IRR registration
  • Upstream AS geolocation

Future work

  • Connect to a live BGP feed for further analysis
  • Correlate to real BGP hijacks
  • Compare to other solutions

slide-26
SLIDE 26

CONCLUSIONS

  • The proposed model is tested successfully
  • IPv4 IRR registration coverage is 98% for Dutch ASes
  • IPv6 IRR registration coverage is 96% for Dutch ASes
  • Lower number of MOAS networks for IPv6
  • Reported hijacks: 1460 out of 10.5 million updates
slide-30
SLIDE 30

QUESTIONS