RIPE NCC IPv4 Pool
[Pie chart: ARIN 30%, APNIC 20%, RIPE NCC 15%, Legacy 15%, Other IANA 14%, LACNIC 4%, AfriNIC 2%]

         Marco Hogewoning                                     1

Monday, March 19, 2012
IP Hijacking
Securing Internet Routing

Marco Hogewoning
Training Services

Never attribute to malice that which is adequately explained by stupidity.

  -- Robert J Hanlon

Why Would You Hijack?
• Sending spam or malware unnoticed
• Intercept traffic to a specific host
• Sell the resources

Two Targets for Hijacking
• The Internet routing table
  – Influence how traffic flows by manipulating BGP
• The Internet registry
  – Possibly manipulating BGP filters
  – Hide or change ownership details

Internet Routing
• Non-hierarchical
• The Internet registries only have limited control
  – It’s the operator who decides
  – We can only offer some guidance
• Internet Routing Registry
  – Integrated in the RIPE Database
  – Ties together a prefix and an ASN
• RPKI Certification
  – ROAs couple a prefix and an ASN

Decision Making in Routing
• Unless preferences dictate otherwise, a router will pick the shortest path
• A more specific route will always take preference
• Filtering is usually only done at the edge of the Internet
  – Filtering in the core of the Internet is far too complex and costly to achieve
• Most filters are based on IP ranges
  – Input can come from the IRR

[Diagram, shown as an animated build: a mesh of ASes and IXes. One AS announces “I have 193.0.0.0/19!” and the other ASes pass it on: “I know where 193.0.0.0/19 is”. Another AS then announces the more specific “Haha, I have 193.0.3.0/24”.]

Hijacking in Practice




Hijacking in Order to Spam
• Probably the easiest to do
  – You don’t need 100% coverage
  – Probably temporary anyway
  – You don’t care about identity or ownership
• Find some space that is not in use
  – Registry can “guide” you to them
• Find an upstream that does not filter
  – Or trusts what you tell them

In Practical Terms
• Look for older registrations or, even better, look for something that is not registered at all
• Maybe find an unused ASN to hide behind
• Announce it on the Internet and do your thing

• Role of the registries is very limited
  – We advise people to filter
  – Try to reclaim unannounced space

Hijacking to Intercept
• You are targeting space that is in use
  – The owner is much more likely to find out
  – You need to create a shorter or better AS path
• Using a more specific creates a better path
  – Announce only the part you are interested in
• Make sure you don’t create a blackhole

• RIPE NCC provides tools that can spot these

Injecting a Rogue Route
[Diagram, shown as an animated build: a mesh of ASes connecting a “victim” and a “Target”; a “fake” AS attached to one of the ASes injects a route (“Inject”).]

Hijacking With the Intention to Sell
• No need to fiddle with routing
• Unregistered (legacy) space is probably the easiest to target
• Registered space requires you to alter the RIPE Database
• Amount of detail needed probably depends on who is buying it

Protection and Prevention

IPv4 Address Space Covered
[Pie chart; labelled slices: RIPE NCC 15%, Legacy 15%]

Internet Registry
• All assignments and allocations made by the RIPE NCC are protected by us
• Attempts to modify data are monitored and immediately acted upon
• Virtually impossible to steal registered space from the perspective of the Database
• Routing does not depend on registry information

RIPE Database
• Strong protection using MD5-hashed passwords or PGP public/private key pairs
• Only authenticated users can update or change information
• Creation of so-called route objects verified by password of both the IP and ASN holders

• It is a public database!

Internet Routing Registry
• Combination of ASN and IP resources
  – “This space is announced by this AS”
• Can be used to set up and maintain filters
  – Used by a number of larger operators
  – Only accept a route from a customer when properly registered
  – Blocks the injection of false routing information

• Use of the IRR is voluntary

Internet Routing Registry (2)
• Not all address space is covered
• Not everything in the IRR is accurate
  – Stale information can be a problem
  – Manual overrides happen all the time
• It is a distributed system
  – 14 databases that mirror each other
  – Verification and authentication methods vary between those databases

Routing Information Service
• We operate a number of route collectors
  – Thousands of networks feed us their view of the world
  – Provides a global view of the Internet
• Information collected in a central database
  – Provides historic and real-time information
  – Information is publicly accessible
• Information can be used to monitor your space
• Can also be used to find unused address blocks

IS Alarms Service
• Tool to monitor the Internet routing table
  – Using RIS as a source
• Track changes in origin or transit AS for a given prefix
• If a rogue route is detected, an alarm is raised to the operator either via email or syslog

• Can catch a lot of errors and hijack attempts

Routing Registry Consistency Check
• Compares the IRR and RIS
• Highlights the mismatches in origin AS
• Operator can choose from two options:
  – Fix the IRR to match routing
  – Fix the routing to match the IRR

• Does not prevent or correct any hijacking but improves data quality in the IRR

Certification
• The idea came from the routing community
  – Secure Inter-Domain Routing (SIDR) WG in IETF
• Route Origination Authorization (ROA)
  – Ties a specific prefix to an ASN
  – “Improved” version of the route object
• Verified by the address holder
  – Registry is the trust anchor
  – Allows for better control compared to IRR

Certification (2)
• More and easier integration with the routing layer
  – Compared to the IRR system using the database
• Should have less stale information
  – Turned out to still be error prone
• Use is entirely voluntary
  – How to handle invalids is up to the operator

• Quality of the RPKI data will influence the speed of adoption amongst operators

Certification (3)
• Current guidelines are to alter preference:
  – Always prefer valid over invalid routes
• Right now can only verify the origin of the route
  – Catches a lot of mistakes
  – “Path validation” added in the future

• Filtering only becomes an option when everybody uses the system correctly
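
Origin validation against ROAs, and the difference between "prefer valid over invalid" and filtering, worked through on the slides' 193.0.0.0/19 and 193.0.3.0/24. This is an added example, not code from the presentation: it follows the valid / invalid / not-found states of RFC 6811, the ROA maxLength field is taken from the RPKI specifications rather than the slides, and the AS numbers, the ROA and 192.0.2.0/24 are constructed.

```python
"""RPKI route origin validation (RFC 6811 states) and route selection.

The ROA, the announcements and all AS numbers below are constructed.
"""
import ipaddress

# Constructed ROA: (prefix, maxLength, authorised origin AS)
ROAS = [("193.0.0.0/19", 19, 64500)]

# Constructed announcements: (prefix, origin AS)
ROUTES = [
    ("193.0.0.0/19", 64511),   # same prefix, unauthorised origin
    ("193.0.0.0/19", 64500),   # the address holder
    ("193.0.3.0/24", 64511),   # more specific, unauthorised origin
    ("192.0.2.0/24", 64504),   # space without any ROA (e.g. legacy)
]

# Higher is better when two announcements compete for the same prefix.
RANK = {"valid": 2, "not-found": 1, "invalid": 0}


def validate(prefix, origin, roas):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this prefix
        if origin == roa_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def build_table(routes, roas, drop_invalid):
    """Per prefix, keep the announcement with the best validation state.

    drop_invalid=False models "alter preference"; True models filtering.
    """
    table = {}
    for prefix, origin in routes:
        state = validate(prefix, origin, roas)
        if drop_invalid and state == "invalid":
            continue
        net = ipaddress.ip_network(prefix)
        best = table.get(net)
        if best is None or RANK[state] > RANK[best[1]]:
            table[net] = (origin, state)
    return table


def lookup(table, address):
    """Longest-prefix match; returns (prefix, origin AS, state) or None."""
    addr = ipaddress.ip_address(address)
    matches = [n for n in table if n.version == addr.version and addr in n]
    if not matches:
        return None
    net = max(matches, key=lambda n: n.prefixlen)
    origin, state = table[net]
    return (str(net), origin, state)


if __name__ == "__main__":
    for drop in (False, True):
        table = build_table(ROUTES, ROAS, drop_invalid=drop)
        mode = "filter invalids" if drop else "prefer valid"
        for address in ("193.0.1.1", "193.0.3.1", "192.0.2.1"):
            print(f"{mode:16} {address:10} -> {lookup(table, address)}")
```

With preference only, the invalid /24 is the sole route for its prefix and still wins the longest-prefix match; only dropping invalids sends 193.0.3.1 back to the /19. The same maxLength of 19 also marks the holder's own /24 as invalid, one way ROA data can be wrong.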

Injecting a Rogue Route
[Diagram: the same topology, now with an “X” between “Inject” and the neighbouring AS.]

Legacy Is the Easy Victim
[Pie chart: ARIN 30%, APNIC 20%, RIPE NCC 15%, Legacy 15%, Other IANA 14%, LACNIC 4%, AfriNIC 2%]

Legacy Space
• The most likely target for any form of hijacking or other abuse:
  – Not covered by the registry or stale information
  – Not covered by RPKI
  – More likely to not be used on the Internet

• Project underway to bring these resources into the registry
  – Registration is free of charge

Questions?




Know Your Network: Why Every Network Operator Should Host RIPE Atlas
 
Minimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasMinimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE Atlas
 
RIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement Services
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure
 
The RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenThe RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in Sweden
 

Dernier

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Dernier (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

IP Hijacking - Securing Internet Routing

  • 1. RIPE NCC IPv4 Pool (pie chart): Legacy 15%, Other IANA 14%, AfriNIC 2%, LACNIC 4%, RIPE NCC 15%, ARIN 30%, APNIC 20%. Marco Hogewoning, Monday, March 19, 2012
  • 2. IP Hijacking: Securing Internet Routing. Marco Hogewoning, Training Services
  • 3. Never attribute to malice that which is adequately explained by stupidity. -- Robert J Hanlon
  • 4. Why Would You Hijack?
      • Sending spam or malware unnoticed
      • Intercept traffic to a specific host
      • Sell the resources
  • 5. Two Targets for Hijacking
      • The Internet routing table
          – Influence how traffic flows by manipulating BGP
      • The Internet registry
          – Possibly manipulating BGP filters
          – Hide or change ownership details
  • 6. Internet Routing
      • Non-hierarchical
      • The internet registries only have limited control
          – It’s the operator who decides
          – We can only offer some guidance
      • Internet Routing Registry
          – Integrated in the RIPE Database
          – Ties together a prefix and an ASN
      • RPKI Certification
          – ROAs couple a prefix and an ASN
  • 7. Decision Making in Routing
      • Unless preferences dictate otherwise, a router will pick the shortest path
      • A more specific route will always take preference
      • Filtering is usually only done at the edge of the Internet
          – Filtering in the core of the Internet is far too complex and costly to achieve
      • Most filters are based on IP ranges
          – Input can come from the IRR
  • 8. [Diagram: ASes interconnected directly and through IXs; node labels 3, 6 and 1]
  • 9. [Same diagram; one AS announces “I have 193.0.0.0/19!”]
  • 10. [Same diagram; “I have 193.0.0.0/19!” and one other AS: “I know where 193.0.0.0/19 is”]
  • 11. [Same diagram; “I have 193.0.0.0/19!” and one other AS: “I know where 193.0.0.0/19 is”]
  • 12. [Same diagram; “I have 193.0.0.0/19!” and two other ASes: “I know where 193.0.0.0/19 is”]
  • 13. [Same diagram; “I have 193.0.0.0/19!” and three other ASes: “I know where 193.0.0.0/19 is”]
  • 14. [Same diagram; “I have 193.0.0.0/19!”]
  • 15. [Same diagram; “I have 193.0.0.0/19!”]
  • 16. [Same diagram; “I have 193.0.0.0/19!”]
  • 17. [Same diagram; “I have 193.0.0.0/19!” and another AS: “Haha, I have 193.0.3.0/24”]
  • 18. [Same diagram; “I have 193.0.0.0/19!” and another AS: “Haha, I have 193.0.3.0/24”]
  • 19. [Same diagram; “I have 193.0.0.0/19!” and another AS: “Haha, I have 193.0.3.0/24”]
  • 21. Hijacking in Order to Spam
      • Probably the easiest to do
          – You don’t need 100% coverage
          – Probably temporary anyway
          – You don’t care about identity or ownership
      • Find some space that is not in use
          – Registry can “guide” you to them
      • Find an upstream that does not filter
          – Or trusts what you tell them
  • 22. In Practical Terms
      • Look for older registrations or even better, look for something that is not registered at all
      • Maybe find an unused ASN to hide behind
      • Announce it on the Internet and do your thing
      • Role of the registries is very limited
          – We advise people to filter
          – Try to reclaim unannounced space
  • 23. Hijacking to Intercept
      • You are targeting space that is in use
          – The owner is much more likely to find out
          – You need to create a shorter or better AS path
      • Using a more specific creates a better path
          – Announce only the part you are interested in
      • Make sure you don’t create a blackhole
      • RIPE NCC provides tools that can spot these
  • 24. Injecting a Rogue Route [Diagram: AS topology; label: Target victim]
  • 25. Injecting a Rogue Route [Diagram: AS topology; labels: Inject, Target victim]
  • 26. Injecting a Rogue Route [Diagram: AS topology; labels: fake AS, Inject, Target victim]
  • 27. Injecting a Rogue Route [Diagram: AS topology; labels: fake AS, Inject, Target victim]
  • 28. Hijacking With the Intention to Sell
      • No need to fiddle with routing
      • Unregistered (legacy) space is probably the easiest to target
      • Registered space requires you to alter the RIPE Database
      • Amount of detail needed probably depends on who is buying it
  • 29. Protection and Prevention
  • 30. IPv4 Address Space Covered (pie chart): Legacy 15%, RIPE NCC 15%
  • 31. Internet Registry
      • All assignments and allocations made by the RIPE NCC are protected by us
      • Attempts to modify data are monitored and immediately acted upon
      • Virtually impossible to steal registered space from the perspective of the Database
      • Routing does not depend on registry information
  • 32. RIPE Database
      • Strong protection using MD5 hashed passwords or PGP public/private key pairs
      • Only authenticated users can update or change information
      • Creation of so-called route objects verified by password of both the IP and ASN holders
      • It is a public database!
  • 33. Internet Routing Registry
      • Combination of ASN and IP resources
          – “This space is announced by this AS”
      • Can be used to set up and maintain filters
          – Used by a number of larger operators
          – Only accept a route from a customer when properly registered
          – Blocks the injection of false routing information
      • Use of the IRR is voluntary
  • 34. Internet Routing Registry (2)
      • Not all address space is covered
      • Not everything in the IRR is accurate
          – Stale information can be a problem
          – Manual overrides happen all the time
      • It is a distributed system
          – 14 databases that mirror each other
          – Verification and authentication methods vary between those databases
  • 35. Routing Information Service
      • We operate a number of route collectors
          – Thousands of networks feed us their view of the world
          – Provides a global view of the Internet
      • Information collected in a central database
          – Provides historic and real time information
          – Information is publicly accessible
      • Information can be used to monitor your space
      • Can also be used to find unused address blocks
  • 36. IS Alarms Service
      • Tool to monitor the Internet routing table
          – Using RIS as a source
      • Track changes in origin or transit AS for a given prefix
      • If a rogue route is detected, an alarm is raised to the operator either via email or syslog
      • Can catch a lot of errors and hijack attempts
  • 37. Routing Registry Consistency Check
      • Compares the IRR and RIS
      • Highlights the mismatches in origin AS
      • Operator can choose from two options:
          – Fix the IRR to match routing
          – Fix the routing to match the IRR
      • Does not prevent or correct any hijacking but improves data quality in the IRR
  • 38. Certification
      • The idea came from the routing community
          – Secure InterDomain Routing (SIDR) WG in IETF
      • Route Origination Authorization (ROA)
          – Ties a specific prefix to an ASN
          – “Improved” version of the route object
      • Verified by the address holder
          – Registry is the trust anchor
          – Allows for better control compared to IRR
  • 39. Certification (2)
      • More and easier integration with the routing layer
          – Compared to the IRR system using the database
      • Should have less stale information
          – Turned out to still be error prone
      • Use is entirely voluntary
          – How to handle invalids is up to the operator
      • Quality of the RPKI data will influence the speed of adoption amongst operators
  • 40. Certification (3)
      • Current guidelines are to alter preference:
          – Always prefer valid over invalid routes
      • Right now can only verify the origin of the route
          – Catches a lot of mistakes
          – “Path validation” added in the future
      • Filtering only becomes an option when everybody uses the system correctly
  • 41. Injecting a Rogue Route [Diagram: AS topology; labels: Inject, X, Target victim]
  • 42. Legacy Is the Easy Victim (pie chart): RIPE NCC 15%, Other IANA 14%, APNIC 20%, Legacy 15%, AfriNIC 2%, LACNIC 4%, ARIN 30%
  • 43. Legacy Space
      • The most likely target for any form of hijacking or other abuse:
          – Not covered by the registry or stale information
          – Not covered by RPKI
          – More likely to not be used on the Internet
      • Project underway to bring these resources into the registry
          – Registration is free of charge
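
The origin check described on slides 38 to 40, as an added example (not code from the slides or from RIPE NCC tooling): it classifies announcements as valid, invalid or not-found against ROAs following RFC 6811, then compares the "prefer valid over invalid" guideline with dropping invalids for the more-specific announcement from slides 7 and 17. The AS numbers, the ROA and its maximum length, and all function names are constructed for illustration; AS-path length and other tie-breakers are ignored.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network
    max_length: int  # longest prefix length the holder authorises
    asn: int         # the only AS allowed to originate it

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin: int      # origin AS seen in the announcement

def validate(route, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    covered = False
    for roa in roas:
        # A ROA covers a route whose prefix is equal to or inside the ROA prefix.
        if route.prefix.subnet_of(roa.prefix):
            covered = True
            if route.origin == roa.asn and route.prefix.prefixlen <= roa.max_length:
                return "valid"
    # Covered but never matched: wrong origin or too specific.
    return "invalid" if covered else "not-found"

RANK = {"valid": 0, "not-found": 1, "invalid": 2}

def select_route(dest, rib, roas, policy):
    """Return (route, state) used to forward to dest, or None.

    policy 'prefer-valid': invalid routes stay in the table, ranked last
                           among routes for the same prefix.
    policy 'drop-invalid': invalid routes are rejected on import.
    """
    addr = ipaddress.ip_address(dest)
    candidates = []
    for route in rib:
        state = validate(route, roas)
        if policy == "drop-invalid" and state == "invalid":
            continue
        if addr in route.prefix:
            candidates.append((route, state))
    if not candidates:
        return None
    # Forwarding is longest-prefix match first; validation state only
    # breaks ties between routes for the same prefix.
    return min(candidates, key=lambda c: (-c[0].prefix.prefixlen, RANK[c[1]]))

def net(text):
    return ipaddress.ip_network(text)

# Constructed sample data: prefixes from the slides, documentation ASNs.
ROAS = [ROA(net("193.0.0.0/19"), 19, 64500)]
RIB = [
    Route(net("193.0.0.0/19"), 64500),     # holder's own announcement
    Route(net("193.0.0.0/19"), 64511),     # same prefix, wrong origin
    Route(net("193.0.3.0/24"), 64511),     # more specific, wrong origin
    Route(net("198.51.100.0/24"), 64499),  # no ROA covers this prefix
]

if __name__ == "__main__":
    for route in RIB:
        print(route.prefix, f"AS{route.origin}", validate(route, ROAS))
    for policy in ("prefer-valid", "drop-invalid"):
        route, state = select_route("193.0.3.7", RIB, ROAS, policy)
        print(policy, "->", route.prefix, f"AS{route.origin}", state)
```

With preference alone, the invalid /24 still carries traffic for 193.0.3.7 because it is the only route for that longer prefix; only rejecting invalid routes returns the traffic to the /19.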