Everything is very bad, or a new type of traffic interception

On March 13, a proposal was submitted to the RIPE anti-abuse working group to treat BGP interception (hijack) as a violation of RIPE policy. If the proposal were accepted, an Internet provider attacked by traffic interception would be able to submit a special request to expose the attacker. If the review group gathered enough supporting evidence, the LIR that was the source of the BGP interception would be considered an offender and could be stripped of its LIR status. There were also some arguments against this change.

In this article we want to show an example of an attack in which not only the real attacker was in question, but also the entire list of affected prefixes. Moreover, such an attack once again raises questions about the motives for future interceptions of this type of traffic.

For the past several years, only conflicts such as MOAS (Multiple Origin Autonomous System) have been covered in the press as BGP hijacks. MOAS is a special case in which two different autonomous systems advertise conflicting prefixes with the corresponding ASNs in AS_PATH (the first ASN in AS_PATH, hereafter referred to as the origin ASN). However, we can name at least 3 additional types of traffic interception that let an attacker manipulate the AS_PATH attribute for various purposes, including bypassing modern approaches to filtering and monitoring. The well-known Pilosov-Kapela attack is the last such type of interception, but by no means the least important. It is quite possible that this is exactly the type of attack we have seen over the past weeks. Such an event has an understandable nature and quite serious consequences.

Those looking for the TL;DR version can skip to the "Perfect Attack" subtitle.

Network background

(to help you better understand the processes involved in this incident)

If you want to send a packet and your routing table holds several prefixes that contain the destination IP address, you will use the route for the longest prefix. If the routing table holds several different routes for the same prefix, you will choose the best one (according to the best path selection mechanism).

Existing filtering and monitoring approaches try to analyze routes and make decisions by examining the AS_PATH attribute. A router can change this attribute to any value when advertising a route. Simply adding the owner's ASN at the beginning of AS_PATH (as the origin ASN) may be enough to bypass current origin checking mechanisms. Moreover, if there is a route from the attacked ASN to you, it is possible to extract the AS_PATH of that route and use it in your other advertisements. Any AS_PATH-only validation check of your crafted announcements will eventually pass.

There are still a few limitations worth mentioning. First, if the upstream provider filters prefixes, your route may still be filtered (even with the correct AS_PATH) if the prefix does not belong to your customer cone as configured at the upstream. Second, a valid AS_PATH can become invalid if the crafted route is advertised in the wrong directions and thus violates routing policy. Finally, any route with a prefix that violates the ROA length can be considered invalid.

Incident

A few weeks ago we received a complaint from one of our users. We saw routes with his origin ASN and /25 prefixes, while the user claimed that he had not advertised them.

TABLE_DUMP2|1554076803|B|xxx|265466|78.163.7.0/25|265466 262761 263444 22356 3491 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.7.128/25|265466 262761 263444 22356 3491 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.18.0/25|265466 262761 263444 6762 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.18.128/25|265466 262761 263444 6762 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.226.0/25|265466 262761 263444 22356 3491 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.163.226.128/25|265466 262761 263444 22356 3491 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.164.7.0/25|265466 262761 263444 6762 2914 9121|INCOMPLETE|xxx|0|0||NAG||
TABLE_DUMP2|1554076803|B|xxx|265466|78.164.7.128/25|265466 262761 263444 6762 2914 9121|INCOMPLETE|xxx|0|0||NAG||

Examples of announcements from the beginning of April 2019

NTT in the path for a /25 prefix makes it especially suspicious. NTT's looking glass (LG) knew nothing about this route at the time of the incident. So yes, some operator is creating the entire AS_PATH for these prefixes! Checking on other routers reveals one particular ASN: AS263444. After looking at other routes with this autonomous system, we encountered the following situation:

TABLE_DUMP2|1554076800|B|xxx|265466|1.6.36.0/23|265466 262761 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.6.38.0/23|265466 262761 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.23.143.0/25|265466 262761 263444 22356 6762 9498 9730 45528|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.23.143.128/25|265466 262761 263444 22356 6762 9498 9730 45528|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.24.0.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.24.128.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.26.0.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.26.128.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.64.96.0/20|265466 262761 263444 6762 3491 4760|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.64.112.0/20|265466 262761 263444 6762 3491 4760|IGP|xxx|0|0||NAG||

Try to guess what is wrong here

It looks as though someone took a prefix from a route, split it into two parts, and advertised routes with the same AS_PATH for those two prefixes.

TABLE_DUMP2|1554076800|B|xxx|263444|1.6.36.0/23|263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|263444|1.6.38.0/23|263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|61775|1.6.36.0/23|61775 262761 263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|61775|1.6.38.0/23|61775 262761 263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.6.36.0/23|265466 262761 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.6.38.0/23|265466 262761 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|28172|1.6.36.0/23|28172 52531 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|28172|1.6.38.0/23|28172 52531 263444 52320 9583|IGP|xxx|0|0||NAG||

Example routes for one of the split prefix pairs

Several questions arise at once. Has anyone actually tried this type of interception in practice? Has anyone accepted these routes? Which prefixes were affected?

This is where our string of failures begins, along with yet another round of disappointment with the current state of the Internet's health.

The path of failure

First things first. How can we determine which routers accepted such intercepted routes and whose traffic could be rerouted today? We thought we would start with /25 prefixes because they "simply cannot be distributed globally." As you can guess, we were very wrong. This metric turned out to be too noisy, and routes with such prefixes can appear even from Tier-1 operators. For example, NTT has 50 such prefixes, which it distributes to its own customers. On the other hand, this metric is bad because such prefixes can be filtered out if an operator filters small prefixes in all directions. Therefore, this method is not suitable for finding all operators whose traffic was redirected as a result of such an incident.

Another good idea, we thought, was to look at EAB, in particular at routes that violate the maxLength rule of the corresponding ROA. This way we could find the number of different origin ASNs with Invalid status that were visible to a given AS. However, there is a "small" problem. The average (median and mode) of this number (the number of different origin ASNs) is about 150 and, even if we filter out small prefixes, it remains above 150. This state of affairs has a simple explanation: only a few operators already use ROA filters with a "reset Invalid routes" policy at their entry points, so wherever a route with a ROA violation appears in the real world, it can propagate in all directions.

The last two approaches let us find the operators that saw our incident (since it was quite large), but in general they are not applicable. Fine, but can we find the attacker? What are the general features of this kind of AS_PATH manipulation? There are a few basic assumptions:

  • The prefix had never been seen before;
  • The origin ASN (reminder: the first ASN in AS_PATH) is valid;
  • The last ASN in AS_PATH is the attacker's ASN (in case its neighbor checks the neighbor's ASN on all incoming routes);
  • The attack originates from a single provider.

If all the assumptions are correct, then every incorrect route will contain the attacker's ASN (apart from the origin ASN), and so this is a "critical" point. Among the true hijackers was AS263444, although there were others, even when we excluded the incident routes from consideration. Why? A critical point can remain critical even for correct routes. This may be the result of poor connectivity in a region or of limitations in our own visibility.
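The split-prefix observation and the critical-point search described above can be combined into one check over dump lines; this is an added example, not code from the original article. It flags prefixes whose two halves one peer sees with an identical AS_PATH, then intersects the flagged paths to find ASNs common to all of them; the function names are hypothetical and the sample lines are copied from the dumps on this page.

```python
import ipaddress
from collections import defaultdict

# Pipe-separated dump lines copied from this page (several peers, several victims).
SAMPLE = """\
TABLE_DUMP2|1554076800|B|xxx|263444|1.6.36.0/23|263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|263444|1.6.38.0/23|263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|61775|1.6.36.0/23|61775 262761 263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|61775|1.6.38.0/23|61775 262761 263444 52320 9583|IGP|xxx|0|0|32:12595 52320:21311 65444:20000|NAG||
TABLE_DUMP2|1554076800|B|xxx|28172|1.6.36.0/23|28172 52531 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|28172|1.6.38.0/23|28172 52531 263444 52320 9583|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.23.143.0/25|265466 262761 263444 22356 6762 9498 9730 45528|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.23.143.128/25|265466 262761 263444 22356 6762 9498 9730 45528|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.24.0.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
TABLE_DUMP2|1554076800|B|xxx|265466|1.24.128.0/17|265466 262761 263444 6762 4837|IGP|xxx|0|0||NAG||
"""

def parse(line):
    """Return (peer ASN, prefix, AS_PATH tuple) from one dump line."""
    f = line.split("|")
    return f[4], ipaddress.ip_network(f[5]), tuple(f[6].split())

def split_pairs(lines):
    """Find (parent prefix, AS_PATH) where one peer sees both halves of the
    parent announced with an identical AS_PATH."""
    seen = defaultdict(set)
    for line in lines:
        peer, net, path = parse(line)
        seen[(peer, path)].add(net)
    hits = []
    for (_peer, path), nets in seen.items():
        for net in nets:
            parent = net.supernet()
            halves = set(parent.subnets())
            if net == min(halves) and halves <= nets:
                hits.append((parent, path))
    return hits

def critical_asns(hits):
    """ASNs present in every suspicious path; the origin (rightmost ASN in
    the dump text) is excluded, as in the assumptions above."""
    sets = [set(path[:-1]) for _parent, path in hits]
    return set.intersection(*sets) if sets else set()

if __name__ == "__main__":
    hits = split_pairs(SAMPLE.splitlines())
    print({str(p) for p, _ in hits}, critical_asns(hits))
```

The result is only a candidate: as the article notes, an ASN can be a critical point for correct routes too, so several vantage points and several victims are needed before the intersection narrows to one AS.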

As a result, there is a way to detect an attacker, but only if all of the conditions above are met and only if the interception is large enough to pass the monitoring thresholds. If some of these factors are not met, can we still identify the prefixes that suffered from such an interception? For certain operators, yes.

When an attacker creates a more specific route, such a prefix is not advertised by the true owner. If you have a dynamic list of all of the owner's prefixes, you can compare against it and find the distorted more specific routes. We collect this list of prefixes using our BGP sessions, because we are given not only the full list of routes currently visible to the operator, but also the list of all prefixes that it wants to advertise to the world. Unfortunately, there are now quite a few Radar users who do not complete the last part correctly. We will notify them shortly and try to resolve this issue. Everyone else can join our monitoring system right now.

Returning to the original incident, both the attacker and the distribution area were found by searching for critical points. Surprisingly, AS263444 did not send the fabricated routes to all of its customers. There is, however, another odd point.

BGP4MP|1554905421|A|xxx|263444|178.248.236.0/24|263444 6762 197068|IGP|xxx|0|0|13106:12832 22356:6453 65444:20000|NAG||
BGP4MP|1554905421|A|xxx|263444|178.248.237.0/24|263444 6762 197068|IGP|xxx|0|0|13106:12832 22356:6453 65444:20000|NAG||

A recent example of an attempt to intercept our address space

When more specific routes were created for our prefixes, a specially crafted AS_PATH was used. However, this AS_PATH could not have been taken from any of our previous routes. We do not even have a connection with AS6762. Looking at other routes in the incident, some of them had a real AS_PATH that had been used before, while others did not, even though it looked like a real one. Changing the AS_PATH in addition makes no practical sense, since the traffic will be redirected to the attacker anyway, but routes with a "bad" AS_PATH can be filtered by ASPA or any other inspection mechanism. Here we start thinking about the hijacker's motivation. At present we do not have enough information to confirm that this incident was a planned attack. Nevertheless, it is possible. Let us try to imagine a situation that is still hypothetical but potentially quite real.

Perfect Attack

What do we have? Suppose you are a transit provider announcing routes for your customers. If your customers have multiple connections (multihome), you receive only part of their traffic. But the more traffic, the more your income. So if you start advertising subnet prefixes of those same routes with the same AS_PATH, you will receive the rest of their traffic. And, as a result, the rest of the money.

Will ROA help here? Perhaps yes, if you decide to stop using maxLength altogether. In addition, it is highly undesirable to have ROA records with intersecting prefixes. For some operators, such restrictions are unacceptable.

As for other routing security mechanisms, ASPA will not help in this case either (because the attack uses the AS_PATH from a valid route). BGPSec is still not an optimal option because of low adoption rates and the remaining possibility of downgrade attacks.

So we have a clear gain for the attacker and a lack of security. A great mix!

What should I do?

The obvious and most drastic step is to review your current routing policy. Break your address space into the smallest chunks (with no overlaps) that you want to advertise. Sign ROAs for those only, without using the maxLength parameter. In that case, your current POV can save you from such an attack. However, again, for some operators this approach is not reasonable because they use more specific routes exclusively. All the problems with the current state of ROA and route objects will be described in one of our future articles.
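Why dropping maxLength matters, as an added example that is not part of the original article: route origin validation in the style of RFC 6811, run against one of the forged /25 announcements shown earlier on this page. The two ROA sets, including the covering /16, are constructed for the illustration and are not the operator's real ROAs.

```python
import ipaddress

def validate(prefix, origin_asn, roas):
    """Route origin validation as in RFC 6811.
    roas: list of (roa_prefix, max_length or None, asn)."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # Without maxLength only the exact ROA prefix length is authorised.
        limit = roa_net.prefixlen if max_len is None else max_len
        if asn == origin_asn and net.prefixlen <= limit:
            return "Valid"
    return "Invalid" if covered else "NotFound"

def check_line(line, roas):
    """Validate one pipe-separated dump line; origin is the rightmost ASN."""
    f = line.split("|")
    return validate(f[5], int(f[6].split()[-1]), roas)

# Announcement copied from this page: forged path ending in the victim's ASN.
HIJACK = ("TABLE_DUMP2|1554076803|B|xxx|265466|78.163.7.0/25|"
          "265466 262761 263444 22356 3491 2914 9121|INCOMPLETE|xxx|0|0||NAG||")

# Constructed ROA sets (not the operator's real ROAs): the covering /16 is assumed.
LOOSE = [("78.163.0.0/16", 25, 9121)]     # maxLength lets any /17../25 validate
STRICT = [("78.163.0.0/16", None, 9121)]  # only the /16 itself is authorised

if __name__ == "__main__":
    for name, roas in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        print(name, check_line(HIJACK, roas))
```

The strict ROA only turns the forged more specific route into an Invalid one; it is dropped only by networks that actually reject Invalid routes, which the article notes few operators do.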

In addition, you can try to monitor for such interceptions. To do this, we need reliable information about your prefixes. So, if you establish a BGP session with our collector and give us information about your visibility of the Internet, we can determine the scope of other incidents. For those not yet connected to our monitoring system, a list of routes with only your prefixes will be enough to begin with. If you have a session with us, please check that all of your routes have been sent. Unfortunately, this is worth remembering, because some operators forget a prefix or two and thereby interfere with our detection methods. If it is done correctly, we will have reliable data about your prefixes, which in the future will help us identify and detect this (and other) types of traffic interception for your address space.

If you learn about such an interception of your traffic in real time, you can try to counter it yourself. The first approach is to advertise routes with these more specific prefixes yourself. In the event of a new attack on these prefixes, repeat.

The second approach is to punish the attacker, and those for whom it is a critical point (for good routes), by cutting off the attacker's access to your routes. This can be done by adding the attacker's ASN to the AS_PATH of your old routes, thereby forcing them to avoid that AS through the loop detection mechanism built into BGP, for your own good.

Source: www.habr.com
