IPv4 Hijacking For Idiots
Ronald F. Guilmette
rfg at tristatelogic.com
Mon Jun 5 10:56:14 CST 2017
The more I know, the less I understand.
Maybe some of you kind folks can help.
Please explain for me the following scenario, and how this all actually
works in practice.
Let's say that you're a malevolent Bad Actor and all you want to do is
to get hold of some ASN that nobody is watching too closely, and then
use that to announce some routes to some IPv4 space that nobody is
watching too closely, so that you can then parcel out that IP space
to your snowshoe spammer pals... at least until somebody gets wise.
OK, so you pull down a copy of, say, the RIPE WHOIS database, and you
programatically walk your way through it, looking for contact email
addresses on ASN records where the domain of the contact email address
has become unregistered. Say for example the one for AS34991. So
then you re-register that contact domain, fresh, and then you start
telling all of your friends and enemies that you -are- AS34991.
That part seems simple enough, and indeed, I've seen -this- part of the
movie several times before. However once you have stepped into the
identity of the former owners of the ASN, if you then want to actually
proceed to -announce- some routes, and actually ave those routes make
it out onto the Internet generally, then you still have to -peer- with
So, I guess then, if you're clever, you look and see who the ASN you've
just successfully hijacked has historically peered with, and then you
somehow arrange to send route announcements to those guys, right?
(I'm talking about AS206776 and AS57344 here, BTW.)
But see, this is where I get lost. I mean how do you push your route
announcements to these guys? (I don't actually know that much about
how BGP actually works in practice, so please bear with me.) How do
you know what IP address to send your announcements to? And if you are
going to push your route announcements out to, say, the specific routers
that are run by AS206776 and AS57344, i.e. the ones that will send your
desired route announcements out to the rest of the Internet... well..
how do you find out the IP addresses of those routers on those other
networks? Do you call up the NOCs at those other networks and do a bit
of social engineering on them to find out the IP addresses you need to
send to? And can you just send BGP messages to the routers on those
other networks without -any- authentication or anything and have those
routers just blindly accept them -and- relay them on to the whole rest
of the Internet??
I've read article after article after article bemoanging the fact that
"BGP isn't secure", but now I'm starting to wonder just how massively
and unbelieveably unsecure it actually is. I mean would these routers
being run by AS206776 and AS57344 just blindly accept -any- route
announcements sent to them from literally -any- IP address? (That seems
positively looney tunes to me! I mean things can't really be THAT
colossally and unbelievably stupid, can they?)
Thanks in advance for any enlightenment.
P.S. It would appear to be the case that since some time in April of this
year the "Bulgarian" network, AS34991, had evinced a rather sudden and
pronounced affinity for various portion of the IPv4 address space nominally
associated with the nation of Columbia, including at least five /24 blocks
within 220.127.116.11/16 which, from where I am sitting, would appear to belong
to the National University of Columbia.
Oh well. They apparently haven't been missing those five gaping holes in
their /16 since the time the more specifics started showing up in April.
And anyway, so far it looks like the new owners of AS34991 haven't actually
sub-leased any of those /24s to any spammers yet. Only the 18.104.22.168/24
block seems to be filled, wall-to-all, with snowshoe spammers so far.
More information about the NANOG