Thursday, March 5, 2020

How to attack a routing system

There are several general types of attacks on the routing system. Despite differences in goals and final effect, the attack mechanism is fundamentally the same: the attacker creates a distorted picture of the attacked network's place in the Internet topology, and that picture is then propagated transitively throughout the Internet.
Creating black holes. The purpose of this attack is to make a network, or several networks, unreachable for all or part of the Internet. All traffic destined for these networks is redirected and then discarded, so every service these networks offer becomes inaccessible to users. The main objective of this type of attack is denial of service (DoS).
Redirection. In this case, traffic destined for one network is redirected to another network. Often this network is in the hands of the attacker and masquerades as the attacked network, for example in order to obtain secret information. Redirection can also be used by cybercriminals for short-term actions such as sending spam, after which the network, or its phantom, naturally disappears. Attackers often use unallocated or long-unused address space for this.
Interception. This attack is similar to the previous one, except that after passing through the intercepting network the traffic returns to its normal path and reaches the recipient. Because of this, such an attack is harder to detect. The goal is usually to eavesdrop on or modify the transmitted data.
Instability. Instability in the global routing system can be caused by frequent changes in the announcement of a particular network (alternating announcement and withdrawal), with the aim of causing providers to "damp" the routes of this network and, as a result, blocking its connectivity.
Fabrication of the traffic source address. Although in this case the routing system as such is not attacked, this method is widely used in so-called reflection attacks. Here the return traffic, for example responses to initial requests, is sent not to the true source but to the recipient whose address was fabricated. Typically such attacks use UDP (User Datagram Protocol, http://ru.wikipedia.org/wiki/Udp ) and rely on an amplification effect, where small requests from many sources generate significantly larger responses. One of the critical systems that relies mainly on UDP and is prone to attacks of this kind is DNS.
Let's look at some examples of attacks on the routing system.

YouTube

On Sunday, February 24, 2008, Pakistan Telecom (AS17557) began an unauthorized announcement of part of the address space used by YouTube (AS36561), namely the more specific prefix 208.65.153.0/24. One of Pakistan Telecom's transit providers, PCCW Global (AS3491), announced this route onward to the global Internet, which redirected YouTube traffic on a global scale.
Two minutes later, YouTube's connectivity topology looked like this:
As you can see, all traffic destined for YouTube was redirected to the Pakistan Telecom network. This traffic consisted of fragments of TCP sessions started with the real YouTube site and was simply dropped by Pakistan Telecom. For YouTube users, the resource appeared to be unavailable.
The reason was a demand by the government of Pakistan to block access to a site it considered hostile inside the country. The result, however, was a typical "black hole", which led to a global interruption of YouTube services.
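As an added example (not from the original post), here is a small monitor that flags the pattern of the YouTube incident in BGP update data: a more-specific prefix, or the exact prefix, originated by an AS other than the one expected. The update records are constructed, and the covering YouTube prefix 208.65.152.0/22 is an assumption for the example.

```python
import ipaddress

# Constructed: address blocks we watch, keyed to the AS expected to originate them.
# The /22 covering YouTube's 208.65.153.0/24 is an assumption for this example.
MONITORED = {
    ipaddress.ip_network("208.65.152.0/22"): 36561,  # YouTube
}

# Constructed BGP UPDATE records as a route collector would see them:
# (announced prefix, AS_PATH). The last AS in the path is the origin.
# The second record mimics AS17557's /24 propagated through PCCW (AS3491).
UPDATES = [
    ("208.65.152.0/22", [3491, 36561]),   # legitimate announcement
    ("208.65.153.0/24", [3491, 17557]),   # more-specific from a foreign origin
    ("208.65.152.0/22", [3491, 64496]),   # same prefix, different origin
    ("203.0.113.0/24", [3491, 64500]),    # not a monitored block, ignored
]


def classify(prefix_str, as_path):
    """Return (kind, monitored_block, origin) for a suspicious update, else None.

    kind is 'more-specific' when a sub-prefix of a monitored block is originated
    by an AS other than the expected one (the YouTube case), and 'origin-change'
    when the exact monitored prefix is originated by an unexpected AS.
    """
    prefix = ipaddress.ip_network(prefix_str, strict=False)
    origin = as_path[-1]
    for block, expected_origin in MONITORED.items():
        if prefix.version != block.version or origin == expected_origin:
            continue
        if prefix == block:
            return ("origin-change", str(block), origin)
        if prefix.subnet_of(block):
            return ("more-specific", str(block), origin)
    return None


def scan(updates):
    """Run classify over a list of (prefix, AS_PATH) records and collect alerts."""
    alerts = []
    for prefix_str, as_path in updates:
        result = classify(prefix_str, as_path)
        if result is not None:
            alerts.append((prefix_str, *result))
    return alerts


if __name__ == "__main__":
    for alert in scan(UPDATES):
        print("ALERT", alert)
```

A less-specific covering announcement from a foreign origin is deliberately not flagged here, since it would not win over the legitimate route the way a more-specific one does.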

Pilosov attack

The attack on YouTube had significant visible consequences and received wide publicity in the online community. However, a number of attacks can go almost unnoticed while having even more serious consequences.
We are talking about traffic interception that is invisible to both the sender and the recipient of the traffic, and to most other participants. The goal may be, for example, to monitor the data exchanged between specific networks, users, etc., or to modify that data.
The feasibility and simplicity of organizing such an attack were presented at the DEFCON conference in August 2008 by Alex Pilosov and Anton Kapella. They demonstrated that
  • almost any prefix can be captured without breaking connectivity;
  • this can be done very quietly, masking the attacker's presence on the traffic path (invisible to utilities such as traceroute, which list the nodes through which traffic passes on its way to the recipient).
The essence of the attack is to intercept traffic using standard methods (for example, the attacker announces a longer, more specific prefix of the attacked network, which makes the announcement of that subnet more attractive from BGP's point of view, as happened with Pakistan Telecom). The attacker then returns the traffic to its previous course by configuring a static route, so that the traffic is handed to a network that was part of the original transmission path. From there, the traffic is forwarded in an entirely legitimate way.

To mask the detour, the attacking network manipulates the TTL (Time To Live) field of the intercepted packets. According to the protocol, each network node decrements this field by one when forwarding a packet to the next router. By not changing this field while packets pass through the attacking network, the attackers "mask" that segment, excluding themselves from the visible transmission path. For utilities such as traceroute, the path segments inside the attacker's network simply do not appear in the list.
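The following simulation, added here as an example and not part of the original post, shows how traceroute derives its hop list from TTL expiry and why hops that leave TTL unchanged never appear in it; the router names are constructed. The practical consequence for a defender is that a normal-looking traceroute is not evidence that no interception is taking place.

```python
# Constructed router names for the example; 'x1' and 'x2' model the attacker's network.
ROUTERS = ["r1.isp", "r2.isp", "x1.attacker", "x2.attacker", "r3.transit"]
DESTINATION = "dst.example"


def forward(routers, ttl, no_decrement=frozenset()):
    """Forward one probe with the given TTL through the intermediate routers.

    Each router decrements TTL and answers with ICMP Time Exceeded when it hits
    zero, as the protocol requires. Routers listed in no_decrement leave TTL
    untouched, which is the masking behaviour the text describes. Returns the
    name of the router that expired the probe, or None if it reached the end.
    """
    for router in routers:
        if router in no_decrement:
            continue  # TTL unchanged: this hop can never expire a probe
        ttl -= 1
        if ttl == 0:
            return router
    return None


def traceroute(routers, destination, no_decrement=frozenset(), max_ttl=30):
    """Build the hop list traceroute would print by probing TTL 1, 2, ... until
    a probe reaches the destination, which then answers as itself."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        hop = forward(routers, ttl, no_decrement)
        if hop is None:
            hops.append(destination)
            break
        hops.append(hop)
    return hops


def hidden_hops(routers, destination, no_decrement):
    """Compare the real path with the reported one: hops traversed but not listed."""
    honest = traceroute(routers, destination)
    masked = traceroute(routers, destination, no_decrement)
    return [hop for hop in honest if hop not in masked]


if __name__ == "__main__":
    masking = {"x1.attacker", "x2.attacker"}
    print("real path:    ", traceroute(ROUTERS, DESTINATION))
    print("reported path:", traceroute(ROUTERS, DESTINATION, masking))
    print("hidden hops:  ", hidden_hops(ROUTERS, DESTINATION, masking))
```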
