Blackhat USA 2015: BGP Stream Presentation

4. 4 •  Network of Networks, it’s a Graph! •  Each organizations on the Internet is called an Autonomous system. •  Each node represents an Autonomous system (AS). •  AS is identified by a number. •  OpenDNS is 36692, Google is 15169. •  Each AS has one or more Prefixes. •  36692 has 56 (ipv4 and IPv6) network prefixes. •  BGP is the glue that makes this work! Result is a topology map of the Internet Internet 101 & BGP

5. 5 andree@rtr1.syd> show route protocol bgp www.facebook.com inet.0: 528878 destinations, 1095067 routes (528873 active, 3 holddown, 12 hidden) + = Active Route, - = Last Active, * = Both 179.60.193.0/24 *[BGP/170] 2w6d 21:16:18, MED 0, localpref 100 AS path: 32934 I > to 202.167.228.39 via ge-1/1/9.0 [BGP/170] 1w6d 02:04:04, localpref 100 AS path: 4637 1221 32934 I > to 210.176.38.1 via xe-0/0/0.0 [BGP/170] 4d 21:09:54, MED 0, localpref 100 AS path: 2914 38561 1221 32934 I > to 202.68.65.149 via xe-2/0/0.0 Example BGP troubleshooting How do I route to Facebook?

6. 6 Recent High Profile BGP Incident Examples BGP hijack used for spamming BGP hijack used for ﬁnancial gain (bitcoin hijack) BGP hijack by Hacking team Large scale mulC day outages in Syria and Egypt BGP hijack by Turkey to censor popular DNS resolvers Many more accidental BGP hijacks

7. 7

8. 8

9. 9 High level Architecture BGP Stream analyzer BGP data Classifier Notification Expected Support for: IPv4 & IPv6 16 & 32bit AS numbers Expected state: •  Preﬁx / Origin AS •  AS relaCons •  Historical info •  GEO info •  Whois info •  Etc. Observed BGP data from hundreds of BGP peers globally

10. 10 BGP Stream Classifier BGP data •  Expected Origin AS vs. Detected origin AS •  Existing Business relationship? •  Does Detected AS announce other Expected AS prefixes in BGP •  Is there an existing peering relationship •  Did Detected AS recently announce Expected AS prefixes •  Exclude well relations and ASNs (i.e. DoD Asns, special Anycast prefixes). •  Whois information •  Valid RPLS route object in RIR / IRR databases? •  Allocation data •  Name collision in name, description, emails •  Geo Info •  Do Expected and Detected operate in same country •  For US, same state •  Detected by number of BGPmon peers

11. 11 BGPStream Data Visualization Client

12. 12

13. 13 $blackhat there is more.. RUN BGPDNS

14. 14 Requests Per Day 80B Countries 160+ Daily Active Users 65M Enterprise Customers 10K Our Perspective Diverse Set of Data & Global Internet Visibility

15. 15

16. 16 Malaysia Airlines DNS Hijack January 25, 2015

17. 17 MALICIOUS ASN/IP IDENTIFIED Owned by Lizard Squad who hacked PS3 and Xbox Networks in December 2014

18. 18

19. 19 POPVOTE.HK 750 Million DNS requests 1 hour

20. 20

21. 21

22. 22 The Future…. More Tuning and Training Integrate DNSStream into BGPStream portal Build a community of BGP and DNS watchers

23. 23 @bgpstream @dnsstream