So what we're still filtering in the first slide you're seeing is just some silly stuff. But a little bit about the presenters: none of you probably know me. The last talk I gave at NANOG, I mean, rather, DEF CON, was 11. We were still at the AP and it was hot and we were on the roof, and it was bad, and you almost died. I almost died. All right, we almost died. I wore yellow pants just to be funny and then no one got it. Yeah, I don't get it exactly. And so I do internetworking stuff. I like to know how routers work, think a lot about the inside guts, what's going on in code, what's going on in the logic they use. I run a co-location company in Wisconsin; my email address should let you find that. And we do a lot with, you know, anything that touches bits: facilities, power, networks, hardware. And Alex, I think, is much the same. Yep. So are we good? We're still coming in, it's still coming in. So while we're still coming in here, I do want to say something, and this comes from all the speaker staff and most of the goon staff: we actually like you and we like you coming. So thank you for coming, because I can't DEF CON if you don't come. So thank you for coming. Thank you for putting up with the bad food, the smells, both from yourself and others. Thank you for, you know, putting up with all the stuff that isn't so hot for all the stuff that really is awesome. Thank you. It makes it, sir. So you have the con. I have the con. Enjoy. Thank you. This is gonna fucking rock. Okay. So we're here to talk about stealing the internet, as if you didn't know already. So why does this stuff matter? Why is it relevant?
I'm imagining that most of you can see quickly why it does, but we're gonna go through a few points just in case you're one of the media or someone watching who doesn't know this stuff intuitively, or what. So if someone can passively listen to your traffic, that's a big reason to care. We could also then, by knowing what's coming into your network, know what to possibly want to look at, what you're sending things to or receiving things from. So if we see these packets from address X heading to Y, Y as you, we can also hijack X to see what you're sending to X, so we can discover the other half of the communication and further this whole process. We also think this is a relevant thing for you because once the data comes to our network we can do anything. I mean really anything, the sky's the limit. And then the worst part about it, I guess, and one of the more concerning parts, is that as an end user with an end system, without access or touching the core (I use the word core wrong), you really can't affect it. That is, as an end user, if you see this stuff happening, if you can figure out it's happening, as an end user you really can't fix it. And if we do everything right, if the hijacker does everything right, you can't even really tell. And who's using the DEF CON network today? Okay, since 12 o'clock we've hijacked it, and you have a copy of everything you've done and received in New York. What we'll cover today is how that worked, and we'll explain how it worked through a little bit of understanding of BGP. Just to give me a consensus, I really don't want to go into all the details that we've had put into this presentation if I don't need to: raise your hand if you've configured BGP, set it up with a neighbor, done some routing. Okay, it's a minority.
So we're going to talk a little bit about the basic stuff so you can appreciate some of the terms. It's not to bore you with BGP factoids and crap you'll never use; it's so you know the verbs, know the vernacular, know the terminology. We're going to also discuss some actual hijackings that are interesting and have been well publicized, and you can find a lot more about them, even more than what we'll mention today. Then we'll get into the main monkey business and we're going to talk about how our method is different from this hijacking. We're going to talk about how we construct the man-in-the-middle attack on the internet, and we'll show you some pretty pictures. We will then show you stuff in flight. Cool. Yeah. All right, so how does the internet work? There is no core. That's the first misconception. People say "the core"; when they say the core they refer to a collection of networks, they refer to some number of them, say 15 or 20, that are considered what was called transit-free, settlement-free networks, if you will, where they do not pay to reach any other network: either everyone's a customer or a peer. So they don't pay anything; they get to Sprint if they're on UUNET and vice versa. The core, if you will, is made up of these largest of the large networks. They have thousands of edges, thousands of customers, and the interconnection between them becomes what we consider the core. Individual networks in the BGP world, in the internet world, are identified by an autonomous system number, and this ASN is kind of just like a tag to say to another network: hey, other network, I can reach IP address prefix X, I can reach block X. The IP information that you can convey to me is just tagged against, or if you will indexed against, that identifier, that ASN. It contains, again, the prefix we're talking about, the path we get it. So we have this thing that's, if you will, constructed as routes propagate through the net, called the AS path.
That's part of the announcement, and this AS path is simply a list of the networks the route has been learned across. So if you are an end user looking at a route coming from Verizon, you might see your provider's upstream AS number of something with five digits, because they're a newcomer and they're not that experienced, 40,000-whatever; the next AS might be, you know, 6461, then 701 because the customer comes from UUNET. Okay, example, but the AS path is a cumulative thing. And the reason that the AS path is interesting, one final point before I go on, is that it's what is used in BGP to avoid having routing loops form, and our interesting method actually uses that to our advantage. So one of the important tenets to understand as well, I think we're all going to catch it, is that the longest prefix wins. The longest prefix is the most specific way to reach a certain collection of IP addresses. If you have a /16, that is less specific than a /18. If you have a /24, that's a lot less specific than a /30. And it's within the slash; that denotes just the number of bits masked off in the network portion versus the host portion, if you will. So if a /24 was cut in half, a /25 would be the bottom half and top half. Okay, the /24 is less specific than the /25. So remember that. Now this is a scribble I found for you. This is the internet, son, on a whiteboard, and it happened to photograph well, and the guy at the jungar net put it up. So thank you. You can look at this offline; this stuff is posted. We're not going to talk about all the elements here, but if you follow it through, it's showing an iBGP mesh in the bottom left, their provider giving a default route to AS 100, 200 and 300, and they're re-announcing their own prefixes back up to that parent AS. Great. So in the BGP world and network world we have relationships between networks, and we're going to talk a bit about those here. The first relationship, which is kind of the crux of why this works, why we can get our route
around different networks, is because they peer. They exchange that reachability information. Verizon needs to tell Sprint that, hey, I have a customer /24 or a customer /20, here it is, here is the IP next hop that you'll use to reach it, install that to your routing table, thank you please, and it does so. And peers, typically at the level we're talking, just the reason it works out is because if they had to pay each other, they would not want to deal with the volume of money required and it would be senseless billing. So in most of the core, most of the largest settlement-free ASes, the peering has always been maintained close to one to one; they try to balance traffic out among multiple locations, and essentially this is what forms the collective of reachability. The other relationship that's prevalent, which we're going to talk about from the perspective of how we get our routes into the network, is the customer aspect. If you're in a customer relationship, you pay someone simply to take your announcement and give it to everybody else, and then also give you access on some amount of bandwidth, some amount of connectivity. Now importantly, on the actual amount of information you're exchanging, the actual prefix: when we announce a route we expect that it's going to get handed off from our upstream provider to all other providers, and they just won't step on it. They won't filter it.
They won't reject it, and by expecting that, we engage the interesting trust model. And that means that once it gets towards these central networks, the largest, say, 10 or 20 that peer with everybody else, if you get to one you essentially get to all of them. This means that there is a chain, an interrelated chain, for us, but it doesn't necessarily mean anything about the address they've been given. There's no way for them to know that that's my IP address necessarily, more than I can prove on paper. You can look in WHOIS and say, okay, well, Tony from this email address is asking to route a block registered to a different company. Ask us for a letter of authorization, and I could fake that too. This is just how it is. And IP addresses have as a fundamental property in the internet routing world, how it works out, is ICANN initially assigns /8 blocks to regional internet registries: ARIN, RIPE, AfriNIC, JPNIC, LACNIC, whatever, assigned then to their regions of customer handling, if you will. In this country, it's ARIN. And then the RIR assigns to ISPs, or LIRs like in RIPE regions. So ISPs get their IP address assignments from ARIN in the United States; ARIN gets their blocks from ICANN. And interestingly, when you get an IP address range from ARIN, there is no direct association between that IP range and your ASN. Now in some cases, like in our company's case, in 5NINES's case, we happen to have an ASN that's got all of our contact information on it and registered to us, and our IP blocks. In some cases we take on customers who have their own IPs registered to their own companies, but they have no AS number, they have no network identifier, so we go ahead and announce that space for them. And no one says no, because we just tell our upstreams basically on a handshake: this is okay. And they have to really take it, or we don't get to, you know, we don't get to send traffic to them.
They can't bill us for the traffic and no business is conducted. So because of these states, because of the way these things are, it creates interesting problems for the operational aspects of the network. And one of the ways to stop the problem that we're going to talk about is through filtering: what you send to a provider, and what they send to the customer, and what providers send to providers. From a customer point of view, the problem we can see is that often your upstream provider doesn't do much at all, doesn't hardly filter anything. They might set a certain number of max-permitted prefixes. They might say you can only send us 300. They don't want you to leak them a full table, is what they're saying. They don't want you to give them 200,000 routes and then flood them with the copy of the internet from your perspective. And sometimes they'll filter on the AS path. So let's say: we'll only take routes that are claimed to come from your AS number, and not something beyond that, or not a set of hosts that we don't know beyond that. So this is normal in smaller carriers, in smaller locations. They can often get away with a higher-touch feature like individually allowing each IP address, static prefix lists. But generally, as providers get larger, you don't see these types of things. Sometimes they'll even check you out if they have a person dedicated to doing it. And in larger carriers, between them, they will typically have internet routing databases where you can build prefix lists, build filter lists between networks, and these kind of, you know, solve a lot of the problems, but don't address the ones we're going to pick at today. So when you peer with someone, this is even worse than a customer. Customers have some filtering, some sanity checks, but when you peer with another network, if UUNET peers up with Telia, there's so many customers on both networks, and a definite company and business interests are not exchanging all that detail.
You don't want to know who's using who; they don't want to give that business information up. There's no interest then in building comprehensive, detailed filters to say, okay, UUNET, only hand me routes that we know you have customers for, and restrict the stuff that pile o and teacup are selling you, that's wrong. They don't do that. It's really not tenable. So we have an avenue. Now even better, if a provider happens to use a certain range of IP addresses internally, say they have 146.20/16 assigned to a bunch of web servers, some providers will not be smart enough even to filter, from other customers and other upstreams, their own IP addresses. So imagine this: imagine someone's got a /16 on the net and you go and announce a /20 of IPs that they're using internally. They would often accept this and pass their own legitimate traffic out to you in lieu of their own internal machines, just because they don't filter their own IP addresses on input. It's great. So the routing registry is a match puzzle that no one seems to like, and I'm blaming them. That was a horrible book. So the way that the registries work today is that people go and pop their entries into these databases. You go and say, hey, this company name, this AS, claims to have this stuff, and once you do that it flies around the world. IRR servers mirror other servers; it's kind of a community of folks that do this. And filtering on this mechanism will help stop the macro problems. It'll stop UUNET from leaking routes from Sprint when they shouldn't, because it's clear who's got what general blocks, who's got what kind of interconnections happening.
You should never see X behind X, because you peer with them directly, for instance. But it doesn't get that far. So sometimes, when you want to do this at scale, you have certain problems. If you are a sufficiently large network, you're gonna have tens of thousands of customer routes, and perhaps hundreds, and if you wanted to have everybody else build filters to only accept what you tell them is actually a customer, they would have to put that in and take that load on at every router in the network that touches your network. It could be 50, could be 30 routers, could be many, many sessions globally, and at scale filtering aggressively is challenging because of that. Now imagine a filter list per peer at each router, 23 times over in your network, just sitting there in config space. Cisco can't really hold this in NVRAM; you have to source them from TFTP for a boot, often. It's kind of a conundrum. Juniper has some solutions, but no one's really deploying it broadly to my knowledge. And the worst of this is IRRs aren't maintained terribly well. When people put a route in they rarely ever remember to take it out when the customer is gone. Oops. And even better, they are incredibly insecure; almost anyone can just go toss anything in and do it, and we'll show you. This is how we successfully got the route that DEF CON uses, 24.128.56.0/22 actually, wasn't it? Well, this is the /24 we registered and hijacked. It comes from a parent /22. If you look in BGP, 24.128.56.0/22 is actually the bounding prefix. But what you'll see here is on August 7th, 2008 at 9:48 p.m. we told ALTDB: hey, AS26627 can route that IP address. And anybody who uses ALTDB to build their filter lists now thinks that we're valid. We didn't even have to attack anything. It's not like we did social-engineering shit. You just set it. It's like, hey, big teller, how about a grand?
So this stuff gets you to the point of being able to announce IP space you don't belong to, you don't have the right to use, but you can still do it; no one's stopping you. And further, you can do really cool stuff that we're going to show you in a bit. But there are the uses for hijacking when you don't... why would you break things? At one point it was difficult to get address space quickly, and so folks would often just take it. People still use this stuff. People announce IP space, use it for a few hours, send a bunch of spam, do a bunch of phishing sites, blast wherever they're going to blast, and go away. And the favorites here are using unallocated address space, so things from blocks not assigned by ICANN to an RIR or LIR yet, things that aren't assigned to ARIN yet. You think of some blocks, Alex, like, is it 46/8? What's a block unassigned you like? 46? 46. Like 7? I think. So there's a number of /8s that ICANN hasn't assigned to people, that aren't assigned, that you can go ahead and use and have almost no repercussions, because there's no WHOIS entries for them. They point to IANA, to ICANN. So who do you complain to? You know, WHOIS the address from this block, and it's not going to give you anything useful or actionable. And that's a good thing if you're a spammer, apparently. And also you just can't get the complaints in the first place. So you can also use jacking, or hijacking of a prefix by announcing more specifics, to cause a real outage. And in certain industries this is pretty popular. If you're an adult site that makes money on initial signups and customers never come back, you really want to have most of the meetings you can have, and by keeping your competition away from the customer base, just by a numbers game, you end up winning. So if you can hold them down for a few hours a day and not spend a lot of traffic on it, no denial of service attacks for botnets to have to do for you,
this is a low-work way to hold them down, and this goes on, but it's not very popular. It doesn't get you something; it helps you if you've already got a process that benefits you by suppressing another. The best part about jacking could be, if you didn't want to do any of the other nastiness, would be to put up fake websites for blocks that are in use, like for example 128.121.146.0/24. That /24 is for Twitter. I could think of a ton of better sites to put up. I mean, couldn't you? He repressed, and so naturally we have to wonder what we are doing in terms of whether this is legal or not, whose turf are we trouncing on. And the first question you have to ask is, if it's unused space, unallocated, and ICANN quote-unquote has authority by some ridiculous amount of paperwork proxies stemming from DARPA days, who really owns it? If no one's using it, who can notice to care? Further, it's just a number. It's not like it's IP. It's not a business process. You can't patent an IP address. You can't own them; as an end user you're assigned them, and the provider that assigned you that address doesn't own it either; they got it from their IRR, or rather RIR. And so up and down the chain there's no real solid ownership, and so that's confounding. And as far as we're aware there's been no prosecutions, no traction in, you know, bringing one to some sort of justice at all, and people know the actors, yet nothing goes on. The worst case is that your bad stuff is seen and they pull your pointers and maybe your upstream's turned off. So, the real cool stuff: how do you do it? So the first method for hijacking: back in the day it was popular to go traverse WHOIS records for subnets and find any that didn't have a valid domain name, and programmatically that was pretty easy, scripts, right? Any NX returns, want to look at those again?
Go register that domain. This will become that domain. Change the contact information with ARIN, now that you have the valid domain. Or just announce it. Just take it, forget doing it proper. And in many ways this is fine, because people just don't care enough to filter. We kind of covered the problems with doing it at scale. And anyway, they want to do business with you. Upstream providers want to route that IP space if they can reasonably guess and be sure that they're not going to just go out of business because of your one-act, one need. Interesting history. Anybody remember this one? AS7007, 1997. So this is us. This is back when the internet was a handful of routes, you know, versus as it is today. Maybe a few thousand routes. And we were using RIP internally, Routing Information Protocol, which did not understand classless stuff yet. Well, you know, it did, in '97 RIP two did, but in this case these guys somehow redistributed BGP into RIP, which cut everything up into /24s, which wasn't what was in the real table; they were longer. And then they redistributed them back to BGP to Sprint, and all the traffic for most of the internet chose that more specific path through Sprint, DoSing Sprint and overflowing router memory that couldn't handle that many routes. It was a great day. 146.20: forging, stealing. It was literally forged and stolen by a person that was then handing out /20s to a bunch of his friends. It's pretty cool. 166.18 is an interesting story: the Chilean police actually got jacked twice, the most notable one by a company in Nevada, Gobierno de Chile LLC. So literally, people, you know, it's thug-on-thug hate out there, even in IP jacking. Now, interestingly, if you're interested in this kind of tracking-the-bad-guys kind of stuff, completewhois.com is a somewhat canonical resource. This guy's mission,
it seems, in life is to track these things, and for reasons that we suspect in the comment in the slide. And so, aside from directly interested stuff, this stuff does happen accidentally, like the AS7007 back in the day. And one of the more recent ones that's interesting, of note, people in accidental hijackings, we're going to go ahead for one sec. When YouTube went down in early February, okay? So this one I was willing to spend a few minutes on because we're getting kind of towards the bottom of the hour. The YouTube hijack was clever, rock clever, but interestingly, conveniently accidental. They announced a few prefixes, some /24s, /22, /20 and /19. So Pakistan's government one day decides, hey, there's some bad stuff out here, we need to block a few IP addresses, and somehow that turns into blocking a whole subnet. We don't know how that happened. Then Pakistan Telecom nails up a more specific route, a /24 out of the /22, which happens to be, we're like, I think the main content portal, and then it redirects you to the actual video content, CDN nodes and whatnot. But the original input node lives in that /24. And so they nail it up to null0 to discard it, which is a fine way to filter it at your borders. Unfortunately, it somehow ends up in BGP, and even worse, because PCCW doesn't fucking filter, it ends up in their table, and because PCCW peers with all the big guys, it ends up in the whole fucking internet. So now YouTube is down and they get nothing; they go to Pakistan and they get timeouts. It's great. If only they had thought about putting up a fake site with some useful content. So the response was to try to win by a longer prefix. They announced a /24 again; they had a /22 previously to that. They announced a /24 to try to win the specificity and they announced some /25s, and /25s are propagated on people who, again, don't filter. Most folks filter at /24 length.
That's a standard practice going back for a while, but you can pay larger providers to internally at least take /25s, and so they try that and it kind of helps. Doesn't solve the problem. So PCCW finally turns off Pakistan Telecom two hours later, just shuts down the peer, and that seems to resolve it, and after things reconverge everyone's happy again. They're back watching YouTube, fat and happy. You guys aren't any of those, so we're fine. So here's the actual notice from the government. It only names three IP addresses. Yet again, that turns into a clusterfuck internally and becomes a /24 and it leaks to the world. So we think it was unintentional. So people who do look at hijacking more interestingly, critically, than we do here do exist, and they happen to go to NANOG, the North American Network Operators' Group meeting. Anybody go to NANOG? Oh, I know you. So it's a great meeting. I recommend it to anyone who cares. And with a little bit of help from our friends, I think we have some Bombay type people and Sapphire and all that, we then have exercises emerge out of those moments. And so we tried some random shit recently, and one was to announce 1/8 that actually got to most of the world; 146.20, for old time's sake, got to really pretty much all the world; and then we tried things just for the heck of it longer than /24, and almost half, in some cases down to the individual IP addresses, /32, worked, globally speaking. We also tried some funky stuff to try to break routing table tree construction. I'm not sure if anybody knows a little bit about CEF, but in some cases the way the route resolution happens in this memory structure is indexed on the length of prefixes. By having a zero-length prefix, this resets the root of the tree, causing the entire thing to be recalculated. It's a big heavy operation, and if you announce them and withdraw that, say, every few seconds, you can really cause some problems. So we tried 0/8 and 0.0/16,
and it got some places, only four or five routers. So things actually seem to not take it, smart. We also tried a /0, which shouldn't work, and it used to crash some JunOS stuff. That didn't get very far either. So it's been fun. This all means really that to deal with these problems is a somewhat complicated state of affairs. No one wants to go and push really hard for excessive amounts of work to do PKI or some sort of certificate chaining model to sign your routes, or sign your ASN plus your routes, and then a way to verify that. It adds a lot of extra work, and we're just ramming forward, scaling the net so fast and furiously, we just don't think we can do it collectively. And again, back to the weakest link problem: unless everybody does it, there's at least one ingress point, you are kind of screwed. And even if there are no ingress points and it's all well filtered and you have these wonderful IRRs, now we have the whole trust problem of who can contribute to those lists in the first place. So to deal with it, we have some solutions.
There are some automated systems that at least can watch announcements from various vantage points on the internet and tell you, hey, something has happened within the range of addresses that you care about, and they can let you know someone possibly is hijacking your space. The best bet today to try to do the right thing is to register your ASN and prefixes in some sort of RIR, and maybe eventually it all starts being used, but if no one uses it yet, it's never going to happen. The other problem with this little attack that we're going to talk about and show you is that you still, on an IP level, on a layer 3 level, can be invisible, you can be essentially passive in the path, but your BGP aspects are still quite visible. So the hijacked route, to just have that work, necessarily has to be visible. Now it'd be ultimately interesting to try to hide that; we haven't fully thought through the whole problem space, but what we're doing today doesn't hide the fact in BGP. We are announcing something within a larger range of somebody else's something. So did anybody notice anything strange happening around noon today with the DEF CON network? I guess not. I guess nobody noticed. So, and further, if security is interested in being tight, yet the stuff that we see that's popular doesn't actually cause any problems, was it of value to do in the first place? If it's working and no one's complaining, why are we spending money on that? Every executive asks the question. We can't tell them why other than that. So say you do get hijacked. The interesting state of affairs is that once you find out you've been hijacked, you get to just basically yell at your upstreams. You could be an end user on Sprint on a T1 or a DS3 or something, and be part of a larger /16 or /18 in your region, and a narrow /24 around you and a couple other customers happens to be hijacked. Well, the entirety of the prefix is not disturbed, nobody else is down, and if the actual revenue or the value of those connections isn't very high,
it's hard to get a good response. It's just the nature of things. So the scale of the stuff ranges from minutes to perhaps hours and weeks. If you're like a YouTube kind of consumer of the resources, of bandwidth, of networking, you can get attention quick and in a couple hours find the right people; the communities are quite small. I see the NANOG shirt now, and I understand if you know people, and you certainly would. Contacting the NOCs is easy to shortcut the customer service, for your morale. They're not going to help you. I can understand what this stuff really means as much as someone who runs BGP, and so you should compare it to something that's more relevant: trying to have someone stop a botnet flooding your server. It's about on par with that. You know, ask them nicely. Maybe pay the ransom. I don't know. Okay, so pulling it down from the first half hour of nonsense. This means that you can have a whole lot of laughs and lols. You can combine things, and Dan Kaminsky and Jay and a couple other folks even alluded to this: imagine that if you had a man-in-the-middle attack using our mechanism and could monitor the return traffic to a client, imagine all the wonderful stuff you can insert in JavaScript land and images land and controls land and Flash, everything else, all of it. Even better, no reason to even try to set up a connection or poke at stuff actively if you have the packets in both directions. So the other interesting point is this gives you, again, a level of invisibility, as you'll see, that isn't paralleled. Typically if you want to be inline with someone you have to go to the provider, or somewhere near the edge, near the constriction, and it's even worse if that person you're trying to work on has multiple connections right to their edge.
They could have a couple DS3s to their site. You have to monitor both or somehow work on both; you can't get in a building. So this solves the problem in a far more elegant and very much less intrusive way. So by man-in-the-middling the stuff, and by jacking prefixes and doing everything else, you can also discover passively who you're talking to. From a traffic analysis point of view, it could be very valuable to know about endpoints that are VPNing to you all the time, people at home working from home on static cable or DS3, cellular, what have you, people that you have tunnels to on static office endpoints. Not knowing the particulars of the inside tunnel traffic is one thing, but merely knowing how you communicate, what you're doing, is another. Further, if you want to just break selective traffic this way, you certainly can; again, half the communication comes through us, pretty much average for protocols, two-way. So if you want to really mess up a sales staff, maybe you take out IPsec and leave everything else working. I don't know. Best is global reach from a local perspective. You can hijack stuff from China to the US. You can do it the opposite. So perhaps it's more concerning, and again we've kind of alluded to this, but how do you know it's not already happening? It's something you can't even tell. Who's on a laptop right now? Who's on a computer? Try traceroute-ing to your address at DEF CON and out from DEF CON. Well, you can. Oh, come on. That's so disappointing. Who's brave enough to put their damn Wi-Fi on? I mean, I agree, we have that though, in a VPN over that, so I mean I don't blame you, but come on. Well, I'll bounce back; traceroute back in. You'll see what we mean. We're gonna go on with what we're doing, though. So, well, you can go to whatismyip.com and get it yourself, please. Oh, that's the total tour experience, isn't it? Okay, so what's new about this hijack?
This is the good stuff; you can start listening again. So the change here is: we originally route out like we always did, that's not the change. We went through the usual means: through a longer prefix, that is a more specific route, or a shorter path if we can, if you have multiple places to announce out from. We don't have to have a longer prefix; we can have the same /24 and just win through numbers. That's rare; not many attackers have a coordinated set of 16 data centers or whatever. And so as long as we attracted a majority of the internet to us, we consider that a win.

And yes, so our method. Okay, this is the cool part, this is where it gets interesting. To do more than hijack and handle the traffic locally, to pass it back out, you need to somehow get the packets you receive back to the actual target, and for a long time that was hard. You thought about it, thought about it, thought about it, then this bright guy actually somehow came to this. You want to talk about that part?

Right. So the problem is that once you hijack the traffic, you get it back to you. How do you get it back to the target? So the question is, how do you tell the routers in the middle between you and the target not to take this route? And we use the BGP property that routers will not accept a BGP advertisement with their own ASN in the path. So what we do is we say that this route actually came from the target. Don't give it away yet. The other option was telling it back there; that's not so great.

Reply path, yes. You can't wait too far ahead, so anyway, we want to use you as a reply path. If we don't use a reply path this method doesn't work; we're back to where we are right now. You can jack a route, you can't make it keep working, you get noticed, things get fixed, you're out of the loop. So let's hijack with the man-in-the-middle method. So first you've got to know some stuff. You're going to know what your current path to that target is. Does it go out from you to some ISP, then some other?
It certainly does, but you know that ahead of time. Track that, then figure out the AS number of each ISP that you've traversed; it might be two ISPs, four, could be six, whatever. Record those. Then as you announce the hijacked route, apply AS path prepends naming each of the ASNs you're going to use for the current reply path, and on into the future. This means that the path you're forwarding on right now, which the internet follows, is going to remain in place. Then you nail a static route for the prefix you're hijacking to that same neighbor. The syntax is a little bit dense. So, done: now you are the man in the middle, you are there. You're announcing the hijacked route, you're getting it to you and back out.

But the pictures are worth a thousand words. So first, the target ASN. He's routing 10.10.220/22, and so he announces that to AS 20, to 30. That route propagates, it propagates, it propagates; a random user sees 10.10.220/22 through this collection of crap. If you were to look at the forwarding databases on the routers, the actual forwarding entries that say where to put packets to a certain destination, you'd see those blue lines indicating the route taken back towards 10.10.220. So we know that we were forwarding out from the attacker ASN towards 10 and 20, so we're going to plan to use this reply path when we build our hijacked route. So when we do this, what we're going to name is the three autonomous system numbers: we're going to name AS 10, AS 20 and 200. Now, why we would want to have AS 200 not take our hijacked route as well is a bit more subtle; I'll get to that in a moment. But we minimally need AS 10 and AS 20 not to forward to us once we start hijacking that route, or else we can't get the traffic back to the users; we can't make it transparent. So let's set up our actual hijacked route in Cisco land. This is what it'd look like: a route map that actually matches our announcement, our /24. Again, we're taking a longer-prefix win here.
So we'll get all the traffic. We're then saying in the route map, which is probably too small a font to read, I'm sorry, this will be up online, that we prepend 10, 20 and 200. So as our route goes out to AS 40, AS 60 and AS 10 and then propagates outwards, the actual forwarding path that emerges is reversed. So as you see, we suck in all the data from the 40, 60, 30 and 50 ASes and then apparently pass it back to AS 10 and 20. AS 10 and 20 keep forwarding as they always did, so we lose those customers, we lose those users, we can't hijack them. So that's a caveat: clearly anybody in the reply path obeys the normal, natural forwarding towards that /22. The people who actually see our /24 are the ones who don't cause the AS path loop detection to fire on the router, and that's it. That's the piece. What's that? Of course it works.

So this lets us take in that /24 everywhere, basically. This map can't show all the ASes, as there's like 25,000 of them active. So you only have two or three between you and the target typically on the well-connected internet of today, so that's a small number of people not to catch in your net compared to the rest of the internet. So once you have that route jacked and the forwarding is kind of ready to go, you put a static route, again, back in towards that neighbor, AS 10; 3.2.1 in this case is the far side of a /31. And that's it. Those two configs do it.

So it's nice, but it creates interesting stuff if you traceroute. You see this big hairy list of a path into this weird network somewhere distant from where you're intending to go and then back out, and it just makes the path look crazy, and it'd be pretty obvious. So it's time to do some TTL hack moves. So we want to do this because you can then hide our devices handling the traffic, and a lot of you who know like iptables or tc or whatever on Linux
know you can mangle TTL just fine at any stage of the game, PREROUTING and POSTROUTING, whatever. And our choice here was to add TTL. So what's this do for us? It hides all of our inbound paths, essentially, and outbound. So now you don't even know we're inline. We've attracted your entire traffic set for whatever we announced and you just don't see it. You might see higher latency, or we're further away from you than you normally would be, but you don't see our hops. You can't call anybody about it. That's the point.

So without hack moves, you probably can't read that, but it's 23 hops from Madison to New York, then out Pilosoft, then out and layer, then out Limelight back to Switch Com group, which is the ISP for the wireless to the building. Okay, 23 hops. So with TTL hackery, now it turns into 13. Ten of them go away. That's kind of cool. So right there the traffic disappears after Savvis and then just shows up in Switch Com group. How's that work? "It's 50 milliseconds further away; it must be MPLS," they'll say. Those hidden hops, they don't decrement, right? No, no, PHP in reverse, right? And that's it.

Now compare the unjacked path to the jacked path. I'm gonna read this off; it's probably too small to see there either. The providers you see from a Madison, Wisconsin perspective towards DEF CON, towards this place, are through AT&T to Limelight to Switch Com. With the jack in place it's AT&T to Savvis to Switch Com. No different, no weird; Savvis is a normal SP, Switch Com, you know, Switch Com buys from those guys. So it's not unexpected that they could go through Savvis, and why it looks that way for a certain /24 out of a /22, as a user you just don't care. You're not gonna investigate that, most likely, and very few engineers even would; I know several of them. So now it's time for the demo. So we had these prefixes hijacked and the traffic redirected to our Linux box in New York, and let's see how much data did we get to collect.
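An added worked model of the two tricks described above; this is not code or config from the talk. It simulates a tiny path-vector network to show why prepending the reply-path ASNs (10 20 200) keeps AS 10, 20 and 200 on their normal route while the rest of the net takes the attacker's /24, what goes wrong without the prepend once the static route points back at AS 10, and what a traceroute sees once the interception hops add back the TTL they decrement. The topology, the attacker ASN 100, the prefixes 10.10.220.0/22 and /24, the victim address and the hop names are all constructed for the example; the Linux knob the talk refers to is iptables' TTL target (`-t mangle -A PREROUTING -j TTL --ttl-inc 1`).

```python
# Added model (not the talk's code): AS-path-prepend hijack with a clean reply path,
# plus TTL mangling that hides the interception hops from traceroute.
import ipaddress
from collections import defaultdict

ATTACKER, TARGET = 100, 200                          # AS 100 is an assumed attacker ASN
COVERING = ipaddress.ip_network("10.10.220.0/22")    # assumed target block ("the /22")
HIJACK = ipaddress.ip_network("10.10.220.0/24")      # attacker's more-specific ("our /24")
VICTIM = ipaddress.ip_address("10.10.220.5")         # constructed address inside the /24

# Constructed links: target sits behind AS 20 -> AS 10; the attacker peers with 10, 40, 60,
# so its own best path to the target is 10 -> 20 -> 200 (the reply path it must preserve).
LINKS = [(TARGET, 20), (20, 10), (20, 30), (30, 50), (10, 40), (40, 60),
         (50, 60), (ATTACKER, 10), (ATTACKER, 40), (ATTACKER, 60)]


def converge(originations):
    """Path-vector flooding with three rules only: shortest AS path wins for a prefix,
    longest prefix wins at forwarding time (next_hop), and an AS drops any update whose
    AS path already contains its own ASN (loop detection).
    originations = {asn: [(prefix, path_as_announced)]};
    returns rib[asn][prefix] = (path_this_as_announces, learned_from or None if local)."""
    adj = defaultdict(set)
    for a, b in LINKS:
        adj[a].add(b)
        adj[b].add(a)
    rib = defaultdict(dict)
    for asn, routes in originations.items():
        for prefix, path in routes:
            rib[asn][prefix] = (tuple(path), None)
    changed = True
    while changed:
        changed = False
        for asn in list(adj):
            for prefix, (path, _) in list(rib[asn].items()):
                for nb in adj[asn]:
                    if nb in path:                 # loop detection: update refused
                        continue
                    cur = rib[nb].get(prefix)
                    if cur is not None and cur[1] is None:
                        continue                   # never displace a locally originated route
                    if cur is None or (len(path) + 1, asn) < (len(cur[0]), cur[1]):
                        rib[nb][prefix] = ((nb,) + path, asn)
                        changed = True
    return rib


def next_hop(rib, asn, dst, static):
    """Longest-prefix match; `static` = {asn: (prefix, neighbour)} models the attacker's
    'ip route <hijacked /24> <AS 10 neighbour>' that pushes captured packets back out."""
    if asn in static and dst in static[asn][0]:
        return static[asn][1]
    matches = [p for p in rib[asn] if dst in p]
    if not matches:
        return None
    return rib[asn][max(matches, key=lambda p: p.prefixlen)][1]


def trace(rib, src, dst, static):
    """Follow AS-level next hops until delivery, a black hole or a forwarding loop."""
    path = [src]
    while True:
        nh = next_hop(rib, path[-1], dst, static)
        if nh is None:
            return path, "delivered" if path[-1] == TARGET else "blackholed"
        if nh in path:
            return path + [nh], "loop"
        path.append(nh)


def hijack_scenario(prepend):
    """prepend=True announces the /24 as '100 10 20 200' (set as-path prepend 10 20 200);
    prepend=False is a plain hijack, which the static route then turns into a loop."""
    announced = (ATTACKER, 10, 20, TARGET) if prepend else (ATTACKER,)
    rib = converge({TARGET: [(COVERING, (TARGET,))], ATTACKER: [(HIJACK, announced)]})
    static = {ATTACKER: (HIJACK, 10)}
    captured = {asn for asn in list(rib) if HIJACK in rib[asn] and asn != ATTACKER}
    return {"captured": captured,                            # ASes whose traffic we now see
            "victim_trace": trace(rib, 50, VICTIM, static),  # an ordinary user behind AS 50
            "bypass_trace": trace(rib, 10, VICTIM, static)}  # reply-path AS keeps its old route


def traceroute(hops, transparent, max_ttl=64):
    """Hops that answer traceroute probes. Hops in `transparent` add 1 to the TTL on ingress
    before the normal decrement (iptables -t mangle -A PREROUTING -j TTL --ttl-inc 1), so a
    probe can never expire on them and they vanish from the listing."""
    answered = []
    for ttl in range(1, max_ttl + 1):
        t = ttl
        for hop in hops:
            if hop in transparent:
                t += 1
            t -= 1
            if t == 0:
                answered.append(hop)
                break
        else:
            return answered                        # probe reached the end of the path
    return answered


# Constructed hop names for the Madison -> Las Vegas path, with and without the detour.
UNJACKED = ["att-edge", "limelight", "switchcom", "defcon-ap"]
JACKED = ["att-edge", "savvis", "nyc-ingress", "nyc-sniffer", "nyc-egress", "switchcom", "defcon-ap"]
HIDDEN = {"nyc-ingress", "nyc-sniffer", "nyc-egress"}

if __name__ == "__main__":
    for flag in (True, False):
        print("prepend" if flag else "no prepend", hijack_scenario(flag))
    print("jacked, raw TTL:", traceroute(JACKED, set()))
    print("jacked, TTL +1: ", traceroute(JACKED, HIDDEN))
```

With the prepend, ASes 30, 40, 50 and 60 take the /24 and a user behind AS 50 is delivered via 50, 60, the attacker, 10, 20, 200, while AS 10 itself never sees the /24 and goes straight to the target (the "lost customers" caveat). Without it, AS 10 accepts the /24 too, so the static route back to AS 10 bounces the packets straight back: a forwarding loop rather than a transparent relay. In the traceroute model the three New York hops disappear and the path looks the same length as if AT&T handed off to the next provider directly.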
All right, so he is showing ls with all of these wonderful things, and the file at the bottom named defcon dump, you guys see that back there? Okay, this is about a gigabyte. Extra. Can you read it? Is it all good? Not too small? Okay. Yeah, so it's like seven gigs. Do it. Yeah, it's like, I know how to use this. This is Unix. I had it in high school. I know this. Who knows the iris? Okay, so for example, right now the packets are going out through eth1 on this box. We can just back up, Alex. So what happens is that the routes are announced from a router; they get to that router; it's static over to a PC, right? And the PC is just doing tcpdump and writing the pcap. Then it comes back out, the TCP rather comes back out the PC on another gig port, back out the router, back out the hijacked return path, or rather the non-hijacked return path. So go for it. Right, so this is your bucket. Let's look at port 53. Yeah. This is the whatever; let's suppress the IP addresses for the heck of it. I mean those aren't interesting, we know where they're going. No, I have no idea how to. Let's just look through the file. Let's do some grepping around and see what we can find.

So we found some MIME attachments coming in earlier on POP with no encryption. That was cool. Expected though. Well, there are some. The sessions that you see here are only one-way traffic; we would have had to do more to intercept packets and convert this one-way conversation into a two-way conversation. We just didn't want to deal with law enforcement looking at us and looking at the passwords that we would have captured. So in our case, we are not capturing your passwords, but we are capturing them if you checked your email over wireless and it was not encrypted. We see it in New York. Yeah, that's important. What? Yes, we could share. This is actually going through the seven gig file on disk.
So it's a little slow. And with hijacking of port 53, essentially, if you had looked at Google, and if we'd bothered to set up DNS spoofing... just ngrep. You can see some actual text once he gets the regexes right. You want to tell some? Yeah, so we could have, you know, since we control this traffic, the traffic comes through us, whatever the responses for Google, whatever, we could have returned any IP address that we really wanted. So forget the race conditions: if you trust DNS, and you probably do, the responses you get to an A or a CNAME are going to be whatever we want. So that could work. So there's a lot of work involved in ettercap and things that do easy man-in-the-middling work. We couldn't get the dependencies met for some of that shit and gave up on a development box, so don't sue us. But this is the proof of concept. So don't tell us IPs you want to have hijacked, don't tell us what you want us to work on, we can't. You can figure it out, probably; take care of yourself. Thanks.