Beruflich Dokumente
Kultur Dokumente
1/53
Attack Requirements
no authentication between a miner and its bitcoin pool
traffic redirection using BGP prefixes hijacks
2/53
BGP 101
4/53
4/53
4/53
4/53
5/53
3215
6939
4725
5/53
AS42
6/53
AS42
2.0.0.0/16
6/53
AS42
2.0.0.0/16
6/53
AS42
2.0.0.0/16
AS transit
Internet
6/53
7/53
8/53
AS4713
OCN
NTT Communications Corporation
JP
AY1361JP
TT10660JP
TT15086JP
apnic-ftp@nic.ad.jp 19960911
apnic-ftp@nic.ad.jp 20091113
JPNIC
8/53
9/53
AS43515
Internet
AS4713
61.28.192.0/24
208.117.252.0/22
AS3215
2.0.0.0/16
10/53
AS43515
208.117.252.0/22
208.117.252.0/22
Internet
61.28.192.0/24
2.0.0.0/16
AS4713
61.28.192.0/24
AS3215
2.0.0.0/16
10/53
AS43515
208.117.252.0/22
208.117.252.0/22
Internet
61.28.192.0/24
2.0.0.0/16
AS4713
61.28.192.0/24
AS3215
2.0.0.0/16
10/53
AS1
AS2
AS3
Internet
11/53
BGP
192.0.2.0/24 AS1
AS1
AS2
AS3
Internet
192.0.2.0/24
11/53
BGP
BGP
192.0.2.0/24 AS1
AS1
192.0.2.0/24
AS2
AS3
Internet
192.0.2.0/24
11/53
BGP
192.0.2.0/24 AS1
192.0.2.0/24 AS1 AS3
AS1
AS2
AS4
Internet
AS3
11/53
BGP
192.0.2.0/24 AS1
192.0.2.0/24 AS1 AS3
AS1
AS2
BGP
192.0.2.0/24 AS1 AS2
AS4
Internet
192.0.2.0/24
AS3
11/53
AS4
AS1
AS2
Internet
AS3
11/53
AS4
192.0.0.0/16
AS1
AS2
Internet
192.0.2.0/24
AS3
11/53
AS4
BGP
192.0.0.0/16
AS1
AS2
Internet
192.0.2.0/24
AS3
11/53
AS4
BGP
192.0.0.0/16
AS1
AS2
192.0.2.0/24
192.0.2.42
Internet
AS3
11/53
Hijacks 101
BGP
AS3
AS0
AS1
AS2
13/53
BGP
192.0.2.0/23
AS0
AS1
AS3
192.0.2.0/23
AS2
13/53
BGP
192.0.2.0/23
AS0
AS1
AS3
192.0.2.0/23
AS2
13/53
Active Countermeasure
Use BGP rule #3 !
BGP
192.0.2.0/23 AS1 AS0
192.0.2.0/23 AS3
AS3
192.0.2.0/23
192.0.2.0/23
AS0
AS1
AS2
14/53
Active Countermeasure
Use BGP rule #3 !
BGP
192.0.2.0/23
192.0.2.0/23
192.0.2.0/23
192.0.2.0/24
192.0.3.0/24
AS1 AS0
AS3
AS1 AS0
AS1 AS0
AS1
AS0
AS3
192.0.2.0/23
AS2
192.0.2.0/24
192.0.3.0/24
14/53
Active Countermeasure
Use BGP rule #3 !
BGP
192.0.2.0/23
192.0.2.0/23
192.0.2.0/23
192.0.2.0/24
192.0.3.0/24
AS1 AS0
AS3
AS1 AS0
AS1 AS0
AS1
AS0
AS3
192.0.2.0/23
AS2
192.0.2.0/24
192.0.3.0/24
14/53
Active Countermeasure
Use BGP rule #3 !
BGP
192.0.2.0/23
192.0.2.0/23
192.0.2.0/23
192.0.2.0/24
192.0.3.0/24
AS1 AS0
AS3
AS1 AS0
AS1 AS0
AS1
AS0
AS3
192.0.2.0/23
AS2
192.0.2.0/24
192.0.3.0/24
14/53
15/53
15/53
Passive Countermeasure
Strict filter on an interconnection
BGP
AS3
AS0
AS1
AS2
16/53
Passive Countermeasure
Strict filter on an interconnection
BGP
192.0.2.0/23 64501 64500
AS3
192.0.2.0/23
192.0.2.0/23
AS0
AS1
AS2
16/53
Passive Countermeasure
Automate filter maintenance
A route object:
is declared by the AS in charge of an IP prefix
tells who can announce the prefix with BGP
the operator, its DDoS mitigation provider, its clients,
185.50.64.0/22
Observatory IPv4 prefix.
