IPv4 Hijacking For Idiots
mel at beckman.org
Mon Jun 5 11:05:21 CST 2017
One way is for the hijacker to simply peer with himself. The hijacker has an existing peering arrangement with, say, AT&T. He then tells AT&T that he will be transit for ASxxxx advertising XYZ routes, by dint of a cheerfully forged LOA. Once filters have been updated, the hijacker advertises the space to himself, and then from thence to AT&T.
It's no great trick getting peering set up. Just fill out a ten-question BGP app and pay a one-time fee of maybe $100, and you're done.
> On Jun 5, 2017, at 3:56 AM, Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
> The more I know, the less I understand.
> Maybe some of you kind folks can help.
> Please explain for me the following scenario, and how this all actually
> works in practice.
> Let's say that you're a malevolent Bad Actor and all you want to do is
> to get hold of some ASN that nobody is watching too closely, and then
> use that to announce some routes to some IPv4 space that nobody is
> watching too closely, so that you can then parcel out that IP space
> to your snowshoe spammer pals... at least until somebody gets wise.
> OK, so you pull down a copy of, say, the RIPE WHOIS database, and you
> programatically walk your way through it, looking for contact email
> addresses on ASN records where the domain of the contact email address
> has become unregistered. Say for example the one for AS34991. So
> then you re-register that contact domain, fresh, and then you start
> telling all of your friends and enemies that you -are- AS34991.
> That part seems simple enough, and indeed, I've seen -this- part of the
> movie several times before. However once you have stepped into the
> identity of the former owners of the ASN, if you then want to actually
> proceed to -announce- some routes, and actually ave those routes make
> it out onto the Internet generally, then you still have to -peer- with
> somebody, right?
> So, I guess then, if you're clever, you look and see who the ASN you've
> just successfully hijacked has historically peered with, and then you
> somehow arrange to send route announcements to those guys, right?
> (I'm talking about AS206776 and AS57344 here, BTW.)
> But see, this is where I get lost. I mean how do you push your route
> announcements to these guys? (I don't actually know that much about
> how BGP actually works in practice, so please bear with me.) How do
> you know what IP address to send your announcements to? And if you are
> going to push your route announcements out to, say, the specific routers
> that are run by AS206776 and AS57344, i.e. the ones that will send your
> desired route announcements out to the rest of the Internet... well..
> how do you find out the IP addresses of those routers on those other
> networks? Do you call up the NOCs at those other networks and do a bit
> of social engineering on them to find out the IP addresses you need to
> send to? And can you just send BGP messages to the routers on those
> other networks without -any- authentication or anything and have those
> routers just blindly accept them -and- relay them on to the whole rest
> of the Internet??
> I've read article after article after article bemoanging the fact that
> "BGP isn't secure", but now I'm starting to wonder just how massively
> and unbelieveably unsecure it actually is. I mean would these routers
> being run by AS206776 and AS57344 just blindly accept -any- route
> announcements sent to them from literally -any- IP address? (That seems
> positively looney tunes to me! I mean things can't really be THAT
> colossally and unbelievably stupid, can they?)
> Thanks in advance for any enlightenment.
> P.S. It would appear to be the case that since some time in April of this
> year the "Bulgarian" network, AS34991, had evinced a rather sudden and
> pronounced affinity for various portion of the IPv4 address space nominally
> associated with the nation of Columbia, including at least five /24 blocks
> within 126.96.36.199/16 which, from where I am sitting, would appear to belong
> to the National University of Columbia.
> Oh well. They apparently haven't been missing those five gaping holes in
> their /16 since the time the more specifics started showing up in April.
> And anyway, so far it looks like the new owners of AS34991 haven't actually
> sub-leased any of those /24s to any spammers yet. Only the 188.8.131.52/24
> block seems to be filled, wall-to-all, with snowshoe spammers so far.
More information about the NANOG