
This is the first part of a multi-part series detailing how netblocks are hijacked, the ramifications of such an event, how a netblock hijacking event can be mitigated or eliminated, and finally how Farsight’s DNSDB and other products can be part of the solution.
In the broadest sense of the term, IP hijacking is the misplacement of routes. For the purposes of this series, we’ll define it as “the deliberate and malicious modification of public routing tables”.¹
There are multiple categories of route misplacement; briefly running through them will help illustrate why we’re focusing on what is the worst of the lot.
The first category, the intra-organization hijack, is often a non-malicious systemic failure of one sort or another: a misbehaving protocol, human error, or legacy cruft that hasn’t yet caused enough of a problem to be rectified. In any event, it is contained within an entity that can choose when and how it handles the failure; nobody on the public Internet should be affected. This type of failure is more common in large organizations with many different logistical domains, each with its own IPAM and internal processes. Such an environment is rife with fragmentation of IP space, both public and RFC1918. A subset of intra-organization hijack involves using non-RFC1918 IP space for an internal network, which creates reachability issues from within the organization to the legitimate holder of those IPs. A common mistake is using space within the 192.0.0.0/8 range that falls outside 192.168.0.0/16.
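The IPAM mistake just described is easy to catch mechanically. The following is an added example, not code from the original article or from Farsight: it audits a constructed IPAM export against the three RFC1918 blocks and reports every entry that is not actually private, calling out the 192.0.0.0/8 near-miss separately. It also shows why the stdlib `is_private` flag is not a substitute for an RFC1918 check: it is true for special-purpose documentation and benchmarking ranges that are not usable as internal space.

```python
"""Audit 'internal' prefixes for non-RFC1918 space.

Added example (not Farsight code).  The IPAM entries below are constructed
for illustration.
"""
import ipaddress

# The only three blocks RFC 1918 sets aside for private use.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
NET_192 = ipaddress.ip_network("192.0.0.0/8")


def is_rfc1918(prefix):
    """True only if the whole prefix lies inside one RFC1918 block."""
    net = ipaddress.ip_network(prefix, strict=False)
    # subnet_of() raises on mixed address families, so check the version first.
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)


def audit(ipam_entries):
    """Return (name, prefix, reason) for every entry that is not RFC1918.

    Reasons distinguish the classic 192.0.0.0/8 near-miss, special-purpose
    space that ipaddress.is_private reports as private, and plain public space.
    """
    findings = []
    for name, prefix in ipam_entries:
        if is_rfc1918(prefix):
            continue
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version == 4 and net.subnet_of(NET_192):
            reason = "inside 192.0.0.0/8 but outside 192.168.0.0/16"
        elif net.is_private:
            reason = "special-purpose, not RFC1918 (ipaddress.is_private is broader)"
        else:
            reason = "public space; internal hosts cannot reach the real holder"
        findings.append((name, prefix, reason))
    return findings


# Constructed sample IPAM export: two correct entries and three mistakes.
SAMPLE_IPAM = [
    ("corp-lan", "10.20.0.0/16"),
    ("lab-lan", "192.168.5.0/24"),
    ("branch-7", "192.169.0.0/16"),   # typo for 192.168: this is public space
    ("dmz-test", "203.0.113.0/24"),   # TEST-NET-3: is_private, but not RFC1918
    ("acq-legacy", "172.32.0.0/16"),  # 172.16.0.0/12 ends at 172.31.255.255
]

if __name__ == "__main__":
    for name, prefix, reason in audit(SAMPLE_IPAM):
        print(f"{name:12} {prefix:18} {reason}")
```

Run against a real IPAM export, the `audit()` output is the list of networks whose hosts will be unable to reach whoever legitimately holds that space on the public Internet.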
The second category involves another organization’s resources and spans two variations: one where only the IP space is hijacked, and another where both the ASN and the IP space are hijacked. The former is more common, and both can be accidental as well as malicious. The latter is insidious, mostly because to the rest of the Internet it can look like normal anycast.
It is also possible for an attacker to insert the target’s ASN into the AS path of announcements they make to the global routing table, causing some portion of the traffic destined for the target to be routed through the attacker’s network instead. This gives the attacker a man-in-the-middle position.
The third category is the complete hijack scenario, in which control of the registry objects themselves is lost. For example, a network administrator went to the trouble of integrating their IRR objects correctly with a registry, but for some reason finds they are no longer in control of the maintainer object. The current recourse for recovery in this scenario is contacting the routing registry and regaining control of the maintainer object.
Less common is the use of a network hijack for censorship, whether at the behest of an individual, a group, or a sovereign nation. This type of hijack differs from the above because its main aim is to disable, restrict or deny access to specific sources or destinations on the Internet.
The main effect of an IP hijack is denial of service. The problem with an IP hijack’s DoS footprint is that it creates a split horizon in the global routing table. An organization may be announcing the correct block, receiving most of the traffic destined for that block, and able to reach everything on the Internet. However, other places on the Internet may see the hijacker’s BGP announcement as the more preferred route and, in the case of a non-malicious hijack, simply be unable to reach your organization. If the hijack is malicious, the hijacker may instead have set up a duplication or man-in-the-middle attack devised to exfiltrate data from the organization. Another possible attack vector is a reflection attack against the hijackee: the attacker sends TCP SYNs sourced from the hijacked block to hosts around the Internet and across the split horizon, and the SYN/ACKs are reflected at the legitimate organization. If the hijacked block is not black- or grey-listed, or worse, is white-listed, a large volume of unwanted traffic may result.
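The two hijack variations above and the split horizon they produce can be made concrete with a small model of BGP best-path selection. The following is an added example, not code from the original article or from Farsight; it reduces the BGP decision process to longest prefix match followed by shortest AS path, uses documentation ASNs and prefixes, and constructs the announcements itself. It shows a more-specific announcement capturing half a /24 at one vantage point but not another, and an announcement with the victim’s ASN appended as origin that looks consistent to any check that only inspects the origin while actually forwarding traffic through the hijacker.

```python
"""Toy model of an IP hijack's split horizon.

Added example (not Farsight code).  ASNs 64496-64511 and 64666 are from the
documentation/private ranges; all announcements are constructed.  Best-path
selection is simplified to longest prefix, then shortest AS path.
"""
import ipaddress
from collections import namedtuple

# as_path is a tuple of ASNs: leftmost = neighbor we heard it from, rightmost = origin.
Route = namedtuple("Route", "prefix as_path")


def make_route(prefix, *as_path):
    return Route(ipaddress.ip_network(prefix), tuple(as_path))


def best_route(table, dst):
    """Longest-prefix match, then shortest AS path (stand-in for the rest of the
    BGP decision process).  Returns None if nothing covers dst."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, len(r.as_path)))


def origin_as(route):
    return route.as_path[-1]


def split_horizon(vantages, dst):
    """Map each vantage point to the AS path its best route to dst carries.
    Different paths for the same destination are the split horizon."""
    result = {}
    for name, table in vantages.items():
        best = best_route(table, dst)
        result[name] = best.as_path if best else None
    return result


def transits(vantages, dst, asn):
    """Vantage points whose traffic for dst passes through asn on the way."""
    return sorted(name for name, path in split_horizon(vantages, dst).items()
                  if path and asn in path)


def origin_only_check(route, expected_origin):
    """What a check that looks only at the origin ASN (an IRR route object, or an
    RPKI ROA) sees.  It cannot distinguish a forged AS path from a real one."""
    return origin_as(route) == expected_origin


VICTIM, HIJACKER, TRANSIT_A, TRANSIT_B = 64500, 64666, 64496, 64497

# The legitimate announcement as seen next to the victim's transit (short path)
# and as seen one hop further away (longer path).
LEGIT = make_route("203.0.113.0/24", TRANSIT_A, VICTIM)
LEGIT_FAR = make_route("203.0.113.0/24", TRANSIT_B, TRANSIT_A, VICTIM)

# Variation 1: a more specific prefix.  A /25 is used here to stay inside the
# documentation block; real hijacks are typically a /24 out of a shorter prefix.
MORE_SPECIFIC = make_route("203.0.113.0/25", TRANSIT_B, HIJACKER)

# Variation 2: same prefix length, but the victim's ASN is appended as origin so
# the route appears to have reached the hijacker from the victim.
FORGED_PATH = make_route("203.0.113.0/24", HIJACKER, VICTIM)

# Vantage A's upstream filtered the hijack; vantage B accepted everything.
VANTAGES_MORE_SPECIFIC = {"vantage_a": [LEGIT], "vantage_b": [LEGIT, MORE_SPECIFIC]}
VANTAGES_FORGED = {"vantage_a": [LEGIT], "vantage_b": [LEGIT_FAR, FORGED_PATH]}

if __name__ == "__main__":
    for label, vantages in (("more specific", VANTAGES_MORE_SPECIFIC),
                            ("forged path", VANTAGES_FORGED)):
        print(label, split_horizon(vantages, "203.0.113.10"),
              "via hijacker at:", transits(vantages, "203.0.113.10", HIJACKER))
    print("forged path passes origin-only check:",
          origin_only_check(FORGED_PATH, VICTIM))
```

Note that in the forged-path case every vantage point agrees the origin is the victim’s ASN; only the full AS path, or traceroutes from the far side of the horizon, reveals that vantage B’s traffic is passing through the hijacker.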
As the Internet has matured, so too has the approach to routing. Specific failures have necessitated the creation of new methods for determining trust in routing relationships. Much like in other areas of technology, these solutions often end up shoe-horned and inadequate, with holistic change a coveted but unrealized ideal. The introduction of RADb and the expansion of IRRs in general were meant to lessen the impact of routing failures. Since IRR data is opt-in, used only for verification, and maintained in parallel to the actual Internet routing table, any network provider that does not require it of their downstream networks breaks the chain of trust. It is also the downstream networks’ prerogative to trust upstream announcements and filter their inbound routes as needed.
In the next article we’ll discuss the eventual and slowly deploying solution of RPKI, which is to global routing trust what DNSSEC is to namespace trust.
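The chain-of-trust point about IRR filtering can be shown with a small model. The following is an added example, not code from the original article or from Farsight. The route objects, AS-set and provider chains are constructed, and the filtering policy used (accept a registered prefix, or a more specific of it down to /24, only with the registered origin) is one common IRR-based policy rather than the only one. It shows a hijacked announcement being stopped by any provider in the chain that filters against the IRR, passing unhindered when none of them do, and, on the downstream side, the simple inbound rule of never accepting a route for your own space from an upstream.

```python
"""Model of IRR-based route filtering along a chain of providers.

Added example (not Farsight code).  Route objects, AS-sets and chains are
constructed; the policy is one common IRR filtering policy, not the only one.
"""
import ipaddress

# Constructed IRR content: route objects (prefix -> origin) and AS-set members.
ROUTE_OBJECTS = {
    "203.0.113.0/24": 64500,   # the victim's registered route
    "198.51.100.0/24": 64501,  # another customer of the same upstream
}
AS_SETS = {"AS-UPSTREAM-CUSTOMERS": {64500, 64501}}
MAX_PREFIXLEN = 24  # do not accept anything longer than a /24


def build_prefix_filter(as_set):
    """Prefixes an IRR-aware provider would permit from members of as_set."""
    members = AS_SETS[as_set]
    return {ipaddress.ip_network(p): o for p, o in ROUTE_OBJECTS.items() if o in members}


def accept(prefix, origin, prefix_filter):
    """Accept only registered prefixes (or more specifics down to MAX_PREFIXLEN)
    announced with the registered origin.  Like any origin-based check, this
    still passes a forged AS path that ends in the registered origin."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > MAX_PREFIXLEN:
        return False
    return any(net.subnet_of(reg) and origin == reg_origin
               for reg, reg_origin in prefix_filter.items())


def propagates(prefix, origin, chain):
    """Walk an announcement up a chain of (provider, filters_with_irr, as_set).

    A provider that does not filter passes everything; the first filtering
    provider that rejects stops the route.  Returns the name of the provider
    that dropped it, or None if it reached the global table.
    """
    for name, filters, as_set in chain:
        if filters and not accept(prefix, origin, build_prefix_filter(as_set)):
            return name
    return None


def inbound_reject_own(prefix, own_prefixes):
    """Downstream-side defence: a route for your own space learned from an
    upstream can only be a leak or a hijack, so refuse it."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(p)) for p in own_prefixes)


# Constructed provider chains, bottom (closest to the announcer) to top.
ALL_FILTER = [("upstream-1", True, "AS-UPSTREAM-CUSTOMERS"),
              ("transit-1", True, "AS-UPSTREAM-CUSTOMERS")]
NO_FILTER = [("upstream-2", False, None), ("transit-2", False, None)]
LATE_FILTER = [("upstream-2", False, None),
               ("transit-1", True, "AS-UPSTREAM-CUSTOMERS")]

if __name__ == "__main__":
    for label, chain in (("all filter", ALL_FILTER), ("no filter", NO_FILTER),
                         ("late filter", LATE_FILTER)):
        print(f"{label:12} victim:", propagates("203.0.113.0/24", 64500, chain),
              " hijacker:", propagates("203.0.113.0/24", 64666, chain))
```

The `LATE_FILTER` chain is the interesting one: the hijacker’s own upstream does nothing, but the next provider up filters that upstream against its AS-set and still catches the announcement. The chain is only as strong as the hops that check, and it breaks entirely when none of them do.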
The easiest target for a netblock hijack is one that the Internet has forgotten. If nobody is in the forest, nobody can hear the tree fall, but it will certainly make a sound. An example of this is snowshoe spammers. Their main tactic is to identify unused netblocks belonging to large organizations and hijack them with more-specific network announcements. Their intent is to use the IP space temporarily, on the order of hours, send as much spam as possible before they are identified by the anti-spam community, then switch to the next block, and so on. The burden of mitigation remains on the targeted third parties, since the organization whose address space is being misused probably doesn’t know about it.
The largest group of netblocks subject to successful hijack belongs to small to mid-size organizations that have limited resources to identify and mitigate the threat. They are farther down the routing food chain and may have to work through a few layers of their providers’ tech support, and those support groups may be unequipped to understand, much less rectify, a hijack of their customer’s IP space. This also assumes that the organization has a large enough footprint on the Internet to notice a split horizon without specifically monitoring for it.
A much murkier type of hijack is the sovereign or state-sponsored hijack. With this type there are two possibilities. The more common results in censorship of in-border access to the external Internet. This isn’t just a simple firewall at a country’s digital borders, but a complete redirection of traffic to provide monitoring, interdiction and other capabilities for authorities in that jurisdiction. The less common involves accidental or malicious announcement of IP blocks to the Internet. An example of an accidental hijack is the Pakistan government’s hijack of YouTube.
In this first article of the series, you learned what hijacking is, how it can happen, and some of its more common symptoms and effects. In subsequent articles in the coming weeks, we will delve into specific ways to identify and mitigate IP hijacks.
¹ There is a broader definition of IP hijacking here.
Dave Hauser is a Senior Network Engineer and Ben April is the Director of Engineering for Farsight Security, Inc.
Read the next part in this series: IP Hijacking, part 2