By Andree Toonk | September 29, 2008
For the last 3 weeks I’ve been dedicating my spare time to my “new” project, BGPmon.net. BGPmon monitors BGP updates and if the update is different then a predefined filter it will generate an alarm.
It will help network administrators to monitor their prefixes. This work is inspired by some recent incidents. The first one happened in February, when YouTube.com was hijacked by Pakistan Telecom.
And a few weeks ago it was demonstrated at a security conference, Defcon, how you could use this kind of attack to setup a Men in The Middle Attack.
So how does this work? Well I’m going to assume you’re a techie and have some basic knowledge about Routing with BGP. In February Pakistan Telecom by accident started to announce a more specific route for the youtube prefix.
As a result, all traffic destined for youtube was directed to Pakistan Telecom. There it was Null routed, i.e. dropped and this caused youtube to become unreachable for several hours.
Last month a similar but slightly more elegant version if the above event was presented at Defcon. It was demonstrated that you could start an attack like the youtube hijack without dropping the packets. The result was a man in the middle attack.
The researchers showed that by announcing a more specific, all traffic was routed to their router/server. After analyzing this data for “Interesting” data it was then forwarded to the original destination. This was possible because the had prepended the
ASptah with the orignal Origin AS and upstream AS’s. Causing those AS’s not to accepts this more specific and as a result this path could be used as a path to the actual destination.
So what the researchers had demonstrated was a fairly elegant way to setup a man in the attack by using routing protocols, which affected the “whole” Internet. Although the concept isn’t new, it was shown that it could actually work in a simple demo.
These events made me wonder how often this was actually happening, and if it was happening to the networks I am responsible for. So what I did was take my old BGP weathermap project, modified some code and started to monitor
BGP updates for some of my networks as well as the networks for the top150 websites (according to alexa.com). I recorded everything from more specifics to OriginAS changes, Upstream AS changes as well as known AS path changes.
Although I saw some interesting changes, it was hard for me (not being the network admin for those websites) to judge if those path changes were legit or a possible hijack.
Then a few weeks ago their was an interesting discussion on the NANOG mailing list about prefix hijack systems. It was discussed what a good system should be able to do, which features, etc.
Reading the discussion I realized that most of these features were actually available in my version. Given the interest I decided to rewrite some of the code to make it accessible and usable for others as well.
I also added some extra features such as support for 4byte AS numbers and flexible email filtering
Because I was able to reuse a lot of code from my BGP weathermap project I decided to create a webinterface for my bogon monitoring project as well. This page shows you an overview of all BGP updates containing bogon IP prefixes.
I have always had a great interest in bogons and have done some project regarding this before. One of my main questions has always been, how often does this actually happen and what kind of traffic is this. I hope to be able to answer part of the first question with this new website.
A few weeks ago we (BCNET) hit a JUNOS bug, causing us to leak private AS numbers to the Internet. We were notified of this and tried to solve this ASAP. It was then that I decided that I wanted to discover leaks like this my self instead of having to rely on others. . So I added some more lines of code and private AS number detection was implemented as well! And I am actually shocked by the number of ASn’s that leak private AS’s, I’m currently seeing multiple updates containing private AS number per hour.
The system has already helped me discovering an other private AS leak and this time we were able to change the configuration on very short notice. Clearing the issue. Another feature is notification of BGP withdraw messages. Lot’s of withdraw messages are an indication of prefix instability. This feature will help you with determining the impact of certain incidents.
I decided to integrate my BGP weathermap project in this website as well. You’ll find some statistics regarding prefixes per country and which ASn’s are announcing the most prefixes. I also visualized the growth of the IPv4 and IPv6 table, taking into account AS numbers. As well as 2byte vs. 4byte AS numbers.
The result can be found on BGPmon.net! There’s also a demo account in which you can see how BGPmon.net captured the BGP MITM demo at Defcon and the Youtube hijack.
If you’re a network administrator, and want to try it? Please go ahead and create an account, it’s free