AS202214
ASOBS-MNT
RIPE # Filtered
17/53
BGP messages
19/53
AS2
BGP collector
AS3
AS6
192.168.0.0/16
AS666
192.168.0.0/24
20/53
Raw BGP
BGP parser
21/53
21/53
21/53
21/53
22/53
192.28.0.0/22
192.0.0.0/8
AS1
AS2 AS3
192.128.0.0/10
192.160.0.0/11
AS7
AS4 AS5
192.168.128.0/22
AS42
23/53
192.28.0.0/22
192.0.0.0/8
AS1
AS2 AS3
192.128.0.0/10
192.160.0.0/11
AS7
AS4 AS5
192.168.128.0/22
AS42
23/53
192.28.0.0/22
192.0.0.0/8
AS1
AS2 AS3
192.128.0.0/10
192.160.0.0/11
AS7
AS4 AS5
192.168.128.0/22
AS42
23/53
192.28.0.0/22
192.0.0.0/8
AS1
AS2 AS3
192.128.0.0/10
192.160.0.0/11
AS7
AS4 AS5
192.168.128.0/22
AS42
23/53
{}
Raw BGP
BGP parser
Emulate BGP
JSON
24/53
{}
Raw BGP
BGP parser
Emulate BGP
JSON
24/53
{}
Raw BGP
BGP parser
Emulate BGP
{}
JSON
Raw BGP
BGP parser
Emulate BGP
JSON
{}
Raw BGP
BGP parser
Emulate BGP
JSON
{}
Raw BGP
BGP parser
Emulate BGP
JSON
Conflicts detection
completes in one week with 120 cores on 5 servers
generates 130 GB per year
25/53
{}
Raw BGP
BGP parser
Emulate BGP
{}
JSON
Raw BGP
BGP parser
Emulate BGP
JSON
{}
Raw BGP
BGP parser
Emulate BGP
JSON
{}
Raw BGP
BGP parser
Emulate BGP
JSON
Conflict example
{ "timestamp":1409782437, "collector": "rrc07",
"announce": { "prefix": " 192.50.44.0/24 ", "asn": 666 ,
"as_path": "25152 6939 667 666"},
"conflict_with": {"prefix": " 192.50.44.0/24 ", "asn": 7500 }}
25/53
Disco?
automatic data distribution & replication
like HDFS
26/53
From
BIG DATA to
small data
26/53
27/53
192.50.44.0/24
Example prefix
AS666
AS666-MNT
27/53
192.50.44.0/24
Example prefix
AS666
AS666-MNT
27/53
27/53
AS15557
LDCOMNET
SFR
ORG-LA7-RIPE
LD699-RIPE
LDC76-RIPE
ASSIGNED
LDCOM-MNT
FMCF-MNT
LDCOM-MNT
RIPE
$ whois AS41272
aut-num:
as-name:
descr:
org:
admin-c:
tech-c:
status:
mnt-by:
AS41272
MOSELLE-TELE-AS
MOSELLE TELECOM
ORG-MT18-RIPE
LD699-RIPE
LDC76-RIPE
ASSIGNED
MOSELLE-TELE-MNT
mnt-routes:
source:
MOSELLE-TELE-MNT
RIPE
2% conflicts removed
54% conflicts removed
28/53
29/53
BGP
192.168.0.0/16 1000
192.0.2.0/24 1000 666
Internet
AS1000
AS666
29/53
BGP
192.168.0.0/16 1000
192.0.2.0/24 1000 666
Internet
AS1000
AS666
Client/Provider relation
5% conflicts removed
3% conflicts removed
ANSSI - Detecting BGP hijacks in 2014
29/53
Classifying conflicts
Percentage of conflicts
Summary
93
90 %
54
60 %
32
30 %
0%
Validated
Related
France
Connected
11
Abnormal
Japan
30/53
Computing durations
From conflicts to events
Time
Before aggregation
{ "timestamp": 20141111.0, "collector": "rrc99" ,
"type": "RELATION",
"announce": { "prefix": "1.6.28.0/24", "asn": 666 }
"conflict_with": {"prefix": "1.6.0.0/18", "asn": 1000 } }
{ "timestamp": 20141231.0, "collector": "rrc66" ,
type": "RELATION",
"announce": { "prefix": "1.6.28.0/24", "asn": 666 }
"conflict_with": {"prefix": "1.6.0.0/18", "asn": 1000 } }
ANSSI - Detecting BGP hijacks in 2014
31/53
Computing durations
From conflicts to events
Time
After aggregation
{ "conflict_with" : { "prefix" : "1.6.0.0/18", "asn" : 1000 },
"origin" :
{ "prefix" : "1.6.28.0/24", "asn" : 666 },
"begin": 20141111.0, "end" : 20141231.0,
"peers" : [ "rrc99", "rrc66" ],
"type" : "RELATION" }
74 084 events
73 902 events
ANSSI - Detecting BGP hijacks in 2014
31/53
Events Visualization
A French AS
