Blackhat USA 2015: BGP Stream Presentation
TRANSCRIPT
Slide 1
BGP Stream
Dan Hubbard & Andree Toonk, Blackhat 2015
Slide 2
Things we may or may not present…
• BGP Overview
• BGP Attack Examples
• Announcing BGPStream
• BGPStream dataviz client example
• Other cool stuff
Slide 3 (image only)
Slide 4
Internet 101 & BGP
• Network of networks: it's a graph!
• Each organization on the Internet is called an Autonomous System.
• Each node represents an Autonomous System (AS).
• An AS is identified by a number.
  • OpenDNS is 36692, Google is 15169.
• Each AS has one or more prefixes.
  • 36692 has 56 (IPv4 and IPv6) network prefixes.
• BGP is the glue that makes this work! The result is a topology map of the Internet.
Slide 5
Example BGP troubleshooting: How do I route to Facebook?

```
[email protected]> show route protocol bgp www.facebook.com

inet.0: 528878 destinations, 1095067 routes (528873 active, 3 holddown, 12 hidden)
+ = Active Route, - = Last Active, * = Both

179.60.193.0/24    *[BGP/170] 2w6d 21:16:18, MED 0, localpref 100
                      AS path: 32934 I
                    > to 202.167.228.39 via ge-1/1/9.0
                    [BGP/170] 1w6d 02:04:04, localpref 100
                      AS path: 4637 1221 32934 I
                    > to 210.176.38.1 via xe-0/0/0.0
                    [BGP/170] 4d 21:09:54, MED 0, localpref 100
                      AS path: 2914 38561 1221 32934 I
                    > to 202.68.65.149 via xe-2/0/0.0
```
Slide 6
Recent High Profile BGP Incident Examples
• BGP hijack used for spamming
• BGP hijack used for financial gain (bitcoin hijack)
• BGP hijack by Hacking Team
• Large scale multi-day outages in Syria and Egypt
• BGP hijack by Turkey to censor popular DNS resolvers
• Many more accidental BGP hijacks
Slide 7 (image only)
Slide 8 (image only)
Slide 9
High Level Architecture
BGP Stream analyzer: BGP data → Classifier → Notification
Support for: IPv4 & IPv6; 16- and 32-bit AS numbers
Expected state:
• Prefix / Origin AS
• AS relations
• Historical info
• GEO info
• Whois info
• Etc.
Observed: BGP data from hundreds of BGP peers globally
Slide 10
BGP Stream Classifier
BGP data:
• Expected Origin AS vs. Detected Origin AS
• Existing business relationship?
  • Does the Detected AS announce other Expected AS prefixes in BGP?
  • Is there an existing peering relationship?
  • Did the Detected AS recently announce Expected AS prefixes?
  • Exclude well-known relations and ASNs (i.e. DoD ASNs, special anycast prefixes).
• Whois information
  • Valid RPSL route object in RIR / IRR databases?
  • Allocation data
  • Name collision in name, description, emails
• Geo info
  • Do Expected and Detected operate in the same country?
  • For US, same state?
• Detected by number of BGPmon peers
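The following is an added example (not code from the BGPStream project) that turns the classifier heuristics on this slide into a small, runnable checker: it takes an announcement's origin AS (parsed from a Junos-style AS path like the one on slide 5), compares it with the expected origin, and uses peering, recent-origination history, an allowlist, country information and the number of observing peers to produce a verdict with reasons. All ASNs, prefixes and relationship tables are constructed sample data from the private/documentation ranges; the field names and scoring rules are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed "expected state" (hypothetical private-range ASNs, not slide data):
# prefix -> expected origin AS, peering relations, allowlisted ASNs,
# country per AS, and prefixes each AS has originated recently.
EXPECTED_ORIGIN = {"203.0.113.0/24": 64500, "198.51.100.0/24": 64501}
PEERINGS = {frozenset({64500, 64510})}
ALLOWLIST = {64499}                      # e.g. well-known anycast / special ASNs
COUNTRY = {64500: "US", 64501: "US", 64510: "US", 64666: "XX", 64499: "US"}
RECENT_ORIGINS = {64510: {"203.0.113.0/24"}}

@dataclass
class Announcement:
    prefix: str
    as_path: list          # ASNs from the collector peer towards the origin
    peers_seen: int        # number of BGPmon peers that observed this route

def parse_as_path(text: str) -> list:
    """Turn a Junos-style 'AS path: 2914 38561 1221 32934 I' line into ints."""
    return [int(tok) for tok in text.replace("AS path:", "").split() if tok.isdigit()]

def classify(ann: Announcement) -> dict:
    expected = EXPECTED_ORIGIN.get(ann.prefix)
    detected = ann.as_path[-1]           # origin AS is the last ASN in the path
    r = {"prefix": ann.prefix, "expected": expected, "detected": detected,
         "verdict": "expected", "reasons": []}
    if expected is None or detected == expected:
        return r                         # nothing to flag
    if detected in ALLOWLIST:
        r["verdict"] = "ignored"
        r["reasons"].append("detected AS is allowlisted")
        return r
    related = frozenset({expected, detected}) in PEERINGS
    recent = ann.prefix in RECENT_ORIGINS.get(detected, set())
    same_country = COUNTRY.get(expected) == COUNTRY.get(detected)
    if related:
        r["reasons"].append("existing peering relationship")
    if recent:
        r["reasons"].append("detected AS announced this prefix recently")
    if not same_country:
        r["reasons"].append("expected and detected AS are in different countries")
    r["verdict"] = "possible legitimate origin change" if (related or recent) else "possible hijack"
    # A route seen by many collector peers is propagating widely: higher confidence.
    r["confidence"] = "high" if ann.peers_seen >= 10 else "low"
    return r

if __name__ == "__main__":
    path = parse_as_path("AS path: 64520 64666 I")   # constructed sample path
    print(classify(Announcement("198.51.100.0/24", path, peers_seen=15)))
```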
Slide 11
BGPStream Data Visualization Client
Slide 12 (image only)
Slide 13
$blackhat there is more..
RUN BGP DNS
Slide 14
Our Perspective: Diverse Set of Data & Global Internet Visibility
• Requests per day: 80B
• Countries: 160+
• Daily active users: 65M
• Enterprise customers: 10K
Slide 15 (image only)
Slide 16
Malaysia Airlines DNS Hijack January 25, 2015
Slide 17
MALICIOUS ASN/IP IDENTIFIED: owned by Lizard Squad, who hacked the PS3 and Xbox networks in December 2014
Slide 18 (image only)
Slide 19
POPVOTE.HK: 750 million DNS requests in 1 hour
Slide 20 (image only)
Slide 21 (image only)
Slide 22 (image only)
The Future…
• More tuning and training
• Integrate DNSStream into the BGPStream portal
• Build a community of BGP and DNS watchers
Slide 23
@bgpstream @dnsstream