This is a continuation of Internet Address Hijacking, Spoofing, and Squatting Attacks.
In this scenario, the attacker does not attack the RIR or attempt to break into a registration account. Instead, the attacker assumes the use of an AS number that is registered and actively in use by an authorized, registered party, and uses it without regard to whether the registered party is actively using it. An important difference between this attack and those previously discussed is that it can result in conflicting advertisements (in addition to all of the consequences mentioned earlier): what the attacker inserts into the routing system, and where this insertion takes place, differ from what the legitimate registrant advertises, and where. In this scenario, the registrant is the victim.
The attacker injects BGP advertisements into the global routing system using one of the same methods described under items (1)-(3) in ASN Squatting Attacks (direct injection through an ISP that is not screening, social engineering/coercion of an ISP, or ISP collaboration/bribery). The attacker expects that routing peers duped by the deception will (i) incorporate the updates into their routing database, (ii) forward data from sources enumerated in the AS, and (iii) deliver traffic to destinations enumerated in that AS. However, peers that are not duped may (i) block traffic to/from that AS, or (ii) ignore the updates and use routing advertisements they consider complete and accurate. This is very possibly a noisy, disruptive and shorter-lived attack compared with ASN hijacking or ASN squatting attacks.
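A registrant can watch for the conflict described above by comparing advertisements that carry its AS number as origin against what it actually announces, and through which neighbors. The following is an added sketch, not code from the original post; the AS numbers, prefixes and updates are constructed from documentation ranges, and the baseline (`KNOWN_PREFIXES`, `KNOWN_UPSTREAMS`) is an assumption the registrant would fill in from its own routing policy.

```python
import ipaddress

# Constructed baseline for the registrant (documentation ASNs and prefixes).
VICTIM_AS = 64500
KNOWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
KNOWN_UPSTREAMS = {64510, 64511}  # neighbors the registrant really announces through

# Constructed updates as seen at a route collector: (prefix, AS path).
# The path reads left to right from the collector's peer to the origin AS.
UPDATES = [
    ("198.51.100.0/24", [64496, 64510, 64500]),                # matches baseline
    ("198.51.100.0/24", [64496, 64511, 64500, 64500, 64500]),  # matches, with prepending
    ("203.0.113.0/24",  [64497, 64505, 64500]),                # different "what" and "where"
    ("198.51.100.0/25", [64497, 64505, 64500]),                # more specific, different "where"
    ("192.0.2.0/24",    [64496, 64510, 64499]),                # another origin, out of scope
]

def classify(prefix, as_path, victim_as=VICTIM_AS):
    """Return None if the update is not originated by victim_as, otherwise
    a list of reasons it conflicts with the baseline (empty list = consistent)."""
    # Collapse AS-path prepending so the neighbor of the origin is found correctly.
    path = [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]
    if not path or path[-1] != victim_as:
        return None
    reasons = []
    net = ipaddress.ip_network(prefix)
    if net not in KNOWN_PREFIXES:
        covered = any(net.version == k.version and net.subnet_of(k)
                      for k in KNOWN_PREFIXES)
        reasons.append("more-specific-of-known-prefix" if covered else "unknown-prefix")
    # "Where": the AS adjacent to the origin should be a known upstream.
    if len(path) >= 2 and path[-2] not in KNOWN_UPSTREAMS:
        reasons.append("unexpected-upstream")
    return reasons

def find_conflicts(updates):
    """Return (prefix, path, reasons) for every update that claims the
    registrant's AS as origin but disagrees with its baseline."""
    conflicts = []
    for prefix, path in updates:
        reasons = classify(prefix, path)
        if reasons:
            conflicts.append((prefix, path, reasons))
    return conflicts

if __name__ == "__main__":
    for prefix, path, reasons in find_conflicts(UPDATES):
        print(prefix, path, ", ".join(reasons))
```

The adjacent AS in a path is whatever the announcer chose to put there, so a hit on `unexpected-upstream` is a lead to investigate with the upstream in question rather than proof of where the injection happened.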