Lucene search

K
myhack58佚名MYHACK58:62201565915
HistoryAug 19, 2015 - 12:00 a.m.

BlackHat topic analysis: analysis of BGP hijacking exploit-vulnerability warning-the black bar safety net

2015-08-1900:00:00
佚名
www.myhack58.com
15
bgp hijacking
exploit vulnerability
blackhat conference
routing information exchange
as system
prefix hijacking
subprefix hijack
internet path design
trust network
denial of service
man in the middle attacks
unencrypted session
isp
tls encryption method

BGP hijacking in 2 0 0 8 years defcon conference once involved, however, in 2 0 1 5 year’s blackhat has been selected as the subject, visible the seriousness of the problem, frozen three feet, a cold, BGP hijacking issues to organizations around the world work together to solve it.
0×0 0 what is a BGP
BGP for different Autonomous system AS the exchange between the Routing Information. When the two AS need to Exchange Routing Information, each AS must specify a run BGP node, to represent the AS with other of the AS Exchange Routing Information. This node can be a host. But usually is the router to perform BGP.
Due to the possible and different AS is connected, in a The AS internal there may be multiple running BGP border router. The same Autonomous system(AS)of the two or more peer entities between running BGP is called IBGP Internal/Interior BGP is. These sub-networks connected to each other through the BGP Protocol to tell each other their own sub-network in which IP addresses and their AS number, AS Number and some other information.
Here again to be ripped to the Internet IP address allocation. The Internet IP address allocation is centralized, ICANN is the mechanism of the IP address segment allocated to Regional Internet Registries(the RIRS, the Regional Internet Registries. The RIRS then put the IP address of the segment after the breakdown points to the ISP.
In most cases, AS the Number and points to the AS what IP segment is not any relationship.
BGP Protocol although there are some simple security authentication part, but for the two has been successfully established BGP connection AS to say, the basic will unconditionally believe in each other AS the information coming, including the other claims to have the IP address range.
For the ISP assigned to the large corporate clients of the addresses, the ISP will often BGP do some limited filtering. But for a large ISP, because the other party has the IP address of the segment may be too dispersed, it is generally according to the maximum range set the BGP prefix address filter. Generally the ISP assigned to the IP address segments are continuous, but substantially also has a operation space, can put hundreds to a few million does not own the IP of a legitimate addition to their own BGP information.
Similar problem in the clouds on a relatively good explanation, the transfer gate
0×0 1 BGP hijacking overview
We put BGP hijacking divided into two categories
1,Prefix hijacking
prefix hijacking, when the victim is legitimate to assign IP prefix when the hijacking AS to apply the same prefix, counterfeiting of the BGP statement from the hijack AS, a message by the routing system to spread, the other AS with the local strategy to select legitimate AS the route or fake BGP route.
! [](/Article/UploadPic/2015-8/2 0 1 5 8 1 9 0 5 3 2 4 2 4 0. png)
2,the subprefix hijack
Using a subprefix hijack, the attacker can intercept the victim IP all the traffic, hijack AS to create a victim IP prefix. subprefix, so the prefix will be the victim IP prefix covering.
2 0 0 8 years 2 months 2 to 4 November, Pakistan telecommunications company attack so that Youtube can not be accessed is to such attacks.
! [](/Article/UploadPic/2015-8/2 0 1 5 8 1 9 0 5 3 2 4 6 3 3. png)
The Internet of the path design is based on the trust network provider to communicate with each other, which makes the unintentional leakage path becomes difficult to solve. However(BGP border gateway hijacking is not being valued, although all know it can lead to denial of service, man in the middle attacks and steal unencrypted session, but with a strong TLS encryption method popularity, the attacker contacts to important data becomes more and more impossible, so the hijacking is a good way.
BGP hijack due to ISP Internet service provider before forwarding without filtering from a peer node of the prefix statement. Once an attacker get the peer node of the permissions, he can let the other peer node broadcasting any prefix, hijacking the previous node and the upstream ISP
0×0 2 globalization and local hijacking
Hijacking and leakage is usually considered by hackers, the government hired personnel to initiate the specific activities it does not happen often, it seems to me they are really rare, since people the wrong operation so that the leakage path can be seen everywhere, however why hackers have ignored they can steal the prefixs of the possibilities.
A large ISP has measures to prevent hijacking, but from the point of view is not so useful, a small ISP don’t care about prefix filtering problem. Because of this the ISP will always meet the network application, even if the border is very fragile. On a technical hacker, hack into an ISP, feel free to modify the statement is not very difficult. However, in my opinion, it is hardly unwarranted to happen.
For example
1, AS-A to its upstream AS-C statement X. Y. Z. 0/22
2, AS-M to its upstream AS-B declares X. Y. Z. 0/23
3, the ISP default path is provided upstream, and then use the local network replace it, in such a scenario, the local path will be higher than other networks. In this case the path/2 3 will be path/2 2 instead.
4, all communication packets are transmitted via the AS-B is sent to the AS-M
The transmission way of the intermediate device are to select the shortest path to that, however, AS the distance between The can be hack modification, the attacker has hijacked all the goals AS the traffic. In order to get back the data packets through your router, you need to record a trace route to the target network after which AS. Use AS-PATH prepend list to include these AS Number, set the static route to the traceroute appeared first ASN
0×0 3 The hijacking of a CA certificate authority certificate
Through TLS the CA for the user to obtain a TLS certificate process is as follows
1,First at CA Web application for an account
2,the authentication login request CSR certificate signing request is created and loaded, although this is important, some of CA even allowed to skip this step directly from the CA to take the private key
3,the CA offers a lot of options to authenticate the user ownership
Query whois records,
To load a specific html in a specific url by the authentication
The user in the dns table to build a custom token
4,when confirming the ownership, the user payment, the CA issued the TLS authentication, then you can use this CA certificate to your web page to the user to prove identity.
If we choose the right CA, the BGP hijacking interrupted CA between the call could not be found.
The victims of the server and the client are in the United States, but the prefix has been hijacked in China, and then we can pretend the victim in this CA there is no reliable authentication, or posing a WHOIS authentication server to obtain the target domain of legitimate TLS authentication. This process up to 5 to 1 0 minutes, after the attacker stops the statement the victim’s prefix, only in this time period in order to find the exception. Although this CA from the victim is quite far away, but certificates are in global scope, so this move around the world are feasible.
To achieve such an attack you need only two
1, one can control the boundary routing
2 You BGP node information: it is the customer, the provider, the node information, the public service similar Qrator Radar or BGP listener. Spend an hour of the confirmation of these fundamental information, ASpath trace route, etc.
0×0 4 How to prevent attacks
There are many monitoring system BGPmon, the Qrator Radar will notify the victim prefix is hijacked, but the important point is this, and CA nothing to do.
RFC 7 4 6 9 http public key extension, taking into account the problem to the https statement, it is a good concept, but
1,like the BGPsec just as it is currently just a concept,
2,This is another alternative, to put the question of the key points from the CA transferred to the customer
Other measures include the browser platforms, including firefox authentication patrols, and to completely solve this problem, we must break the TLS PKI or Internet Routing. But both are difficult to have too big change, the new PKI concepts such as DNS-based real-name authentication is the same to us to provide solutions to ideas.
This is not about vulnerabilities in software is the concept of the defect, the Internet Routing shouldn’t be based on trust, we increasingly recognize that it is wrong at the same time, but also for the security of the Internet looking for ideas, and not in a hurry to use them.