How to wipe an ISP off the Internet

rico112

Active Member
Joined
Feb 22, 2010
Messages
58
I sometimes wonder where these headlines come from... Sensationalism...
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
Maybe a network engineer can clarify this for me: I always thought that BGP hijacking was only possible if the advertised BGP announcements were not filtered on the recipients/peers, thus allowing traffic to be diverted elsewhere. To me it almost sounds like IS lacked a certain level of security to protect themselves from hijacking of IP traffic.

I lack the in-depth knowledge of how this works, but the way this article is written, all I need is a router and then broadcast BGP....
 

Jan

Drifting in the black
Joined
May 24, 2010
Messages
4,847
Hardly wiped off the inherent?

At the bottom of the article you'll find IS essentially saying that there is a danger of the whole network being brought down.

Maybe a network engineer can clarify this for me: I always thought that BGP hijacking was only possible if the advertised BGP announcements were not filtered on the recipients/peers, thus allowing traffic to be diverted elsewhere. To me it almost sounds like IS lacked a certain level of security to protect themselves from hijacking of IP traffic.

I lack the in-depth knowledge of how this works, but the way this article is written, all I need is a router and then broadcast BGP....

I also thought there were safeguards, which is why IS's response was so surprising.
 

ponder

Honorary Master
Joined
Jan 22, 2005
Messages
86,014
This does not seem like malicious hijacking, more like a multiple origin AS conflict due to fat finger syndrome.
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
Maybe MyBB or someone with more technical knowledge can post a brief (or long) description of how this was possible. In simplistic terms (for the non-network-gurus like me) it would be comparable to having two servers with the same IP - I do however appreciate the fact that in the BGP world of things there should be failsafes in place to avoid fat-finger syndrome.
 

daffy

Expert Member
Joined
Jun 24, 2004
Messages
1,131
There should be safeguards for this sort of thing. But in the majority of cases there aren't.

It's very easy to bring up a BGP peer with a provider, but fine-tuning and maintaining a list of prefixes (addresses) that should be accepted requires constant maintenance.

Here's how it should work:
1) Customer brings up BGP session with ISP. Customer provides ISP with a list of prefixes that belong to customer.
2) ISP builds a prefix-list and applies it to the Customer's BGP session.
-) Should Customer announce anything outside of the agreed prefix list (malicious or fat-fingered), ISP will ignore it.
If the customer gets another block of IPs, they notify the ISP of this, and ISP updates their prefix list. ISP then needs to inform its upstream carriers to get them to accept the new prefix too (most of the time, multiple upstream ISPs).

Here's how it works most of the time:
1) Customer brings up BGP session with ISP. Customer provides ISP with a list of prefixes that belong to customer.
2) ISP ignores prefix list. Network Engineer is happy enough that packets are flowing, so he calls it a day.
-) Should Customer announce anything outside of the agreed prefix list (malicious or fat-fingered), ISP accepts it and advertises it onwards.
 

Johand

Expert Member
Joined
Jan 21, 2005
Messages
1,582
Ummm.

The talk about "safeguards" above shows that nobody really understands what BGP is. BGP is used so routers know which networks are where on the internet. Inherently there is a trust relationship between routers advertising networks.

From what I understand it is simply a case of somebody misconfiguring the address range of the network advertised on BGP. That means other networks were not able to reach IS. It has nothing to do with IS's systems, or communication between IS and their clients.

And yes... it is possible for organisations to do this. But I would say it is a bigger version of assigning yourself a static IP address belonging to somebody else :) They will not last long because everybody will cut them off!
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
Ummm.

The talk about "safeguards" above shows that nobody really understands what BGP is. BGP is used so routers know which networks are where on the internet. Inherently there is a trust relationship between routers advertising networks.

From what I understand it is simply a case of somebody misconfiguring the address range of the network advertised on BGP. That means other networks were not able to reach IS. It has nothing to do with IS's systems, or communication between IS and their clients.

And yes... it is possible for organisations to do this. But I would say it is a bigger version of assigning yourself a static IP address belonging to somebody else :) They will not last long because everybody will cut them off!

That's not my understanding. I always thought (as @daffy also mentioned) that the "peering/recipient" partners of BGP announcements would filter based on prefixes.
 

magneto

Senior Member
Joined
Aug 3, 2005
Messages
748
bgp = i trust u , u trust me and we all happy :)

Wonder if they are using Cyclops for monitoring and notification?
It will report to you if someone other than your ASN is announcing your prefix(es), or if it/they is/are coming from another ISP other than your upstream ASN peer(s). Oh yes, and it's FREE.
 

ambo

Expert Member
Joined
Jun 9, 2005
Messages
2,682
That's not my understanding. I always thought (as @daffy also mentioned) that the "peering/recipient" partners of BGP announcements would filter based on prefixes.
Some do... many don't. It often becomes difficult to maintain filters when 1000s or even 100 000s of routes are being exchanged between 2 ISPs, and humans are lazy.

In this case there is not a lot that IS could have done. IS do filter their network strictly but any other ISP that fails to filter correctly could be the cause of this kind of issue.

New mechanisms like RPKI have been developed to secure the routing protocols using cryptographic signatures. This however requires (once again) other networks to filter based on this data and reject the bad routes. Not yet very much of that happening.
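To make the two defences discussed in this thread concrete, here is an added example that is not from the thread or from any vendor: a small Python model of a BGP import policy. It does what daffy describes (a per-session prefix-list that permits only the customer's agreed blocks, with an implicit deny), what ambo describes (RPKI origin validation of an announcement against ROAs, with the "valid / invalid / not-found" outcomes of RFC 6811), and the check magneto attributes to Cyclops (alert when a prefix of yours is originated by a foreign ASN or reaches the collector via an AS that is not one of your upstreams). Every prefix, ASN and ROA below is a constructed documentation value; the `Announcement`, `PrefixListEntry` and `ROA` types and all function names are assumptions of this example.

```python
# Added example (not from the thread): toy model of a BGP import policy with a
# per-session prefix-list, RPKI origin validation, and a hijack monitor.
# All prefixes, ASNs and ROAs are constructed documentation values.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Announcement:
    prefix: str               # e.g. "198.51.100.0/24"
    origin_asn: int           # the AS that claims to originate the prefix
    as_path: Tuple[int, ...]  # left = nearest neighbour, right = origin


@dataclass(frozen=True)
class PrefixListEntry:
    prefix: str  # agreed block
    le: int      # longest prefix length accepted inside that block


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    asn: int


def _covered(announced: str, block: str) -> bool:
    """True if `announced` equals or lies inside `block` (same address family)."""
    a = ipaddress.ip_network(announced, strict=False)
    b = ipaddress.ip_network(block, strict=False)
    return a.version == b.version and a.subnet_of(b)


def prefix_list_permits(entries: Iterable[PrefixListEntry], announced: str) -> bool:
    """Per-session prefix-list: permit only agreed blocks (and sub-prefixes up to
    `le`); anything else hits the implicit deny, as on a real router."""
    plen = ipaddress.ip_network(announced, strict=False).prefixlen
    return any(_covered(announced, e.prefix) and plen <= e.le for e in entries)


def rpki_validate(roas: Iterable[ROA], ann: Announcement) -> str:
    """RFC 6811-style origin validation: 'valid', 'invalid' or 'not-found'."""
    plen = ipaddress.ip_network(ann.prefix, strict=False).prefixlen
    covering = [r for r in roas if _covered(ann.prefix, r.prefix)]
    if not covering:
        return "not-found"   # no ROA exists, so RPKI says nothing about it
    if any(r.asn == ann.origin_asn and plen <= r.max_length for r in covering):
        return "valid"
    return "invalid"         # a ROA covers it, but wrong origin or too long


def import_policy(session_prefix_list: Optional[List[PrefixListEntry]],
                  roas: List[ROA], announcements: List[Announcement]):
    """Return (accepted, rejected). session_prefix_list=None models the
    'ISP ignores prefix list' case: nothing is filtered at the session."""
    accepted, rejected = [], []
    for a in announcements:
        if (session_prefix_list is not None
                and not prefix_list_permits(session_prefix_list, a.prefix)):
            rejected.append((a.prefix, "prefix-list deny"))
            continue
        state = rpki_validate(roas, a)
        if state == "invalid":
            rejected.append((a.prefix, "rpki invalid"))
            continue
        accepted.append((a.prefix, state))  # 'valid' or 'not-found' are let through
    return accepted, rejected


def origin_alerts(my_prefixes: List[str], my_asn: int, my_upstreams: set,
                  observed: Iterable[Announcement]) -> List[Tuple[str, str]]:
    """Monitoring view: flag our prefixes when originated by a foreign ASN, or
    when the AS next to the origin is not one of our known upstreams."""
    alerts = []
    for a in observed:
        if not any(_covered(a.prefix, p) for p in my_prefixes):
            continue
        if a.origin_asn != my_asn:
            alerts.append((a.prefix, f"originated by AS{a.origin_asn}, expected AS{my_asn}"))
        elif len(a.as_path) >= 2 and a.as_path[-2] not in my_upstreams:
            alerts.append((a.prefix, f"seen via AS{a.as_path[-2]}, not a known upstream"))
    return alerts


# --- constructed scenario: a customer on AS64500 with one registered /24 ---------
CUSTOMER_ASN = 64500
SESSION_PREFIX_LIST = [PrefixListEntry("198.51.100.0/24", le=24)]
ROAS = [ROA("198.51.100.0/24", 24, 64500),   # customer's own block, signed
        ROA("203.0.113.0/24", 24, 64501)]    # somebody else's block
CUSTOMER_ANNOUNCES = [
    Announcement("198.51.100.0/24", CUSTOMER_ASN, (CUSTOMER_ASN,)),  # legitimate
    Announcement("198.51.10.0/24", CUSTOMER_ASN, (CUSTOMER_ASN,)),   # fat-finger typo
    Announcement("203.0.113.0/24", CUSTOMER_ASN, (CUSTOMER_ASN,)),   # someone else's space
]


def run_filtered():
    return import_policy(SESSION_PREFIX_LIST, ROAS, CUSTOMER_ANNOUNCES)


def run_unfiltered():
    return import_policy(None, ROAS, CUSTOMER_ANNOUNCES)


if __name__ == "__main__":
    print("filtered session:  ", run_filtered())
    print("unfiltered session:", run_unfiltered())
    print("alerts for AS64501:",
          origin_alerts(["203.0.113.0/24"], 64501, {64496}, CUSTOMER_ANNOUNCES))
```

With the prefix-list applied, only 198.51.100.0/24 gets through and both the typo and the foreign block are dropped at the session. Without it, the typo is accepted because no ROA covers it (RPKI returns "not-found"), and the foreign block is only stopped because its owner published a ROA and this router actually rejects "invalid" routes, which is exactly the dependency on other networks filtering that ambo points out.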
 

Paul Hjul

Honorary Master
Joined
Aug 31, 2006
Messages
14,902
Maybe MyBB or someone with more technical knowledge can post a brief (or long) description of how this was possible. In simplistic terms (for the non-network-gurus like me) it would be comparable to having two servers with the same IP - I do however appreciate the fact that in the BGP world of things there should be failsafes in place to avoid fat-finger syndrome.

the great hacker of Johannesburg is not a network guru?
say it isn't so?

just now you'll say you use Windows and didn't trade in your 486 (which boots up in a day and a half) for a Pentium
:D


On a more serious note:
I unfortunately suspect that there is a growing shortage of network gurus
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
the great hacker of Johannesburg is not a network guru?

Hahaha - I have a Mac and manage to get through life with Google & Wikipedia. Everything else I seem to stumble into which one way or another seems to get me into unpredictable trouble ;-)
 

ranger

Expert Member
Joined
May 2, 2007
Messages
2,060
There should be safeguards for this sort of thing. But in the majority of cases there aren't.

It's very easy to bring up a BGP peer with a provider, but fine-tuning and maintaining a list of prefixes (addresses) that should be accepted requires constant maintenance.

Here's how it should work:
1) Customer brings up BGP session with ISP. Customer provides ISP with a list of prefixes that belong to customer.
2) ISP builds a prefix-list and applies it to the Customer's BGP session.
-) Should Customer announce anything outside of the agreed prefix list (malicious or fat-fingered), ISP will ignore it.
If the customer gets another block of IPs, they notify the ISP of this, and ISP updates their prefix list. ISP then needs to inform its upstream carriers to get them to accept the new prefix too (most of the time, multiple upstream ISPs).

Here's how it works most of the time:
1) Customer brings up BGP session with ISP. Customer provides ISP with a list of prefixes that belong to customer.
2) ISP ignores prefix list. Network Engineer is happy enough that packets are flowing, so he calls it a day.
-) Should Customer announce anything outside of the agreed prefix list (malicious or fat-fingered), ISP accepts it and advertises it onwards.

Or:
1) ISP brings up BGP session with peering ISP. First ISP provides 2nd ISP with a list of prefixes that belong to customer.
2) 2nd ISP applies prefix list.
3) First ISP advertises new routes to all their peers, but forgets to notify all their peers of the new prefix lists, then migrates lots of traffic to the new prefixes.
4) 2nd ISP gets tired of paying for transit to get to peer, and removes the access list from the peering session (temporarily).
5) First ISP then makes a typo.
 