BGP Stream
Dan Hubbard & Andree Toonk, Blackhat 2015
Agenda
• BGP Overview
• BGP Attack Examples
• Announcing BGPStream
• BGPStream dataviz client example
• Other cool stuff
• Things we may or may not present….
Internet 101 & BGP
• Network of Networks, it’s a Graph!
• Each organization on the Internet is called an Autonomous System (AS).
• Each node represents an Autonomous System.
• An AS is identified by a number.
  • OpenDNS is 36692, Google is 15169.
• Each AS has one or more prefixes.
  • 36692 has 56 (IPv4 and IPv6) network prefixes.
• BGP is the glue that makes this work! The result is a topology map of the Internet.
Example BGP troubleshooting: How do I route to Facebook?

[email protected]> show route protocol bgp www.facebook.com

inet.0: 528878 destinations, 1095067 routes (528873 active, 3 holddown, 12 hidden)
+ = Active Route, - = Last Active, * = Both

179.60.193.0/24    *[BGP/170] 2w6d 21:16:18, MED 0, localpref 100
                      AS path: 32934 I
                    > to 202.167.228.39 via ge-1/1/9.0
                    [BGP/170] 1w6d 02:04:04, localpref 100
                      AS path: 4637 1221 32934 I
                    > to 210.176.38.1 via xe-0/0/0.0
                    [BGP/170] 4d 21:09:54, MED 0, localpref 100
                      AS path: 2914 38561 1221 32934 I
                    > to 202.68.65.149 via xe-2/0/0.0
Recent High Profile BGP Incident Examples
• BGP hijack used for spamming
• BGP hijack used for financial gain (bitcoin hijack)
• BGP hijack by Hacking Team
• Large scale multi-day outages in Syria and Egypt
• BGP hijack by Turkey to censor popular DNS resolvers
• Many more accidental BGP hijacks
High level Architecture
BGP data → BGP Stream analyzer (Classifier) → Notification

• Observed: BGP data from hundreds of BGP peers globally
• Expected state:
  • Prefix / Origin AS
  • AS relations
  • Historical info
  • GEO info
  • Whois info
  • Etc.
• Support for: IPv4 & IPv6, 16- & 32-bit AS numbers
BGP Stream Classifier
BGP data
• Expected Origin AS vs. Detected Origin AS
• Existing business relationship?
  • Does the Detected AS announce other Expected AS prefixes in BGP?
  • Is there an existing peering relationship?
  • Did the Detected AS recently announce Expected AS prefixes?
  • Exclude well-known relations and ASNs (e.g. DoD ASNs, special anycast prefixes).
• Whois information
  • Valid RPSL route object in RIR / IRR databases?
  • Allocation data
  • Name collision in name, description, emails
• Geo info
  • Do Expected and Detected operate in the same country? For US, same state?
• Detected by number of BGPmon peers
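The heuristics on this slide, written out as an added toy classifier (not BGPStream's own code). The expected state, the scoring weights and the documentation prefixes / private ASNs are all constructed for the example; a real deployment would load expected origins, peerings and whois data from the sources the slides list.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

@dataclass
class Expected:
    origin: dict                                   # prefix -> expected origin AS
    peerings: set = field(default_factory=set)     # frozenset({asA, asB}) relations
    history: set = field(default_factory=set)      # (AS, prefix) announced recently
    whois_org: dict = field(default_factory=dict)  # AS -> organisation name
    country: dict = field(default_factory=dict)    # AS -> country code
    allowlist: set = field(default_factory=set)    # e.g. DoD ASNs, anycast origins

def expected_origin(state, prefix):
    """Longest-prefix match of the announced prefix against the expected table."""
    net, best = ip_network(prefix), None
    for p, asn in state.origin.items():
        cand = ip_network(p)
        if cand.version == net.version and net.subnet_of(cand):
            if best is None or cand.prefixlen > best[0].prefixlen:
                best = (cand, asn)
    return best[1] if best else None

def classify(state, prefix, detected, peers):
    """Score one observed announcement; returns (verdict, score, reasons)."""
    exp = expected_origin(state, prefix)
    if exp is None:
        return "unknown prefix", 0, []
    if exp == detected or detected in state.allowlist:
        return "expected", 0, []
    score, reasons = 2, [f"origin mismatch: expected AS{exp}, detected AS{detected}"]
    # Business relationship: peering, recent history, or announcing other prefixes of exp
    related = (frozenset({exp, detected}) in state.peerings
               or (detected, prefix) in state.history
               or any(a == detected and state.origin.get(p) == exp for a, p in state.history))
    orgs = (state.whois_org.get(exp, ""), state.whois_org.get(detected, ""))
    if all(orgs) and orgs[0].split()[0].lower() == orgs[1].split()[0].lower():
        related = True                       # whois name collision: probably same company
    if not related:
        score += 2; reasons.append("no known relationship with expected AS")
    if state.country.get(exp) != state.country.get(detected):
        score += 1; reasons.append("different country")
    if peers >= 10:                          # widely propagated, not a local leak
        score += 1; reasons.append(f"seen by {peers} BGP peers")
    verdict = "likely hijack" if score >= 5 else "possible hijack" if score >= 3 else "low-confidence anomaly"
    return verdict, score, reasons

STATE = Expected(  # constructed expected state; documentation prefixes, private ASNs
    origin={"203.0.113.0/24": 64500, "198.51.100.0/24": 64500, "2001:db8::/32": 64500},
    peerings={frozenset({64500, 64501})},
    whois_org={64500: "Example Networks", 64501: "Example Transit", 64502: "Other Corp"},
    country={64500: "US", 64501: "US", 64502: "NL"})

def demo():
    """Three constructed updates: the expected origin, a more-specific from an unrelated
    foreign AS seen by many peers, and a known peer in the same country."""
    return [classify(STATE, "203.0.113.0/24", 64500, 30)[0],
            classify(STATE, "203.0.113.0/25", 64502, 40)[0],
            classify(STATE, "198.51.100.0/24", 64501, 5)[0]]
```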
BGPStream Data Visualization Client

$blackhat there is more…

RUN BGP DNS
Our Perspective: Diverse Set of Data & Global Internet Visibility
• Requests per day: 80B
• Countries: 160+
• Daily active users: 65M
• Enterprise customers: 10K
Malaysia Airlines DNS Hijack, January 25, 2015
MALICIOUS ASN/IP IDENTIFIED: owned by Lizard Squad, who hacked the PS3 and Xbox networks in December 2014

POPVOTE.HK: 750 million DNS requests in 1 hour
The Future….
• More tuning and training
• Integrate DNSStream into the BGPStream portal
• Build a community of BGP and DNS watchers

@bgpstream @dnsstream