IP hijacking

IP hijacking (also called BGP hijacking or prefix hijacking) is the illegitimate takeover of groups of IP addresses by corrupting Internet routing tables.

The Internet is a global network enabling any connected host, identified by its unique IP address, to talk to any other host anywhere in the world. This is achieved by passing data from one router to another, repeatedly moving each packet closer to its destination until it is delivered. To do this, each router must be regularly supplied with up-to-date routing tables. At the global level, individual IP addresses are grouped together into prefixes. Each prefix is originated, or owned, by an autonomous system (AS), and the routing tables between ASes are maintained using the Border Gateway Protocol (BGP).
A group of networks that operate under a single external routing policy is known as an autonomous system. For example, Sprint, MCI and AT&T each operate an AS. Each AS has its own unique AS number (ASN). BGP is the standard routing protocol used to exchange IP routing information between autonomous systems.

Each AS uses BGP to advertise the prefixes it can deliver traffic to. For example, if the network prefix 192.0.2.0/24 is inside AS 64496, then that AS will advertise to its provider(s) and/or peer(s) that it can deliver any traffic destined for 192.0.2.0/24.

IP hijacking can occur on purpose or by accident in one of several ways:
  • An AS announces that it originates a prefix that it does not actually originate.
  • An AS announces a more specific prefix than the one announced by the true originating AS, so that longest-prefix matching prefers the bogus route.
  • An AS announces that it can reach the hijacked prefix through a shorter AS path than the one already available, regardless of whether that path actually exists.

Common to all of these is the disruption of normal routing: packets are forwarded towards the wrong part of the network, where they either loop until their TTL expires and are discarded, or end up at the mercy of the offending AS.
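The three forms above all exploit the same two rules of the BGP decision process. The following is an added example, not code from the article: a small Python model of one router's route selection (longest-prefix match first, then shortest AS path), fed with constructed announcements for each hijack form. The ASNs (64496 as the victim, 64666 as the attacker, and the transit ASNs around them) and the prefix 192.0.2.0/24 are hypothetical documentation values, and the model deliberately ignores the other tie-breakers a real router applies.

```python
import ipaddress

# Added example (not from the article): a deliberately simplified BGP decision
# process, just enough to show why each of the three hijack forms works.
# A real router also compares local preference, origin code, MED, IGP cost and
# router ID; only the two rules the hijacks exploit are modelled here:
#   rule 1: the longest (most specific) prefix covering a destination is used,
#   rule 2: among routes to that prefix, the shortest AS path wins.
# All ASNs are from the documentation range (RFC 5398) and are hypothetical.

VICTIM_AS = 64496      # legitimately originates 192.0.2.0/24 (RFC 5737 test net)
HIJACKER_AS = 64666    # hypothetical attacker


class Rib:
    """Routes known to one vantage-point router: prefix -> list of AS paths."""

    def __init__(self):
        self.routes = {}

    def announce(self, prefix, as_path):
        net = ipaddress.ip_network(prefix)
        self.routes.setdefault(net, []).append(tuple(as_path))

    def best(self, ip):
        """Return (prefix, as_path) chosen for a destination address, or None."""
        addr = ipaddress.ip_address(ip)
        covering = [net for net in self.routes if addr in net]
        if not covering:
            return None
        net = max(covering, key=lambda n: n.prefixlen)          # rule 1
        # min() keeps the first (oldest) path on a tie, like a real router.
        return net, min(self.routes[net], key=len)               # rule 2

    def origin_for(self, ip):
        """The AS that this router believes originates the route for ip."""
        best = self.best(ip)
        return best[1][-1] if best else None   # last ASN in the path = origin


def legitimate_rib():
    rib = Rib()
    # Honest route: our upstream AS64500 reaches AS64497, the victim's provider.
    rib.announce("192.0.2.0/24", [64500, 64497, VICTIM_AS])
    return rib


def hijacker_path(hops):
    """AS path as seen by a vantage point `hops` ASes away from the attacker."""
    return [64510 + i for i in range(hops - 1)] + [HIJACKER_AS]


def origin_hijack(hops):
    """Form 1: the attacker announces the victim's exact prefix as its own.
    Which origin our router believes depends on who is closer (rule 2), so an
    origin hijack captures only the part of the Internet nearer the attacker."""
    rib = legitimate_rib()
    rib.announce("192.0.2.0/24", hijacker_path(hops))
    return rib.origin_for("192.0.2.10")


def more_specific_hijack():
    """Form 2: a /25 beats the honest /24 (rule 1) even over a much longer path.
    Returns the believed origin for an address inside and outside the /25."""
    rib = legitimate_rib()
    rib.announce("192.0.2.0/25", hijacker_path(6))
    return rib.origin_for("192.0.2.10"), rib.origin_for("192.0.2.200")


def forged_path_hijack():
    """Form 3: the attacker keeps the true origin at the end of the path but
    claims a direct (non-existent) link to it; the shorter path wins (rule 2)
    while the origin still looks legitimate."""
    rib = legitimate_rib()
    rib.announce("192.0.2.0/24", [HIJACKER_AS, VICTIM_AS])
    _, path = rib.best("192.0.2.10")
    return path, path[-1]


if __name__ == "__main__":
    print("origin hijack, 4 hops away:", origin_hijack(4))   # honest route kept
    print("origin hijack, 2 hops away:", origin_hijack(2))   # hijacked
    print("more-specific hijack (inside /25, outside):", more_specific_hijack())
    print("forged path (path, apparent origin):", forged_path_hijack())
```

Run it and the output shows the practical difference between the forms: the origin hijack only wins at vantage points closer to the attacker than to the victim, the more-specific hijack wins everywhere regardless of path length (but only for the half of the /24 it covers), and the forged path wins while still showing the victim's ASN as origin.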

Typically, ISPs filter BGP advertisements from their downstream (customer) networks so that they contain only the IP space those customers are entitled to announce. However, the history of hijacking incidents shows this is not always the case.

IP hijacking is sometimes used by malicious actors to obtain IP addresses for spamming or for a distributed denial-of-service (DDoS) attack.

BGP hijacking and transit-AS problems

Like the TCP reset attack, session hijacking involves intrusion into an ongoing BGP session: the attacker successfully masquerades as one of the peers in the session, and requires the same information needed to accomplish the reset attack (the peers' addresses and ports and an in-window TCP sequence number). The difference is that a session hijacking attack may be designed to achieve more than simply bringing down a session between BGP peers. For example, the objective may be to change the routes used by the peer in order to facilitate eavesdropping, black-holing, or traffic analysis.

By default, eBGP peers will attempt to add all routes received from another peer into the device's routing table and will then attempt to advertise nearly all of those routes to their other eBGP peers. This is a problem because a multi-homed organization can inadvertently advertise prefixes learned from one AS to another, making the customer the new best path to the prefixes in question. For example, a customer with a Cisco router peering with, say, AT&T and Verizon and using no filtering will automatically link the two major carriers, which could cause the providers to prefer sending some or all traffic through the customer (over perhaps a T1) instead of over their high-speed dedicated links. This problem can further affect other networks that peer with these two providers and cause those ASes to prefer the misconfigured link as well. In practice, this hardly ever occurs with large ISPs, because they restrict what an end customer can advertise. However, any ISP that does not filter customer advertisements can allow errant information into the global routing table, where it can affect even the large Tier-1 providers.
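The route leak described above, as an added example that is not part of the article: a Python model of a multi-homed customer that either re-advertises everything it hears or applies the standard customer/provider/peer export rule, and of a provider that, as is usual ISP policy, gives customer-learned routes a higher local preference than peer-learned ones. That local-preference rule is why a leak is so effective: the provider prefers the customer's longer path because it is a customer route, not because it is short. The ASNs (64496 as the customer, 64500 and 64501 as its two providers, 64502 as another customer of 64500), the prefixes and the local-preference values are constructed for the example.

```python
# Added example (not from the article): a model of the route leak described
# above and of the export policy that prevents it. ASNs and prefixes come from
# the documentation ranges (RFC 5398, RFC 5737) and are hypothetical.

CUSTOMER, PEER, PROVIDER = "customer", "peer", "provider"
LOCAL_PREF = {CUSTOMER: 200, PEER: 100, PROVIDER: 50}   # typical ISP policy


def export_allowed(learned_from, send_to):
    """Valley-free export rule: routes learned from a customer (or originated
    locally) may go to anyone; routes learned from a provider or a peer may
    only go to customers, never to another provider or to a peer."""
    return learned_from == CUSTOMER or send_to == CUSTOMER


class Speaker:
    def __init__(self, asn, neighbors):
        self.asn = asn
        self.neighbors = neighbors   # neighbour ASN -> relationship, from our point of view
        self.adj_in = []             # (prefix, as_path, relationship it was learned over)

    def originate(self, prefix):
        # Own prefixes are exported like customer routes.
        self.adj_in.append((prefix, (), CUSTOMER))

    def receive(self, prefix, as_path, from_asn):
        if self.asn not in as_path:                   # BGP AS-path loop detection
            self.adj_in.append((prefix, tuple(as_path), self.neighbors[from_asn]))

    def advertise(self, to_asn, filtered):
        """Routes we send to one neighbour, with our own ASN prepended."""
        to_rel = self.neighbors[to_asn]
        return [(prefix, (self.asn,) + path)
                for prefix, path, learned_rel in self.adj_in
                if not filtered or export_allowed(learned_rel, to_rel)]

    def best(self, prefix):
        """Provider-style decision: highest local preference first, so a
        customer-learned route beats a shorter path heard from a peer; AS-path
        length only breaks ties."""
        cands = [(LOCAL_PREF[rel], -len(path), path)
                 for p, path, rel in self.adj_in if p == prefix]
        return max(cands)[2] if cands else None


def simulate(customer_filters_exports):
    """Return the paths AS64501 uses for 203.0.113.0/24 (a prefix of another
    customer of AS64500) and for the customer's own 198.51.100.0/24."""
    # AS64496: multi-homed customer of AS64500 and AS64501 (the AT&T/Verizon case above)
    customer = Speaker(64496, {64500: PROVIDER, 64501: PROVIDER})
    provider_b = Speaker(64501, {64496: CUSTOMER, 64500: PEER})

    customer.originate("198.51.100.0/24")
    # AS64500 hands its customer a route learned from its other customer AS64502 ...
    customer.receive("203.0.113.0/24", (64500, 64502), from_asn=64500)
    # ... and the same route to its peer AS64501 over the high-speed peering link.
    provider_b.receive("203.0.113.0/24", (64500, 64502), from_asn=64500)

    for prefix, path in customer.advertise(64501, customer_filters_exports):
        provider_b.receive(prefix, path, from_asn=64496)

    return provider_b.best("203.0.113.0/24"), provider_b.best("198.51.100.0/24")


if __name__ == "__main__":
    print("no export filter:  ", simulate(False))   # AS64501 sends traffic via the customer's T1
    print("with export filter:", simulate(True))    # AS64501 keeps the direct peering path
```

Without the filter, AS64501 chooses (64496, 64500, 64502) for a prefix that has nothing to do with the customer, because the customer route carries the higher local preference; with the filter, the customer still reaches both providers with its own prefix but never passes one provider's routes to the other.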

The concept of BGP hijacking revolves around locating an ISP that is not filtering advertisements (intentionally or otherwise), or locating an ISP whose internal or ISP-to-ISP BGP session is susceptible to a man-in-the-middle attack. Once such an ISP is found, an attacker can potentially advertise any prefix they want, causing some or all traffic to be diverted from the real source towards the attacker. This can be done either to overload the ISP the attacker has infiltrated, or to perform a DoS or impersonation attack on the entity whose prefix is being advertised. It is not uncommon for an attacker to cause serious outages, up to and including a complete loss of connectivity. In early 2008, at least eight US universities had their traffic diverted to Indonesia for about 90 minutes one morning in an attack kept mostly quiet by those involved. Also, in February 2008, a large portion of YouTube's address space was redirected to Pakistan when the Pakistan Telecommunication Authority (PTA) decided to block access to the site from inside the country, but the more-specific blackhole route accidentally leaked into the global BGP table.

While prefix filtering and session protection (the TCP MD5 signature option and TTL-based checks) are available in most BGP implementations, and so prevent the source of most attacks, the problem stems from the fact that ISPs rarely filter advertisements from other ISPs, as there is no common or efficient way to determine the list of permissible prefixes each AS can originate. The penalty for allowing errant information to be advertised ranges from simple filtering by other or larger ISPs to a complete shutdown of the BGP session by the neighbouring ISP (causing the two ISPs to cease peering), and repeated problems often end in permanent termination of all peering agreements. Note also that even when a major provider blocks or shuts down a smaller, problematic provider, the errant routes will often continue to reach the global BGP table through other available paths until all peers take action, or until the errant ISP fixes the problem at the source.
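Resource Public Key Infrastructure (RPKI, listed under See also) was built to supply exactly the missing "list of permissible prefixes each AS can originate": a Route Origin Authorization (ROA) states which AS may originate a prefix and up to what maximum prefix length. The following added example, not from the article, implements the route origin validation outcome defined in RFC 6811 and applies it to announcements shaped like the hijack forms discussed earlier on the page. The ROA, the announcements and the ASNs are constructed (documentation ranges).

```python
import ipaddress

# Added example (not from the article): RPKI route origin validation with the
# outcome rules of RFC 6811, applied to constructed announcements. The ROA and
# all ASNs are hypothetical (RFC 5398 / RFC 5737 documentation values).

# A ROA says: "AS <asn> may originate <prefix> and any sub-prefix up to /<max_length>".
ROAS = [
    {"prefix": "192.0.2.0/24", "max_length": 24, "asn": 64496},
]


def rov_state(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    A ROA covers a route when the route's prefix lies inside the ROA prefix.
    valid     - some covering ROA has the same origin ASN and its max_length
                permits the route's prefix length
    invalid   - ROAs cover the route but none of them matches
    not-found - no ROA covers the route at all (accepted by default)
    """
    route = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if route.subnet_of(ipaddress.ip_network(r["prefix"]))]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa["asn"] == origin_asn and route.prefixlen <= roa["max_length"]:
            return "valid"
    return "invalid"


def rov_filter(announcements):
    """The policy most operators deploy: drop invalid routes, keep the rest."""
    return {name: (p, path) for name, (p, path) in announcements.items()
            if rov_state(p, path[-1]) != "invalid"}


# Constructed announcements matching the hijack forms discussed on this page;
# the origin is the last ASN in the AS path, which is all that ROV examines.
ANNOUNCEMENTS = {
    "honest":           ("192.0.2.0/24", (64500, 64497, 64496)),
    "origin hijack":    ("192.0.2.0/24", (64510, 64666)),
    "more-specific":    ("192.0.2.0/25", (64510, 64511, 64666)),
    "forged path":      ("192.0.2.0/24", (64666, 64496)),         # true origin kept at the end
    "own /25, no ROA":  ("192.0.2.0/25", (64500, 64497, 64496)),  # victim's own more-specific
    "unrelated prefix": ("198.51.100.0/24", (64500, 64498)),
}


def check_announcements(announcements=ANNOUNCEMENTS):
    return {name: rov_state(p, path[-1]) for name, (p, path) in announcements.items()}


if __name__ == "__main__":
    for name, state in check_announcements().items():
        print(f"{name:18} {state}")
    print("kept after ROV filter:", sorted(rov_filter(ANNOUNCEMENTS)))
```

ROV labels the origin hijack and the more-specific hijack invalid, but the forged-path announcement, which keeps the true origin at the end of the path, is still valid: origin validation says nothing about whether the rest of the path exists, which is why path validation (BGPsec) is a separate mechanism. The "own /25" case shows the maxLength pitfall in the other direction: a legitimate more-specific announced by the victim itself is invalid unless a ROA permits that length, so operators must publish ROAs that match what they actually announce.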

One useful offshoot of this concept is BGP anycasting, frequently used by root DNS servers to let multiple servers use the same IP address, providing redundancy and a layer of protection against DoS attacks without publishing hundreds of server IP addresses. The difference in this situation is that the same prefix is deliberately originated from several locations, and each point advertising it actually has access to the real data (DNS in this case) and responds correctly to end-user requests.

Public incidents

  • April 1997: The "AS 7007 incident", perhaps the earliest notable example: a router in AS 7007 accidentally leaked a substantial part of its routing table to the Internet, creating a routing black hole.
  • December 24, 2004: TTNet in Turkey hijacks the Internet.
  • January 22, 2006: Con-Edison hijacks a big chunk of the Internet.
  • February 24, 2008: Pakistan's attempt to block YouTube access within the country takes down YouTube entirely.
  • April 8, 2010: Chinese ISP hijacks the Internet: China Telecom originated about 37,000 prefixes not belonging to it for around 15 minutes, disrupting services globally.

See also

  • Bogon filtering
  • Border Gateway Protocol
  • Resource Public Key Infrastructure

External links

  • BGPmon.net: A BGP specific monitoring system to detect prefix hijacks, route leakage and instability.
  • Cyclops: A BGP network audit tool (prefix hijack, route leakage) by UCLA
  • NetViews: A Real Time BGP Topology visualization and IP Hijacking Detection tool by University of Memphis.
  • AS-CRED: A service of reputation-based trust management and real-time alert (prefix hijacking, unstable prefix announcement), for inter-domain routing by University of Pennsylvania.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 