starting with a post to JANOG ML

• [janog:12845] IIJ to the white courtesy phone.
  – notifying strange BGP announcements
  – also stating the prefix was listed at the Spamhaus SBL
• Thanks for the heads-up!
the /16 IPv4 prefix

• was transferred to IIJ recently
  – on 21/Oct/2014
• IIJ kept it in stock for future use
  – IIJ didn't start to announce it at that time
  – whois information at JPNIC was updated, but no IRR registration
• An ISP in U.S. started to announce the IP block as 2x /17s on 5/Jan/2015
  – No, IIJ didn't ask that
to stop the wrong announcements

• IIJ contacted the announcing ISP immediately
  – e-mail to their NOC followed by a phone call
  – and started BGP announcements by ourselves
• The first contact:
  – got ACK and the person on the call agreed to deal with the announcements, but nothing happened in the next 48 hours
• The second contact:
  – convinced the (different) person on the call, and got a ticket # to track the progress of handling
  – the announcements were finally stopped
lesson learned #1

• ask for a ticket #
  – especially in case the ISP has a ticket system to track their jobs
• keep the whois DB up-to-date
  – To prove your correctness
  – I sent our whois information to the NOC by e-mail, and also asked the NOC person to query the prefix by himself
the progress

• 4/Feb/2015 - the post to JANOG - the first contact to the ISP
• 6/Feb/2015 - the second contact to the ISP
• 7/Feb/2015 - the routes were withdrawn
• 12/Feb/2015 - contacted Spamhaus to delist
• 13/Feb/2015 - the prefix was delisted from the SBL
the cause of the announcements

• A customer of the ISP submitted an LoA (Letter of Authority) to use the prefix, and asked the ISP to originate the BGP announcements
• No, IIJ didn't submit such a document
An Example of Letter of Authority

<Company Name>
<Address>
<date>

To: <the Customer>

We authorize <the Customer> or <the ISP> to announce the following IP blocks -

<IP address blocks>

This authorization shall be valid until revoked by us in writing or by e-mail from <e-mail address>. I may be contacted at <Tel #> or <e-mail address>

Sincerely,
<signature>
<signer's name in print>
<Company Name>
[Logo]
the actual LoA looks... strange

• The company name was a family company of the previous resource holder
• Suspicious
  – the domain name used as the contact e-mail address was different from the actual one
    • the domain name was newly registered in 2014
  – the Tel # was wrong - missing a country code
    • because the previous holder had registered it wrongly in the whois DB before
visited the previous resource holder

• met a person who was previously the contact person of their whois DB entry
  – and also his name was used as the signer in the LoA
• No, he didn't sign the document, and their company wasn't aware of the LoA, nor even of the domain name which was used in the LoA
the fake LoA

The same template as above, annotated with where each part of the actual document came from:
• <Company Name> and the logo: copied from a website of a family company of the previous resource holder
• <e-mail address> (the contact address): a newly registered domain name that looks related to the organization
• <Tel #> and <signer's name in print>: copied from the previous whois DB entry
• <signature>: a fake signature
timeline

(the original slide is a swim-lane diagram with four actors: IIJ, the previous resource holder, the ISP, and the customer of the ISP, i.e. the hijacker)

• 4/Oct/2014 - the hijacker, having found a target (the previous resource holder), registered a new domain name and made the LoA
• 21/Oct/2014 - the prefix was transferred to IIJ; whois updated
• 9/Dec/2014 - the hijacker submitted the LoA to the ISP
• 5/Jan/2015 - the ISP started the BGP announcements
• 4/Feb/2015 - IIJ noticed and reacted
• 7/Feb/2015 - the announcements were withdrawn
the hijacker

• We don't know how they used the network
  – no evidence so far
  – no spam complaint related to the prefix
• After the announcements were stopped, they started to use 'the next' prefix by using the same technique - by submitting a fake LoA
  – and it was noticed and stopped by the actual resource holder a few months later
looking back

• IIJ should announce all holding prefixes
  – We changed our policy to announce all of them
  – Before announcements, IIJ registers route objects to IRRs - JPIRR and RADB. By registering a route object at JPIRR, a route monitoring service named 'keiro bugyo' automatically starts to monitor malicious announcements related to the route object.
• The ISP should carefully check IP blocks before announcements
  – The whois DB had already been changed, indicating IIJ as the resource holder at that time
WHOIS

• WHOIS command
  – which WHOIS server should I use for starting?
    • whois.iana.org?
  – a modern command hopefully handles it well
  – are you familiar with CLI? Windows users?
• web based WHOIS gateway
  – which one should I use?
    • starting with http://whois.iana.org/?
finding a resource holder by WHOIS

• IANA -> RIR -> (NIR ->) LIR
  – Think about regions which do not have NIRs, and probably some people are not aware of it
• Allocations and Assignments
  – Can you distinguish these on whois?
• ERXs and inter-RIR transfers
  – IANA -> RIR -> RIR -> (NIR ->) LIR
  – It seems each IR uses its own expression to indicate a reference for further information
whois at IANA

$ whois -h whois.iana.org '160.13.0.0'
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.arin.net

inetnum:      160.0.0.0 - 160.255.255.255
organisation: Administered by ARIN
status:       LEGACY

whois:        whois.arin.net

changed:      1993-05
source:       IANA
whois at ARIN

$ whois -h whois.arin.net '160.13.0.0'

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#

#
# Query terms are ambiguous. The query is assumed to be:
#     "n 160.13.0.0"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=160.13.0.0?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       160.11.0.0 - 160.30.255.255
CIDR:           160.24.0.0/14, 160.11.0.0/16, 160.30.0.0/16, 160.28.0.0/15, 160.12.0.0/14, 160.16.0.0/13
NetName:        APNIC-ERX-160-11-0-0
NetHandle:      NET-160-11-0-0-1
Parent:         NET160 (NET-160-0-0-0-0)
NetType:        Early Registrations, Transferred to APNIC
OriginAS:
Organization:   Asia Pacific Network Information Centre (APNIC)
RegDate:        2004-04-05
Updated:        2009-10-08
Comment:        This IP address range is not registered in the ARIN database.
Comment:        This range was transferred to the APNIC Whois Database as
Comment:        part of the ERX (Early Registration Transfer) project.
Comment:        For details, refer to the APNIC Whois Database via
Comment:        WHOIS.APNIC.NET or http://wq.apnic.net/apnic-bin/whois.pl
Comment:
Comment:        ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment:        for the Asia Pacific region. APNIC does not operate networks
Comment:        using this IP address range and is not able to investigate
Comment:        spam or abuse reports relating to these addresses. For more
Comment:        help, refer to http://www.apnic.net/apnic-info/whois_search2/abuse-and-spamming
Ref:            http://whois.arin.net/rest/net/NET-160-11-0-0-1

ResourceLink:   http://wq.apnic.net/whois-search/static/search.html
ResourceLink:   whois.apnic.net

OrgName:        Asia Pacific Network Information Centre
OrgId:          APNIC
Address:        PO Box 3646
City:           South Brisbane
StateProv:      QLD
PostalCode:     4101
Country:        AU
RegDate:
Updated:        2012-01-24
Ref:            http://whois.arin.net/rest/org/APNIC

ReferralServer: whois://whois.apnic.net
ResourceLink:   http://wq.apnic.net/whois-search/static/search.html

OrgAbuseHandle: AWC12-ARIN
OrgAbuseName:   APNIC Whois Contact
OrgAbusePhone:  +61738583188
OrgAbuseEmail:  [email protected]
OrgAbuseRef:    http://whois.arin.net/rest/poc/AWC12-ARIN

OrgTechHandle:  AWC12-ARIN
OrgTechName:    APNIC Whois Contact
OrgTechPhone:   +61738583188
OrgTechEmail:   [email protected]
OrgTechRef:     http://whois.arin.net/rest/poc/AWC12-ARIN
whois at APNIC

$ whois -h whois.apnic.net '160.13.0.0'
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '160.13.0.0 - 160.13.255.255'

inetnum:        160.13.0.0 - 160.13.255.255
netname:        IIJ
descr:          Internet Initiative Japan Inc.
descr:          Iidabashi Grand Bloom,
descr:          2-10-2 Fujimi, Chiyoda-ku,
descr:          Tokyo, 102-0071 Japan
country:        JP
admin-c:        JNIC1-AP
tech-c:         JNIC1-AP
status:         ALLOCATED PORTABLE
remarks:        Email address for spam or abuse complaints : [email protected]
mnt-irt:        IRT-JPNIC-JP
mnt-by:         MAINT-JPNIC
mnt-lower:      MAINT-JPNIC
changed:        [email protected] 20050712
changed:        [email protected] 20141021
source:         APNIC

irt:            IRT-JPNIC-JP
address:        Urbannet-Kanda Bldg 4F, 3-6-2 Uchi-Kanda
address:        Chiyoda-ku, Tokyo 101-0047, Japan
e-mail:         [email protected]
abuse-mailbox:  [email protected]
admin-c:        JNIC1-AP
tech-c:         JNIC1-AP
auth:           # Filtered
mnt-by:         MAINT-JPNIC
changed:        [email protected] 20101108
changed:        [email protected] 20101111
changed:        [email protected] 20140702
source:         APNIC

role:           Japan Network Information Center
address:        Urbannet-Kanda Bldg 4F
address:        3-6-2 Uchi-Kanda
address:        Chiyoda-ku, Tokyo 101-0047, Japan
country:        JP
phone:          +81-3-5297-2311
fax-no:         +81-3-5297-2312
e-mail:         [email protected]
admin-c:        JI13-AP
tech-c:         JE53-AP
nic-hdl:        JNIC1-AP
mnt-by:         MAINT-JPNIC
changed:        [email protected] 20041222
changed:        [email protected] 20050324
changed:        [email protected] 20051027
changed:        [email protected] 20120828
source:         APNIC

% Information related to '160.13.0.0 - 160.13.15.255'

inetnum:        160.13.0.0 - 160.13.15.255
netname:        IIJNET
descr:          IIJ Internet
country:        JP
admin-c:        JP00010080
tech-c:         JP00010080
remarks:        This information has been partially mirrored by APNIC from
remarks:        JPNIC. To obtain more specific information, please use the
remarks:        JPNIC WHOIS Gateway at
remarks:        http://www.nic.ad.jp/en/db/whois/en-gateway.html or
remarks:        whois.nic.ad.jp for WHOIS client. (The WHOIS client
remarks:        defaults to Japanese output, use the /e switch for English
remarks:        output)
changed:        [email protected] 20150417
changed:        [email protected] 20150424
source:         JPNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r7-SNAPSHOT (WHOIS4)
whois at JPNIC

$ whois -h whois.nic.ad.jp '160.13.0.0/e'
[ JPNIC database provides information regarding IP address and ASN. Its use   ]
[ is restricted to network administration purposes. For further information,  ]
[ use 'whois -h whois.nic.ad.jp help'. To only display English output,        ]
[ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'.      ]

Network Information:
a. [Network Number]             160.13.0.0/20
b. [Network Name]               IIJNET
g. [Organization]               IIJ Internet
m. [Administrative Contact]     JP00010080
n. [Technical Contact]          JP00010080
p. [Nameserver]                 dns0.iij.ad.jp
p. [Nameserver]                 dns1.iij.ad.jp
[Assigned Date]                 2015/04/17
[Return Date]
[Last Update]                   2015/04/24 11:47:06(JST)

Less Specific Info.
----------
Internet Initiative Japan Inc.
      [Allocation]              160.13.0.0/16

More Specific Info.
----------
No match!!
whois at JPNIC again

$ whois -h whois.nic.ad.jp '160.13.0.0/16/e'
[ JPNIC database provides information regarding IP address and ASN. Its use   ]
[ is restricted to network administration purposes. For further information,  ]
[ use 'whois -h whois.nic.ad.jp help'. To only display English output,        ]
[ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'.      ]

Network Information:
[Network Number]                160.13.0.0/16
[Network Name]
[Organization]                  Internet Initiative Japan Inc.
[Administrative Contact]        JP00010080
[Technical Contact]             JP00010080
[Abuse]                         [email protected]
[Allocated Date]                2014/10/21
[Last Update]                   2014/10/21 15:04:47(JST)

Less Specific Info.
----------
No match!!

More Specific Info.
----------
IIJ Internet
      IIJNET
            [Assignment]        160.13.0.0/20
IIJ Internet
      IIJNET
            [Assignment]        160.13.16.0/24
[...]
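The IANA -> RIR -> RIR -> NIR walk shown in the four outputs above, done by a script rather than by hand. This is an added example, not code from the original slides or from IIJ. It follows the onward pointer each registry uses in its own way (IANA's 'refer:', ARIN's 'ReferralServer:', and the 'whois.nic.ad.jp' hint that APNIC only gives inside free-text 'remarks:' on the JPNIC-mirrored object), appends JPNIC's '/e' switch, and reports for every hop who the object names and whether it is an allocation or an assignment. The fixture responses are constructed, abbreviated copies of the outputs on the slides, so it runs offline; the hostnames, the field names and the query are all from the page, everything else is the example's own.

```python
import re

# Each registry points onward differently: IANA writes 'refer:', ARIN
# 'ReferralServer:', and APNIC's JPNIC-mirrored objects only name
# whois.nic.ad.jp inside free-text 'remarks:' lines.
REFERRAL_RE = re.compile(r"^(?:refer|ReferralServer):\s*(?:whois://)?([\w.-]+)", re.M)
REMARKS_HOST_RE = re.compile(r"^remarks:.*?\b(whois\.[\w.-]+)", re.M | re.I)

# Where each registry puts the organisation name, tried in this order.
ORG_RES = [
    re.compile(r"\[Organization\]\s*(.+?)\s*$", re.M),  # JPNIC
    re.compile(r"^OrgName:\s*(.+?)\s*$", re.M),         # ARIN
    re.compile(r"^organisation:\s*(.+?)\s*$", re.M),    # IANA
    re.compile(r"^descr:\s*(.+?)\s*$", re.M),           # RPSL (APNIC), first descr
]
# Allocation vs assignment: JPNIC '[Allocated Date]'/'[Assigned Date]', APNIC 'status:'.
KIND_RE = re.compile(r"\[(Assigned|Allocated) Date\]|^status:\s*(ALLOCATED|ASSIGNED)", re.M)


def format_query(server, query):
    """JPNIC answers in Japanese unless the query ends with '/e'."""
    if server.endswith("nic.ad.jp") and not query.endswith("/e"):
        return query + "/e"
    return query


def next_server(text, current):
    """Server this response refers onward to, or None at the end of the chain."""
    m = REFERRAL_RE.search(text)
    if m:
        return m.group(1).lower()
    for m in REMARKS_HOST_RE.finditer(text):
        host = m.group(1).lower().rstrip(".")
        if host != current:
            return host
    return None


def holder(text):
    """(organisation, 'allocation' | 'assignment' | None) of the first object."""
    org = None
    for rx in ORG_RES:
        m = rx.search(text)
        if m:
            org = m.group(1)
            break
    kind = None
    m = KIND_RE.search(text)
    if m:
        word = (m.group(1) or m.group(2)).lower()
        kind = "allocation" if word.startswith("alloc") else "assignment"
    return org, kind


def walk(query, fetch, start="whois.iana.org", max_hops=6):
    """Follow referrals from `start`; returns [(server, organisation, kind), ...]."""
    hops, server = [], start
    while server and len(hops) < max_hops:
        text = fetch(server, format_query(server, query))
        hops.append((server,) + holder(text))
        nxt = next_server(text, server)
        if nxt is None or any(nxt == h[0] for h in hops):  # end, or a referral loop
            break
        server = nxt
    return hops


# Constructed fixtures, abbreviated from the four outputs shown on the slides.
# Replace fetch_fixture with a function that speaks whois over TCP/43 to go live.
FIXTURES = {
    ("whois.iana.org", "160.13.0.0"):
        "refer:        whois.arin.net\n"
        "inetnum:      160.0.0.0 - 160.255.255.255\n"
        "organisation: Administered by ARIN\n"
        "status:       LEGACY\n",
    ("whois.arin.net", "160.13.0.0"):
        "NetRange:       160.11.0.0 - 160.30.255.255\n"
        "NetType:        Early Registrations, Transferred to APNIC\n"
        "OrgName:        Asia Pacific Network Information Centre\n"
        "ReferralServer: whois://whois.apnic.net\n",
    ("whois.apnic.net", "160.13.0.0"):
        "inetnum:        160.13.0.0 - 160.13.255.255\n"
        "descr:          Internet Initiative Japan Inc.\n"
        "status:         ALLOCATED PORTABLE\n"
        "source:         APNIC\n\n"
        "inetnum:        160.13.0.0 - 160.13.15.255\n"
        "descr:          IIJ Internet\n"
        "remarks:        This information has been partially mirrored by APNIC from\n"
        "remarks:        JPNIC. To obtain more specific information, please use\n"
        "remarks:        whois.nic.ad.jp for WHOIS client.\n"
        "source:         JPNIC\n",
    ("whois.nic.ad.jp", "160.13.0.0/e"):
        "a. [Network Number]     160.13.0.0/20\n"
        "g. [Organization]       IIJ Internet\n"
        "[Assigned Date]         2015/04/17\n\n"
        "Less Specific Info.\n----------\n"
        "Internet Initiative Japan Inc.\n"
        "      [Allocation]      160.13.0.0/16\n",
}


def fetch_fixture(server, query):
    return FIXTURES[(server, query)]
```

Running `walk("160.13.0.0", fetch_fixture)` gives four hops: IANA (Administered by ARIN), ARIN (APNIC, the ERX indirection; not the holder), APNIC (Internet Initiative Japan Inc., allocation) and JPNIC (IIJ Internet, assignment). The last two hops are exactly the allocation/assignment ambiguity the slides point at: the address query ends on the /20 assignment, and you need the '/16' query to get the allocation itself.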
allocations

• It's already complicated
  – and getting more complicated
• IR whois is not so human friendly nor machine friendly
  – You need to train engineers about every whois DB's expressions, the history of the Internet, and the current resource policies. Yes, it's important though...
  – And probably that's why we have IRRs to register routing related information
• We need something better to prove our holding resources
RPKI

• Public Key Infrastructure for Number Resources
  – such as IP addresses and AS numbers
  – a digital certificate can prove that you are the current resource holder of a specific number resource
  – you can add a digital signature to your documents like an LoA or a transfer agreement
• You can issue ROAs to indicate the originating AS for prefixes
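What an ISP could have checked the announcement against if the holder had issued a ROA: route origin validation as defined in RFC 6811, as an added example that is not part of the original slides. IIJ's AS number is not given on the page, so the ROA below uses the documentation ASN 64500 for the holder and 64496 for the announcing ISP (RFC 5398 range); both are assumptions. Fed the two /17s from the incident, the result is Invalid on two independent grounds: the origin AS does not match the ROA, and /17 is longer than the ROA's maxLength of 16, so even the holder itself could not originate the /17s under that ROA.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # e.g. "160.13.0.0/16"
    max_length: int   # longest prefix length the AS may originate under this ROA
    asn: int          # authorised origin AS (AS0 authorises nobody)


HOLDER_AS, ISP_AS = 64500, 64496   # assumed documentation ASNs, not on the page

# The ROA the /16 holder would publish: only the /16 itself, from its own AS.
ROAS = [ROA("160.13.0.0/16", 16, HOLDER_AS)]


def covering_roas(roas, route):
    """ROAs whose prefix covers `route` (same address family, route inside it)."""
    out = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix, strict=True)
        if net.version == route.version and route.subnet_of(net):
            out.append(roa)
    return out


def rov_state(roas, prefix, origin_as):
    """'valid', 'invalid' or 'not-found' for one announcement (RFC 6811 section 2)."""
    route = ipaddress.ip_network(prefix, strict=True)
    covering = covering_roas(roas, route)
    if not covering:
        return "not-found"            # no ROA says anything about this prefix
    for roa in covering:
        # One matching ROA suffices: same origin AS and not more specific than maxLength.
        if roa.asn == origin_as and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"                  # covered, but nothing authorises this origin/length


def explain(roas, prefix, origin_as):
    """State plus the reasons an operator would want in the filter log."""
    state = rov_state(roas, prefix, origin_as)
    reasons = []
    if state == "invalid":
        route = ipaddress.ip_network(prefix)
        for roa in covering_roas(roas, route):
            if roa.asn != origin_as:
                reasons.append(f"origin AS{origin_as} != ROA AS{roa.asn} for {roa.prefix}")
            if route.prefixlen > roa.max_length:
                reasons.append(f"/{route.prefixlen} longer than maxLength {roa.max_length} of {roa.prefix}")
    return state, reasons


def filter_announcements(roas, announcements):
    """The usual policy: drop Invalid, pass Valid and NotFound."""
    return [(p, a) for p, a in announcements if rov_state(roas, p, a) != "invalid"]


# Constructed sample: the two /17s from the incident as announced by the ISP,
# the legitimate /16, a too-specific /17 from the holder, and a prefix with no ROA.
ANNOUNCEMENTS = [
    ("160.13.0.0/17", ISP_AS),
    ("160.13.128.0/17", ISP_AS),
    ("160.13.0.0/16", HOLDER_AS),
    ("160.13.0.0/17", HOLDER_AS),
    ("198.51.100.0/24", ISP_AS),
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        state, why = explain(ROAS, prefix, asn)
        print(f"{prefix:17} AS{asn}: {state:9} {'; '.join(why)}")
    print("accepted:", filter_announcements(ROAS, ANNOUNCEMENTS))
```

Two caveats the code makes visible: NotFound passes by default, so a ROA protects a prefix only once it exists (the /16 had no ROA in Jan 2015, and a ROA would not have helped without the ISP also validating), and maxLength is the knob: a ROA with maxLength 17 would have made the holder's own /17s Valid while still rejecting the ISP's.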
lesson learned #2

• announce all holding prefixes
  – register route objects to an IRR for reference
• IR whois is... complicated
  – hierarchy, ERXs and transfers
  – assignments and allocations in the same DB
• RPKI is the next choice for us
  – we need to promote RPKI more, and train engineers to be aware of public-key cryptography
  – signing and verifying by using public-key cryptography is a key technology nowadays
the current situation

• ran out of IPv4 free space
  – getting difficult to get enough IPv4 space
• IP reputation databases
  – to avoid access from/to malicious activities
• Aaaaah, the situation probably motivates malicious folks to hijack a prefix more and more...
Summary

• An intentional BGP hijacking happened
  – I believe the hijacker had malicious intention as they:
    • registered a fake domain name
    • made a fake LoA
  – by these, the hijacker could convince an ISP to announce the IP blocks
• We need a strong infrastructure to prove our number resources
  – time to adopt RPKI!