SLIDE 1
Blackholing the Internet: A Live Demo
Adam Rapley
me@adamrapley.com
@admrply
keybase.io/admrply
SLIDE 2
Who am I?
- 3rd year Ethical Hacking student at Abertay.
- Does web things.
- Artist/Musician.
- Building and Breaking IoT.
SLIDE 3
What is BGP
- Border Gateway Protocol
- Routing algorithm between ASs
- Advertise prefixes that you manage
- IP prefix
- AS-PATH
- Avoid loops - This is crucial for later in the talk
- Or, y’know… Don’t.
SLIDE 4
BGP Win Conditions
- For the same length prefix
- Shortest AS-PATH wins
- For different length prefixes
- The more specific prefix wins.
SLIDE 5
ISP Relationships
- BT tells Virgin about its customers and vice versa
- Verizon tells Sprint about its customers and vice versa.
- These are shared through BGP UPDATE messages.
- Updates from customers are passed to their upstream provider
- This is all trust based
- No PKI
- No validation
SLIDE 6
How do we get IP addresses?
- ICANN assigns IP blocks to RIRs
- RIPE in the EU
- ARIN in the US
- RIRs assign to ISPs
- These IP addresses are NOT assigned to ASNs
SLIDE 7
Implementation Errors
- Minimal filtering on the upstream edge router
- Rate limiting
- Only originating
- No local filtering on networks
- BGP Propagation
- Internal network
- As soon as you hit a “backbone AS”, job done.
SLIDE 8
Real World Examples
- AS 7007
- Spamming unassigned blocks
- YouTube Pakistan
- Hacking Team × Italian Police SpecOps Division
- Bitcoin Stealing
SLIDE 9
Demo Time!
SLIDE 10
Can we MITM this?
- Yes.
- Yes we can.
- Need to serve the real website!
- How do we stop our own next hop router from returning our own traffic?
- AS-PATH ASN prefixing
SLIDE 11
Keeping the path open
[Diagram, built up step by step over slides 11-25: a network of AS 10, AS 20, AS 30, AS 40, AS 50, AS 60, AS 500, AS 600 and AS 700. From slide 12 the prefix 100.50.0.0/24 is shown; from slide 20 the prefix 100.50.0.0/25 is added, labelled "(With AS 10 and AS 40 in AS-PATH)".]
SLIDE 26
Hijacking the AS-PATH
- Prepend the AS-PATH with the correct route
- Right down to the originating AS
- set as-path prepend 10 40 600
- Set a static route towards the correct path
- set ip route <10>
SLIDE 27
Mitigations
- Know someone at the ISP
- Route Flapping
- Very ineffective
- Secure alternatives
- S-BGP
- psBGP
- soBGP
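Added example, not from the original slides: a monitoring check that applies the deck's two win conditions (more specific prefix, then shortest AS-PATH) to constructed announcements for 100.50.0.0/24 and flags the ones that would pull traffic away from the expected origin. The origin AS 600, the `EXPECTED` table, the announcements and all function names are assumptions for illustration, and route selection is simplified to the two rules on the slide.

```python
import ipaddress

# Constructed ownership table: prefix -> (expected origin AS, longest length ever announced).
EXPECTED = {ipaddress.ip_network("100.50.0.0/24"): (600, 24)}

# Constructed announcements as a route collector might report them.
# AS-PATH is listed nearest neighbour first, origin last.
ANNOUNCEMENTS = [
    ("100.50.0.0/24", [20, 10, 40, 600]),      # expected route
    ("100.50.0.0/24", [30, 60]),               # same length, different origin
    ("100.50.0.0/25", [30, 60, 10, 40, 600]),  # more specific, expected path appended
    ("198.51.100.0/24", [20, 50]),             # unrelated prefix
]

def classify(prefix, as_path):
    """Return 'ok', 'origin-mismatch', 'more-specific' or 'unmonitored'."""
    net = ipaddress.ip_network(prefix)
    for owned, (origin, max_len) in EXPECTED.items():
        if net.version == owned.version and net.subnet_of(owned):
            # Length is checked first: a prepended path can end in the
            # expected origin, so an origin-only check would pass it.
            if net.prefixlen > max_len:
                return "more-specific"
            if as_path[-1] != origin:
                return "origin-mismatch"
            return "ok"
    return "unmonitored"

def best_route(dest, announcements):
    """Pick a route by the slide's rules: longest prefix, then shortest AS-PATH."""
    addr = ipaddress.ip_address(dest)
    nets = [(ipaddress.ip_network(p), path) for p, path in announcements]
    candidates = [(n, path) for n, path in nets if addr in n]
    if not candidates:
        return None
    net, path = max(candidates, key=lambda c: (c[0].prefixlen, -len(c[1])))
    return str(net), path

def alerts(announcements):
    """Announcements touching a monitored prefix that are not the expected route."""
    results = [(p, path, classify(p, path)) for p, path in announcements]
    return [r for r in results if r[2] not in ("ok", "unmonitored")]

if __name__ == "__main__":
    for prefix, path, verdict in alerts(ANNOUNCEMENTS):
        print(f"ALERT {verdict}: {prefix} via AS-PATH {path}")
    for dest in ("100.50.0.10", "100.50.0.200"):
        print(dest, "follows", best_route(dest, ANNOUNCEMENTS))
```

With this sample data, the /25 captures 100.50.0.10 even though its AS-PATH is the longest, while 100.50.0.200 falls outside the /25 and follows the shorter of the two /24 paths.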
SLIDE 28
Mitigations for the Mitigations
- Uptake
- …
- IPv6.
SLIDE 29