IP Hijacking - Securing Internet Routing
Presentation given by Marco Hogewoning at: LEA Meeting, London. 19 March 2012
Marco Hogewoning
RIPE NCC IPv4 Pool
[Pie chart] APNIC 20%, ARIN 30%, LACNIC 4%, AfriNIC 2%, Legacy 15%, Other IANA 14%, RIPE NCC 15%
Monday, March 19, 2012
IP Hijacking - Securing Internet Routing
Marco Hogewoning, Training Services
Never attribute to malice that which is adequately explained by stupidity.
-- Robert J Hanlon
Why Would You Hijack?
• Sending spam or malware unnoticed
• Intercept traffic to a specific host
• Sell the resources
Two Targets for Hijacking
• The Internet routing table
– Influence how traffic flows by manipulating BGP
• The Internet registry
– Possibly manipulating BGP filters
– Hide or change ownership details
Internet Routing
• Non-hierarchical
• The Internet registries only have limited control
– It’s the operator who decides
– We can only offer some guidance
• Internet Routing Registry
– Integrated in the RIPE Database
– Ties together a prefix and an ASN
• RPKI Certification
– ROAs couple a prefix and an ASN
Decision Making in Routing
• Unless preferences dictate otherwise, a router will pick the shortest path
• A more specific route will always take preference
• Filtering usually only done at the edge of the Internet
– Filtering in the core of the Internet is far too complex and costly to achieve
• Most filters are based on IP ranges
– Input can come from the IRR
[Diagram, built up over several slides: a topology of ASes and IXes. Speech bubbles in order of appearance: “I have 193.0.0.0/19!”, “I know where 193.0.0.0/19 is” (repeated as more ASes learn the route), “Haha, I have 193.0.3.0/24”]
Hijacking in Practice
Hijacking in Order to Spam
• Probably the easiest to do
– You don’t need 100% coverage
– Probably temporary anyway
– You don’t care about identity or ownership
• Find some space that is not in use
– Registry can “guide” you to them
• Find an upstream that does not filter
– Or trusts what you tell them
In Practical Terms
• Look for older registrations or even better, look for something that is not registered at all
• Maybe find an unused ASN to hide behind
• Announce it on the Internet and do your thing
• Role of the registries is very limited
– We advise people to filter
– Try to reclaim unannounced space
Hijacking to Intercept
• You are targeting space that is in use
– The owner is much more likely to find out
– You need to create a shorter or better AS path
• Using a more specific creates a better path
– Announce only the part you are interested in
• Make sure you don’t create a blackhole
• RIPE NCC provides tools that can spot these
Injecting a Rogue Route
[Diagram, built up over several slides: a topology of ASes including a “Target” and a “victim”. Labels added during the animation: “Inject”, “fake AS”]
Hijacking With the Intention to Sell
• No need to fiddle with routing
• Unregistered (legacy) space is probably the easiest to target
• Registered space requires you to alter the RIPE Database
• Amount of detail needed probably depends on who is buying it
Protection and Prevention
IPv4 Address Space Covered
[Pie chart] Legacy 15%, RIPE NCC 15%
Internet Registry
• All assignments and allocations made by the RIPE NCC are protected by us
• Attempts to modify data are monitored and immediately acted upon
• Virtually impossible to steal registered space from the perspective of the Database
• Routing does not depend on registry information
RIPE Database
• Strong protection using MD5 hashed passwords or PGP public/private key pairs
• Only authenticated users can update or change information
• Creation of so-called route objects verified by password of both the IP and ASN holders
• It is a public database!
Internet Routing Registry
• Combination of ASN and IP resources
– “This space is announced by this AS”
• Can be used to set up and maintain filters
– Used by a number of larger operators
– Only accept a route from a customer when properly registered
– Blocks the injection of false routing information
• Use of the IRR is voluntary
Internet Routing Registry (2)
• Not all address space is covered
• Not everything in the IRR is accurate
– Stale information can be a problem
– Manual overrides happen all the time
• It is a distributed system
– 14 databases that mirror each other
– Verification and authentication methods vary between those databases
Routing Information Service
• We operate a number of route collectors
– Thousands of networks feed us their view of the world
– Provides a global view of the Internet
• Information collected in a central database
– Provides historic and real time information
– Information is publicly accessible
• Information can be used to monitor your space
• Can also be used to find unused address blocks
IS Alarms Service
• Tool to monitor the Internet routing table
– Using RIS as a source
• Track changes in origin or transit AS for a given prefix
• If a rogue route is detected an alarm is raised to the operator either via email or syslog
• Can catch a lot of errors and hijack attempts
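The kind of check such a monitor performs, as an added example that is not RIPE NCC's implementation: observed announcements are compared with the origin and transit ASes expected for a watched prefix. The watched policy, the ASNs (documentation range) and the AS paths are constructed, and `check_announcements` is a hypothetical name.

```python
import ipaddress

# Constructed sample data: documentation ASNs (RFC 5398) and the prefixes
# used on the slides. None of this is real RIS output.
WATCHED = {"193.0.0.0/19": {"origins": {64496}, "transits": {64497, 64498}}}
OBSERVED = [
    ("193.0.0.0/19", [64510, 64497, 64496]),          # expected announcement
    ("193.0.3.0/24", [64510, 64505, 64511]),          # more specific, foreign origin
    ("193.0.0.0/19", [64510, 64505, 64496, 64496]),   # new transit, origin prepended
    ("193.0.0.0/19", [64510, 64500]),                 # same prefix, different origin
    ("198.51.100.0/24", [64510, 64500]),              # unrelated prefix, ignored
]


def check_announcements(watched, observed):
    """Return (alarm, prefix, origin, watched_prefix) for each suspicious route."""
    alarms = []
    for prefix, as_path in observed:
        seen = ipaddress.ip_network(prefix)
        origin = as_path[-1]
        # First AS before the origin, skipping AS-path prepending by the origin.
        transit = next((a for a in reversed(as_path) if a != origin), None)
        for wprefix, policy in watched.items():
            net = ipaddress.ip_network(wprefix)
            if seen.version != net.version or not seen.subnet_of(net):
                continue  # announcement does not overlap the watched block
            if origin not in policy["origins"]:
                kind = "origin-change" if seen == net else "more-specific-foreign-origin"
            elif seen != net:
                kind = "more-specific-own-origin"  # often legitimate, still worth a look
            elif transit is not None and transit not in policy["transits"]:
                kind = "transit-change"
            else:
                continue  # matches the expected origin and transit
            alarms.append((kind, prefix, origin, wprefix))
    return alarms


if __name__ == "__main__":
    for alarm in check_announcements(WATCHED, OBSERVED):
        print(alarm)
```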
Routing Registry Consistency Check
• Compares the IRR and RIS
• Highlights the mismatches in origin AS
• Operator can choose from two options:
– Fix the IRR to match routing
– Fix the routing to match the IRR
• Does not prevent or correct any hijacking but improves data quality in the IRR
Certification
• The idea came from the routing community
– Secure InterDomain Routing (SIDR) WG in IETF
• Route Origination Authorization (ROA)
– Ties a specific prefix to an ASN
– “Improved” version of the route object
• Verified by the address holder
– Registry is the trust anchor
– Allows for better control compared to IRR
Certification (2)
• More and easier integration with the routing layer
– Compared to the IRR system using the database
• Should have less stale information
– Turned out to still be error prone
• Use is entirely voluntary
– How to handle invalids is up to the operator
• Quality of the RPKI data will influence the speed of adoption amongst operators
Certification (3)
• Current guidelines are to alter preference:
– Always prefer valid over invalid routes
• Right now can only verify the origin of the route
– Catches a lot of mistakes
– “Path validation” added in the future
• Filtering only becomes an option when everybody uses the system correctly
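The origin check from the Certification slides combined with the more-specific rule from "Decision Making in Routing", as an added example that is not RIPE NCC code: routes are classified against a ROA using the valid / invalid / not-found states of RFC 6811, then a simplified route selection is run with invalids either de-preferred or dropped. The ROA, ASNs (documentation range), AS paths and function names are constructed for illustration.

```python
import ipaddress

# Constructed data: one ROA as (prefix, maxLength, origin ASN) and three
# received routes as (prefix, AS path). ASNs are documentation values.
ROAS = [("193.0.0.0/19", 19, 64496)]
ROUTES = [
    ("193.0.0.0/19", [64510, 64497, 64496]),  # legitimate origin
    ("193.0.0.0/19", [64510, 64511]),         # same prefix, wrong origin, shorter path
    ("193.0.3.0/24", [64510, 64511]),         # more specific, wrong origin
]
RANK = {"valid": 0, "not-found": 1, "invalid": 2}


def validate_origin(prefix, origin, roas):
    """Classify a route as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this prefix
        if route.prefixlen <= max_len and origin == roa_asn:
            return "valid"
    return "invalid" if covered else "not-found"


def select_route(dest, routes, roas, drop_invalid=False):
    """Return the (prefix, as_path) used to reach dest, or None."""
    table = {}  # prefix -> (sort key, as_path): best path per prefix
    for prefix, as_path in routes:
        state = validate_origin(prefix, as_path[-1], roas)
        if drop_invalid and state == "invalid":
            continue
        key = (RANK[state], len(as_path))  # validity first, then path length
        if prefix not in table or key < table[prefix][0]:
            table[prefix] = (key, as_path)
    addr = ipaddress.ip_address(dest)
    matches = [p for p in table if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    # Forwarding uses the longest matching prefix, whatever its validity state.
    best = max(matches, key=lambda p: ipaddress.ip_network(p).prefixlen)
    return best, table[best][1]
```

With preference only, the valid /19 beats the shorter invalid path for the same prefix, but traffic to 193.0.3.10 still follows the invalid /24; with `drop_invalid=True` it falls back to the valid /19.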
Injecting a Rogue Route
[Diagram: the same topology of ASes with a “Target” and a “victim”; the “Inject” step is marked with an X]
Legacy Is the Easy Victim
[Pie chart] APNIC 20%, ARIN 30%, LACNIC 4%, AfriNIC 2%, Legacy 15%, Other IANA 14%, RIPE NCC 15%
Legacy Space
• The most likely target for any form of hijacking or other abuse:
– Not covered by the registry or stale information
– Not covered by RPKI
– More likely to not be used on the Internet
• Project underway to bring these resources into the registry
– Registration is free of charge
Questions?