Detecting Hijacks and Leaks

Post on 21-Feb-2017


Transcript of Detecting Hijacks and Leaks

BGP Series Part 3: Detecting Hijacks and Leaks

Young Xu, Product Marketing Analyst

BGP Webinar Series

•  May 5th 2016 •  How BGP Works: Intro to Autonomous Systems, the BGP protocol and how routes are advertised and learned

•  May 24th 2016 •  Monitoring Route Changes: Explore data from routing change events and learn how to detect BGP changes with alerts

•  June 16th 2016 •  Detecting Hijacks & Leaks: How to visualize, diagnose and set alerts to detect BGP hijacks and leaks

•  July 28th 2016 •  Optimizing AS Paths: Tips and tricks for using routing data to improve how traffic flows into or out of your network

About ThousandEyes

ThousandEyes delivers visibility into every network your organization relies on.

Founded by network experts; strong investor backing

Relied on for critical operations by leading enterprises: 27 Fortune 500 companies, 5 of the top 5 SaaS companies, 4 of the top 6 US banks

Recognized as "an innovative new approach"

BGP: Built on Trust

•  BGP wasn’t designed with security built into it
   –  Advertisements are generally trusted among ISPs

•  The Internet is vulnerable to propagating incorrect routes
   –  Route leak: Propagation of illegitimate route advertisements, usually by mistake, leading to incorrect or suboptimal routing
   –  Route hijack: Malicious equivalent of a route leak

•  More prone to propagation when the leaked path is preferred
   –  A more specific prefix is advertised
   –  The advertised path is shorter than the current path

Route Propagation

(Diagram: AS 16509 Amazon, AS 6939 Hurricane Electric, AS 30844 Econet, AS 200759 Innofield, AS 65021 Private; Border Router; Traffic Path)

•  Amazon advertises routes among BGP peers to upstream ISPs
•  Amazon advertises prefix 54.239.16.0/20
•  Econet receives route advertisements to Amazon via Hurricane Electric

AWS Route Leak, April 2016

(Diagram: AS 16509 Amazon, AS 6939 Hurricane Electric, AS 30844 Econet, AS 200759 Innofield, AS 65021 Private; Traffic Path)

•  Innofield leaks routes for more specific /21 prefixes, directing traffic to private AS 65021
•  Hurricane Electric accepts the routes and now directs Amazon-destined traffic to Innofield

Why Leaks and Hijacks Happen

•  Leaks result from human error or misconfigurations
   –  Improper route filtering, mismanaged routing policies
      •  Misuse of NO-EXPORT community
      •  Misconfigured route optimizers

•  Route hijacks are intentional and malicious
   –  Deny service (e.g. targeted attack, censorship)
   –  Inspect traffic (see man-in-the-middle attacks)
      •  Traffic interception and impersonation
      •  Corporate or state espionage
      •  Steal cryptocurrency
   –  IP squatting and spamming

Alerting for Leaks and Hijacks

Alert Rule Parameter: what to configure

•  Origin ASN not in: Your own or hosting provider’s ASN
•  Next Hop ASN not in: Upstream ISPs’ ASNs
•  Covered Prefix Exists
•  Covered Prefix not in: Your expected sub-prefixes
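As an added illustration (not part of the webinar or of ThousandEyes' product), the four alert parameters above and the "leaked path is preferred" conditions from the Built on Trust slide, expressed in Python over constructed route observations modelled on the April 2016 AWS leak; the rule names, the expected /21 sub-prefix and the choice of Hurricane Electric as Amazon's upstream are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class RouteObservation:
    """One route as seen by a BGP monitor (constructed sample data)."""
    prefix: str
    as_path: list  # monitor's neighbour first ... origin AS last

@dataclass
class AlertRule:
    """The four alert parameters from the slide (names are hypothetical)."""
    monitored_prefix: str
    allowed_origins: set  # your own or hosting provider's ASN
    upstream_asns: set  # upstream ISPs' ASNs (the AS adjacent to the origin)
    expected_subprefixes: set = field(default_factory=set)

def evaluate(rule, obs):
    """Return the names of the alert conditions this observation triggers."""
    seen = ipaddress.ip_network(obs.prefix)
    monitored = ipaddress.ip_network(rule.monitored_prefix)
    if not seen.subnet_of(monitored):
        return []  # unrelated prefix: the rule does not apply
    hits = []
    if obs.as_path[-1] not in rule.allowed_origins:
        hits.append("ORIGIN_ASN")
    # "Next hop" here means the AS immediately upstream of the origin
    if len(obs.as_path) >= 2 and obs.as_path[-2] not in rule.upstream_asns:
        hits.append("NEXT_HOP_ASN")
    if seen != monitored:  # a more specific (covered) prefix is visible
        hits.append("COVERED_PREFIX_EXISTS")
        expected = {ipaddress.ip_network(p) for p in rule.expected_subprefixes}
        if seen not in expected:
            hits.append("COVERED_PREFIX_UNEXPECTED")
    return hits

def would_be_preferred(candidate, current):
    """Why a leak spreads: a more specific prefix wins longest-prefix forwarding;
    for the same prefix a shorter AS path wins (LOCAL_PREF etc. ignored here)."""
    c = ipaddress.ip_network(candidate.prefix).prefixlen
    k = ipaddress.ip_network(current.prefix).prefixlen
    if c != k:
        return c > k
    return len(candidate.as_path) < len(current.as_path)

# Constructed observations; treating AS 6939 as Amazon's upstream is an assumption.
AMAZON_RULE = AlertRule("54.239.16.0/20", {16509}, {6939}, {"54.239.24.0/21"})
NORMAL = RouteObservation("54.239.16.0/20", [30844, 6939, 16509])
LEAKED = RouteObservation("54.239.16.0/21", [30844, 6939, 200759, 65021])
OWN_SPECIFIC = RouteObservation("54.239.24.0/21", [30844, 6939, 16509])
```

The leaked /21 trips all four conditions, while a /21 you announce yourself only reports that a covered prefix exists.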

Mitigating Route Leaks Affecting Your Prefixes

•  Monitor BGP to quickly detect routing events
•  Contact upstream ISPs to reject the illegitimate routes
•  Announce routes preferable to the leaked route
   –  More specific prefix (when the leaked prefix is larger, i.e. less specific, than /24)
   –  Shorter AS path (remove any path prepending)
•  Last resort: Change destination prefixes using DNS
   –  Feasible if you can shift traffic to other data centers or a CDN
   –  Can take time depending on the TTL of DNS records
•  RPKI: Publish Route Origin Authorizations (ROAs) in your RIR

Preventing Propagation of Bad Routes

•  Route filtering (based on prefix, AS path, community)
   –  Bogon filtering
   –  Enforce commercial relationships
      •  Block advertisements for peer paths from customers
      •  “Peerlocking”: Don’t allow intermediate networks between peers
   –  BGP Maximum-Prefix: Maximum number of prefixes accepted from a peer
•  Security standards: RPKI, RPSL, BGPSEC
•  Prevent hijacks by blocking illegitimate advertisements
   –  TCP MD5: Uses a secret key to compute a hash over the TCP header
   –  GTSM: Peer sets TTL to the maximum of 255 (an attacker more than 1 hop away can’t impersonate the peer)

Demo


1. Covered Prefix to Spotify Leaked by Enzu

•  New, more specific /23 route leaked
•  Leaked by Enzu (AS18978); Spotify is AS43650
•  Propagated at LAIX (AS40633)
•  Seen by 4 monitors
•  Visible for almost 3 hours

Impacted Traffic on the Network Layer

Traces terminating at the edge of the Vocus network with LAIX

2. AxcelX Leak: Normal Routes

(Path visualization: Amazon.com reached via NTT, Level 3, Hurricane Electric, ReTN.net)

Amazon Routes Leaked by AxcelX

•  New routes through Hibernia (AS 5580), AxcelX (AS 33083)
•  New Amazon AS
•  No longer routed through expected ISPs

Caused Performance Impacts

•  100% loss in AxcelX
•  99% loss in Hibernia

3. Indosat Hijack of Akamai: Normal Routes

(Callouts: Akamai prefix, Akamai AS, Comcast upstream)

Multiple Origins: Indosat Advertised Routes

(Callouts: Akamai prefix, Correct AS, Hijacking AS, Locations with completely hijacked routes)

PCCW Had No Routes to PayPal

Only connected to Indosat

Caused All Traffic to Drop

Traffic transiting PCCW had no routes

See what you’re missing.

Watch the webinar:

https://www.thousandeyes.com/resources/detecting-hijacks-and-leaks-webinar