A Forensic Case Study on AS Hijacking
In March 2011, a malicious case of AS hijacking was carried out in order to conduct illegal network activities. In contrast to well-known IP prefix hijacking attacks, no such incident has been studied in detail so far. We conduct a case study on the incident, which yields unique insights into how an attacker proceeded in order to covertly hijack an abandoned AS, how he misled an upstream provider, and how he abused unallocated address space. Based on a thorough investigation of the attack using data from both the control plane and the data plane, we show that taking over whole ASes is in fact feasible with little effort.
Following a series of routing attacks against the Russian ISP Link Telecom that were reported on a public mailing list, we conducted a forensic analysis to study how the attacker proceeded. We refer to this attack as the LinkTel incident. By evaluating BGP control plane data and additional metadata, we were able to disclose the attacker's activities and to reconstruct the full sequence of events during the attack. We saw that the attack was carried out in a professional manner in order to send spam from the hijacked networks. Detailed studies of data plane information revealed further objectives. The attacker hosted services in the hijacked prefixes, scanned for client vulnerabilities, and placed adverts for questionable products on web sites and possibly in chat rooms. We assume that suitable preconditions, including the attacker's ability to pass FCrDNS (forward-confirmed reverse DNS) checks, supported the abusive use of the hijacked networks.
We conclude that Link Telecom was carefully selected as an ideal AS for long-term abuse while effectively hiding the attacker's identity. This was unlikely to have been a manual operation: various data sources had to be combined to assess the victim's eligibility. By reflecting on the technical insights we gained from studying the LinkTel incident, we further profiled the attacker and understood that he must have had access to automated tools for spotting potential victims.
Our evaluation shows that there is a real threat emerging from inattentive AS operators. It further proves that an early warning system can be derived to pre-empt future attackers. Such a system can protect Internet resources by informing vulnerable ISPs so that they can deploy countermeasures in time. We will shortly add this detection capability to our routing analytics suite.
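As an added illustration of the early-warning idea (not the authors' system or code), the following Python sketch scans BGP origin announcements for an AS that falls silent and later resurfaces behind a different upstream, possibly originating prefixes it never announced before. The sample updates, AS numbers and prefixes are constructed documentation values and the dormancy and window thresholds are assumptions, not parameters from the paper.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed BGP control-plane observations: (date, prefix, AS path from collector to origin).
# AS numbers and prefixes are hypothetical documentation values, not those of the LinkTel incident.
SAMPLE_UPDATES = [
    ("2010-01-05", "192.0.2.0/24", [64500, 64510, 64520]),
    ("2010-06-10", "192.0.2.0/24", [64500, 64510, 64520]),     # origin 64520 falls silent after this
    ("2011-03-15", "192.0.2.0/24", [64500, 64530, 64520]),     # ...resurfaces behind a new upstream
    ("2011-03-16", "198.51.100.0/24", [64500, 64530, 64520]),  # ...and originates a never-seen prefix
    ("2011-03-14", "203.0.113.0/24", [64500, 64510, 64540]),   # continuously active origin, for contrast
    ("2011-03-15", "203.0.113.0/24", [64500, 64510, 64540]),
]

def flag_dormant_origins(updates, dormancy_days=180, window_days=30):
    """Report origin ASes that reappear after at least dormancy_days of silence.
    Announcements in the first window_days after the reappearance are compared
    with the origin's pre-gap history; a changed upstream (the AS adjacent to
    the origin) and previously unseen prefixes are the signals to verify by hand.
    """
    by_origin = defaultdict(list)
    for date, prefix, path in updates:
        upstream = path[-2] if len(path) > 1 else None
        by_origin[path[-1]].append((datetime.strptime(date, "%Y-%m-%d"), prefix, upstream))
    alerts = []
    for origin, events in by_origin.items():
        events.sort(key=lambda e: e[0])
        seen_prefixes, seen_upstreams, i = set(), set(), 0
        while i < len(events):
            when, prefix, upstream = events[i]
            silent = (when - events[i - 1][0]).days if i else 0
            if silent >= dormancy_days:
                # everything announced shortly after the comeback belongs to one event
                burst = [e for e in events[i:] if e[0] <= when + timedelta(days=window_days)]
                alerts.append({
                    "origin": origin,
                    "silent_days": silent,
                    "new_upstreams": sorted({e[2] for e in burst} - seen_upstreams),
                    "new_prefixes": sorted({e[1] for e in burst} - seen_prefixes),
                })
                seen_prefixes.update(e[1] for e in burst)
                seen_upstreams.update(e[2] for e in burst)
                i += len(burst)
            else:
                seen_prefixes.add(prefix)
                seen_upstreams.add(upstream)
                i += 1
    return alerts
```

On the sample data the only alert is for origin 64520: silent for 278 days, now reached via upstream 64530 and additionally originating 198.51.100.0/24.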
J. Schlamp, G. Carle, and E. W. Biersack
"A Forensic Case Study on AS Hijacking: The Attacker's Perspective"
ACM SIGCOMM Computer Communication Review
Volume 43, Issue 2, pp. 5-12, April 2013.