Kentaro Goto, Waseda Univ. Uchida Lab
Route Research Expert Team
Detecting route announcements of unassigned IP address
Brief summary
20/02/2020 APRICOT 2020
• Our purpose: to better understand the reality of “unexpected” route announcements
• Compared IPv4 full route with IPv4 address pool in JPNIC
• Found 3 different route announcements
  - 3 separate /24 networks
Background info – Related works (1/2)
Research about unallocated prefixes from RIRs exists
[Diagram labels: RIR-pooled (= unallocated); allocate; NIRs or ISPs; EUs. RIR-pooled addresses are not supposed to appear in any actual routes.]
Background info – Related works (2/2)
• RIR-allocation progresses
  - FTP sites by APNIC: http://ftp.apnic.net/stats/apnic/
• Mis-announced address space/AS numbers
  - For “bad” address: http://thyme.apnic.net/current/data-add-IANA
  - For “bad” AS: http://thyme.apnic.net/current/data-badAS
What about NIR-pooled addresses?
Background info - stakeholders
[Diagram labels: pooled (= unassigned); allocate; ISPs; assign; EU; AS-A, AS-B, AS-C; a.b.c.d/24. Legend: unexpected route announce / legitimate route announce.]
Unexpected/illegitimate origin AS:
Step 1. somehow steals it, or mis-config
Step 2. announces a.b.c.d/24
Step 3. They spread
FYI - JPNIC-pooled addresses
• Before 2003: NIRs were able to hold resource allocations for further allocation to ISPs in their economy
• Now: JPNIC forwards each allocation request from local ISPs to APNIC
Background info – DB search
Not found in JPNIC WHOIS
...but visible in RIPEstat
Unassigned IP addresses announced
Hypothesis
Unassigned IP networks are announced in the Internet
[Diagram labels: allocate; ISPs; assign; EU. Unassigned space is “theoretically” not supposed to appear in any route…]
Overview again
Overview
Detect unassigned networks announced as routes
Search for details on route monitoring system
Compare IPv4 full route with IPv4 address pool in JPNIC
Detecting “Unexpected” by (1) Announced ∩ (2) Unassigned
(1) Announced IP prefixes: 192.0.2.0/24, aa.bbb.xx.y/16, aa.bbb.ss.t/8, 203.0.113.0/24, …
∩ (AND)
(2) Unassigned IP addresses: aa.bbb.xx.y/21, aa.bbb.ss.t/24, …
Announced ∩ Unassigned: aa.bbb.xx.y/21, aa.bbb.ss.t/24
Data details
(1) Announced IP prefixes
• Downloaded from RIPE RIS* (*RIS: Routing Information Service)
  - rrc06.ripe.net: Otemachi, Japan. Collects route updates announced by JPIX members from Aug. 2001
• Around 800,000 announcements
• Size equivalent to around 15,341,353 /24 networks
(2) Unassigned IPv4 addresses
• Calculated from JPNIC database (10th Dec 2019)
• Size equivalent to 14,497 /24 networks
• Needless to say ...
  - NOT open to the public
  - NO IPv6 included
Requirements and links
• Reading route info / JPNIC database CSV: pandas
• Extracting Announced && Unassigned: netaddr, ipaddress
For network address manipulation:
• netaddr – IPSet(): https://netaddr.readthedocs.io/en/latest/introduction.html
• ipaddress: https://docs.python.org/3/library/ipaddress.html
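The (1) Announced ∩ (2) Unassigned comparison from the slides above, as an added example that is not the authors' script. It uses only the standard-library ipaddress module (no netaddr or pandas); the sample prefixes, AS numbers, function names and the min_len cutoff are assumptions constructed for illustration.

```python
import ipaddress
from bisect import bisect_right

# Constructed sample data (private/documentation space, documentation ASNs).
SAMPLE_POOL = ["10.20.8.0/21", "10.99.5.0/24", "192.0.2.0/25", "192.0.2.128/25"]
SAMPLE_ROUTES = [
    ("10.20.0.0/16", "AS64500"),     # less specific, covers a pooled /21
    ("10.99.5.0/24", "AS64501"),     # exact match
    ("192.0.2.64/26", "AS64502"),    # more specific, inside a pooled block
    ("198.51.100.0/24", "AS64503"),  # not in the pool
    ("0.0.0.0/0", "AS64504"),        # default route
    ("2001:db8::/32", "AS64505"),    # IPv6, the pool is IPv4 only
]

def load_pool(cidrs):
    """Merge the unassigned pool into sorted, non-overlapping IPv4 networks."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)
    return sorted(nets, key=lambda n: int(n.network_address))

def slash24_equivalents(cidrs):
    """Size of a prefix set in /24 units, the measure used on the slides."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)
    return sum(n.num_addresses for n in nets) / 256

def announced_and_unassigned(routes, pool, min_len=8):
    """Return (announced prefix, origin AS, overlapping part) for each hit.
    min_len is an assumption of this example: shorter prefixes, such as a
    default route, cover the whole pool and are skipped.
    """
    starts = [int(p.network_address) for p in pool]
    hits = []
    for prefix, origin in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != 4 or net.prefixlen < min_len:
            continue
        lo, hi = int(net.network_address), int(net.broadcast_address)
        # Pool blocks are sorted and disjoint: start at the last block that
        # begins at or before hi and walk left while blocks still reach lo.
        i = bisect_right(starts, hi) - 1
        while i >= 0 and int(pool[i].broadcast_address) >= lo:
            # Overlapping CIDR blocks are nested: keep the longer prefix.
            part = net if net.prefixlen >= pool[i].prefixlen else pool[i]
            hits.append((str(net), origin, str(part)))
            i -= 1
    return hits

if __name__ == "__main__":
    for hit in announced_and_unassigned(SAMPLE_ROUTES, load_pool(SAMPLE_POOL)):
        print(*hit)
```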
Results verification - flow
Detected 3 unassigned networks announced in route information
Search them on RIPEstat for details
Results verification - example
JPNIC office IP prefix 192.41.192.0/24
Heatmap of an announced route (legend: less / more), https://stat.ripe.net/
RIPEstat search Results
Results - from an AS in Japan
https://stat.ripe.net/
Nov. 2002 -
Results - from an AS in S.Korea
Jan. 2008 - Jan. 2020
https://stat.ripe.net/
Results - from an AS in Hong Kong
https://stat.ripe.net/
Apr. 2005 – Jan. 2020
Consequences of the detected networks
• from an AS in Japan
  - Previously was returned to JPNIC …but announcement settings have not followed
• from an AS in S.Korea
  - Withdrawn after contact
  - Mis-config
• from an AS in Hong Kong
  - Withdrawn after contact
  - Mis-config
Conclusion
Found 3 unassigned networks announced in route information
Even unused IP addresses are routed in the Internet… not an organisation dependent problem
Future work
• Active monitoring
  - ping them all
• Investigate open ports on the hosts in the detected IP networks to see their purposes
• IRR search for more info?
• Further research for other regions
• Further research involving malicious domain names
• Anomaly detection by machine learning
Appendix
• Public GitHub repository: https://anonymous.4open.science/r/0d8ee868-194c-48b0-a17d-c58b17837596/
  - A simple python script
• Applicable to arbitrary IP prefixes pool
  - So please give it a try
Thank you
RIPEstat search results for RIR/RPKI info
https://stat.ripe.net/