IPv4 Hijacking For Idiots

Christopher Morrow morrowc.lists at gmail.com
Mon Jun 5 17:09:37 UTC 2017


On Mon, Jun 5, 2017 at 12:28 PM, Mel Beckman <mel at beckman.org> wrote:

> Chris,
>
> I didn’t research Ron’s specific example. I was speaking in generalities.
> I’m assuming any BGP hijacker already has two or more DIA connections. It
> only costs $100 to add BGP peering to that setup. Yes, they will need an
> ASN. I was only
>

Most times I've seen ISP DIA links, BGP was 'free' or had been..


> talking about the cost of adding an upstream BGP session.
>

Ok. So either free or some up-charge by the ISP.


>
>  -mel
>
>
> On Jun 5, 2017, at 9:03 AM, Christopher Morrow <morrowc.lists at gmail.com>
> wrote:
>
>
>
> On Mon, Jun 5, 2017 at 7:05 AM, Mel Beckman <mel at beckman.org> wrote:
>
>> One way is for the hijacker to simply peer with himself. The hijacker has
>> an existing peering arrangement with, say, AT&T. He then tells AT&T that he
>> will be transit for ASxxxx advertising XYZ routes, by dint of a cheerfully
>> forged LOA. Once filters have been updated, the hijacker advertises the
>> space to himself, and then from thence to AT&T.
>>
>
> That doesn't seem to be what's happening in Ron's example though...
>
> It looks, to me, like the example Ron has is more a case of:
>   1) register contacts for lost asn (AS34991)
>   2) setup equipment/etc at an IX (bulgaria-ix it seems, at least) with
> another shill/lost-child asn (AS206776)
>   3) start doing the bgps with the IX fabric's route-server
>   4) profit (or something)
>
> so here the IXP operator (balkans ix actually?)
>   http://lg.bix.bg/?query=summary&addr=&router=rs1.bix.bg+%28IPv4%29
>   (search for 206776 -> http://lg.bix.bg/?query=bgp&addr=neighbors+193.169.198.191&router=rs1.bix.bg+(IPv4))
>
> should probably look more than just side-eyes at their customer...
>
>
>>
>> It's no great trick getting peering set up. Just fill out a ten-question
>> BGP app and pay a one-time fee of maybe $100, and you're done.
>>
>
> Err, you'll have to better explain this I think.
>
> Are you saying: "get an ASN from RIR that costs 100USD" (might, probably does)
>
> This doesn't get you a peering/transit contract though...
>
> -chris
>
>
>>
>>  -mel beckman
>>
>> > On Jun 5, 2017, at 3:56 AM, Ronald F. Guilmette <rfg at tristatelogic.com> wrote:
>> >
>> >
>> > The more I know, the less I understand.
>> >
>> > Maybe some of you kind folks can help.
>> >
>> > Please explain for me the following scenario, and how this all actually
>> > works in practice.
>> >
>> > Let's say that you're a malevolent Bad Actor and all you want to do is
>> > to get hold of some ASN that nobody is watching too closely, and then
>> > use that to announce some routes to some IPv4 space that nobody is
>> > watching too closely, so that you can then parcel out that IP space
>> > to your snowshoe spammer pals... at least until somebody gets wise.
>> >
>> > OK, so you pull down a copy of, say, the RIPE WHOIS database, and you
>> > programmatically walk your way through it, looking for contact email
>> > addresses on ASN records where the domain of the contact email address
>> > has become unregistered.  Say for example the one for AS34991.  So
>> > then you re-register that contact domain, fresh, and then you start
>> > telling all of your friends and enemies that you -are- AS34991.
>> >
>> > That part seems simple enough, and indeed, I've seen -this- part of the
>> > movie several times before.  However once you have stepped into the
>> > identity of the former owners of the ASN, if you then want to actually
>> > proceed to -announce- some routes, and actually have those routes make
>> > it out onto the Internet generally, then you still have to -peer- with
>> > somebody, right?
>> >
>> > So, I guess then, if you're clever, you look and see who the ASN you've
>> > just successfully hijacked has historically peered with, and then you
>> > somehow arrange to send route announcements to those guys, right?
>> > (I'm talking about AS206776 and AS57344 here, BTW.)
>> >
>> > But see, this is where I get lost.  I mean how do you push your route
>> > announcements to these guys?  (I don't actually know that much about
>> > how BGP actually works in practice, so please bear with me.)  How do
>> > you know what IP address to send your announcements to?  And if you are
>> > going to push your route announcements out to, say, the specific routers
>> > that are run by AS206776 and AS57344, i.e. the ones that will send your
>> > desired route announcements out to the rest of the Internet... well..
>> > how do you find out the IP addresses of those routers on those other
>> > networks?  Do you call up the NOCs at those other networks and do a bit
>> > of social engineering on them to find out the IP addresses you need to
>> > send to?  And can you just send BGP messages to the routers on those
>> > other networks without -any- authentication or anything and have those
>> > routers just blindly accept them -and- relay them on to the whole rest
>> > of the Internet??
>> >
>> > I've read article after article after article bemoaning the fact that
>> > "BGP isn't secure", but now I'm starting to wonder just how massively
>> > and unbelievably insecure it actually is.  I mean would these routers
>> > being run by AS206776 and AS57344 just blindly accept -any- route
>> > announcements sent to them from literally -any- IP address?  (That seems
>> > positively looney tunes to me!  I mean things can't really be THAT
>> > colossally and unbelievably stupid, can they?)
>> >
>> > Thanks in advance for any enlightenment.
>> >
>> >
>> > Regards,
>> > rfg
>> >
>> >
>> > P.S.  It would appear to be the case that since some time in April of
>> > this year the "Bulgarian" network, AS34991, had evinced a rather sudden
>> > and pronounced affinity for various portions of the IPv4 address space
>> > nominally associated with the nation of Colombia, including at least five
>> > /24 blocks within 168.176.0.0/16 which, from where I am sitting, would
>> > appear to belong to the National University of Colombia.
>> >
>> > Oh well.  They apparently haven't been missing those five gaping holes
>> > in their /16 since the time the more specifics started showing up in
>> > April.
>> >
>> > And anyway, so far it looks like the new owners of AS34991 haven't
>> > actually sub-leased any of those /24s to any spammers yet.  Only the
>> > 190.90.88.0/24 block seems to be filled, wall-to-wall, with snowshoe
>> > spammers so far.
>> >
>> >
>>
>
>
>
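As an added illustration (not part of the thread, and not any poster's code), here is the kind of check a prefix holder or their upstream could run over a route table dump to catch the situation Ron describes: more-specifics of a covering prefix showing up with an origin ASN that was never authorized to announce them. The route lines, their format (prefix followed by the AS path, origin ASN last) and the placeholder AS64496 standing in for the legitimate holder of 168.176.0.0/16 are all constructed for this example; the thread does not name that ASN.

```python
"""Flag announcements under a monitored prefix whose origin ASN is not on the
allowed list, distinguishing exact-prefix hijacks from more-specific ones.

Added example, not code from the NANOG thread. Route entries, the line format
and the AS64496 placeholder origin are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    prefix: str           # the announced prefix that tripped the check
    origin_asn: int       # who originated it
    covering_prefix: str  # the monitored prefix it falls under
    kind: str             # "wrong-origin" or "more-specific"


# Prefixes we are responsible for -> ASNs allowed to originate them.
# AS64496 is a documentation ASN used as a placeholder; the thread does not
# say which ASN legitimately originates 168.176.0.0/16.
MONITORED = {
    "168.176.0.0/16": {64496},
}

# Constructed route-table lines: "prefix AS-path", origin ASN last, as a
# looking glass or collector dump might print them.
SAMPLE_TABLE = [
    "168.176.0.0/16 64511 64496",     # the aggregate from the legitimate origin
    "168.176.10.0/24 206776 34991",   # more-specific originated by AS34991
    "168.176.11.0/24 57344 34991",    # another one via a different neighbor
    "168.176.12.0/24 64511 64496",    # holder's own deaggregation, not flagged
    "190.90.88.0/24 206776 34991",    # not under a monitored prefix, ignored
    "not a route line",               # garbage, skipped by the parser
]


def parse_route_line(line):
    """Parse one 'prefix AS-path' line into (network, [asns]).

    Returns None for blank or unparsable lines instead of raising, so a dump
    with banners or summary lines can be fed in as-is."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        net = ipaddress.ip_network(parts[0], strict=True)
        path = [int(asn) for asn in parts[1:]]
    except ValueError:
        return None
    return net, path


def check_routes(lines, monitored=MONITORED):
    """Return an Alert for every announcement covered by a monitored prefix
    whose origin ASN is not in that prefix's allowed set."""
    watched = [(ipaddress.ip_network(p), asns) for p, asns in monitored.items()]
    alerts = []
    for line in lines:
        parsed = parse_route_line(line)
        if parsed is None:
            continue
        net, path = parsed
        origin = path[-1]  # rightmost ASN in the path is the originator
        for cover, allowed in watched:
            # subnet_of() raises on mixed address families, so guard it
            if net.version != cover.version or not net.subnet_of(cover):
                continue
            if origin in allowed:
                continue  # the holder deaggregating its own space is fine
            kind = "more-specific" if net.prefixlen > cover.prefixlen else "wrong-origin"
            alerts.append(Alert(str(net), origin, str(cover), kind))
    return alerts


if __name__ == "__main__":
    for alert in check_routes(SAMPLE_TABLE):
        print(f"{alert.kind:13} {alert.prefix:18} origin AS{alert.origin_asn} "
              f"(under {alert.covering_prefix})")
```

Run against the constructed table it flags the two /24s originated by AS34991 and leaves the holder's own deaggregate alone; 190.90.88.0/24 is not reported because it sits under no monitored prefix. In practice the allowed-origin set would come from RPKI ROAs or IRR route objects rather than a hand-maintained dictionary, and the input from a route collector feed rather than a pasted dump, but the comparison is the same.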


