On Mon, Jun 5, 2017 at 7:05 AM, Mel Beckman <mel@beckman.org> wrote:
One way is for the hijacker to simply peer with himself. The hijacker has an existing peering arrangement with, say, AT&T. He then tells AT&T that he will be transit for ASxxxx advertising XYZ routes, by dint of a cheerfully forged LOA. Once filters have been updated, the hijacker advertises the space to himself, and then from thence to AT&T.
that doesn't seem to be what's happening in ron's example though... it looks, to me, like the example ron has is more a case of:
1) register contacts for lost asn (AS34991)
2) setup equipment/etc at an IX (bulgaria-ix it seems, at least) with another shill/lost-child asn (AS206776)
3) start doing the bgps with the IX fabric's route-server
4) profit (or something)
so here the IXP operator (balkans ix actually?) http://lg.bix.bg/?query=summary&addr=&router=rs1.bix.bg+%28IPv4%29 (search for 206776 -> http://lg.bix.bg/?query=bgp&addr=neighbors+193.169.198.191&router=rs1.bix.bg+(IPv4) ) should probably look more than just side-eyes at their customer...
It's no great trick getting peering set up. Just fill out a ten-question BGP app and pay a one-time fee of maybe $100, and you're done.
err, you'll have to better explain this I think. Are you saying: "get an ASN from RIR that costs 100USD" (might, probably does) this doesn't get you a peering/transit contract though... -chris
-mel beckman
On Jun 5, 2017, at 3:56 AM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
The more I know, the less I understand.
Maybe some of you kind folks can help.
Please explain for me the following scenario, and how this all actually works in practice.
Let's say that you're a malevolent Bad Actor and all you want to do is to get hold of some ASN that nobody is watching too closely, and then use that to announce some routes to some IPv4 space that nobody is watching too closely, so that you can then parcel out that IP space to your snowshoe spammer pals... at least until somebody gets wise.
OK, so you pull down a copy of, say, the RIPE WHOIS database, and you programmatically walk your way through it, looking for contact email addresses on ASN records where the domain of the contact email address has become unregistered. Say for example the one for AS34991. So then you re-register that contact domain, fresh, and then you start telling all of your friends and enemies that you -are- AS34991.
That part seems simple enough, and indeed, I've seen -this- part of the movie several times before. However once you have stepped into the identity of the former owners of the ASN, if you then want to actually proceed to -announce- some routes, and actually have those routes make it out onto the Internet generally, then you still have to -peer- with somebody, right?
So, I guess then, if you're clever, you look and see who the ASN you've just successfully hijacked has historically peered with, and then you somehow arrange to send route announcements to those guys, right? (I'm talking about AS206776 and AS57344 here, BTW.)
But see, this is where I get lost. I mean how do you push your route announcements to these guys? (I don't actually know that much about how BGP actually works in practice, so please bear with me.) How do you know what IP address to send your announcements to? And if you are going to push your route announcements out to, say, the specific routers that are run by AS206776 and AS57344, i.e. the ones that will send your desired route announcements out to the rest of the Internet... well... how do you find out the IP addresses of those routers on those other networks? Do you call up the NOCs at those other networks and do a bit of social engineering on them to find out the IP addresses you need to send to? And can you just send BGP messages to the routers on those other networks without -any- authentication or anything and have those routers just blindly accept them -and- relay them on to the whole rest of the Internet??
I've read article after article after article bemoaning the fact that "BGP isn't secure", but now I'm starting to wonder just how massively and unbelievably insecure it actually is. I mean would these routers being run by AS206776 and AS57344 just blindly accept -any- route announcements sent to them from literally -any- IP address? (That seems positively Looney Tunes to me! I mean things can't really be THAT colossally and unbelievably stupid, can they?)
Thanks in advance for any enlightenment.
Regards, rfg
P.S. It would appear to be the case that since some time in April of this year the "Bulgarian" network, AS34991, had evinced a rather sudden and pronounced affinity for various portions of the IPv4 address space nominally associated with the nation of Colombia, including at least five /24 blocks within 168.176.0.0/16 which, from where I am sitting, would appear to belong to the National University of Colombia.
Oh well. They apparently haven't been missing those five gaping holes in their /16 since the time the more specifics started showing up in April.
And anyway, so far it looks like the new owners of AS34991 haven't actually sub-leased any of those /24s to any spammers yet. Only the 190.90.88.0/24 block seems to be filled, wall-to-wall, with snowshoe spammers so far.
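As an added example (not part of this thread or anyone's posted code), here is the check Ron's P.S. did by eye, written as a script a network operator could run over a looking-glass or route-collector export: it flags more-specific prefixes whose origin AS differs from the expected holder of the covering allocation. The route lines and the expected-origin table are constructed; AS64496 and AS64497 are documentation ASNs standing in for the real allocation holders, which the thread does not name.

```python
"""Flag more-specific prefixes originated by an AS other than the expected holder
of the covering allocation. Added example; all input data below is constructed."""
import ipaddress
import re
from typing import Dict, List, NamedTuple

# Constructed: covering allocation -> expected origin ASN. AS64496/AS64497 are
# documentation ASNs (RFC 5398) standing in for the real holders.
EXPECTED_ORIGIN: Dict[str, int] = {
    "168.176.0.0/16": 64496,  # the /16 discussed in the thread
    "190.90.88.0/22": 64497,  # constructed covering block for 190.90.88.0/24
}

# Constructed looking-glass style lines: "<prefix> <AS path>"; origin is the last ASN
SAMPLE_ROUTES = """\
168.176.0.0/16   64496
168.176.10.0/24  206776 34991
168.176.11.0/24  206776 34991
190.90.88.0/24   57344 34991
10.0.0.0/8       64499
"""

class Finding(NamedTuple):
    prefix: str
    origin: int
    covering: str
    expected: int

def parse_routes(text: str) -> List[tuple]:
    """Return (prefix, origin ASN) pairs; lines that do not parse are skipped."""
    routes = []
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+((?:\d+\s*)+)$", line.strip())
        if not m:
            continue
        path = [int(asn) for asn in m.group(2).split()]
        routes.append((ipaddress.ip_network(m.group(1)), path[-1]))
    return routes

def find_suspect_more_specifics(text: str, expected: Dict[str, int] = EXPECTED_ORIGIN) -> List[Finding]:
    """A more-specific of a known allocation from an unexpected origin is suspect."""
    allocs = {ipaddress.ip_network(k): v for k, v in expected.items()}
    findings = []
    for pfx, origin in parse_routes(text):
        for alloc, exp_asn in allocs.items():
            if (pfx.version == alloc.version and pfx.prefixlen > alloc.prefixlen
                    and pfx.subnet_of(alloc) and origin != exp_asn):
                findings.append(Finding(str(pfx), origin, str(alloc), exp_asn))
    return findings
```

In practice the expected-origin table would come from RPKI ROAs or IRR route objects rather than a hand-written dictionary, and the input from a route collector feed rather than a pasted looking-glass page.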