This is a continuation of Internet Address Hijacking, Spoofing, and Squatting Attacks.
There are two forms of ASN squatting attacks. In the first scenario, the attacker determines that an ASN is not registered at an RIR. The attacker ignores the customary registration channels and uses this ASN to announce the IP prefixes it intends to use for malicious purposes. The victim is thus the RIR, whose resource is used without authorization. From a registration (resource holder) perspective, no registrant is victimized: the attacker simply chooses an unused resource and configures his router to use it.
In the second scenario, a criminal attempts to add a veil of legitimacy to the squatting attack. He searches for a dormant ASN, i.e., a resource that has a registrant but is not in use (no advertisements currently inserted into the Internet routing system). The criminal uses some form of the registrant's point-of-contact information to impersonate the registrant and requests that the RIR reset or allow access to the account through which the target ASN is managed, and thus gains control of the ASN. Here, both the registrant and the RIR are victims.
In circumstances where RIRs will accept requests from point-of-contact (POC) email addresses, the criminal looks for a dormant AS that has a POC email address that is assigned from an available domain name (specifically, a domain name that was once registered by the organization that "owns" this ASN, according to the RIR's registration data). He registers the domain name, creates the POC email address, and uses this to impersonate the AS registrant of record. Alternatively, the criminal could attempt to hijack the domain name registration account to gain control of the domain in which the POC email address is assigned.
In circumstances where RIRs require other/additional forms of verification before granting access to the RIR account, the criminal can resort to social engineering of RIR staff or would use other fraudulently produced credentials in the impersonation attempt.
Once in control, the criminal has a veil of legitimacy and can go to an ISP and ask to have the resource advertised. There are several ways the attacker may "use" the ASN following either form of squatting attack:
- Insert advertisements directly into the global routing system by establishing a BGP connection and peering with a network operator that he has monitored and targeted for the insertion. Prior to the insertion, the attacker has observed that the operator is lax with respect to screening advertisements and so expects to avoid detection by the autonomous system he’s peered with while the routing information propagates through the global routing system. More operators are lax with routing policy than you’d expect, particularly when associating both ASNs and IP prefixes to a given routing import policy set.
- Convince an access or transit provider to connect with the attacker as a BGP peer through social engineering or coercion, or peer with his own or another AS and simply append the hijacked origin to the prefix in question as well. Here, the access or transit provider becomes an unwitting or unwilling participant when it propagates advertisements it receives from the attacker into the global routing system.
(1) and (2) are illustrated in Figure 1. The color red depicts the criminal actor and fraudulent information, and green depicts unwitting participants:
Figure 1. ASN Squatting via unwitting parties
- Convince an access or transit provider to connect with the attacker as a BGP peer through collaboration or bribery. Here, the access or transit provider is a willing and likely a profiting participant. This is illustrated in Figure 2. The color red depicts the criminal actor and willing participants, and green again depicts unwitting participants:
Figure 2. ASN Squatting via willing parties.
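A defender-side check for the two squatting scenarios described above, as an added example that is not part of the original post. It flags an origin ASN that no RIR lists as allocated or assigned (the first scenario) and an origin that is registered but absent from a baseline of recently observed origins (a dormant ASN reappearing, as in the second scenario). The delegated-stats lines, the baseline set and the announcements are constructed; a real deployment would read the RIRs' delegated-extended files and route-collector data instead.

```python
"""Flag BGP origin ASNs matching the two squatting scenarios (added example,
not from the original post): an origin that no RIR has allocated or assigned
(scenario 1), or one that is registered but absent from a baseline of recently
seen origins, i.e. a dormant ASN that just reappeared (scenario 2)."""

# Constructed sample in the RIR delegated-extended stats format:
# registry|cc|type|start|value|date|status|opaque-id
# For type "asn", start is the first ASN of a block and value is its size.
DELEGATED_SAMPLE = """\
arin|US|asn|64496|1|20100101|assigned|a1
arin|US|asn|64497|1|20100101|assigned|a2
ripencc|NL|asn|64500|4|20050101|allocated|b1
arin||asn|64510|2|20100101|available|
"""

def load_registered_asns(delegated_text):
    """Return the set of ASNs an RIR lists as allocated or assigned."""
    registered = set()
    for line in delegated_text.splitlines():
        f = line.split("|")
        if len(f) < 7 or f[2] != "asn":
            continue
        start, count, status = int(f[3]), int(f[4]), f[6]
        if status in ("allocated", "assigned"):
            registered.update(range(start, start + count))
    return registered

def classify_origins(announcements, registered, baseline_origins):
    """Return {origin_asn: verdict} for (prefix, origin_asn) pairs taken from a
    route collector; baseline_origins is the set of origins seen during a
    recent observation window (constructed here)."""
    verdicts = {}
    for _prefix, origin in announcements:
        if origin not in registered:
            verdicts[origin] = "unregistered-asn"          # scenario 1
        elif origin not in baseline_origins:
            verdicts[origin] = "dormant-asn-reactivated"   # scenario 2
        else:
            verdicts[origin] = "ok"
    return verdicts

if __name__ == "__main__":
    registered = load_registered_asns(DELEGATED_SAMPLE)
    baseline = {64496, 64500}   # constructed: origins seen in the last 30 days
    announcements = [("192.0.2.0/24", 64496),      # known, active origin
                     ("198.51.100.0/24", 64497),   # registered but dormant
                     ("203.0.113.0/24", 64510)]    # never allocated
    for asn, verdict in sorted(classify_origins(announcements, registered, baseline).items()):
        print(f"AS{asn}: {verdict}")
```

Either verdict other than "ok" is a trigger for contacting the announcing peer and checking the RIR record's recent change history, not proof of fraud on its own.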