01-07-2005 12:28 PM - edited 03-02-2019 08:57 PM
Sorry if this seems a bit of a script kiddie title and the question is direct for a first post, but I have a few questions that I'd like a little help starting to understand with my limited knowledge of BGP and interdomain global routing. Thanks in advance for any positive responses and linkage ;)
What I am interested in is the propagation of a bogon route and the IP block being reachable from anywhere in the world (so not just poisoning an upstream or local routing table). Is the following reasonable:
1/ You would need to locate an AS's BGP peer group
2/ You could only propagate a route to an IP block that that AS was authoritative for.
3/ Were you to propagate the route, it would be relatively trivial once discovered to trace the endpoint.
Because of this, is it a more reasonable method of hijacking an IP block to use the following method?
1/ Find an IP block that has been subnetted and part of which is not in use.
2/ Register that block as being in your AS, then propagate the routes (rogue ISP activity), such as done here: http://www.completewhois.com/hijacked/hijackers.htm
What I am interested in understanding the theory of is how an individual could locate their ISP's BGP routers and what requirements there would be for inserting a fake route (I believe it can only be for an IP block in the ISP's AS and that BGP peers ignore updates with a TTL greater than 1).
As BGP uses both TCP and UDP on 179, it would be possible to craft a faked routing update to propagate the route using UDP, impersonating another router in the BGP peering arrangement.
Would an alternative and perhaps preferable method of doing this be attempting to reset the BGP peering session?
I presume I've missed quite a few points that should be considered; I'd also appreciate any thoughts others might have on areas I have missed.
01-07-2005 08:02 PM
Your questions are pretty confusing. Forgive me if my reply is not what you are looking for.
First, bogon route propagation and IP block reachability are synonymous (assuming you aren't talking about the differences between a bogon route being propagated by BGP vs. the IP block itself from being configured on a router and having hosts configured to assume various addresses from said IP block).
Now to answer your questions specifically, starting from top to bottom:
1/ I don't understand what you are asking. BGP peer-groups are configured on routers and they are designed to, among other things, simplify large BGP configurations. Locating an AS's BGP peer group is.. well.. wrong.
2/ Again, your concept is wrong. A route and an IP block are synonymous in certain contexts, including this one. Let's assume for a second that the question you wanted to ask was this: "You can only announce a route to another eBGP speaker if your company or organization is allowed to announce that route". The answer is yes, but unfortunately best common practices for BGP network design elude most network operators, so these policies are not enforced most of the time. Under normal circumstances you wouldn't be able to announce a route you don't own.
3/ Yes. BGP is not a simple thing to configure, so it's very difficult to hide things from it. Traceroute is your friend.
Your second set of questions...
1/ It's not so much finding a CIDR block as it is finding a CIDR block that isn't being announced.
2/ You can't just register a CIDR block. CIDR blocks are assigned to you from a variety of numbering authorities. ARIN, RIPE, APNIC, etc. If your upstream has a clue, they will cross reference your credentials with those in the ARIN, RIPE, APNIC, etc. databases to verify you are who you say you are. RIPE has a great system which makes it hard to hijack blocks. ARIN on the other hand.. well.. we won't go into that. The completewhois stuff is done manually, AFAIK. It's not some automatic thing that goes around sniffing hijacked netblocks.
Your third set of questions I'm not going to answer because I don't think it's appropriate to discuss ways of doing these types of things. That's just evil (and what you want to do won't work anyway, FYI).
01-08-2005 09:29 AM
Thanks for that jlixfeld it does help.
Rather than a true bogon range (one that is unassigned), I meant a CIDR block that was allocated but wasn't being announced.
So you could announce a route to a CIDR block that was someone else's but that they weren't announcing. Is it likely that this would be due to misconfiguration on the part of the block owner or your upstream provider?
Under what circumstances would this be possible?
(I'd be delighted for vague answers or linkage on this).
"You can't just register a CIDR block. CIDR blocks are assigned to you from a variety of numbering authorities. ARIN, RIPE, APNIC, etc. If your upstream has a clue, they will cross reference your credentials with those in the ARIN, RIPE, APNIC, etc. databases to verify you are who you say you are. RIPE has a great system which makes it hard to hijack blocks. ARIN on the other hand.. well.. we won't go into that."
So presumably it is likely the people who hijacked other IP blocks pretended that the legitimate owner sold / passed on the IP blocks to them?
"Your third set of questions I'm not going to answer because I don't think it's appropriate to discuss ways of doing these types of things. That's just evil (and what you want to do won't work anyway, FYI)."
Could you tell me why it wouldn't work?
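The defensive side of what jlixfeld describes in the second post (an upstream checking a customer's announcements against the registry) and the allocated-but-unannounced case asked about in the third post, as an added illustration that is not code from anyone in this thread. The allocation table, AS numbers and prefixes are constructed (documentation ranges and ASNs), standing in for an RIR/IRR lookup.

```python
"""Added example: an upstream's per-customer prefix filter and a simple
origin-mismatch detector for hijacked (allocated but unannounced) blocks."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed allocation table: prefix -> AS registered as holder with the RIR.
# 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and AS64496-64499 are reserved
# documentation values, used here in place of a real registry query.
ALLOCATIONS: Dict[str, int] = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "203.0.113.0/24": 64498,
}


def authorized_origin(prefix: str) -> Optional[int]:
    """Return the AS holding the most specific allocation covering prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    best: Optional[Tuple[ipaddress.IPv4Network, int]] = None
    for alloc, asn in ALLOCATIONS.items():
        block = ipaddress.ip_network(alloc)
        if net.version == block.version and net.subnet_of(block):
            if best is None or block.prefixlen > best[0].prefixlen:
                best = (block, asn)
    return best[1] if best else None


def filter_customer_session(customer_as: int, announced: Iterable[str]
                            ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Accept only prefixes (or more-specifics) allocated to customer_as;
    reject bogons and blocks registered to someone else."""
    accepted, rejected = [], []
    for prefix in announced:
        owner = authorized_origin(prefix)
        if owner is None:
            rejected.append((prefix, "no allocation covers this prefix (bogon)"))
        elif owner != customer_as:
            rejected.append((prefix, f"allocated to AS{owner}, not AS{customer_as}"))
        else:
            accepted.append(prefix)
    return accepted, rejected


def detect_hijacks(observed: Iterable[Tuple[str, int]]) -> List[Tuple[str, int, int]]:
    """From observed (prefix, origin AS) routes, report announcements whose
    origin differs from the registered holder, including more-specifics of an
    allocated block that its holder never announced."""
    return [(p, origin, owner) for p, origin in observed
            if (owner := authorized_origin(p)) is not None and owner != origin]
```

The filter is what a clued-in upstream applies on the customer-facing eBGP session; the detector is what a block holder or third party runs over a collected routing table view to notice their unannounced space being originated elsewhere.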