Inside Cyber Warfare - Jeffrey Carr [80]
E-BGP
External Border Gateway Protocol; used to communicate routing information between separate autonomous systems
BGP data is a very powerful tool for attribution analysis. Using this information, it is possible for an investigator to identify the “source” network of an attack, as you’ll read about in the upcoming case studies.
There are a number of ways to query BGP information that do not require access to an ISP router or knowledge of very specialized routing specifics. For example, using the Team Cymru IP to ASN service it is possible to retrieve global routing information, as shown in Figure 9-1.
Figure 9-1. Screenshot of a data request using Team Cymru’s IP to ASN service
The screenshot shows that IP address 4.2.2.1 is routed by autonomous system (AS) 3356, which is administered by Level 3 Communications. Another excellent resource is offered by RIPE.
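As an added illustration (not code from the book), here is a small Python parser for the pipe-delimited verbose output that the whois.cymru.com service returns, plus the reversed-octet DNS name used for its TXT-record lookup; the sample response below is constructed, and the AS name string in it is assumed rather than captured.

```python
"""Parse Team Cymru IP-to-ASN responses and sanity-check them for attribution work."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample of whois.cymru.com verbose output (not captured from the
# live service); fields are pipe-delimited and the first line is the header row.
SAMPLE_RESPONSE = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
3356    | 4.2.2.1          | 4.0.0.0/9           | US | arin     | 1992-12-01 | LEVEL3, US
NA      | 192.0.2.7        | NA                  | NA | NA       | NA         | NA
"""


@dataclass
class AsnRecord:
    asn: Optional[int]      # None when the address is not in the global routing table
    ip: str
    prefix: Optional[str]   # announced BGP prefix covering the IP, or None if unrouted
    country: str
    registry: str
    allocated: str
    as_name: str

    def prefix_covers_ip(self) -> bool:
        """Sanity check: the announced prefix must actually contain the queried IP."""
        if self.prefix is None:
            return False
        return ipaddress.ip_address(self.ip) in ipaddress.ip_network(self.prefix, strict=False)


def origin_query_name(ip: str) -> str:
    """DNS name for the TXT-record form of the lookup: reversed octets under origin.asn.cymru.com."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + ".origin.asn.cymru.com"


def parse_verbose(text: str) -> list:
    """Turn the verbose whois response into AsnRecord objects, skipping blanks and the header."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 7 or fields[0] == "AS":
            continue
        asn = int(fields[0]) if fields[0].isdigit() else None
        prefix = None if fields[2] == "NA" else fields[2]
        records.append(AsnRecord(asn, fields[1], prefix, *fields[3:]))
    return records


if __name__ == "__main__":
    for rec in parse_verbose(SAMPLE_RESPONSE):
        status = "routed" if rec.asn else "not in global routing table"
        print(f"{rec.ip}: AS{rec.asn} {rec.as_name} via {rec.prefix} ({status}, consistent={rec.prefix_covers_ip()})")
```

The prefix check catches a mismatched or stale answer before an AS number is written into an attribution timeline.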
The domain name system is another example of open source Internet data that can greatly aid an investigation into suspected intrusion IP addresses. DNS is a global hierarchical system that allows a user to translate a common name (www.foo.com, for example) into an IP address. Based on its DNS name, it may be possible to uncover information that helps characterize the attacking IP address. For example, is the attacking machine a mail server or a web server? Could it be a router or a client machine located on a dial-up service? This information is very useful in determining technical attack attribution. Several online tools exist to assist in this search, including DomainTools.
It is also possible to leverage “black lists” to determine whether the suspect IP address has been associated with any previous malfeasance, such as spamming, scanning, or malware infection. Several organizations offer these services, including Spamhaus and the SANS Internet Storm Center.
Background
On January 18, 2009, a large-scale distributed denial of service (DDoS) attack began against Kyrgyzstan Internet service providers (ISPs). The key national web site Asiainfo.kg and the official Kyrgyzstan domain registration service Domain.kg have been available only intermittently since that date.
Russian-based servers primarily known for cyber crime activity have been identified through IP analysis of the attacks on Kyrgyzstan. Figure 9-2 shows the Internet routing during the later stages of the Kyrgyzstan DDoS attacks.
Figure 9-2. Internet routing diagram for a set of autonomous systems in the KG attacks
Figure 9-3 provides a BGP Internet traffic routing map for the period of January 15, 2009, with a primary focus on highlighting the DDoS traffic against AS8511 Asiainfo of Kyrgyzstan. BGP represents a route map for how Internet traffic should move from one ISP to another in the most efficient way.
Figure 9-3. BGP routing map
What Is an Autonomous System Network?
Figure 9-3 is a diagram of packet flow through various autonomous system (AS) networks. If you look closely you’ll recognize a few that are mentioned in the table that supports the diagram. Packets don’t necessarily follow the maxim that says the shortest distance between two points is a straight line. In fact, that rarely happens. A traceroute reveals the sometimes complex path that packets take to move from the source to the destination. AS numbers act like intersections that help investigators discover the server networks that were used.
An AS number is linked to a block of IP addresses. These in turn are owned by a large Internet services company, such as The Planet, or a utility such as Qwest or ComCor TV, a Russian cable company.
When AS networks agree to carry one another’s traffic, it’s known as “peering.” Peering can occur in a few different ways, but typically it is either through swaps or some form of payment arrangement.
It’s important to note that just because these packets traveled through a Russian network, it doesn’t convey any geopolitical responsibility or “evidence.” The StopGeorgia.ru