Detecting Hijacks and Leaks
Transcript of Detecting Hijacks and Leaks
BGP Series Part 3: Detecting Hijacks and Leaks
Young Xu, Product Marketing Analyst
BGP Webinar Series
• How BGP Works (May 5th 2016): Intro to Autonomous Systems, the BGP protocol and how routes are advertised and learned
• Monitoring Route Changes (May 24th 2016): Explore data from routing change events and learn how to detect BGP changes with alerts
• Detecting Hijacks & Leaks (June 16th 2016): How to visualize, diagnose and set alerts to detect BGP hijacks and leaks
• Optimizing AS Paths (July 28th 2016): Tips and tricks for using routing data to improve how traffic flows into or out of your network
About ThousandEyes
ThousandEyes delivers visibility into every network your organization relies on.
• Founded by network experts; strong investor backing
• Relied on for critical operations by leading enterprises: 27 Fortune 500 companies, 5 of the top 5 SaaS companies, 4 of the top 6 US banks
• Recognized as "an innovative new approach"
BGP: Built on Trust
• BGP wasn’t designed with security built into it
  – Advertisements are generally trusted among ISPs
• The Internet is vulnerable to propagating incorrect routes
  – Route leak: Propagation of illegitimate route advertisements, usually by mistake, leading to incorrect or suboptimal routing
  – Route hijack: Malicious equivalent to a route leak
• More prone to propagation when the leaked path is preferred
  – A more specific prefix is advertised
  – Advertised path is shorter than the current path
Route Propagation
Diagram: AS 16509 Amazon (border router), AS 6939 Hurricane Electric, AS 30844 Econet, AS 200759 Innofield and AS 65021 (private), with the traffic path marked.
• Amazon advertises routes among BGP peers to upstream ISPs
• Amazon advertises prefix 54.239.16.0/20
• Econet receives route advertisements to Amazon via Hurricane Electric
AWS Route Leak, April 2016
Diagram: AS 16509 Amazon, AS 6939 Hurricane Electric, AS 30844 Econet, AS 200759 Innofield and AS 65021 (private), with the diverted traffic path marked.
• Innofield leaks routes for more specific /21 prefixes, directing traffic to private AS 65021
• Hurricane Electric accepts the routes and now directs Amazon-destined traffic to Innofield
Why Leaks and Hijacks Happen
• Leaks result from human error or misconfigurations
  – Improper route filtering, mismanaged routing policies
    • Misuse of NO-EXPORT community
    • Misconfigured route optimizers
• Route hijacks are intentional and malicious
  – Deny service (e.g. targeted attack, censorship)
  – Inspect traffic (see man-in-the-middle attacks)
    • Traffic interception and impersonation
    • Corporate or state espionage
    • Steal cryptocurrency
  – IP squatting and spamming
Alerting for Leaks and Hijacks
Alert Rule: Parameter
• Origin ASN not in: Your own or hosting provider’s ASN
• Next Hop ASN not in: Upstream ISPs’ ASNs
• Covered Prefix: Exists
• Covered Prefix not in: Your expected sub-prefixes
Mitigating Route Leaks Affecting Your Prefixes
• Monitor BGP to quickly detect routing events
• Contact upstream ISPs to reject the illegitimate routes
• Announce routes preferable to the leaked route
  – More specific prefix (when the leaked prefix is bigger than /24)
  – Shorter AS path (remove any path prepending)
• Last resort: Change destination prefixes using DNS
  – Feasible if you can shift traffic to other data centers or a CDN
  – Can take time depending on the TTL of DNS records
• RPKI: Publish Route Origin Authorizations (ROAs) in the RIR
Preventing Propagation of Bad Routes
• Route filtering (based on prefix, AS path, community)
  – Bogon filtering
  – Enforce commercial relationships
    • Block advertisements for peer paths from customers
    • “Peerlocking”: Don’t allow intermediate networks between peers
  – BGP Maximum-Prefix: Max number of prefixes from a peer
• Security standards: RPKI, RPSL, BGPSEC
  – Prevent hijacks by blocking illegitimate advertisements
• TCP MD5: Uses a secret key to compute a hash over the TCP header
• GTSM: Peer sets TTL to the max of 255 (an attacker more than 1 hop away can’t impersonate the peer)
Demo
1. Covered Prefix to Spotify Leaked by Enzu
• New, more specific /23 route leaked
• Leaked by Enzu (AS18978); prefix belongs to Spotify (AS43650)
• Propagated at LAIX (AS40633)
• Seen by 4 monitors
• Visible for almost 3 hours
Impacted Traffic on the Network Layer
• Traces terminating at the edge of the Vocus network with LAIX
2. AxcelX Leak: Normal Routes
• Amazon.com reached through the expected ISPs: NTT, Level 3, Hurricane Electric, ReTN.net
Amazon Routes Leaked by AxcelX
• New routes through Hibernia (AS 5580) and AxcelX (AS 33083)
• New Amazon AS
• No longer routed through expected ISPs
Caused Performance Impacts
• 100% loss in AxcelX
• 99% loss in Hibernia
3. Indosat Hijack of Akamai: Normal Routes
• Akamai prefix originated by the Akamai AS, with Comcast as upstream
Multiple Origins: Indosat Advertised Routes
• Akamai prefix seen with two origins: the correct AS and the hijacking AS
• Locations with completely hijacked routes
PCCW Had No Routes to PayPal
• Only connected to Indosat
Caused All Traffic to Drop
• Traffic transiting PCCW had no routes
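The four alert rules from the "Alerting for Leaks and Hijacks" slide, applied to constructed route observations shaped like the three demo cases (an Enzu-style more-specific leak, an Indosat-style second origin, an AxcelX-style unexpected upstream), as an added example that is not ThousandEyes code; the ASNs, prefixes and the convention that the "next hop" AS is the one adjacent to the origin in the AS path are assumptions.

```python
# Added example, not ThousandEyes code: the four alert rules from the "Alerting for
# Leaks and Hijacks" slide applied to constructed route observations. Assumes the
# origin AS is last in the AS path and the "next hop" AS is the one just before it.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    monitor: str
    prefix: str
    as_path: tuple  # leftmost = monitor's AS, rightmost = origin AS

# Expected topology for the monitored block (all ASNs/prefixes are constructed samples).
MONITORED = ipaddress.ip_network("203.0.112.0/22")
EXPECTED_ORIGINS = {64500}                 # our own ASN
EXPECTED_UPSTREAMS = {64501, 64502}        # our transit providers
EXPECTED_SUBPREFIXES = {ipaddress.ip_network("203.0.113.0/24")}  # announced on purpose

def is_covered_prefix(net):
    """True when net is a strictly more specific prefix inside MONITORED."""
    return (net.version == MONITORED.version and net != MONITORED
            and net.subnet_of(MONITORED))

def evaluate(route):
    """Names of the alert rules this route triggers (empty list = looks normal)."""
    alerts = []
    net = ipaddress.ip_network(route.prefix)
    origin = route.as_path[-1]
    next_hop = route.as_path[-2] if len(route.as_path) > 1 else None
    if origin not in EXPECTED_ORIGINS:
        alerts.append("origin-asn")        # another AS claims our address space
    if next_hop is not None and next_hop not in EXPECTED_UPSTREAMS:
        alerts.append("next-hop-asn")      # reached via an ISP that is not our transit
    if is_covered_prefix(net):
        alerts.append("covered-prefix")    # a more specific of our block is visible
        if net not in EXPECTED_SUBPREFIXES:
            alerts.append("unexpected-covered-prefix")
    return alerts

# Constructed observations mirroring the webinar's demo cases.
SAMPLE_ROUTES = [
    Route("mon-a", "203.0.112.0/22", (64510, 64501, 64500)),  # normal
    Route("mon-a", "203.0.113.0/24", (64510, 64502, 64500)),  # our own sub-prefix
    Route("mon-b", "203.0.114.0/23", (64510, 64520, 64530)),  # Enzu-style /23 leak
    Route("mon-c", "203.0.112.0/22", (64510, 64540, 64550)),  # Indosat-style second origin
    Route("mon-d", "203.0.112.0/22", (64510, 64520, 64500)),  # AxcelX-style unexpected upstream
]

def scan(routes=SAMPLE_ROUTES):
    # Map each (monitor, prefix) observation to the alert rules it triggers.
    return {(r.monitor, r.prefix): evaluate(r) for r in routes}
```

A real deployment would feed this the AS paths collected by BGP monitors (route collectors or a service such as the one shown in the demo) rather than a static list.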
See what you’re missing.
Watch the webinar: https://www.thousandeyes.com/resources/detecting-hijacks-and-leaks-webinar