[renesys] The New Threat: Targeted Internet Traffic Misdirection
Interesting study of what seems to be real BGP shunts: http://www.renesys.com/2013/11/mitm-internet-hijacking/
someone has already parsed out all route announcements from ris/routeviews for the 2 specific incidents in question in the article? and posted the contents somewhere for review? I didn't see Renesys do that :( So, they've got some unsupported conclusions that are tough to get behind absent that data. On Tue, Nov 19, 2013 at 6:35 PM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
Interesting study of what seems to be real BGP shunts:
On Wed, Nov 20, 2013 at 01:54:00PM -0500, Christopher Morrow <morrowc.lists@gmail.com> wrote a message of 11 lines which said:
someone has already parsed out all route announcements from ris/routeviews for the 2 specific incidents in question in the article? and posted the contents somewhere for review? I didn't see Renesys do that :(
Indeed. But the data is public. Let's use RouteViews. Renesys gave us the exact time (0736 UTC) and the origin AS. From the time, let's find the relevant RouteViews file, whose URL is made of date and time: ftp://archive.routeviews.org/route-views.linx/bgpdata/2013.07/UPDATES/updates.20130731.0730.bz2 Download, bunzip2, bgpdump to translate the MRT to text, then Control-S in emacs to find announcements by AS 48685. And here it is:
TIME: 07/31/13 07:36:46
TYPE: BGP4MP/MESSAGE/Update
FROM: 195.66.236.35 AS6067
TO: 195.66.237.222 AS6447
ORIGIN: IGP
ASPATH: 6067 6677 48685
NEXT_HOP: 195.66.236.35
ANNOUNCE
These addresses have no relationship with Iceland so we can say it's a hijacking. But do note there is no AS prepending in the announcement (the trick described by Kapela & Pilosov to create a clean return path). Finding the other announcements in RouteViews is left as an exercise (hint: use a RouteViews collector close to the announcement, here in England, because the hijacking announcement did not propagate everywhere).
first, awesome, thanks... On Tue, Nov 26, 2013 at 4:09 PM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote: <snip>
68.164.80.0/20 68.164.96.0/21 68.164.126.0/23 68.164.160.0/21 68.164.192.0/21 68.164.208.0/23
These addresses have no relationship with Iceland so we can say it's a hijacking. But do note there is no AS prepending in the announcement (the trick described by Kapela & Pilosov to create a clean return path).
yea.. so this smells, to me, like a leak from a 'route optimization' box (netvmg or whatever they eventually became). These are all pretty small prefixes and there are covering routes for these as well: (for one: 68.164.24.0/21 - from the RV data)
18566 | 68.164.0.0/14 | MEGAPATH5-US - MegaPath Corporation
18566 | 68.164.24.0/21 | MEGAPATH5-US - MegaPath Corporation
so... err... potentially:
1) route-optimization-box sends routes into iBGP with local origin-as
2) routes aren't properly managed (community/etc) from local ISP -> transits/peers
3) peers/transits didn't filter (some of them did apparently)
4) routes make it into the larger DFZ (or parts of the dfz at least, clearly)
Traffic comes to 68.164.24.1 along a 'false path' in the dfz, into the Icelandic ISP and follows the iBGP learned path exiting (fortunately) out the ISP that filtered... I'm sure you could construct lots of other pathological cases, but this seems plausible enough to me...
Finding the other announcements in RouteViews is left as an exercise (hint: use a RouteViews collector close to the announcement, here in England, because the hijacking announcement did not propagate everywhere).
On Tue, Nov 26, 2013 at 4:31 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
first, awesome, thanks...
On Tue, Nov 26, 2013 at 4:09 PM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote: <snip>
68.164.80.0/20 68.164.96.0/21 68.164.126.0/23 68.164.160.0/21 68.164.192.0/21 68.164.208.0/23
These addresses have no relationship with Iceland so we can say it's a hijacking. But do note there is no AS prepending in the announcement (the trick described by Kapela & Pilosov to create a clean return path).
yea.. so this smells, to me, like a leak from a 'route optimization' box (netvmg or whatever they eventually became). These are all pretty
So, I was thinking over dinner that there's a simpler explanation (that fails if this was a more full-table-ish leak) that the Icelandic provider could have done something like putting external-bgp data into their IGP then pulling back out to bgp ... which is a lot more like AS7007-like problems than netvmg-like problems. I would expect that OSPF/IS-IS would barf with ~400k paths though, so I'm still betting on netvmg-ish issues.
small prefixes and there are covering routes for these as well: (for one: 68.164.24.0/21 - from the RV data)
18566 | 68.164.0.0/14 | MEGAPATH5-US - MegaPath Corporation
18566 | 68.164.24.0/21 | MEGAPATH5-US - MegaPath Corporation
so... err... potentially:
1) route-optimization-box sends routes into iBGP with local origin-as
2) routes aren't properly managed (community/etc) from local ISP -> transits/peers
3) peers/transits didn't filter (some of them did apparently)
4) routes make it into the larger DFZ (or parts of the dfz at least, clearly)
Traffic comes to 68.164.24.1 along a 'false path' in the dfz, into the Icelandic ISP and follows the iBGP learned path exiting (fortunately) out the ISP that filtered...
I'm sure you could construct lots of other pathological cases, but this seems plausible enough to me...
Finding the other announcements in RouteViews is left as an exercise (hint: use a RouteViews collector close to the announcement, here in England, because the hijacking announcement did not propagate everywhere).
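Added example (not from the thread, and not Renesys or RouteViews tooling): a small Python parser for bgpdump's default text output that does by script what Stephane did with Control-S and what Morrow then checked by hand: it pulls out updates originated by a given AS, flags AS-path prepending, and reports announced prefixes that fall inside a covering route which the public data attributes to a different origin. The sample record and the covering-route table are constructed from values quoted in the thread.

```python
import ipaddress

# Constructed sample in bgpdump's default text layout (header values as quoted in the thread).
SAMPLE = """\
TIME: 07/31/13 07:36:46
FROM: 195.66.236.35 AS6067
TO: 195.66.237.222 AS6447
ASPATH: 6067 6677 48685
ANNOUNCE
  68.164.24.0/21
  64.81.192.0/19

"""
# Constructed covering-route table (prefix -> origin AS), the lookup Morrow did against RV data.
COVERING = {"68.164.0.0/14": 18566}

def parse_updates(text):
    """Yield one dict per bgpdump record: time, AS path, announced prefixes."""
    rec = section = None
    for line in text.splitlines():
        if line.startswith("TIME:"):
            rec, section = {"time": line[6:], "as_path": [], "announce": []}, None
        elif rec is None:
            continue
        elif line.startswith("ASPATH:"):  # AS_SET braces dropped so every element parses as int
            rec["as_path"] = [int(a) for a in line[8:].replace("{", " ").replace("}", " ").split()]
        elif line in ("ANNOUNCE", "WITHDRAW"):
            section = line
        elif line.startswith("  ") and section == "ANNOUNCE":
            rec["announce"].append(line.strip())
        elif not line.strip():  # a blank line ends the record
            yield rec
            rec = None
    if rec is not None:  # file without a trailing blank line
        yield rec

def has_prepending(as_path):
    return any(a == b for a, b in zip(as_path, as_path[1:]))  # consecutive repeat of an AS

def origin_mismatches(rec, covering):
    """Announced prefixes that sit inside a covering route originated by a different AS."""
    origin = rec["as_path"][-1]
    return [(p, cov, cov_as) for p in rec["announce"] for cov, cov_as in covering.items()
            if ipaddress.ip_network(p).subnet_of(ipaddress.ip_network(cov)) and cov_as != origin]

def suspect_records(text, origin_as, covering=COVERING):
    """Records originated by origin_as: (time, prepended?, covering-route mismatches)."""
    return [(r["time"], has_prepending(r["as_path"]), origin_mismatches(r, covering))
            for r in parse_updates(text) if r["as_path"] and r["as_path"][-1] == origin_as]
```

Feed it `bgpdump updates.20130731.0730.bz2` output instead of SAMPLE and a covering table built from a RIB snapshot to repeat the check across a whole collector file.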