01-28-2018 12:54 PM - edited 03-05-2019 09:50 AM
Hello BGP experts.
I'm investigating the process of BGP hijacking and I have some doubts.
Since messing with BGP leaves visible footprints on the Internet, it's obviously hard for BGP hijacking to go unnoticed.
I was reading about a famous Bitcoin case of BGP hijacking. Reportedly around 80000 dollars were stolen from bitcoin miners who were tricked to send mining data to the hacker's server instead of the real one.
Apparently, the prefixes where the bitcoin servers were located were announced with shorter prefixes, making the traffic flow there, by the longest prefix match.
In the article on BGPmon, it is mentioned that the attackers used AS range prepending in an attempt to hide the origin AS. It's obvious that it was not really successful since it is known that the attacker's AS belongs to the Canadian ISP.
So, my main question is - is it theoretically possible for the attacker to somehow remove his origin AS from the BGP updates? That is obviously breaking the purpose of BGP, but of course the attackers do not care.
Also, I have searched for a particular prefix belonging to a USA company on Ripe stat. Ripe stat should have around 10 years of historical BGP data. However, I can't find that the prefix was announced in the time when one of the IP addresses was present on the Internet.
Is it possible that Ripe's data is not 100 percent accurate and this prefix was indeed announced by a rogue person at the same time? And was it possible for the attacker to somehow hide that data from the Internet?
Any insights would be really helpful.
01-28-2018 03:21 PM
The origin AS (unless there is specific policy) does not affect the forwarding decision. The AS path length does.
01-28-2018 10:51 PM
Hi Phillip,
Thanks for answering.
But I'm asking something completely different. I've thoroughly explained it in my post. I'm asking about BGP hijacking, not the best path process.
I'm aware of the AS Path process. I'm not asking how BGP determines the best path.
Hijacking BGP is announcing more specific prefixes that belong to somebody else, intentionally or not, making the traffic go your way.
But that means the entire world will see the origin AS and that somebody announced that AS in that particular AS.
So I'm asking if there is a technique to hide or masquerade the origin AS, because it would be much harder for authorities to locate the perpetrator if they don't even know from which AS the attack started.
01-29-2018 12:47 AM
Hi sir, yes it is possible as mostly ISPs don't do dynamic filtering of the prefixes that they receive to check the origin AS against the route object in the registry database. If this check/filter is made mandatory then there will be no such incident on the internet.
Kindest regards
Uzzi
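The check Uzzi describes, comparing a received announcement's origin AS against the route object registered for the prefix, is easy to sketch. The following is an added example (not code from any poster in this thread) using a constructed table of route objects and constructed announcements; the AS numbers and prefixes are documentation/private values, not real routes. It flags the three things discussed above: an origin AS that does not match the route object, a more-specific announcement that only has a covering route object, and trailing prepends of the origin AS in the AS path.

```python
import ipaddress

# Constructed stand-in for registry route objects: prefix -> expected origin AS.
# (Illustrative values only; not taken from any real registry.)
ROUTE_OBJECTS = {
    "198.51.100.0/22": 64500,
    "203.0.113.0/24": 64501,
}

# Constructed announcements as (prefix, AS path); the origin AS is the last element.
ANNOUNCEMENTS = [
    ("198.51.100.0/22", [64510, 64500]),                # matches the route object
    ("198.51.100.0/24", [64510, 64511, 64512]),         # more-specific, wrong origin
    ("203.0.113.0/24", [64510, 64501, 64501, 64501]),   # correct origin, prepended
    ("192.0.2.0/24", [64510, 64513]),                   # no route object at all
]


def covering_objects(prefix):
    """Route objects whose prefix equals or contains `prefix`."""
    net = ipaddress.ip_network(prefix)
    return [(obj, asn) for obj, asn in ROUTE_OBJECTS.items()
            if net.subnet_of(ipaddress.ip_network(obj))]


def trailing_prepends(as_path):
    """Extra copies of the origin AS at the tail of the path (0 if none)."""
    origin = as_path[-1]
    run = 0
    for asn in reversed(as_path):
        if asn != origin:
            break
        run += 1
    return run - 1


def check_announcement(prefix, as_path):
    """Return a list of finding tags for one announcement (empty means clean)."""
    covers = covering_objects(prefix)
    if not covers:
        # Nothing registered for this space; a filter would normally reject it.
        return ["no_route_object"]

    findings = []
    origin = as_path[-1]
    if origin not in {asn for _, asn in covers}:
        findings.append("origin_mismatch")

    # Only covering (shorter) objects exist: this is a more-specific announcement.
    plen = ipaddress.ip_network(prefix).prefixlen
    if all(ipaddress.ip_network(obj).prefixlen < plen for obj, _ in covers):
        findings.append("more_specific")

    # Prepending is normal traffic engineering, so this is informational only;
    # it is reported because the thread discusses it as a way to obscure the origin.
    extra = trailing_prepends(as_path)
    if extra:
        findings.append(f"origin_prepended_x{extra}")
    return findings


def audit(announcements):
    """Map each announced prefix to its findings (one entry per prefix)."""
    return {prefix: check_announcement(prefix, path) for prefix, path in announcements}


if __name__ == "__main__":
    for prefix, findings in audit(ANNOUNCEMENTS).items():
        print(prefix, findings or "ok")
```

A real filter would build ROUTE_OBJECTS from the IRR (or from RPKI ROAs, which also carry a maximum prefix length and so handle the more-specific case directly) and would drop rather than merely tag mismatches; the logic above is the same comparison applied to a few constructed records.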
01-29-2018 01:17 AM
Looks like nobody is reading my questions. I ask one thing and get a response for a different thing :)
I'm not talking about filtering prefixes. We know that huge ISPs don't filter when peering with other large ISPs and we know there is no defense mechanism against BGP hijacking except route filtering and global routing monitoring.
I've asked something completely different actually.
01-29-2018 02:42 AM
Yes it is pretty much possible but still foot print will be visible and can be traced back to the first ISP.
Kindest regards,
Uzzi
01-29-2018 01:33 AM
Hello,
as Uzzi mentioned, you could use an aggregate route for routes received from another AS and send that aggregate to a public eBGP peer, the aggregate would then appear to have originated from your own AS. That said, most if not all ISPs would immediately drop such an aggregate, so it is just a theoretical option. You would need access to an ISP router to achieve that sort of AS spoofing. As criminals/hackers are usually always at least one step ahead, it is always good to be vigilant...
01-29-2018 02:47 AM - edited 01-29-2018 02:48 AM
Correct me if I'm wrong, but wouldn't using aggregate routes actually advertise less specific prefixes (larger routes)?
As I understand with BGP hijacking the goal is to advertise a more specific prefix to make the traffic go that way.
And yes we assume the attacker has access to a PE router with BGP peering (employee, ex-employee etc.)
01-29-2018 04:23 AM
The aggregates would only be there to hide an AS. If you have access to the PE router, you still need to block all the more specific routes, you are right about that.
That said, if a disgruntled ex-employee has access to the router and wants to do damage, he or she can.
In my own, personal opinion, and I have worked for different companies, once I decide to break into a customer's system, I can be sure to never get a job anywhere else. In addition, I will become a fugitive criminal...
01-29-2018 05:16 AM
Thank you George.
Another thing - in RIPE historical data I found one prefix was advertised in 2008. But I have findings that an IP address from that range was used in 2012. But in RIPE historical data there is no info about the prefix in 2012. Are those Ripe stats accurate or is there a possibility they are not correct?