On Mon, Jun 5, 2017 at 12:28 PM, Mel Beckman <m...@beckman.org> wrote:
> Chris,
>
> I didn’t research Ron’s specific example. I was speaking in generalities.
> I’m assuming any BGP hijacker already has two or more DIA connections. It
> only costs $100 to add BGP peering to that setup. Yes, they will need an
> ASN. I was only
>

most times i've seen isp DIA links bgp was 'free' or had been..

> talking about the cost of adding an upstream BGP session.
>

ok. so either free or some up-charge by the isp.

>
> -mel
>
> On Jun 5, 2017, at 9:03 AM, Christopher Morrow <morrowc.li...@gmail.com> wrote:
>
>> On Mon, Jun 5, 2017 at 7:05 AM, Mel Beckman <m...@beckman.org> wrote:
>>
>>> One way is for the hijacker to simply peer with himself. The hijacker has
>>> an existing peering arrangement with, say, AT&T. He then tells AT&T that he
>>> will be transit for ASxxxx advertising XYZ routes, by dint of a cheerfully
>>> forged LOA. Once filters have been updated, the hijacker advertises the
>>> space to himself, and then from thence to AT&T.
>>
>> that doesn't seem to be what's happening in ron's example though...
>>
>> it looks, to me, like the example ron has is more a case of:
>>   1) register contacts for lost asn (AS34991)
>>   2) set up equipment/etc at an IX (bulgaria-ix it seems, at least) with
>>      another shill/lost-child asn (AS206776)
>>   3) start doing the bgps with the IX fabric's route-server
>>   4) profit (or something)
>>
>> so here the IXP operator (balkans ix actually?)
>>   http://lg.bix.bg/?query=summary&addr=&router=rs1.bix.bg+%28IPv4%29
>>   (search for 206776 -> http://lg.bix.bg/?query=bgp&addr=neighbors+193.169.198.191&router=rs1.bix.bg+(IPv4))
>>
>> should probably look more than just side-eyes at their customer...
>>
>>> It's no great trick getting peering set up. Just fill out a ten-question
>>> BGP app and pay a one-time fee of maybe $100, and you're done.
>>
>> err, you'll have to better explain this I think.
>>
>> Are you saying: "get an ASN from RIR that costs 100USD" (might, probably
>> does)
>>
>> this doesn't get you a peering/transit contract though...
>>
>> -chris
>>
>>> -mel beckman
>>>
>>> On Jun 5, 2017, at 3:56 AM, Ronald F. Guilmette <r...@tristatelogic.com> wrote:
>>>
>>>> The more I know, the less I understand.
>>>>
>>>> Maybe some of you kind folks can help.
>>>>
>>>> Please explain for me the following scenario, and how this all actually
>>>> works in practice.
>>>>
>>>> Let's say that you're a malevolent Bad Actor and all you want to do is
>>>> to get hold of some ASN that nobody is watching too closely, and then
>>>> use that to announce some routes to some IPv4 space that nobody is
>>>> watching too closely, so that you can then parcel out that IP space
>>>> to your snowshoe spammer pals... at least until somebody gets wise.
>>>>
>>>> OK, so you pull down a copy of, say, the RIPE WHOIS database, and you
>>>> programmatically walk your way through it, looking for contact email
>>>> addresses on ASN records where the domain of the contact email address
>>>> has become unregistered. Say for example the one for AS34991. So
>>>> then you re-register that contact domain, fresh, and then you start
>>>> telling all of your friends and enemies that you -are- AS34991.
>>>>
>>>> That part seems simple enough, and indeed, I've seen -this- part of the
>>>> movie several times before. However once you have stepped into the
>>>> identity of the former owners of the ASN, if you then want to actually
>>>> proceed to -announce- some routes, and actually have those routes make
>>>> it out onto the Internet generally, then you still have to -peer- with
>>>> somebody, right?
>>>>
>>>> So, I guess then, if you're clever, you look and see who the ASN you've
>>>> just successfully hijacked has historically peered with, and then you
>>>> somehow arrange to send route announcements to those guys, right?
>>>> (I'm talking about AS206776 and AS57344 here, BTW.)
>>>>
>>>> But see, this is where I get lost. I mean how do you push your route
>>>> announcements to these guys? (I don't actually know that much about
>>>> how BGP actually works in practice, so please bear with me.) How do
>>>> you know what IP address to send your announcements to? And if you are
>>>> going to push your route announcements out to, say, the specific routers
>>>> that are run by AS206776 and AS57344, i.e. the ones that will send your
>>>> desired route announcements out to the rest of the Internet... well..
>>>> how do you find out the IP addresses of those routers on those other
>>>> networks? Do you call up the NOCs at those other networks and do a bit
>>>> of social engineering on them to find out the IP addresses you need to
>>>> send to? And can you just send BGP messages to the routers on those
>>>> other networks without -any- authentication or anything and have those
>>>> routers just blindly accept them -and- relay them on to the whole rest
>>>> of the Internet??
>>>>
>>>> I've read article after article after article bemoaning the fact that
>>>> "BGP isn't secure", but now I'm starting to wonder just how massively
>>>> and unbelievably unsecure it actually is. I mean would these routers
>>>> being run by AS206776 and AS57344 just blindly accept -any- route
>>>> announcements sent to them from literally -any- IP address? (That seems
>>>> positively looney tunes to me! I mean things can't really be THAT
>>>> colossally and unbelievably stupid, can they?)
>>>>
>>>> Thanks in advance for any enlightenment.
>>>>
>>>>
>>>> Regards,
>>>> rfg
>>>>
>>>>
>>>> P.S. It would appear to be the case that since some time in April of this
>>>> year the "Bulgarian" network, AS34991, had evinced a rather sudden and
>>>> pronounced affinity for various portions of the IPv4 address space nominally
>>>> associated with the nation of Colombia, including at least five /24 blocks
>>>> within 168.176.0.0/16 which, from where I am sitting, would appear to belong
>>>> to the National University of Colombia.
>>>>
>>>> Oh well. They apparently haven't been missing those five gaping holes in
>>>> their /16 since the time the more specifics started showing up in April.
>>>>
>>>> And anyway, so far it looks like the new owners of AS34991 haven't actually
>>>> sub-leased any of those /24s to any spammers yet. Only the 190.90.88.0/24
>>>> block seems to be filled, wall-to-wall, with snowshoe spammers so far.
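The check that Chris says the IXP operator "should probably" be doing, and that the holder of 168.176.0.0/16 could run against a looking-glass dump, is route origin validation: compare each announced prefix and its origin AS against a table of who is authorized to originate what. The script below is an added illustration of that check and is not code from this thread or from any of its participants. The authorization table and the RIB lines are constructed for the example; the /24s under 168.176.0.0/16 and the 190.90.88.0/24 block are the ones Ron mentions, while AS64496 is an RFC 5398 documentation ASN standing in for the /16's legitimate holder, whose real ASN the thread does not give.

```python
"""RFC 6811 style origin validation over a constructed RIB snapshot.

Added example, not code from the mailing-list thread.  It classifies
each (prefix, origin AS) pair as valid / invalid / notfound against a
ROA-like authorization table and then groups the invalid announcements
by origin AS, which is the view an IXP route-server operator or a prefix
holder would want when a re-registered ASN starts originating
more-specifics out of somebody else's aggregate.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """One authorization: origin_as may originate prefix down to max_length."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int


# Constructed authorizations.  AS64496 (documentation ASN) is a placeholder
# for the real holder of 168.176.0.0/16; max_length 16 means no more-specific
# of the aggregate is authorized, which is the common conservative choice.
ROAS = [
    Roa(ipaddress.ip_network("168.176.0.0/16"), 16, 64496),
]

# Constructed RIB snapshot in the form "prefix origin_as", modelled on what a
# route-server looking glass summarises.  AS34991 is the ASN from the thread.
RIB_LINES = """
# prefix          origin
168.176.0.0/16    64496
168.176.10.0/24   34991
168.176.11.0/24   34991
190.90.88.0/24    34991
203.0.113.0/24    64497
""".strip().splitlines()


def parse_rib(lines):
    """Turn 'prefix origin' text lines into (IPv4Network, int) tuples."""
    routes = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, origin = line.split()
        routes.append((ipaddress.ip_network(prefix), int(origin)))
    return routes


def validate(prefix, origin_as, roas=ROAS):
    """Return 'valid', 'invalid' or 'notfound' (RFC 6811 section 2 semantics).

    notfound: no ROA covers the prefix at all (nobody has asserted anything).
    valid:    some covering ROA names this origin and allows this length.
    invalid:  covering ROAs exist but none matches origin and length.
    """
    if isinstance(prefix, str):
        prefix = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)]
    if not covering:
        return "notfound"
    for r in covering:
        if r.origin_as == origin_as and prefix.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def audit(lines=RIB_LINES, roas=ROAS):
    """Classify every route in the snapshot; list of (prefix, origin, state)."""
    return [(str(p), o, validate(p, o, roas)) for p, o in parse_rib(lines)]


def suspicious_origins(lines=RIB_LINES, roas=ROAS):
    """Map each origin AS to the sorted list of prefixes it announced as 'invalid'."""
    by_origin = {}
    for prefix, origin, state in audit(lines, roas):
        if state == "invalid":
            by_origin.setdefault(origin, []).append(prefix)
    return {origin: sorted(v) for origin, v in by_origin.items()}


if __name__ == "__main__":
    for prefix, origin, state in audit():
        print(f"{prefix:<18} AS{origin:<6} {state}")
    for origin, prefixes in suspicious_origins().items():
        print(f"AS{origin} originates {len(prefixes)} invalid prefix(es): {prefixes}")
```

Note what the classification does and does not say: 190.90.88.0/24 comes back "notfound" rather than "invalid" because the constructed table has no authorization covering it, which is exactly why a route-server operator cannot rely on origin validation alone for space whose holder never published anything; for those, IRR route objects and the peer's LOA are what is left to check.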