Life is a Roller Coaster

February 29, 2008

Youtube.com Hijack Case Study (Analysis from RIPE.net)

Filed under: General — adisubrata @ 11:14 AM

It reminds me how much inter-AS connections have to trust one another. They simply advertised the same prefix as a more specific subnet, and according to the BGP rule the longest matching subnet is preferred.

On Sunday, 24 February 2008, Pakistan Telecom (AS17557) started an unauthorised announcement of the prefix 208.65.153.0/24. One of Pakistan Telecom’s upstream providers, PCCW Global (AS3491) forwarded this announcement to the rest of the Internet, which resulted in the hijacking of YouTube traffic on a global scale.

In this report we show how the events were seen by RIPE NCC’s Routing Information Service (RIS) and how, in general, one can use the RIS tools to obtain hard data on network events.

Event Timeline

  • Before, during and after Sunday, 24 February 2008: AS36561 (YouTube) announces 208.65.152.0/22. Note that AS36561 also announces other prefixes, but they are not involved in the event.
  • Sunday, 24 February 2008, 18:47 (UTC): AS17557 (Pakistan Telecom) starts announcing 208.65.153.0/24. AS3491 (PCCW Global) propagates the announcement. Routers around the world receive the announcement, and YouTube traffic is redirected to Pakistan.
  • Sunday, 24 February 2008, 20:07 (UTC): AS36561 (YouTube) starts announcing 208.65.153.0/24. With two identical prefixes in the routing system, BGP policy rules, such as preferring the shortest AS path, determine which route is chosen. This means that AS17557 (Pakistan Telecom) continues to attract some of YouTube’s traffic.
  • Sunday, 24 February 2008, 20:18 (UTC): AS36561 (YouTube) starts announcing 208.65.153.128/25 and 208.65.153.0/25. Because of the longest prefix match rule, every router that receives these announcements will send the traffic to YouTube.
  • Sunday, 24 February 2008, 20:51 (UTC): All prefix announcements, including the hijacked /24 which was originated by AS17557 (Pakistan Telecom) via AS3491 (PCCW Global), are seen prepended by another 17557. The longer AS path means that more routers prefer the announcement originated by YouTube.
  • Sunday, 24 February 2008, 21:01 (UTC): AS3491 (PCCW Global) withdraws all prefixes originated by AS17557 (Pakistan Telecom), thus stopping the hijack of 208.65.153.0/24. Note that AS17557 was not completely disconnected by AS3491. Prefixes originated by other Pakistani ASs were still announced by AS17557 through AS3491.
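The timeline shows a more-specific prefix propagating because an upstream passed it on unchecked. As an added example (not from the post or the RIPE report), this is the kind of import policy an upstream can apply on a customer BGP session so that only prefixes inside the customer's own allocation, and nothing longer than a /24, get past the edge; the prefix, addresses and AS numbers are constructed placeholders.

```junos
/* Added example, not from the post or the RIPE report: an import policy an
   upstream applies on a customer BGP session. Only prefixes inside the
   customer's own allocation (and their more-specifics) are accepted, so an
   announcement for someone else's /24 is dropped here instead of being
   propagated. Prefix, addresses and AS numbers are constructed placeholders. */
policy-options {
    prefix-list customer-allocations {
        192.0.2.0/24;              /* constructed: from the customer's LOA / IRR route object */
    }
    policy-statement import-from-customer {
        term too-specific {
            /* nothing longer than a /24 is accepted, whatever it is */
            from { route-filter 0.0.0.0/0 prefix-length-range /25-/32; }
            then reject;
        }
        term own-prefixes {
            from {
                protocol bgp;
                prefix-list-filter customer-allocations orlonger;
            }
            then accept;
        }
        term everything-else {
            then reject;           /* any other prefix, such as the /24 in the timeline, stops here */
        }
    }
}
protocols {
    bgp {
        group customers {
            type external;
            neighbor 198.51.100.2 {
                peer-as 64496;                      /* constructed customer AS */
                import import-from-customer;
                family inet {
                    unicast {
                        prefix-limit {
                            maximum 50;             /* second guard against an accidental full-table leak */
                            teardown;
                        }
                    }
                }
            }
        }
    }
}
```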

See the complete analysis here

February 20, 2008

ASIC router

Filed under: Technical section — adisubrata @ 2:37 PM

While surfing the internet I found a bit of history on ASIC routers.

The first ASIC router, the M40, was delivered in 1998, almost 10 years ago.

http://www.juniper.net/company/presscenter/pr/1998/pr-980701.html

The press release emphasises the separation of the control and forwarding functions. Today this has become standard in networking devices (routers etc.). It also emphasises software control with a modular design on top of Unix: a failure in one process does not bring down the whole box.

What does separating control and forwarding mean?

The main job of the control part is to run the routing protocols and process their updates.

The forwarding part, on the other hand, performs the route lookup that gets each packet to its destination, so the next-hop database lives in the forwarding part.

The control part computes the results of the routing protocol updates and pushes them down to the forwarding part. The two must therefore stay synchronised with each other: if the forwarding part lags behind the control part, some packets are sent into a black hole. Such late synchronisation can be caused by software bugs or by a lack of memory. The device architecture itself determines the quality of its real performance.

February 18, 2008

Securing Router ::: Templates

Filed under: Technical section — adisubrata @ 3:18 PM

Every router connected to the network needs to be hardened to limit the impact of attacks. Your router must be secured against malicious attackers.

The links below show security templates for Juniper routers. You can modify them and apply them to your own network.

Click here And Here (Firewall)

On a Juniper router, you apply the firewall filter to the loopback interface lo0. lo0 lives on the Routing Engine (RE), which is the main target for an attacker, so filtering at the RE is a good choice for us.

The Packet Forwarding Engine (PFE) is connected to the Routing Engine (RE) over an internal Ethernet interface, either FE or GE. It is a good idea to rate-limit all traffic going from the PFE to the RE. Packets such as Telnet, SSH, ICMP and FTP are forwarded to the RE (as exception packets), so you have to limit them before someone uses them as a security hole. Usually I put a 1Mb policer on traffic such as ICMP and traceroute; anything above 1Mb through the router is discarded.

Policer configuration:

    /* 1Mb policer: traffic above the limit is discarded rather than queued */
    policer radius-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }

This policer is combined with the specific ICMP or traceroute terms:

        /* UDP ports used by traceroute probes; the policer named here must be
           defined under the firewall stanza */
        term trace-route {
            from {
                protocol udp;
                destination-port 33434-33523;
            }
            then {
                policer small-bandwidth-policer;
                accept;
            }
        }

Limiting SSH and Telnet is simply a matter of permitting only the source addresses allowed to reach the router. The template looks like this:

        /* template: pick one prefix list, one protocol and one port per term */
        term ABCD {
            from {
                source-prefix-list {
                    radius-addresses|telnet-address|ssh-address;
                }
                protocol udp|tcp;
                port radius|telnet|ssh;
            }
            then {
                policer radius-policer;
                accept;
            }
        }

The templates above control remote access to the router. They are configured under the ABCD term, which contains a source-prefix-list that must be defined under the policy-options stanza. It means that only packets whose source address is in the radius-addresses, telnet-address or ssh-address prefix list are allowed to do remote access (SSH, Telnet) or AAA checking with RADIUS. If the source address does not match, the packet is discarded.
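An added example, not from the post or the linked Juniper and Cymru templates, that assembles the pieces above into one lo0 filter: the prefix lists under policy-options, the policer, a term per protocol and a final discard. Every address is a constructed placeholder.

```junos
/* Added example (not from the post or the linked templates): the post's
   pieces assembled into one filter on lo0; prefixes are constructed.
   The closing discard also drops OSPF, NTP, DNS, SNMP and anything else
   without an accept term, so inventory what the RE must speak first and
   test with "count" instead of "discard" until the counters look right. */
policy-options {
    prefix-list ssh-address { 192.0.2.0/28; }        /* constructed: NOC hosts */
    prefix-list bgp-neighbors { 198.51.100.1/32; }   /* constructed: eBGP peer */
}
firewall {
    policer small-bandwidth-policer {
        if-exceeding { bandwidth-limit 1m; burst-size-limit 15k; }
        then discard;
    }
    family inet {
        filter protect-re {
            term ssh {
                from { source-prefix-list { ssh-address; } protocol tcp; destination-port ssh; }
                then accept;
            }
            term bgp {
                from { source-prefix-list { bgp-neighbors; } protocol tcp; port bgp; }
                then accept;
            }
            term icmp {
                from { protocol icmp; }
                then { policer small-bandwidth-policer; accept; }
            }
            term traceroute {
                from { protocol udp; destination-port 33434-33523; }
                then { policer small-bandwidth-policer; accept; }
            }
            term default-discard {
                then { count protect-re-drops; discard; }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter { input protect-re; }
                address 203.0.113.1/32;                /* constructed loopback */
            }
        }
    }
}
```

The input filter on lo0 sees every packet addressed to the RE regardless of the interface it arrived on, which is why the policer and the source-prefix terms live here rather than on each physical interface.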

I won’t explain every term of the Juniper security configuration. You can read about them at the links I gave above.

Another good source comes from Cymru.

Click below to see their template:

Cymru Junos Template

Read it, then adapt it for your own network.

::: Securing every router is a must and mandatory for all live routers :::

February 10, 2008

DDos BGP Protection

Filed under: Technical section — adisubrata @ 4:41 AM

DDoS (Distributed Denial-of-Service) has become one of the most serious attacks on the internet today. Unfortunately, BGP, the protocol used for inter-domain routing, has no mechanism to detect and block DDoS automatically.

In order to block a certain IP address, the customer NOC must manually block it and hide the IP address that is under attack.

There is an RFC that describes how to hide an IP subnet: RFC 3882, published in 2004 but still applicable today.

The idea is to create a BGP blackhole community and use it to influence the next-hop address of the IP address under attack.

This part definitely needs cooperation between the ISP and its customers.

The ISP needs to configure a BGP blackhole community and then change the next-hop address of every route that matches the blackhole community to a discard interface.

Customers need to send the IP address (usually a /32) tagged with the blackhole community to the ISP.

When a customer detects a DDoS attack, it sends only the /32 of the attacked address to the ISP with the BGP blackhole community. The ISP detects the route carrying the blackhole community and changes its next hop to the discard interface. From then on, every packet from the internet destined to that /32 is forwarded by the ISP router to the discard interface and never reaches its destination.

This is just the basic idea; you should be able to improve on it and make it fit your network.
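The ISP and customer halves of the exchange described above, written as Junos policy. This is an added example, not the post's or RFC 3882's own configuration; the AS numbers, the community value and every address are constructed placeholders. The next hop is rewritten to a sink address that every ISP router statically routes to discard, so the drop happens on whichever hop the traffic enters.

```junos
/* Added example, not from the post or RFC 3882: the exchange the post
   describes, as Junos policy for both sides. AS numbers, the community
   value and all addresses are constructed placeholders. */

/* ISP side (AS 64500). Every ISP router carries the same discard static
   route, so the rewritten next hop resolves to a drop on every hop. */
routing-options {
    static { route 192.0.2.1/32 discard; }      /* constructed sink address */
}
policy-options {
    community blackhole members 64500:666;      /* constructed value */
    community no-export members no-export;
    policy-statement from-customer {
        term blackhole {
            from {
                community blackhole;
                /* host routes only, and only inside this customer's own block,
                   so a customer cannot blackhole somebody else's address */
                route-filter 203.0.113.0/24 prefix-length-range /32-/32;
            }
            then {
                next-hop 192.0.2.1;                /* resolves to the discard route */
                community add no-export;           /* keep the /32 inside the ISP */
                accept;
            }
        }
        /* ... followed by the usual terms that accept the customer's
           aggregate and reject everything else */
    }
}
protocols {
    bgp { group customers { neighbor 198.51.100.2 { peer-as 64496; import from-customer; } } }
}

/* Customer side (AS 64496): while 203.0.113.10 is under attack, originate a
   tagged /32 for it; delete the static route to lift the blackhole. */
routing-options {
    static { route 203.0.113.10/32 { discard; community 64500:666; } }
}
policy-options {
    policy-statement to-isp {
        term blackhole {
            from { protocol static; route-filter 203.0.113.10/32 exact; }
            then accept;
        }
        /* ... followed by the term that exports the customer's own aggregate */
        term reject-other { then reject; }
    }
}
```

Because the /32 is accepted only with the community set and only from inside the customer's own block, a customer can take one of its own hosts offline but cannot use the mechanism against anyone else's address space.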

February 6, 2008

My Internet Speed

Filed under: General — adisubrata @ 4:26 AM

Captured from http://www.speedtest.net/

The test was conducted at 4:00 AM; during working hours the speed cannot reach these results. I’m using Fastnet. Overall, this ISP is OK for me, although sometimes there are problems in their network that affect speed.

Speedtest screenshots: to IXP (National), to Europe (Amsterdam), to US (Los Angeles), to Australia (Sydney).

Looking Glass:

BGP routing table entry for 61.247.4.0/22
Paths: (11 available, best #10, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
  195.28.164.125 203.119.0.116
  1930 20965 3356 7473 4761 4761 23700
    193.136.5.1 from 193.136.5.1 (193.136.5.1)
      Origin IGP, localpref 100, valid, external
      Community: 20965:3356
      Last update: Wed Feb  6 03:31:26 2008

Fastnet’s ASN is 23700.

Their upstream provider is Indosat (4761).

Fastnet ASN report

The complete path looks like this:

Fastnet -> Indosat -> Singtel -> Level3

Level3 is their Tier-1 carrier.

From the looking glass results, Indosat (ASN 4761) appears to be the single upstream provider used by Fastnet. Anyway, most local ISPs use dual-homed BGP to provide redundancy; it is better to have several upstream providers than to rely on a single one.

Cheapest Tariff of Cellulars (Be careful)

Filed under: General — adisubrata @ 2:22 AM

Many operators in Indonesia continue to offer cheap services to customers. All mobile operators, from GSM to CDMA/W, have fallen into the trap and are fighting each other.

I was surprised when I saw the XL “BEBAS” GSM product from one of the largest GSM operators in Indonesia. To enjoy this tariff you don’t have to buy a special or new package: if you already have a product from this operator, the charging method of your present package is converted automatically so you can enjoy the new promo tariff.

They claimed and released a promotion of their product as the cheapest tariff in Indonesia, Rp 0,1/second. It sounds like all operators, including CDMA/W products, will be defeated. This promotion is very special because this tariff (0,1/s) is valid not only for calls from XL to XL but also from XL to other operators. In my point of view, it is impossible. Outgoing and incoming traffic between two operators does not pass as easily as local traffic, which they can arrange and charge as they want; one operator has to pay charges as set out in the agreement between the operators. CMIIW.

The promo period is 18 January to 30 April 2008.

Be aware if you want to use this promo: it is not clear that you will be charged Rp 0,1/second every time you make a call. There are special conditions that you must know carefully. I tried to summarise them.

1. If you make a call from XL to XL, for the first 2.5 minutes you are charged Rp 10/second. After 2.5 minutes you enjoy Rp 0,1/second. (Applicable to the Jabotabek area; other areas are treated differently.)

2. If you make a call from XL to another operator, for the first 2 minutes you are charged Rp 25/second. Minutes 2 to 4 are Rp 0,1/second, minutes 4 to 6 are Rp 25/second, and so on, changing every 2 minutes. I guess this is meant to stop customers from making calls longer than 4 minutes.

You can see the detailed conditions at http://www.xl.co.id/Bebas/Tarif_Termurah_bebas

After reading and understanding it, I do not agree that this is the cheapest tariff.

I like the advertisement on television, where someone says: “I will get married to a monkey if you can find a cheaper tariff than this (Another)”.
