BGP Hijacking: New Ways to Mass Surveillance
Licson Lee <admin@licson.net>
Understand these first
BGP - Border Gateway Protocol
- Exchange of routing information between routers
- Controls the flow of data packets
Mass Surveillance
- Surveillance of a (large) group of people
- Harms the right to privacy
Malicious modification of the flow of packets can lead to unexpected mass surveillance
BGP: Basics
BGP Basics - Route Announcement
The three networks (AS 1, 2 and 3) here want to communicate with each other. As a result, they tell each other how to route traffic to themselves. This is called a route announcement.
BGP Basics - Announcement (II)
Smaller (more specific) subnets are preferred over larger ones. Therefore, for two overlapping subnets (e.g. 10.0.0.0/8 and 10.0.0.0/24), the route for the smaller one (e.g. the /24) is more likely to be selected by others.
BGP Basics - Best Path Selection
The routers choose their best path to each other by considering the AS path, that is, the number of networks that must be crossed before reaching the destination.
BGP Basics - Best Path Selection
There are several requirements for an AS path to be the best path. One of them (also the most important) is the path length. Some other factors include the routing preference and the multi-exit discriminator (MED).
BGP Hijacking: Introduction
What if?
A hacker takes control of AS 100 through some means and changes the BGP configuration?
Redirecting Traffic
The hacker controls AS 100 and announces a new route, 172.16.1.0/25, which should belong to AS 300.
Redirecting Traffic
AS 200 sees the new route and starts to reroute traffic for 172.16.1.0/25 (a portion of 172.16.1.0/24, which is from AS 300) through AS 100.
Redirecting Traffic
AS 100 can now intercept traffic to 172.16.1.0/25 (a portion of AS 300's network) and even modify the data transmitted to targets located in AS 300.
It can have a serious impact and you may not even realize it!
In Real Life
The "hacker" can be government agents, data thieves and network engineers who misconfigured their routers.
It can be hard to distinguish a misconfiguration from a hijack.
Limitations
Routers can reject new route announcements
- Not always able to hijack all possible traffic to a target
- Can lead to adverse effects if something goes wrong
New systems are now capable of detecting these routes
- e.g. Dyn Internet Intelligence
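One way such detection can work, shown on the AS 100/200/300 scenario above (an added example, not code from the original slides): it performs longest-prefix match to show which destinations are diverted, then flags announcements whose origin AS disagrees with an expected prefix-to-origin table. The table, the announcements and all function names are constructed for illustration.

```python
import ipaddress

# Constructed data: prefixes we monitor and the AS expected to originate them.
EXPECTED_ORIGINS = {ipaddress.ip_network("172.16.1.0/24"): 300}

# Constructed announcements as received by AS 200: (prefix, AS path).
# The origin AS is the last element of the path.
ANNOUNCEMENTS = [
    ("172.16.1.0/24", [300]),   # legitimate route from AS 300
    ("172.16.1.0/25", [100]),   # more-specific route announced by AS 100
    ("192.168.0.0/16", [100]),  # unrelated prefix, not monitored
]

def best_route(dest, announcements=ANNOUNCEMENTS):
    """Longest-prefix match: the most specific covering prefix wins."""
    addr = ipaddress.ip_address(dest)
    covering = [(ipaddress.ip_network(p), path) for p, path in announcements
                if addr in ipaddress.ip_network(p)]
    if not covering:
        return None
    net, path = max(covering, key=lambda route: route[0].prefixlen)
    return str(net), path

def classify(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Compare one announcement against the expected prefix origins."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for known, owner in expected.items():
        if net.version != known.version:
            continue
        if net == known:
            return "ok" if origin == owner else "origin-mismatch"
        if net.subnet_of(known):
            # A more-specific route wins longest-prefix match, so a foreign
            # origin here diverts part of the monitored prefix.
            return "more-specific-by-owner" if origin == owner else "sub-prefix"
    return "unmonitored"

def alerts(announcements=ANNOUNCEMENTS):
    """Return (prefix, origin AS, verdict) for announcements worth alerting on."""
    found = []
    for prefix, path in announcements:
        verdict = classify(prefix, path)
        if verdict in ("origin-mismatch", "sub-prefix"):
            found.append((prefix, path[-1], verdict))
    return found

if __name__ == "__main__":
    print(best_route("172.16.1.10"), best_route("172.16.1.200"))
    print(alerts())
```

Only the lower half of the /24 follows the /25 through AS 100; addresses in the upper half still take the legitimate route, which is why a partial hijack like this can go unnoticed without origin checks.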
Examples around the World
BGP Hijacking of AWE of UK
The Ukrainian ISP Vega hijacked some IP space of the UK's Atomic Weapons Establishment, intercepting traffic in between before returning it to its final destination.
BGP Hijacking of AWE (cont.)
The hijacked network contains the mail server and VPN gateway of the AWE, which is responsible for atomic weapons research in the UK.
BGP Hijacking of AWE (cont.)
Coincidentally, the hijacked IP space also contains mail servers of Royal Mail, a postal service company in the UK.
Confidential emails can be leaked.
vDOS Hijacked by BackConnect
BackConnect, an Internet security firm and DDoS mitigation provider, hijacked Verdina Ltd. by announcing a subset of its IPs. Apparently, the IP space belongs to vDOS, which provides stress testing services.
BackConnect's Hijacking Attempts
Usually, DDoS mitigation providers do BGP hijacking to redirect attack traffic to their scrubbing centres. BackConnect's short hijack duration makes this unlikely.
BackConnect's Hijacking Attempts
BackConnect even tries to hide its hijacking attempts through a long AS path. Such suspicious behaviour is uncommon for an Internet security company, and it may suggest they're mining data through such hijacks.
Iran Leaks Censorship
The Iranian state telecom announced a set of IPs (99.192.226.0/24) which contains numerous pornographic websites. The announcement leaked onto the Internet and caused chaos.
Iran Leaks Censorship
The intent of the Iranian government was to block these websites nationally; however, the announcement got out through Omantel and the websites became blocked internationally. This is the power of BGP hijacking.
Questions?
Thank You
Website: https://licson.net/
E-mail: admin@licson.net
GitHub: licson0729