Public and Private Autonomous System Numbers (ASNs)
ACM.461 How ASNs and BGP are used and abused in attacks to route traffic on the Internet
In the last post I explained what Internet Registries are and how they track ownership of IP address ranges. If you are not familiar with those topics you’ll want to read this first:
I mentioned at the end of that post that Internet registries also track ASNs or Autonomous System Numbers. An organization requests an ASN from an IP registry. Then they associate their IP ranges with that ASN. Then they can use that ASN to provide information to other networks to advertise those IP ranges and explain how to route traffic properly to the correct location on their network.
Network Routing
In order for a network packet to get from one network to another, it needs to know what route to take. Your network devices have what are called route tables that define which IP addresses should take which routes to reach other networks.
If no route exists for a particular IP range, you will get a “No Route To Host” error. I explained what that is and how to fix it for this particular case where I needed to send traffic between two devices on my network.
These two devices were both on my network and under my control so I could change the route tables to get the traffic to flow correctly.
But what if I need to send some traffic to some other network where I don’t control the routing tables? How do those routing tables get updated when one network makes a change to the way traffic should be routed and they need to let another network know about the change?
This is where a protocol called BGP usually comes into play.
Border Gateway Protocol (BGP)
BGP is a way for routers on the Internet to advertise information to each other. BGP helps routers determine what routes are available and the most efficient routes to take to get a network packet from A to B.
Border Gateway Protocol (BGP) is the postal service of the Internet. When someone drops a letter into a mailbox, the Postal Service processes that piece of mail and chooses a fast, efficient route to deliver that letter to its recipient.
https://www.cloudflare.com/learning/security/glossary/what-is-bgp/
You put the routes you want to advertise in your routing table as explained here for a Cisco device:
The routes above involve IP addresses, but routing policies can also make use of ASNs. Instead of directing traffic to a specific IP range, the routing policy might have information about ASNs — or the devices that belong to a particular AS (Autonomous System) or, in other words, a network of IP ranges with a single owner. The link I posted above shows how organizations create accounts at ARIN and request an ASN to associate with their network, which may consist of multiple non-contiguous IP ranges.
How does BGP use ASNs?
BGP uses ASNs and routing policies to help determine the most efficient path to take on the Internet.
Internet service providers use ASNs to identify their networks and the routes connecting them to the internet. As a result, routers can use ASNs to determine the best path for data packets traveling between networks. ASNs tell routers which network the data is being sent to.
Routing policies help define the path a network packet may take as it traverses the Internet; instead of pointing traffic at a specific IP range, a policy may specify a network by its ASN.
Routing Policy: The set of rules a network administrator implements. Those rules control the paths data takes when it exits to other networks. It can influence but not control the paths incoming data takes.
Also from the above post:
When networks connect to each other, they identify themselves with their ASN and they communicate which IP networks they can reach and the routes they would use to get to distant networks.
Abuse of BGP to redirect websites and steal cryptocurrency
I would be remiss on a security blog not to tell you that BGP has been abused in ways that led to major data breaches. It has also caused serious outages due to misconfigurations. BGP is also difficult to configure and manage securely because it has few security controls built in, so it is critical to monitor it closely.
The attack is called BGP Hijacking and you can read more about how it works here:
Here are a few examples of BGP gone wrong.
Microsoft outage caused by misconfiguration of BGP:
https://www.thousandeyes.com/blog/microsoft-outage-analysis-january-25-2023
Iran suspected of rerouting Google.com:
More on Iranian attacks on BGP:
Chinese attacks on BGP:
Here are some BGP redirections that resulted in stolen bitcoin:
By the way, if you lose Bitcoin due to a BGP attack, good luck getting it back. First of all, the attacks are often outside of the jurisdiction of the victim. I wrote about jurisdictions and cyber law in this post:
Unlike bank accounts in the US insured under certain circumstances by the FDIC, cryptocurrency has no such protections.
Bitcoin is not very regulated by the US government like banks and other financial institutions. If the exchanges are outside the jurisdiction of the country where you live, good luck getting your money back. Besides the fact that investing in cryptocurrency is investing in and propping up the value of the currency used by criminals attacking hospitals with ransomware, people avoiding sanctions, and money laundering. Although there are some use cases where crypto can help, they are generally not related to issues faced by the average US citizen, so my motto until more regulation and safety exists: Crypto is for criminals.
BGP attacks are only one of the ways people are losing money in crypto, not to mention the implosion of companies like FTX and others.
The ability to transfer funds to other networks, as well as the double-spend problem I read about the first time I scanned a book on cryptocurrency, is what led me not to get into it. Although it has proven lucrative for some, it is primarily based on the fact that it funds organized crime, not because it is used in many legitimate transactions. That’s why I continue to avoid it, on top of the inherent risks mentioned above.
But I digress.
What is a private ASN?
Think of a private ASN like a private IP address. You can use them for routing purposes in policies that reside in your own network. There’s a range of ASNs designated by ARIN as explained here:
A 2-byte ASN is a 16-bit number. This format provides for 65,536 ASNs (0 to 65535). From these ASNs, the Internet Assigned Numbers Authority (IANA) reserved 1,023 of them (64512 to 65534) for private use.
A 4-byte ASN is a 32-bit number. This format provides for 2^32 or 4,294,967,296 ASNs (0 to 4294967295). IANA reserved a block of 94,967,295 ASNs (4200000000 to 4294967294) for private use.
All ASNs are now 4 bytes, by the way.
Why does this matter? Because if you want to set up private network routing between devices that should not be accessible to the broader Internet you can use these private ASNs.
For example, when you want to set up a site to site VPN between AWS and your own network device you will use an ASN.

When you create a virtual private gateway, you can specify the private Autonomous System Number (ASN) for the Amazon side of the gateway. If you don’t specify an ASN, the virtual private gateway is created with the default ASN (64512).
You can see that 64512 is the first number in the 2-byte private ASN range from the ARIN documentation above.
If you have a public ASN you can use one for the VPN configuration of the customer gateway. If you don’t have a public ASN, you can use a private ASN in the specified ranges below.

Best security practice is to ensure these private ASNs are not advertised to the Internet.
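As an added example (not code from the original post or from ARIN or AWS), the following Python classifies ASNs using the private ranges quoted above and scans constructed BGP route announcements for the two conditions a defender monitoring BGP watches for: a private ASN leaking into an AS_PATH seen on the Internet, and a monitored prefix being originated by an ASN other than its expected owner (the signature of a hijack). All prefixes and ASNs in the sample data are hypothetical and constructed for illustration; AS_PATHs are assumed to be space-separated asplain numbers without AS_SETs.

```python
# Private-use ASN ranges quoted in the post (IANA reservations); everything else
# in 0..2^32-1 is treated as public/assignable here.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))
MAX_ASN = 2**32 - 1  # all ASNs are 32-bit today


def asn_is_private(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def parse_as_path(text: str) -> list[int]:
    """Parse an AS_PATH string such as '64496 64497 64498' into a list of ints."""
    path = []
    for tok in text.split():
        asn = int(tok)
        if not 0 <= asn <= MAX_ASN:
            raise ValueError(f"ASN out of range: {tok}")
        path.append(asn)
    return path


def check_announcements(announcements, expected_origins):
    """announcements: (prefix, as_path) pairs as seen from a route collector.
    expected_origins: {prefix: origin_asn} for prefixes you own or monitor.
    Returns (prefix, kind, detail) findings for a human or an alerting pipeline."""
    findings = []
    for prefix, path_text in announcements:
        path = parse_as_path(path_text)
        # A private ASN in a path observed on the Internet means someone leaked it.
        leaked = [a for a in path if asn_is_private(a)]
        if leaked:
            findings.append((prefix, "private-asn-leak", f"private ASNs in path: {leaked}"))
        # The rightmost ASN originates the prefix; an origin other than the
        # registered owner is the classic sign of a BGP hijack.
        origin = path[-1]
        expected = expected_origins.get(prefix)
        if expected is not None and origin != expected:
            findings.append((prefix, "unexpected-origin", f"origin {origin}, expected {expected}"))
    return findings


# Constructed sample data: documentation prefixes and hypothetical ASNs, not real routes.
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", "64496 64497 64498"),   # normal: expected origin
    ("203.0.113.0/24", "64496 64499 64501"),   # possible hijack: different origin
    ("198.51.100.0/24", "64496 64512 64500"),  # private ASN leaked into the path
]
EXPECTED_ORIGINS = {"203.0.113.0/24": 64498, "198.51.100.0/24": 64500}

if __name__ == "__main__":
    for prefix, kind, detail in check_announcements(SAMPLE_ANNOUNCEMENTS, EXPECTED_ORIGINS):
        print(f"{prefix}: {kind}: {detail}")
```

In practice the announcements would come from a route collector or looking-glass feed rather than a hard-coded list, and the expected origins from your own registry records.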
BGP Security Best Practices
Here are some additional resources with security best practices for BGP:
https://www.ncsc.gov.uk/files/border-gateway-protocol-technical-paper.pdf
Now that you know what ASNs are you can use them in conjunction with AWS services that leverage them.
Teri Radichel | © 2nd Sight Lab 2024