converge detroit homebrew censorship detection by analysis of bgp data-16july2015
TRANSCRIPT
-
7/25/2019 Converge Detroit Homebrew Censorship Detection by Analysis of BGP Data-16July2015
1/26
HOMEBREW CENSORSHIP DETECTION BY BGP ANALYSIS
July 16, 2015
-
About Me
ZACHARY JULIAN
Sr. Security Analyst @ Bishop Fox
Enterprise Security team
Clarkston, MI -> Phoenix, AZ
-
Background & Motivation
WHY MONITOR BGP DATA?
Interest in the digital aspect of the Syrian Civil War
    State-sponsored malware
    Internet censorship
Internet censorship via BGP manipulation during the Arab Spring
    Egypt
    Libya
How can I alert myself to Syrian BGP changes?
-
VISUALIZE AND REPORT SYRIAN BGP CHANGES OVER TIME
www.syriabgp.net
-
BORDER GATEWAY PROTOCOL: A BRIEF OVERVIEW
-
Border Gateway Protocol (BGP)
WHAT IS IT?
Critical to the operation of the Internet
Used to exchange routing information between Autonomous Systems (AS)
Commonly used to determine a path between ISPs
Announces IP prefixes
-
Autonomous Systems
WHAT ARE THEY?
A collection of IP prefixes (ranges) under control of one network operator
Each AS is assigned an ASN (allocated by IANA to the Regional Internet Registries, which hand them out to operators)
For instance, in Phoenix:

AS Number   Operator                            IP Prefixes
AS209       Qwest Communications Company, LLC   198.185.174.0/24, 198.185.175.0/24, 198.185.176.0/24, 198.185.177.0/24
-
Prefixes
ONE MORE DEFINITION
Each prefix is advertised by one or more edge routers.
These routers broadcast BGP advertisements to peers.
If all edge routers stop advertising, prefixes are not routable to the Internet.
-
Border Gateway Protocol
AT A HIGH LEVEL
(figure: routing diagram)
-
Border Gateway Protocol
AT A HIGH LEVEL
(figure: the same routing diagram with a path marked "?")
-
Internet Censorship via BGP
EASIER THAN YOU THINK
Many countries have state-owned telecommunications infrastructure
They operate only a few Autonomous Systems
Trivial to order an Internet shutdown by ceasing BGP route advertisements
-
MONITORING BGP DATA: HOMEBREW INTERNET ANALYSIS
-
The Route Views Project
WWW.ROUTEVIEWS.ORG
University of Oregon - Advanced Network Technology Center
Aggregates BGP data from participating ASes
Provides updated BGP data every two hours
~50MB .bz2 archive
Available over HTTP, FTP, telnet
http://www.routeviews.org/
-
How Can We Use Route Views Data?
A LOOK AT THE FORMAT
(figure: one annotated line of oix-full-snapshot-latest.dat, with callouts for the IP prefix announcement, the IP address broadcasting the announcement, the advertised path to the prefix, the multi exit discriminator, the local preference and the weight)
-
How Can We Use Route Views Data?
A LOOK AT THE FORMAT
HOW MANY TIMES IS OUR TARGET ASN ANNOUNCED IN A ROUTING PATH?
user@ubuntu:~$ grep '29386' oix-full-snapshot-latest.dat | wc -l
3840
-
How Can We Use Route Views Data?
A LOOK AT THE FORMAT
How many times is our target ASN announced in a routing path?
How does that compare to two hours ago?
((Current Total / Total 2 Hours Ago) - 1) = Change
((2687 / 2852) - 1) = -0.057, or a 6% decrease
user@ubuntu:~$ grep '29386' oix-full-snapshot-latest.dat | wc -l
3840
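As an added example (not code from the talk or from routeviews-py), here is a parser for the snapshot layout the two slides above grep through, counting the target ASN as a whole AS-path element rather than as a substring, and the change metric the slides define with its divide-by-zero case handled. grep '29386' also matches any ASN whose digits contain 29386 (129386, for instance) and counts the continuation line of a wrapped entry rather than the entry; the parser below does neither. The column offsets, the status flag set and the rule for wrapped entries are my assumptions about the Cisco "show ip bgp" layout the file uses, and the sample snapshot is constructed.

```python
"""Count a target ASN in the AS paths of a Route Views oix-full-snapshot dump.

Added example for this write-up, not code from the talk or routeviews-py. The
file uses the Cisco "show ip bgp" layout: three status columns, a 17-wide
Network column, a 20-wide Next Hop column, then Metric, LocPrf, Weight and
Path. The offsets below and the rule for wrapped entries are assumptions about
that layout; the Path offset is re-read from the header line when present.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

STATUS_CHARS = set("sdh*>irSmbfxac ")  # flags the banner's "Status codes" line lists
NET_COL, NEXTHOP_COL = 3, 20           # start of the Network and Next Hop columns
DEFAULT_PATH_COL = 61                  # start of Path when no header line is present
ORIGIN_CODES = {"i", "e", "?"}

# Constructed sample in the snapshot's layout; prefixes, next hops and paths
# are invented, 29386 is the ASN the talk greps for. It contains a second
# path for a prefix (blank Network column), a Network too wide for its column
# (printed on its own line), an AS set, and 129386 as a substring trap.
SAMPLE_SNAPSHOT = """\
BGP table version is 0, local router ID is 192.0.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  203.0.113.0/24   198.51.100.1             0             0 64500 29386 i
*>                  198.51.100.2                           0 64501 64500 29386 i
*> 203.0.113.128/25 198.51.100.1             0             0 64500 29386 i
*  192.168.100.128/25
                    198.51.100.3             0             0 64502 29386 64503 i
*> 192.0.2.0/24     198.51.100.4             0             0 64500 129386 i
*  192.0.2.0/24     198.51.100.5             0             0 64501 {29386,64504} 64505 ?
"""


@dataclass
class Route:
    prefix: str
    as_path: List[str]  # raw path tokens; an AS set stays as one "{a,b}" token
    origin: str         # i, e or ?


def parse_snapshot(text: str) -> List[Route]:
    """One Route per table row; rows with a blank Network column and wrapped
    entries inherit the prefix printed before them."""
    routes: List[Route] = []
    path_col = DEFAULT_PATH_COL
    current_prefix: Optional[str] = None  # prefix of the last complete row
    pending_prefix: Optional[str] = None  # Network printed alone on the previous line
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.lstrip().startswith("Network"):
            path_col = line.index("Path")  # take the column offset from the header
            continue
        if any(c not in STATUS_CHARS for c in line[:NET_COL]):
            continue  # banner or legend line, not a table row
        if len(line) <= path_col:
            pending_prefix = line[NET_COL:].strip()  # wrapped entry: rest follows
            continue
        network = line[NET_COL:NEXTHOP_COL].strip()
        prefix = network or pending_prefix or current_prefix
        if prefix is None:
            continue
        pending_prefix, current_prefix = None, prefix
        tokens = line[path_col:].split()
        if tokens and tokens[-1] in ORIGIN_CODES:
            routes.append(Route(prefix, tokens[:-1], tokens[-1]))
        elif tokens:
            routes.append(Route(prefix, tokens, "?"))
    return routes


def expand_path(as_path: List[str]) -> List[str]:
    """Flatten AS sets so membership tests see every ASN in the path."""
    asns: List[str] = []
    for token in as_path:
        asns.extend(token.strip("{}").split(",") if token.startswith("{") else [token])
    return asns


def summarize(routes: List[Route], target_asn: str) -> Dict[str, int]:
    """Paths through the ASN, distinct prefixes reached through it, and
    distinct prefixes it originates (it is the last ASN in the path)."""
    via = [r for r in routes if target_asn in expand_path(r.as_path)]
    originated = {r.prefix for r in via if expand_path(r.as_path)[-1] == target_asn}
    return {"paths": len(via), "prefixes": len({r.prefix for r in via}),
            "originated": len(originated)}


def naive_grep_count(text: str, target_asn: str) -> int:
    """What `grep '29386' file | wc -l` measures: lines containing the digits,
    including other ASNs such as 129386 and wrapped entries' continuation lines."""
    return sum(1 for line in text.splitlines() if target_asn in line)


def change(current: int, previous: int) -> Optional[float]:
    """The slides' metric, (current / previous) - 1, as a fraction. None when the
    previous count was 0: the ratio is undefined and must not read as 'no change'."""
    return None if previous == 0 else current / previous - 1


if __name__ == "__main__":
    parsed = parse_snapshot(SAMPLE_SNAPSHOT)
    print("grep-style count:", naive_grep_count(SAMPLE_SNAPSHOT, "29386"))
    print("parsed:", summarize(parsed, "29386"))
    print("change 2687 vs 2852:", change(2687, 2852))
```

On the constructed sample the grep-style count is 6 while only 5 paths actually traverse AS29386; on a real snapshot the gap is what 32-bit ASNs and wrapped lines contribute. The "originated" figure (prefixes whose path ends in the target ASN) is the one that goes to zero when an operator withdraws its own routes, which is the censorship signal the talk is after.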
-
routeviews-py
A PYTHON SCRIPT FOR RECORDING ROUTE VIEWS DATA
Input comma-separated list of ASNs
Downloads latest Route Views data
Compares changes from last iteration for each ASN
Output to CSV or SQLite
    Timestamp, ASN, Count, Change
Available on GitHub: https://github.com/tprime-/routeviews-py
-
routeviews-py
A PYTHON SCRIPT FOR RECORDING ROUTE VIEWS DATA
user@ubuntu:~$ ./routeviews-py.py -h
Usage: ./routeviews-py.py -a -o
Example: ./routeviews-py.py -a 100,200,300 -ocsv
Notes: -a flag is required. -o flag is optional. Default output is SQLite.
-
An Accurate Metric
COMPARED TO PROFESSIONAL BGP MONITORING SOLUTIONS
ASN24814 GOES OFFLINE, MARCH 24, 2015
http://bgp.he.net/AS24814
-
An Accurate Metric
COMPARED TO PROFESSIONAL BGP MONITORING SOLUTIONS
SYRIAN INTERNET GOES DOWN, JULY 12, 2014
https://twitter.com/DynResearch/status/488305381765304320
-
HOW TO MONITOR BGP AT HOME USING ROUTEVIEWS-PY
-
Setup Your Own BGP Monitoring
USING ROUTEVIEWS-PY
Cheap ($5/month) VPS; a spare machine will work fine
Download routeviews-py from GitHub
Select ASNs
Add to crontab (the -a flag is required, as the usage text above states):
0 0,2,4,6,8,10,12,14,16,18,20,22 * * * /home/routeviews-py.py -a 29386 > /dev/null 2>&1
-
Setup Your Own BGP Monitoring
USING ROUTEVIEWS-PY
Detect & report censorship
Visualize data (Highcharts, etc.)
Push updates to various locations: Twitter, mailing list
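As an added example (not part of routeviews-py), this turns the history the script records into the "detect & report" step above: it walks the stored counts for one ASN in time order and emits one event per state change (a large drop, the run the count first hits zero, the run it comes back), so a multi-run outage does not produce a fresh alert every two hours. It assumes a SQLite table named routeviews with the four fields the routeviews-py slide lists (timestamp, asn, count, change); those names are my guess, not the script's actual schema, and the history rows are constructed.

```python
"""Turn the per-run counts that routeviews-py records into alerts.

Added example for this write-up, not part of routeviews-py. It assumes the
script's SQLite output holds the four fields the slides list (timestamp, ASN,
count, change); the table and column names are my assumption, not the
script's real schema, so adjust the queries to match it.
"""
import sqlite3
from typing import List, Optional, Tuple

# Constructed history for one ASN: a mild dip, a large drop, two runs at zero,
# then recovery. Timestamps and counts are invented.
SAMPLE_ROWS = (
    ("2014-07-12T00:00:00Z", 29386, 2852, None),
    ("2014-07-12T02:00:00Z", 29386, 2687, -0.058),
    ("2014-07-12T04:00:00Z", 29386, 1200, -0.579),
    ("2014-07-12T06:00:00Z", 29386, 0, -1.0),
    ("2014-07-12T08:00:00Z", 29386, 0, None),
    ("2014-07-12T10:00:00Z", 29386, 2800, None),
)


def load_history(rows=SAMPLE_ROWS) -> sqlite3.Connection:
    """In-memory stand-in for the script's SQLite file (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE routeviews ("timestamp" TEXT, asn INTEGER, '
                 '"count" INTEGER, change REAL)')
    conn.executemany("INSERT INTO routeviews VALUES (?, ?, ?, ?)", rows)
    return conn


def classify(conn: sqlite3.Connection, asn: int,
             drop_threshold: float = -0.5) -> List[Tuple[str, str]]:
    """Walk one ASN's history in time order and emit one event per state
    change: 'partial_withdrawal' when the count falls by at least the
    threshold fraction, 'offline' on the first run the count is zero,
    'restored' when it is non-zero again. The change is recomputed from the
    counts rather than trusted from the stored column, and a zero previous
    count is never divided by."""
    events: List[Tuple[str, str]] = []
    previous: Optional[int] = None
    offline = False
    rows = conn.execute('SELECT "timestamp", "count" FROM routeviews '
                        'WHERE asn = ? ORDER BY "timestamp"', (asn,))
    for timestamp, count in rows:
        if previous is not None:
            if count == 0 and not offline:
                events.append((timestamp, "offline"))
                offline = True
            elif count > 0 and offline:
                events.append((timestamp, "restored"))
                offline = False
            elif previous > 0 and count / previous - 1 <= drop_threshold:
                events.append((timestamp, "partial_withdrawal"))
        previous = count
    return events


def report_lines(events: List[Tuple[str, str]], asn: int) -> List[str]:
    """One short line per event, the form you would push to Twitter or a list."""
    return [f"AS{asn} {kind.replace('_', ' ')} at {timestamp}"
            for timestamp, kind in events]


if __name__ == "__main__":
    for line in report_lines(classify(load_history(), 29386), 29386):
        print(line)
```

The threshold is deliberately a parameter: a 6% dip like the one on the earlier slide is ordinary churn in a full table, while a drop past half is worth a message even before the count reaches zero.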
-
What's Next?
BUDGET BGP MONITORING
Detect BGP hijacking?
Response to BGP censorship?
Modem bank
-
Contact Us
@BISHOPFOX
FACEBOOK.COM/BISHOPFOXCONSULTING
LINKEDIN.COM/COMPANY/BISHOP-FOX
GOOGLE.COM/+BISHOPFOX
-
Thank You
Questions?
https://github.com/tprime-/routeviews-py
@tprime_