
Blackhat USA 2015: BGP Stream Presentation


Page 1: Blackhat USA 2015: BGP Stream Presentation


Dan Hubbard & Andree Toonk Blackhat 2015

BGP Stream

Page 2

BGP Overview

BGP Attack Examples

Announcing BGPStream

BGPStream dataviz client example

Other cool stuff

Things we may or may not present….

Page 3

Page 4

Internet 101 & BGP

•  Network of networks: it’s a graph!

•  Each organization on the Internet is called an Autonomous System (AS).

•  Each node represents an Autonomous System (AS).

•  An AS is identified by a number.
   •  OpenDNS is 36692, Google is 15169.

•  Each AS has one or more prefixes.
   •  36692 has 56 (IPv4 and IPv6) network prefixes.

•  BGP is the glue that makes this work! The result is a topology map of the Internet.

Page 5

Example BGP troubleshooting: How do I route to Facebook?

[email protected]> show route protocol bgp www.facebook.com

inet.0: 528878 destinations, 1095067 routes (528873 active, 3 holddown, 12 hidden)
+ = Active Route, - = Last Active, * = Both

179.60.193.0/24    *[BGP/170] 2w6d 21:16:18, MED 0, localpref 100
                      AS path: 32934 I
                    > to 202.167.228.39 via ge-1/1/9.0
                    [BGP/170] 1w6d 02:04:04, localpref 100
                      AS path: 4637 1221 32934 I
                    > to 210.176.38.1 via xe-0/0/0.0
                    [BGP/170] 4d 21:09:54, MED 0, localpref 100
                      AS path: 2914 38561 1221 32934 I
                    > to 202.68.65.149 via xe-2/0/0.0
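The slide shows the raw router output a network engineer reads by hand. To feed the same information into a monitor, each path has to be turned into a record with its AS path and origin AS, which is the value a hijack detector compares against the expected origin. The parser below is an added example written for this page, not code from the talk or from BGPmon; its sample text is reconstructed from the slide, with `user@router` as a placeholder for the hostname that is not on the page, and it handles the entry that carries no MED.

```python
"""Parse Juniper 'show route protocol bgp' output into structured BGP paths.

Added example for this page; not code from the BGP Stream talk or BGPmon.
SAMPLE_OUTPUT is reconstructed from the slide; 'user@router' is a placeholder
because the real hostname is not on the page.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SAMPLE_OUTPUT = """\
user@router> show route protocol bgp www.facebook.com

inet.0: 528878 destinations, 1095067 routes (528873 active, 3 holddown, 12 hidden)
+ = Active Route, - = Last Active, * = Both

179.60.193.0/24    *[BGP/170] 2w6d 21:16:18, MED 0, localpref 100
                      AS path: 32934 I
                    > to 202.167.228.39 via ge-1/1/9.0
                    [BGP/170] 1w6d 02:04:04, localpref 100
                      AS path: 4637 1221 32934 I
                    > to 210.176.38.1 via xe-0/0/0.0
                    [BGP/170] 4d 21:09:54, MED 0, localpref 100
                      AS path: 2914 38561 1221 32934 I
                    > to 202.68.65.149 via xe-2/0/0.0
"""

PREFIX_RE = re.compile(r"^(\S+/\d+)\s*")  # prefix lines start in column 0
ENTRY_RE = re.compile(r"^(?P<flag>[*+-]?)\[BGP/(?P<pref>\d+)\]\s+(?P<rest>.+)$")
ASPATH_RE = re.compile(r"^AS path:\s+(?P<path>[\d\s]*?)\s*(?P<code>[IE?])$")
NEXTHOP_RE = re.compile(r"^>?\s*to\s+(?P<nh>\S+)\s+via\s+(?P<ifc>\S+)$")


@dataclass
class BgpPath:
    prefix: str
    active: bool                 # '*' or '+' marks the path the router is using
    preference: int
    age: str
    med: Optional[int] = None
    localpref: Optional[int] = None
    as_path: List[int] = field(default_factory=list)
    origin_code: str = ""        # I = IGP, E = EGP, ? = incomplete
    next_hop: str = ""
    interface: str = ""

    @property
    def origin_as(self) -> Optional[int]:
        """The rightmost AS in the path is the AS that originated the prefix."""
        return self.as_path[-1] if self.as_path else None


def parse_show_route(text: str) -> List[BgpPath]:
    paths: List[BgpPath] = []
    prefix: Optional[str] = None
    current: Optional[BgpPath] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PREFIX_RE.match(raw)
        if m:
            prefix = m.group(1)
            line = raw[m.end():].strip()  # the rest of the line holds the first entry
        m = ENTRY_RE.match(line)
        if m and prefix:
            parts = [p.strip() for p in m.group("rest").split(",")]
            current = BgpPath(prefix, m.group("flag") in ("*", "+"),
                              int(m.group("pref")), parts[0])
            for attr in parts[1:]:  # optional "MED n" / "localpref n" attributes
                key, _, val = attr.partition(" ")
                if key == "MED":
                    current.med = int(val)
                elif key == "localpref":
                    current.localpref = int(val)
            paths.append(current)
            continue
        m = ASPATH_RE.match(line)
        if m and current:
            current.as_path = [int(a) for a in m.group("path").split()]
            current.origin_code = m.group("code")
            continue
        m = NEXTHOP_RE.match(line)
        if m and current:
            current.next_hop, current.interface = m.group("nh"), m.group("ifc")
    return paths


def origins_by_prefix(paths: List[BgpPath]) -> Dict[str, Set[int]]:
    """Collect every origin AS seen per prefix; a second origin is what a monitor alerts on."""
    seen: Dict[str, Set[int]] = {}
    for p in paths:
        if p.origin_as is not None:
            seen.setdefault(p.prefix, set()).add(p.origin_as)
    return seen


if __name__ == "__main__":
    routes = parse_show_route(SAMPLE_OUTPUT)
    for r in routes:
        print(f"{r.prefix} via {r.next_hop} path={r.as_path} active={r.active}")
    print(origins_by_prefix(routes))
```

All three paths in the slide end in AS 32934, so `origins_by_prefix` reports a single origin; a monitor built on this record shape raises an alert when that set grows to two ASes for the same prefix.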

Page 6

Recent High Profile BGP Incident Examples

BGP hijack used for spamming

BGP hijack used for financial gain (bitcoin hijack)

BGP hijack by Hacking Team

Large scale multi-day outages in Syria and Egypt

BGP hijack by Turkey to censor popular DNS resolvers

Many more accidental BGP hijacks

Page 7

Page 8

Page 9

High level Architecture

Pipeline: BGP data (observed from hundreds of BGP peers globally) → BGP Stream analyzer (Classifier → Notification)

Support for: IPv4 & IPv6, 16 & 32-bit AS numbers

Expected state:
•  Prefix / Origin AS
•  AS relations
•  Historical info
•  GEO info
•  Whois info
•  Etc.

Page 10

BGP Stream Classifier

Input: BGP data

•  Expected Origin AS vs. Detected Origin AS

•  Existing business relationship?
   •  Does the Detected AS announce other Expected AS prefixes in BGP?
   •  Is there an existing peering relationship?
   •  Did the Detected AS recently announce Expected AS prefixes?
   •  Exclude well-known relations and ASNs (e.g. DoD ASNs, special anycast prefixes).

•  Whois information
   •  Valid RPSL route object in RIR / IRR databases?
   •  Allocation data
   •  Name collision in name, description, emails

•  Geo info
   •  Do Expected and Detected operate in the same country?
   •  For US, same state?

•  Number of BGPmon peers that detected the change
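The slide lists the signals the classifier weighs when the origin AS seen in BGP differs from the expected one. The code below is an added worked example for this page, not BGPStream's own classifier: it encodes each listed signal (business relationship, whois/IRR, geo, peer count, exclusion list) as a check against a small knowledge base, and counts how many signals point to a legitimate related origin. Every ASN (from the documentation range 64496-64511), prefix (RFC 5737 ranges), company name, email domain and location in it is constructed for the example.

```python
"""Worked example of the BGP Stream classifier heuristics shown on the slide.

Added example for this page, not BGPStream's own code. Every name, ASN
(64496-64511 are reserved for documentation), prefix (RFC 5737 ranges) and
whois/geo record below is constructed to exercise the heuristics.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

GENERIC_WORDS = {"inc", "llc", "ltd", "corp", "co", "network", "networks", "the"}


@dataclass
class AsInfo:
    name: str
    description: str
    email_domain: str
    country: str
    state: str = ""


@dataclass
class KnowledgeBase:
    whois: Dict[int, AsInfo]
    peerings: Set[frozenset]             # frozenset({a, b}) per known peering/transit relation
    announcements: Dict[int, Set[str]]   # asn -> prefixes it currently originates
    recent_origins: Dict[str, Set[int]]  # prefix -> ASNs that originated it recently
    route_objects: Dict[str, Set[int]]   # prefix -> ASNs with an IRR route object for it
    excluded_asns: Set[int] = field(default_factory=set)


@dataclass
class Observation:
    prefix: str
    expected_origin: int
    detected_origin: int
    peer_count: int   # BGPmon peers that saw the new origin


def _name_tokens(info: AsInfo) -> Set[str]:
    """Significant words from whois name and description, for the name-collision check."""
    words = f"{info.name} {info.description}".lower().replace(",", " ").split()
    return {w for w in words if w not in GENERIC_WORDS and len(w) > 2}


def classify(obs: Observation, kb: KnowledgeBase, min_peers: int = 3) -> Tuple[str, List[str]]:
    """Return (verdict, evidence) for a prefix whose observed origin differs from expected."""
    exp, det = obs.expected_origin, obs.detected_origin
    if exp == det:
        return "expected", []
    if exp in kb.excluded_asns or det in kb.excluded_asns:
        return "excluded", ["origin on exclusion list"]
    if obs.peer_count < min_peers:
        return "unconfirmed", [f"seen by only {obs.peer_count} peers"]

    evidence: List[str] = []
    # Business relationship signals
    if frozenset({exp, det}) in kb.peerings:
        evidence.append("existing peering relationship")
    exp_prefixes = kb.announcements.get(exp, set()) - {obs.prefix}
    if exp_prefixes & kb.announcements.get(det, set()):
        evidence.append("detected AS already announces other expected-AS prefixes")
    if any(det in kb.recent_origins.get(p, set()) for p in exp_prefixes):
        evidence.append("detected AS recently originated expected-AS prefixes")
    # Whois / IRR signals
    if det in kb.route_objects.get(obs.prefix, set()):
        evidence.append("valid route object for detected AS")
    w_exp, w_det = kb.whois.get(exp), kb.whois.get(det)
    if w_exp and w_det:
        if _name_tokens(w_exp) & _name_tokens(w_det) or w_exp.email_domain == w_det.email_domain:
            evidence.append("whois name/description/email overlap")
        # Geo signals: same country, and for the US also the same state
        if w_exp.country == w_det.country and (w_exp.country != "US" or w_exp.state == w_det.state):
            evidence.append("same geographic region")

    if len(evidence) >= 2:
        return "related origin", evidence
    if len(evidence) == 1:
        return "possible hijack", evidence
    return "likely hijack", evidence


# Constructed knowledge base: 64497 is a subsidiary of 64496; 64500 is unrelated.
KB = KnowledgeBase(
    whois={
        64496: AsInfo("Example Corp", "Example Corp backbone", "example.com", "US", "CA"),
        64497: AsInfo("Example Europe BV", "Example Corp European subsidiary", "example.com", "NL"),
        64500: AsInfo("Acme Hosting", "Acme Hosting data center", "acme-hosting.test", "BR"),
    },
    peerings={frozenset({64496, 64497})},
    announcements={
        64496: {"203.0.113.0/24", "198.51.100.0/24"},
        64497: {"198.51.100.0/24"},
        64500: {"192.0.2.0/24"},
    },
    recent_origins={"198.51.100.0/24": {64496, 64497}},
    route_objects={"203.0.113.0/24": {64496}},
    excluded_asns={64511},
)

if __name__ == "__main__":
    for det, peers in ((64497, 12), (64500, 40), (64500, 1)):
        print(det, peers, classify(Observation("203.0.113.0/24", 64496, det, peers), KB))
```

The thresholds (two signals for "related origin", three peers before an event counts as confirmed) are choices made for the example; a production classifier tunes them against labelled history, which is what the slide's "tuning and training" refers to.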

Page 11

BGPStream Data Visualization Client

Page 12

Page 13

$blackhat there is more..

RUN BGP DNS

Page 14

Our Perspective: Diverse Set of Data & Global Internet Visibility

Requests per day: 80B

Countries: 160+

Daily active users: 65M

Enterprise customers: 10K

Page 15

Page 16

Malaysia Airlines DNS Hijack, January 25, 2015

Page 17

MALICIOUS ASN/IP IDENTIFIED: owned by Lizard Squad, who hacked the PS3 and Xbox networks in December 2014

Page 18

Page 19

POPVOTE.HK: 750 million DNS requests in 1 hour

Page 20

Page 21

Page 22

The Future…

•  More tuning and training

•  Integrate DNSStream into the BGPStream portal

•  Build a community of BGP and DNS watchers

Page 23

@bgpstream @dnsstream