ASN allocation versus BGP
Imagine that anyone could grab 1,300 IP addresses from a major ISP, redirect traffic that should have gone to someone else’s DNS service, and steal $150,000 worth of cryptocurrency. Nonsense? Yet in April 2018 exactly such a scheme hit Amazon.
The root cause lies in BGP, the routing protocol that glues the entire Internet together. The remarkable thing is that it runs on trust, and that is what gave rise to BGP hijacking: the deliberate or accidental takeover of other people’s IP addresses. If you think the Amazon case is unique, we have to disappoint you: the Internet is far more fragile than it looks at first glance. Research published by APNIC, one of the world’s five Regional Internet Registries, tells the whole story.
This article is translated from the APNIC site (link to original). Editorial insertions are marked with *.
The article’s author, Francesco Sassi, is a PhD student in the Systems Lab group at Sapienza University of Rome. His research interests include computer systems and network security.
The parallel lives of Autonomous Systems: ASN allocation vs. BGP
The Internet consists of thousands of interconnected Autonomous Systems (ASes).
These autonomous systems exist in two dimensions, administrative and operational. The first is managed by the Regional Internet Registries (RIRs; * in practice an RIR maintains a database of the information Internet providers need to coordinate with one another), the second by BGP (the Border Gateway Protocol; * the protocol by which networks choose the shortest path to a destination).
These two dimensions largely live in parallel, yet each affects the other:
To announce prefixes in BGP (operational), an autonomous system must obtain an ASN (Autonomous System Number; * in effect the provider’s network ID) that uniquely identifies it (administrative).
If an ASN has not been used for a long time (operational), say several months, the RIR may revoke it (administrative); * this matters most for the scarce 16-bit numbers.
Once the RIR revokes an ASN (administrative), it may no longer be used in BGP (operational). * This is not an automated process: if the upstream provider is never told that the ASN has been revoked or reassigned, the announcements simply keep working.
While these interactions between ASN allocation and BGP routing may seem straightforward, the reality is more complex.
In our recent research, we at Sapienza University of Rome, in collaboration with CAIDA (UC San Diego) and MIT, conducted a first-of-its-kind study of how autonomous systems appear and behave in these two dimensions. We set out to characterize how the two dimensions relate over time and to find ASNs that behave unusually in either of them.
Building parallel lives
To build the administrative dimension, we processed all delegation files published by every RIR since 2003. These files are snapshots of the state of Internet number resources, including ASNs.
We considered an ASN administratively “alive” on a given day if it appeared as “allocated” or “assigned” in that day’s delegation file, meaning the ASN was delegated to an organization on that day. When we found inconsistencies in these files (for example, ASNs allocated by two registries at the same time, or records missing or duplicated), we began a careful curation process in contact with the RIRs to better understand their practices and disambiguate the odder cases.
For the operational dimension, we processed BGP data from the RIPE Routing Information Service (RIS) and Route Views collectors using CAIDA’s BGPStream, covering over 930 billion RIB dump records and 2.3 trillion updates. We considered an ASN active in BGP on a given day if it appeared in any AS-PATH.
From these two measurements we built two lenses that can be used separately or together.
Used individually, they let us analyze the status of ASNs (when they were “alive”, how many “lives” they had) as well as historical trends, including how the Internet evolved along geographical lines (see our paper for details).
Used together, however, the lenses become far more powerful: looking for inconsistencies between the two dimensions surfaces interesting findings, such as fat-finger errors, misconfigurations caused by typos or other operator mistakes.
Watch out for fat fingers… fingers… fingers!
In the course of our research, we found 868 ASNs that appeared in BGP but that no RIR had ever assigned to any organization. We manually examined almost 30% of them and found clear evidence of misconfiguration.
Most of the fat-finger typos we found (76%) were errors in AS-PATH prepending. When prepending, an operator may fail to separate the repeated instances of an ASN, so they run together into one bogus number. Figure 1 shows two such instances, where AS-PATHs originating from AS32026 and AS28730 have as neighbor an ASN that is actually the origin ASN repeated.
In the remaining 24% of cases we observed Multiple Origin AS (MOAS) conflicts involving ASNs that differ by a single digit. Surprisingly, these events can persist for months. For example, AS419333 appeared in BGP for almost 10 months (between November 2017 and September 2018), causing a MOAS conflict with AS41933. Another example was AS363690, which created a MOAS conflict with AS393690 for almost seven months (between November 2018 and June 2019).
Checking the allocation status of ASNs seen in BGP is therefore a quick way to identify fat-finger typos and to give operators a timely warning of a misconfiguration.
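As an added illustration (not code from the study or from APNIC), the check below joins a constructed set of RIR-assigned ASNs with constructed AS-PATHs and explains each unassigned ASN as either a prepend run together without a separator or a MOAS partner one digit away from a legitimate origin. The prefixes, the ASNs other than those named in the article, and all function names are made up for the example.

```python
# Constructed "administrative" view: ASNs that RIR delegation files list as assigned.
ASSIGNED = {3356, 1299, 6939, 32026, 28730, 41933, 393690}
# Constructed "operational" view: (prefix, AS-PATH) pairs as a collector might export.
ROUTES = [
    ("198.51.100.0/24", "3356 1299 3202632026 32026"),  # prepend typo: missing separator
    ("203.0.113.0/24", "6939 1299 41933"),              # legitimate origin
    ("203.0.113.0/24", "3356 419333"),                  # MOAS partner with one extra digit
    ("192.0.2.0/24", "3356 6939 393690"),
    ("192.0.2.0/24", "1299 363690"),                    # MOAS partner with one digit changed
]

def parse_path(path):
    """Split an AS-PATH string into integer ASNs (AS-SETs in braces are not handled)."""
    return [int(a) for a in path.split()]

def unassigned_asns(routes, assigned):
    """ASNs seen in BGP that no RIR has assigned: the study's starting point."""
    seen = {asn for _, path in routes for asn in parse_path(path)}
    return sorted(seen - assigned)

def one_digit_off(a, b):
    """True if the decimal forms differ by one substituted, inserted or deleted digit."""
    sa, sb = str(a), str(b)
    if len(sa) == len(sb):
        return sum(x != y for x, y in zip(sa, sb)) == 1
    if abs(len(sa) - len(sb)) != 1:
        return False
    longer, shorter = (sa, sb) if len(sa) > len(sb) else (sb, sa)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def find_fat_fingers(routes, assigned):
    """Return (kind, bogus_asn, related_asn) for each unassigned ASN we can explain."""
    origins = {}  # prefix -> set of origin ASNs, to spot MOAS conflicts
    for prefix, path in routes:
        origins.setdefault(prefix, set()).add(parse_path(path)[-1])
    findings = []
    for prefix, path in routes:
        asns = parse_path(path)
        for i, asn in enumerate(asns):
            if asn in assigned:
                continue
            # an adjacent hop written twice with no separator, e.g. "3202632026 32026"
            for n in asns[max(i - 1, 0):i] + asns[i + 1:i + 2]:
                if str(asn) == str(n) * 2:
                    findings.append(("prepend-concat", asn, n))
            if i == len(asns) - 1:  # bogus origin: look for a MOAS partner one digit away
                for other in origins[prefix] - {asn}:
                    if one_digit_off(asn, other):
                        findings.append(("moas-typo", asn, other))
    return findings
```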
Hijacking dormant ASNs
Combining the two lenses also makes it possible to identify ASNs involved in malicious behavior. For example, an attacker who wants to hijack BGP prefixes stealthily may look for ASNs that have not been active recently.
We confirmed 76 such cases using information gathered from network operator mailing lists such as NANOG, Twitter alerts from network security groups such as Spamhaus, routing monitors such as BGPmon (* since shut down), and previous work.
Figure 3 shows, over time, the number of prefixes announced in some of the most prominent cases we found of dormant ASNs suddenly becoming active in BGP. The brown line shows the behavior of AS10512, one of the most illustrative cases of a “sleeping” ASN being hijacked.
Between December 2017 and January 2018, AS10512 hijacked prefixes of Spectrum (AS11426), a major US broadband provider. AS10512 had been allocated more than 17 years before the incident and had never announced a BGP prefix. It was then hijacked and used to suddenly originate 60 /16 prefixes.
We also noticed AS7449 (magenta line) waking up in BGP at the same time as AS10512 after years of inactivity. Digging into this odd coincidence, we found that both ASNs had the same direct upstream, AS203040, the ASN infamously known as the “BGP Hijack Factory”. Most likely, AS203040 crafted and shared with its neighbors forged BGP announcements with these (hijacked) ASNs as origins and itself as the first hop, masquerading as their transit provider.
Read: Shutting down the BGP Hijack Factory
We also identified a similar attack involving AS28071 and AS262916, which shared the same direct upstream (AS52302), an ASN that had been flagged as malicious on the Latin American network operators’ mailing list.
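The dormant-ASN pattern described above, as an added example that is not the study’s own code: a constructed assignment table and a constructed stream of (day, prefix, AS-PATH) observations are checked for origins that were silent for a long stretch and then suddenly originate several prefixes, and woken ASNs that share a first hop are grouped the way AS10512 and AS7449 shared AS203040. The dates, prefixes and AS64496 are made up, and the observation window is assumed to cover all activity since assignment.

```python
from collections import defaultdict
from datetime import date
# Constructed administrative view: ASN -> day the RIR assigned it (not real RIR data).
# The observation window below is assumed to cover everything since these dates.
ASSIGNED_ON = {3356: date(2015, 1, 1), 203040: date(2015, 1, 1), 11426: date(2017, 1, 10),
               64496: date(2017, 6, 1), 10512: date(2015, 1, 1), 7449: date(2015, 2, 1)}

# Constructed operational view: (day, prefix, AS-PATH) as a BGPStream reader might yield.
OBSERVATIONS = [
    (date(2017, 3, 1), "198.51.100.0/24", "3356 11426"),     # steadily announced
    (date(2017, 6, 15), "203.0.113.0/24", "3356 64496"),     # new ASN, used right away
    (date(2017, 8, 1), "198.51.100.0/24", "3356 11426"),
    (date(2017, 12, 1), "198.51.100.0/24", "3356 11426"),
    (date(2017, 12, 20), "198.51.100.0/24", "3356 203040 10512"),  # silent ~3 years, then bursts
    (date(2017, 12, 20), "198.51.101.0/24", "3356 203040 10512"),
    (date(2017, 12, 20), "192.0.2.0/24", "3356 203040 7449"),      # same day, same first hop
    (date(2017, 12, 20), "192.0.3.0/24", "3356 203040 7449"),
]

def activity_by_origin(observations):
    """Map origin ASN -> list of (day, prefix, first_hop) taken from each AS-PATH."""
    acts = defaultdict(list)
    for day, prefix, path in observations:
        asns = [int(a) for a in path.split()]
        first_hop = asns[-2] if len(asns) > 1 else None
        acts[asns[-1]].append((day, prefix, first_hop))
    return acts

def dormant_wakeups(observations, assigned_on, min_idle_days=300, min_prefixes=2):
    """Origins whose longest silence (counted from assignment or last activity) is at
    least min_idle_days and that then originate >= min_prefixes distinct prefixes."""
    wakeups = {}
    for asn, acts in activity_by_origin(observations).items():
        if asn not in assigned_on:
            continue  # unassigned ASN: a fat-finger or bogon case, handled elsewhere
        timeline = [assigned_on[asn]] + sorted({d for d, _, _ in acts})
        idle, wake_day = max(((b - a).days, b) for a, b in zip(timeline, timeline[1:]))
        prefixes = {p for d, p, _ in acts if d >= wake_day}
        upstreams = {u for d, _, u in acts if d >= wake_day and u is not None}
        if idle >= min_idle_days and len(prefixes) >= min_prefixes:
            wakeups[asn] = {"idle_days": idle, "prefixes": len(prefixes), "upstreams": upstreams}
    return wakeups

def shared_upstreams(wakeups):
    """Group woken ASNs by a common first hop, as AS10512 and AS7449 shared AS203040."""
    groups = defaultdict(set)
    for asn, info in wakeups.items():
        for up in info["upstreams"]:
            groups[up].add(asn)
    return {up: asns for up, asns in groups.items() if len(asns) > 1}
```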
Reclaiming unused ASNs matters
As shown, hijackers stay one step ahead, carefully choosing idle ASNs to make their attacks harder to notice. In our research we found two categories of seemingly dormant (allocated but unused) ASNs that hijackers can exploit:
ASNs with a long lag between the end of their BGP activity and their reclamation by the RIR, typically more than 10 months.
ASNs held by organizations that keep their allocations even though they do not use them in BGP. Examples include the US Department of Defense and Air Force, and companies that received large blocks of ASNs in the early years of the Internet.
These results show that more resilient policies for reclaiming ASNs that have long gone unused would benefit the routing ecosystem.
* Now imagine this affecting you directly… The entire Internet is made up of thousands of interconnected Autonomous Systems (ASes), and they exist in two dimensions, administrative and operational: the RIRs and BGP.