
Internet Hijacks, still in the wild west era

BSides Lisbon · 2023 · 25:30 · 198 views · Published 2024-02 · Watch on YouTube ↗
Category: Technical
Style: Talk
About this talk
What is a hijack? What is a leak? Which technologies are already available to prevent real impact? Why do people keep announcing IP networks that don't belong to them or their customers? This talk will go through some historic hijacks and will mainly focus on cases originating in Portugal: one which is recent and low-profile, the other which lasted several years and was widely publicized when it was uncovered. While this netsec-related topic is usually not in the daily cybersecurity news, hijacks still happen every day, even if their scope can sometimes be limited. This talk also intends to describe cases where this type of attack can be exploited. The Internet was built on trust between multiple parties. It is widely recognized that times have changed; however, one of the core Internet protocols, BGP (the Border Gateway Protocol), is still greatly abused, despite all the extensions and standardization efforts to improve it. The main aim of this talk is to give the audience awareness of routing hijacks and of how they can be leveraged for certain types of attacks. It also intends to unveil largely insecure practices between network operators. In the scope of FIRST's netsec-sig, a proposal is being prepared to reduce the attack surface for hijackers. FIRST is the Forum of Incident Response and Security Teams.

ABOUT THE SPEAKER: Carlos Friaças is the Head of RCTS CERT at FCCN, a unit of FCT. Carlos graduated in Computer Science at the University of Lisbon in 1999. He was a Systems Engineer at the University of Lisbon from 1996 to 2000 (with a short spell at FCCN, working for the Portuguese Schools' Network team and the ccTLD .PT). He managed the Portuguese Internet Exchange (Gigapix) while contributing to the Networking Team, responsible for AS1930, until late 2015. Since 2001 he has managed the Local Internet Registry for FCCN. For 15 years Carlos was involved in several European projects, namely GÉANT, 6NET, 6DISS, 6DEPLOY and IPv6-TF-SC. Over the years Carlos has delivered IPv6 courses (around Europe and in Portuguese-speaking countries in Africa) and also some talks at TERENA Networking Conferences and RIPE meetings. Since late 2015 he has moved into cybersecurity, taking a leadership role at RCTS CERT, the Portuguese R&E network's Computer Emergency Response Team. He was the manager of LinhaAlerta between 2016 and 2018, and represented FCCN at the INHOPE Association. Carlos was the Chairman of the Portuguese National CSIRT Network General Assembly in 2017 and 2018, and served as a member of its Executive Committee in 2021 and 2022.
Transcript [en]

Okay, so let's move forward, and now we'll have Carlos Friaças, who is going to be speaking about some Internet hijacks. So thank you, Carlos.

Hello everyone, good morning. It was an excellent keynote that we have just had. I would like to start by thanking the organization and everyone for having me. So, I'm Carlos Friaças. I work for the Portuguese National Research and Education Network, which is FCCN, which is a unit of FCT, the national foundation for technology. So I work at the security team of FCCN, which is RCTS CERT, and I'm here to talk a bit about something that I've been experiencing in the last years, which is Internet hijacks.

I would like to start by thinking about global Internet disruption. So if someone wants to seriously disrupt the Internet, which target would they choose? Would they go for submarine cables? I guess there are hundreds of submarine cable systems around the world. There is BGP, that connects networks; it's on the scale of thousands. I checked yesterday: there are about 75,000 different autonomous systems. And on the scale of millions you have domains. So this talk is about BGP, the networking, the IP layer, and how you can do something harmful there.

So first, for those that are not familiar with BGP: the Border Gateway Protocol is a very simplistic protocol that has been extended over the years. It has the characteristic of being multiprotocol, so first you had IPv4, and in later years IPv6 was added. For me it's very simple; someone may not agree with me, but for me BGP is just: I announce my prefixes and I receive prefixes from others. There are also some concepts around it: there are upstreams and peers. I usually don't pay to exchange traffic with my peers, and to upstream providers I usually pay to have my traffic reach any part of the Internet. There are also Internet exchanges with route servers that allow networks to do multilateral peerings. There is obviously also the concept of pushing traffic and receiving traffic, so you can send your packets through one side and receive packets from other networks from another side. The main issue that everyone must understand is that country borders are not the same as Internet borders. In BGP you don't have countries, you have networks that mostly are in one country or in more than one country. So borders is a really different concept on the Internet.

There is one fundamental problem that was highlighted recently with BGP, which is that it has too much exposure. Shadowserver recently did research and found almost 400,000 accessible BGP speakers, so they are likely to be attacked and used in attacks against third parties. So this is a concern; this is something that must be tackled, and I think mostly the cybersecurity people need to be aware of this, even if their knowledge about BGP is not so broad.

But now, about hijacks, which is the main topic that led me here. First things first, I want to discuss what a hijack is, because there are also leaks, which are accidents, but a hijack is perceived as being something intentional. So there are people that announce prefixes to other networks that don't belong to them, and this is very bad. One bad thing, for me, is that most people, or a lot of people, simply just don't care, because they just think it's hard to tell if an incident is a hijack or a leak. I strongly disagree with that, and it makes me furious sometimes, because accidents don't have a span of weeks or months. So if something is done intentionally, we are able, with the help of research, to understand what is going on, or what went wrong, for a period of time.

Another issue is... well, this is a snapshot from Cloudflare's Radar, so thank you for that. Cloudflare is providing an almost real-time list of incidents they see and classify as hijacks, and they also have a column with the degree of confidence. So they say this is a hijack with medium confidence, or with a higher degree of confidence. So hijacks happen on a daily basis, and well, this doesn't seem to worry people too much. I also have an issue with hijacks, which is that it's not a problem only when a hijacker steals your prefix, but when you, as a third-party network, are talking to a network that was hijacked. So if you intend to talk to, I don't know, YouTube, and someone hijacks YouTube, you will not get the service you are expecting to get.

Well, YouTube was probably one of the most notable incidents over the years. There was an order from the Pakistani government to Pakistan Telecom to censor some video, or to censor the platform because it was showing some video they didn't like, and instead of blocking access to YouTube they leaked a prefix from YouTube, and suddenly everybody in the world, or a big part of the networks in the world, thought that YouTube was being served by Pakistan Telecom, which obviously it wasn't. So they basically blackholed the service, and well, this obviously didn't go under the radar. There were also some strange things that were probably state-sponsored actions, so traffic from South America that went through Belarus. So these kinds of strange things happen, and it shouldn't happen.

There is also one... well, at some point, and this is what really woke me up to this problem of hijacks, in 2018 a guy that had a company that was doing hijacks for quite some time was reported publicly in community forums. And there was the fact that this guy operated from Portugal. So this was the original message on the NANOG list, and I just want to share mainly the last phrase: "as I always ask rhetorically in cases like this: where are the grown-ups?" So this was happening for quite a long time: prefixes were being stolen, then after some time they were not announced anymore and more prefixes were stolen from other folks. I think at some point even prefixes from the US government were stolen, and well, that didn't go very well. So this happened, and someone had to do something; that was the call.

Some years later, with a different actor, we also saw this. Well, this was earlier this year. There was someone that was trying to connect to our platform, and we investigated; we do some kind of due diligence, and while we investigated we found that this person, or this network, had announced a route from a company that was already closed in 2017. So this was basically grabbing a prefix that nobody was using and saying "well, now this is mine, so you can send packets to these IPs towards me". So, just to say that while the 2018 problem was tackled, there are still people here in Portugal that think that the others are stupid enough to still accept networks that are not from them, that are not really under their ownership.

So, comparing these two cases, I must say that the modus operandi was very, very different. The first case, that was exposed in 2018, was researched back to four years previously, and several hundred prefixes were discovered as being hijacked, and as investigations proceeded, the main aim of these hijacks was spam operations. In the second case, well, as it's a case that is so tiny, it's still under most radars, and as far as I know it has absolutely nothing to do with spam.

So going on to end games here. One of the possible end games is to divert someone else's traffic. Another one is to influence algorithms, and well, for instance to steal cryptocurrencies; there have been several documented cases between 2014 and 2022, and probably more are ongoing, but maybe they are not noticed. And some other possible objectives of doing hijacks are to escape attribution: so if you do something wrong with a network that isn't yours, you can say "no, no, this network is from that company that closed operations some years ago, so it wasn't me". Or, in some cases, also just... well, as IPv4 is not cheap anymore, to just grab your part of IPv4 for free.

So what can we do collectively? There are some initiatives. These problems were identified by a group of people some years ago, standards were developed, and there is basically RPKI. RPKI works, in a simplistic way, by publishing certificates associated with your routes. So if someone tries to hijack them, if you have a certificate, people can validate if the certificate matches the network you declared it with. There are also two sides: it's not just publishing the certificates, you also need to perform validation, and that's really what is not going very greatly at the moment. We also need to talk more about it. So if you have a published certificate about a certain prefix and network, and if you receive the same prefix from a different network, you should drop it. Some people prefer to just de-prefer it, but in some cases the safest way is really to drop it and not use the prefix.

This is the current state of deployment of RPKI. Globally it is about 38%, which is not very great. In Portugal the measured value is around 52%, which is better than the world average, but well, we still have a lot of path to cover. Again, here, data from Cloudflare, so thanks again.

Continuing, we, me and other people, have also been looking at another angle, which is that the industry stops using LOAs, letters of authorization. In some cases, what hijackers do is sign a document saying they are the owner of a certain IP prefix, and for me that's not enough. You can just sign a paper saying this is yours, but it's not really yours. At this moment, with cryptographic assurance available, what you need to do is to be able to sign your prefixes in the RPKI system. This is being worked on at FIRST, the Forum for Incident Response and Security Teams. It's a fairly open forum, so you can also follow this effort if you like.

As a final food for thought, I would like to raise the issue: making the parallel with IP networks, if someone decided to take away the telephony prefixes in Portugal for 94, 97 and 98, what do you think would happen, almost instantly, if someone was able to do this? My parallel with the IP network is that nobody is really having any consequences for doing these hijacks.

And these are the main takeaways of this talk. BGP is here; BGP is still going to be important for the Internet to work in the following years. It's not the most secure protocol, but it's working. And well, I hope I've transmitted the idea that hijackers, IP hijackers, are closer than you may expect; we also have some of them operating in Portugal. And there are solutions to make everyone know who owns which IP: it's RPKI, and we need to advance at an operator level to deploy it, and mainly to do the validation part as well, so that if crap routing information is received, it must be dropped. So here are some references, and I'm happy to take questions if there are any. [Applause]

Microphone? I was too quick.

Probably someone with the microphone, or can we try without the microphone? Okay, Carlos from Cloudflare.

I think the problem is kind of in line with what the keynote talk was about: well, nobody's dying, so nobody's worrying. So here, probably the incidents are not so problematic that people understand that they need to take some action. On another aspect, I also believe that there is kind of a gap between the networking and the cybersecurity side. So perhaps this problem statement is in between the two teams, and well, for the networking guys the routes are arriving and it's okay, so we will send packets if we receive routes, and for the security guys, well, we are not managing routers, so this might be a problem for the networking guys. So I think there must be some more cooperation between those two fields to tackle this issue. And there are... still no microphone again. Any more questions?

The organization, it seems, went some other place.

So, well, I can also tell you about another detail. I don't know if you are aware of internet.nl, which has a test for testing security, and it shows a score between 0 and 100. As part of their test, they are already evaluating whether the name servers that support the domain are under an RPKI certificate. So if you don't have a certificate over the route that covers your name servers, your score will be lower. That's probably a small incentive to tell your operators: please do this, so I can get my security score better, to improve my security score. The name servers are obviously important, because well, if someone diverts the route that covers them, they could set up different name servers, and anyone else in the world that is using that hijacked route can do nasty things with your domain. So this is basically it. Any more questions, or can someone go find Bruno or George? Okay, so if there are no more questions, thank you. [Applause]
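The validation step the speaker describes (a published ROA says which origin AS may announce a prefix; a route for that prefix from any other AS is invalid and should be dropped rather than merely de-preferred) is Route Origin Validation as specified in RFC 6811. The following is an added example, not code from the talk or from this page, showing that classification over a handful of announcements. The ROAs, prefixes and AS numbers are constructed for illustration (RFC 5737/3849 documentation prefixes and RFC 5398 documentation ASNs); a real validator would obtain validated ROA payloads from the RPKI repositories (typically via RTR) instead of the inline list used here.

```python
"""Route Origin Validation (RFC 6811) against a set of ROAs.

Added example; not code from the talk or the page. All ROAs, routes and
AS numbers below are constructed sample data, not real allocations.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, authorised origin AS, maxLength."""
    prefix: str
    origin_as: int
    max_length: Optional[int] = None  # None: only the exact prefix length is authorised

    def network(self):
        return ipaddress.ip_network(self.prefix, strict=True)

    def max_len(self) -> int:
        return self.max_length if self.max_length is not None else self.network().prefixlen


@dataclass(frozen=True)
class Route:
    """A BGP announcement as seen by a validating router: prefix plus origin AS."""
    prefix: str
    origin_as: int


def validate(route: Route, roas: Iterable[ROA]) -> str:
    """Classify one announcement per RFC 6811.

    NOT_FOUND: no ROA covers the announced prefix at all (unsigned space).
    VALID:     some covering ROA lists this origin AS and the announced
               prefix length does not exceed that ROA's maxLength.
    INVALID:   covering ROAs exist but none matches: either a different
               origin AS (the hijack case) or a more-specific beyond maxLength.
    """
    net = ipaddress.ip_network(route.prefix, strict=True)
    covering = [
        r for r in roas
        if r.network().version == net.version and net.subnet_of(r.network())
    ]
    if not covering:
        return NOT_FOUND
    for r in covering:
        if r.origin_as == route.origin_as and net.prefixlen <= r.max_len():
            return VALID
    return INVALID


def rov_policy(route: Route, roas: Iterable[ROA], drop_invalid: bool = True) -> bool:
    """Return True if the route is accepted into the routing table.

    drop_invalid=True is the "drop it" policy the speaker recommends;
    False models "de-prefer it", where the invalid route is still installed
    (at lower preference) and will carry traffic if no alternative exists.
    """
    state = validate(route, roas)
    return state != INVALID or not drop_invalid


# Constructed sample ROAs (hypothetical; AS64496 plays the legitimate holder).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 64496),                   # exact /24 only
    ROA("198.51.100.0/24", 64496, max_length=25),  # /24 and /25 allowed
    ROA("2001:db8::/32", 64496, max_length=48),    # IPv6, up to /48
]

# Constructed sample announcements (hypothetical; AS64511 plays the hijacker).
SAMPLE_ROUTES = [
    Route("192.0.2.0/24", 64496),     # legitimate holder announcing its prefix
    Route("192.0.2.0/24", 64511),     # same prefix, wrong origin: hijack
    Route("192.0.2.0/25", 64496),     # holder, but more specific than ROA allows
    Route("198.51.100.0/25", 64496),  # more-specific within maxLength
    Route("198.51.100.0/26", 64496),  # too specific: invalid
    Route("2001:db8:1::/48", 64496),  # IPv6 more-specific within maxLength
    Route("203.0.113.0/24", 64511),   # no ROA at all: not-found, cannot be judged
]


def classify_all(routes=SAMPLE_ROUTES, roas=SAMPLE_ROAS) -> dict:
    """Map (prefix, origin_as) to its RFC 6811 validation state."""
    return {(r.prefix, r.origin_as): validate(r, roas) for r in routes}


if __name__ == "__main__":
    for (prefix, asn), state in classify_all().items():
        action = "accept" if rov_policy(Route(prefix, asn), SAMPLE_ROAS) else "drop"
        print(f"{prefix:<18} AS{asn:<6} {state:<10} -> {action}")
```

Two points the table of results makes visible: a hijack of a prefix that is covered by a ROA is detectable only at networks that actually run validation and act on it (the "drop" column), and a prefix with no ROA at all comes back as not-found, so the 2017-defunct company's space in the second Portuguese case could only be rejected if the original holder had signed it; the speaker's deployment figures (about 38% globally, around 52% in Portugal) are the share of routes for which the first classification is even possible.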