10/28/2014
2014
February
localhost:2807/timeslots/AS3215
March
April
May
June
July
August
September
October
No
32/53
Events Visualization
A Japanese AS
10/28/2014
2014
localhost:2807/timeslots/AS2706
February
March
April
May
June
July
August
September
October
32/53
Simple rules
remove events that change categories
remove events if ASes belongs to the same country
remove events longer than 6 months
remove associated events
33/53
34/53
typos in AS numbers
2208 and 208
35/53
Closing Remarks
36/53
38/53
Alerts
BGP messages
Hijacks
Measurements
ANSSI - Detecting BGP hijacks in 2014
39/53
Detection Requirements
https://github.com/spotify/luigi
Fetching Tasks
Internet registries
raw BGP data
40/53
Detection Requirements
https://github.com/spotify/luigi
{}
Fetching Tasks
Processing Tasks
Internet registries
40/53
41/53
<
<
<
<
41/53
<
<
<
<
42/53
<
<
<
<
$ whois 2a04:8000::/29
inet6num:
2a04:8000::/29
netname:
UA-UAHOSTING
descr:
Hosting Ukraine
country:
UA
org:
ORG-HUL6-RIPE
42/53
<
<
<
<
$ whois 2a04:8000::/29
inet6num:
2a04:8000::/29
netname:
UA-UAHOSTING
descr:
Hosting Ukraine
country:
UA
org:
ORG-HUL6-RIPE
42/53
<
<
<
<
$ whois 2a04:8000::/29
inet6num:
2a04:8000::/29
netname:
UA-UAHOSTING
descr:
Hosting Ukraine
country:
UA
org:
ORG-HUL6-RIPE
42/53
<
<
<
<
$ whois 2a04:8000::/29
inet6num:
2a04:8000::/29
netname:
UA-UAHOSTING
descr:
Hosting Ukraine
country:
UA
org:
ORG-HUL6-RIPE
42/53
Analysis Result
2a04:8000::/29 belongs to the Ukrainian operator
43/53
Analysis Result
2a04:8000::/29 belongs to the Ukrainian operator
2a04: 0 800::/29 belongs to the French operator
French operator made a mistake in its BGP configuration
43/53
Analysis Result
2a04:8000::/29 belongs to the Ukrainian operator
2a04: 0 800::/29 belongs to the French operator
French operator made a mistake in its BGP configuration
It was a false positive, the route6 object was created a few days
later by the Ukrainian operator.
43/53
44/53
https://stat.ripe.net/AS198596
45/53
<
<
<
<
46/53
<
<
<
<
Definition
infected ASes accepted the hijacking BGP update
traffic to the hijacked prefix go to the hijackers network
46/53
<
<
<
<
Definition
infected ASes accepted the hijacking BGP update
traffic to the hijacked prefix go to the hijackers network
How do we launch active measurements from these ASes?
46/53
47/53
48/53
49/53
Hijacks
20 %
15 %
10 %
5%
0%
2
10
12
14
Num of probes
ANSSI - Detecting BGP hijacks in 2014
49/53
Traceroute Example
<
<
<
<
50/53
Traceroute Example
<
<
<
<
50/53
Traceroute Example
<
<
<
<
Traceroute to
185.73.204.1
50/53
Traceroute Example
<
<
<
<
Traceroute to
185.73.204.1
50/53
Traceroute Example
<
<
<
<
1.
2.
3.
4.
5.
10.10.10.1
82.118.96.1
188.124.228.1
95.215.3.78
* * *
50/53
Traceroute Example
<
<
<
<
Closing Remarks
traceroute stops at AS44050 (PIN-AS)
AS131788 and AS198596 are most certainly placeholders
AS44050 (PIN-AS) is already known for previous hijacks
51/53
Conclusion
wide scale BGP hijacks automatic detection
only a few really hijacks per year regarding France and Japan
early detection and reporting
on-going work to identify traffic redirection
52/53
Questions?
Related publication
BGP configuration best practices (English & French)
53/53