BGP Hijack and Mitigation

Border Gateway Protocol (BGP) is the routing protocol that connects autonomous systems (AS) all over the world. Normally, "BGP" means eBGP, which runs between different ASes. In contrast, iBGP is used for communication between the BGP routers inside a single AS.
Smaller ASes pay larger ASes (transit providers) to carry their traffic.
AS: An autonomous system (AS) is a network under one administration that announces its own routing prefixes. For example, the AS announcing '128.230.0.0/16' covers all addresses that share the same first 16 bits. Each AS has its own AS number (ASN) to identify it.

3 types of AS
  • Stub
Connects to one single ISP.
  • Multihomed
Connects to more than one ISP, so when one neighbor AS is down the other still works.
Will not transit packets for other ASes.
  • Transit
Provides transit service: forwards packets from one AS to another AS.

How does BGP work?

  • Routing information is exchanged over TCP.
  • Peers keep sending 'keep alive' messages to check that they are still connected.
  • A BGP speaker sends BGP 'update' messages to announce which prefixes can be reached through which AS. When you want to change it, send a new update message and withdraw the former one.
  • Default port number is 179.


How does BGP know the AS PATH?
When a BGP router sends out an update to a neighbor, it adds its own AS number to the front (left side) of the AS path. So the AS path lists all the ASes that need to be traversed to reach the location where the prefix that the path is attached to is advertised from. As such, a traceroute should encounter those same ASes.
For example:
3754 (sender) --> 11537 (next hop) --> 22388 (next next hop)

Choosing the path in BGP:
Set a weight on each path and a local preference for each AS; the higher value wins.
For example, if the route via AS1 has 100 and the route via AS2 has 150, the router will choose AS2 (150).

How to set the priority manually?
Suppose AS1, AS2 and AS3 can all reach AS4, but AS2 and AS3 should have priority. In other words, only when those two are broken do we choose AS1 instead.
Solution: AS1 prepends its own AS number to its announcements so the route looks like it has a longer AS PATH, such as 'AS1 AS1 AS1' (AS path prepending).

How is the BGP route chosen according to the prefix?
The longest match wins.
For example, traffic to 41.214.128.5 will follow 41.214.128.0/20 instead of 41.214.128.0/19.
Note: an IP address has 8 * 4 = 32 bits.

IP anycast: the same hostname (like google.com) is served from different regions or countries using the same IP address.
So, how is the best one chosen?
Routers select the desired path on the basis of number of hops, distance, the lowest cost, latency measurements, or the least congested route.

Can we use IP anycast for a web server?
For short or stateless connections, it works. However, a longer connection like telnet may be reset by the server, because the route can shift to a different anycast instance in the middle of the session.

Prefix hijacking attack
Problem: how to cut the victim off from the other ASes.
Victim: 1.2.0.0/16

Step 1: the attacker needs to announce two prefixes: the more bits that match, the more the announcement wins. So one is '1.2.128.0/17' and the other is '1.2.0.0/17'.
Why do we need both instead of just '1.2.0.0/17'?
Because to match '1.2.0.0/17' all 17 bits must match, which means the first bit of the third octet is fixed at '0'. That only covers third octets from '0000 0000' to '0111 1111'.
We also need '1000 0000' to '1111 1111' to cover the whole /16. 128 is '1000 0000' in binary, which is why the second prefix is '1.2.128.0/17'.

Step 2: the attacker announces these two prefixes to the other ASes. The AS PATH changes, and the traffic that used to go to the victim is diverted to the attacker's AS.

How to get the traffic back? (mitigation)
Announce prefixes of 18 bits or more: they match more bits, so they win the traffic back.
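To see why the two /17s take the traffic and why the /18s take it back, here is a small route-selection simulation added as an example (it is not code from the original post). It uses the page's 1.2.0.0/16, assumes documentation-range ASNs 64500 and 64501 for the victim and the attacker, and ends with a simple prefix/origin filter of the kind a defender would run over received announcements.

```python
import ipaddress

# Constructed example (not from the original post): the victim prefix 1.2.0.0/16
# from the text, with documentation-range ASNs standing in for real networks.
VICTIM_AS = 64500     # assumed ASN of the legitimate origin
HIJACKER_AS = 64501   # assumed ASN announcing the bogus more-specifics

def add_route(rib, prefix, origin_as):
    rib.append((ipaddress.ip_network(prefix), origin_as))

def best_route(rib, ip):
    """Longest-prefix match: the most specific prefix containing ip wins."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, asn) for net, asn in rib if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def unauthorized_announcements(rib, authorized):
    """Prefix/origin filter: each authorized record is (prefix, origin_as,
    max_length). A route covered by some record but validated by none is flagged."""
    bad = []
    for net, asn in rib:
        covering = [a for a in authorized if net.subnet_of(a[0])]
        if covering and not any(asn == a[1] and net.prefixlen <= a[2] for a in covering):
            bad.append((str(net), asn))
    return bad

def simulate(ip="1.2.200.7"):
    """Return the origin AS chosen for ip before, during and after the hijack,
    plus the routes a prefix filter would have rejected."""
    rib = []
    add_route(rib, "1.2.0.0/16", VICTIM_AS)
    before = best_route(rib, ip)[1]
    # Steps 1 and 2 from the text: two /17s split the /16 and win longest-prefix match
    add_route(rib, "1.2.0.0/17", HIJACKER_AS)
    add_route(rib, "1.2.128.0/17", HIJACKER_AS)
    during = best_route(rib, ip)[1]
    # Mitigation from the text: the owner announces /18s, which are longer still
    for p in ("1.2.0.0/18", "1.2.64.0/18", "1.2.128.0/18", "1.2.192.0/18"):
        add_route(rib, p, VICTIM_AS)
    after = best_route(rib, ip)[1]
    authorized = [(ipaddress.ip_network("1.2.0.0/16"), VICTIM_AS, 18)]
    return before, during, after, unauthorized_announcements(rib, authorized)

if __name__ == "__main__":
    print(simulate())  # (64500, 64501, 64500, [('1.2.0.0/17', 64501), ('1.2.128.0/17', 64501)])
```

The filter would have rejected both /17s on arrival, which is the point of prefix filtering: the victim never has to fight back with /18s if neighbors drop announcements whose origin AS or length do not match the authorized record.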

Other attacks:
  • spoofing attack
  • encryption TCP reset attack

Mitigation
  • prefix filtering
  • AS PATH filtering
  • Using public-key cryptography to verify route announcements
  • The ISP fixes the AS routes manually
