Agenda
• BGP & Internet 101
• Old Hijackings
• The main monkey business
  - MITM method, explained
  - Graphs, etc
  - Live Demo
BGP 101
How is the Internet 'glued' together?
• No central "core"
• Individual networks (identified by ASN) interconnect and "announce" IP space to each other
• Announcement contains IP prefix, AS-PATH, communities, other attributes
• AS-PATH is a list of who has passed the announcement along; used to avoid loops (important for our method)
• Fundamental tenet in IP routing: More-specific prefixes will win
  - e.g. 10.0.0.0/24 wins over 10.0.0.0/8
On Prefixes…
• Internet routing is inherently trust-based
  - No "chain of trust" in IP assignments
• ICANN assigns space to Regional Internet Registries (RIRs - ARIN/RIPE/AFRINIC)
• RIRs assign to ISPs or LIRs (in RIPE region)
• No association between ASN and IP for most assignments (except RIPE)
• Customer:
  - Often unfiltered BGP: max-prefix and sometimes ASPATH
  - Smaller carriers and smaller customers
  - static prefix-list, emails or phone calls to update
• Verification by "whois"
• Peer:
  - Typically none beyond max-prefix and scripts to complain when announcing something they shouldn't (rare)
  - Many don't even filter their own internal network routes coming from external peers
An IRR Update
…Which Should Have Been Questioned

From: db-admin@altdb.net
To: xxx@wyltk-llc.com
ReplyTo: db-admin@altdb.net
Subject: Forwarded mail.... (fwd)
Sent: Aug 7, 2008 9:48 PM

Your transaction has been processed by the IRRd routing registry system.

Diagnostic output:
-----------------------------------------------------------
The submission contained the following mail headers:

From: xxx@wyltk-llc.com
Subject: Forwarded mail.... (fwd)
Date: Thu, 7 Aug 2008 21:48:53 -0400 (EDT)
Msg-Id: <Pine.LNX.xxx@wyltk-llc.com>

ADD OK: [route] 24.120.56.0/24 AS26627
----------------------------------------
If you have any questions about ALTDB, please send mail to db-admin@altdb.net.
Criminality
• If nobody is using it, is it really illegal?
• IP prefix is just a number
• No prosecutions for non-malicious announcements that we are aware of
• Worst case scenario for non-malicious hijack: ARIN/RIPE pull PTR records and transits shut you off (eventually)
How-To Hijack
• Full hijacking, apparent authority to announce
  - This was cool in 2001
  - Find IP Network (using whois) with contact email address in @hotmail.com or at domain that has expired
  - Register domain/email
  - Change contact
Historical Hijackings
• AS7007 - '97, accidental bgp->rip->bgp redistribution broke Internet (tens of thousands of new announcements filled router memory, etc)
• 146.20/16 - Erie Forge and Steel (how apropos)
• 166.188/16 - Carabineros De Chile (Chile Police) - hijacked twice, by registered "Carabineros De Chile LLC, Nevada Corporation"
• More details available on completewhois.com
• Accidental hijackings happen frequently - low chance of getting caught

• Pakistan's government decides to block YouTube
• Pakistan Telecom internally nails up a more specific route (208.65.153.0/24) out of YouTube's /22 to null0 (the router's discard interface)
• Somehow redists from static to bgp, then to PCCW
• Upstream provider sends routes to everyone else…
• Most of the net now goes to Pakistan for YouTube, gets nothing!
• YouTube responds by announcing both the /24 and two more specific /25s, with partial success
• PCCW turns off Pakistan Telecom peering two hours later
• 3 to 5 minutes afterward, global bgp table is clean again
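The incident above follows directly from longest-prefix match, and the prefix owner can detect it by watching for overlapping announcements with an unexpected origin. The following is an added example, not part of the original slides; the ASNs are documentation values (RFC 5398) standing in for the real networks, and the /22 is computed as the covering prefix of the /24 named above.

```python
import ipaddress

# Constructed data: the /24 is the prefix named in the slides, the /22 is
# computed as its covering prefix, and the ASNs are documentation values
# (RFC 5398) standing in for the real networks.
LEAKED = ipaddress.ip_network("208.65.153.0/24")
COVERING = LEAKED.supernet(new_prefix=22)
OWNER_AS, OTHER_AS = 64500, 64501
MONITORED = {COVERING: {OWNER_AS}}          # prefix -> legitimate origin ASNs

def best_route(rib, address):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(address)
    covering = [r for r in rib if addr in r["prefix"]]
    return max(covering, key=lambda r: r["prefix"].prefixlen, default=None)

def check_announcement(prefix, as_path, monitored=MONITORED):
    """Alert when a route overlapping a monitored prefix has an unlisted origin."""
    prefix = ipaddress.ip_network(prefix)
    origin = as_path[-1]                     # origin AS is the last AS_PATH entry
    for mine, origins in monitored.items():
        if origin in origins or prefix.version != mine.version:
            continue
        if prefix == mine:
            return f"ORIGIN-MISMATCH {prefix} via AS{origin}"
        if prefix.subnet_of(mine):
            return f"MORE-SPECIFIC {prefix} inside {mine} via AS{origin}"
    return None

def replay():
    """Replay the three phases of the incident for one address in the /24."""
    target = str(LEAKED.network_address + 238)
    rib = [{"prefix": COVERING, "as_path": [64510, OWNER_AS]}]
    before = best_route(rib, target)["as_path"][-1]
    rib.append({"prefix": LEAKED, "as_path": [64510, 64511, OTHER_AS]})
    during = best_route(rib, target)["as_path"][-1]
    alert = check_announcement(str(LEAKED), [64510, 64511, OTHER_AS])
    # The owner's response: its own /24 plus the two /25 halves.
    for p in [LEAKED, *LEAKED.subnets(prefixlen_diff=1)]:
        rib.append({"prefix": p, "as_path": [64510, OWNER_AS]})
    after = best_route(rib, target)["as_path"][-1]
    return before, during, alert, after

if __name__ == "__main__":
    print(replay())
```

The /25 response only wins on routers that accept prefixes longer than /24, which is why the slides describe it as a partial success.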
Of Interest…
IP Hijacking BoF
• Un-official event at NANOG conference
• We test security of Internet routing infrastructure
• Recent exercises:
  - Hijacked 1.0.0.0/8: 90% success
  - Hijacked 146.20.0.0/16: 95% success
  - Attempted to announce networks longer than /24: from /25 down to /32 with cooperation of large CDN's. 40% successful overall
• Endpoint enumeration - direct discovery of who and what your network talks to
• Can be accomplished globally, any-to-any
• How would you know if this isn't happening right now to your traffic at DEFCON?

Then it clicked - use the Internet itself as reply path, but how?
[Diagram: AS-level topology showing the target ASN and neighboring ASes]
 2 12.87.94.9 [AS 7018] 8 msec 8 msec 4 msec
 3 tbr1.cgcil.ip.att.net (12.122.99.38) [AS 7018] 4 msec 8 msec 8 msec
 4 ggr2.cgcil.ip.att.net (12.123.6.29) [AS 7018] 4 msec 8 msec 4 msec
 5 192.205.35.42 [AS 7018] 8 msec 4 msec 8 msec
 6 cr2-loopback.chd.savvis.net (208.172.2.71) [AS 3561] 16 msec 12 msec *
 7 cr2-pos-0-0-5-0.NewYork.savvis.net (204.70.192.110) [AS 3561] 28 msec 32 msec 32 msec
 8 204.70.196.70 [AS 3561] 28 msec 32 msec 32 msec
 9 208.175.194.10 [AS 3561] 32 msec 32 msec 32 msec
10 gig5-1.esw03.las.switchcommgroup.com (66.209.64.186) [AS 23005] 88 msec 88 msec 84 msec
11 66.209.64.85 [AS 23005] 88 msec 88 msec 88 msec
12 gig0-2.esw07.las.switchcommgroup.com (66.209.64.178) [AS 23005] 84 msec 84 msec 88 msec
13 acs-wireless.demarc.switchcommgroup.com (66.209.64.70) [AS 23005] 88 msec 88 msec 88 msec

Hijacked:

 2 12.87.94.9 [AS 7018] 8 msec 8 msec 4 msec
 3 tbr1.cgcil.ip.att.net (12.122.99.38) [AS 7018] 4 msec 8 msec 8 msec
 4 ggr2.cgcil.ip.att.net (12.123.6.29) [AS 7018] 4 msec 8 msec 4 msec
 5 192.205.35.42 [AS 7018] 8 msec 4 msec 8 msec
 6 cr2-loopback.chd.savvis.net (208.172.2.71) [AS 3561] 16 msec 12 msec *
 7 cr2-pos-0-0-5-0.NewYork.savvis.net (204.70.192.110) [AS 3561] 28 msec 32 msec 32 msec
 8 204.70.196.70 [AS 3561] 28 msec 32 msec 32 msec
 9 208.175.194.10 [AS 3561] 32 msec 32 msec 32 msec
10 gig5-1.esw03.las.switchcommgroup.com (66.209.64.186) [AS 23005] 88 msec 88 msec 84 msec
11 66.209.64.85 [AS 23005] 88 msec 88 msec 88 msec
12 gig0-2.esw07.las.switchcommgroup.com (66.209.64.178) [AS 23005] 84 msec 84 msec 88 msec
13 acs-wireless.demarc.switchcommgroup.com (66.209.64.70) [AS 23005] 88 msec 88 msec 88 msec
In conclusion
• We learned that any arbitrary prefix can be hijacked, without breaking end-to-end
• We saw it can happen nearly invisibly
• We noted the BGP as-path does reveal the attacker
• Shields up; filter your customers.
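The gap between the customer filtering described earlier (max-prefix only) and the "filter your customers" advice can be shown by running the same announcements through both policies. This is an added example, not part of the original slides; the customer policy, prefixes and ASNs are constructed documentation values (RFC 5737 / RFC 5398).

```python
import ipaddress

# Constructed policy for a hypothetical customer BGP session. Prefixes and
# ASNs are documentation values (RFC 5737 / RFC 5398), not from the slides.
POLICY = {
    "neighbor_as": 64500,
    "max_prefix": 100,                              # count-only control
    "prefix_list": {"198.51.100.0/24": 24,          # registered prefix -> longest
                    "203.0.113.0/24": 24},          # prefix length accepted
    "path_asns": {64500, 64501},                    # customer and its downstream
}

def evaluate(policy, prefix, as_path):
    """Return (accepted, reason) for one announcement under strict filtering."""
    net = ipaddress.ip_network(prefix)
    if not as_path or as_path[0] != policy["neighbor_as"]:
        return False, "first AS is not the neighbor"
    unexpected = sorted(set(as_path) - policy["path_asns"])
    if unexpected:
        return False, f"unexpected AS in path: {unexpected}"
    for entry, longest in policy["prefix_list"].items():
        if net.subnet_of(ipaddress.ip_network(entry)):
            if net.prefixlen > longest:
                return False, f"longer than /{longest}"
            return True, "in prefix-list"
    return False, "not in prefix-list"

def filter_session(policy, announcements, strict):
    """Apply max-prefix alone (strict=False) or with prefix and AS-path filters."""
    accepted = []
    for prefix, as_path in announcements:
        if len(accepted) >= policy["max_prefix"]:
            break                                   # session limit reached
        if not strict or evaluate(policy, prefix, as_path)[0]:
            accepted.append(prefix)
    return accepted

ANNOUNCEMENTS = [                                   # constructed sample input
    ("198.51.100.0/24", [64500]),                   # customer's own space
    ("203.0.113.0/24", [64500, 64501]),             # downstream's space
    ("192.0.2.0/24", [64500]),                      # space the customer does not hold
    ("198.51.100.128/25", [64500]),                 # more specific than registered
    ("203.0.113.0/24", [64500, 64511]),             # unknown AS behind the customer
]

if __name__ == "__main__":
    print("max-prefix only:", filter_session(POLICY, ANNOUNCEMENTS, strict=False))
    print("with filters:   ", filter_session(POLICY, ANNOUNCEMENTS, strict=True))
```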
Thanks & Praise
• Felix "FX" Lindner
• Jay Beale
• Dan Kaminsky
• Defcon Speaker Goons & Staff
• Todd Underwood