BAD ASN - A BGP Hijack Research / 高春輝、YU GUO
===

**About the speaker and IPIP.net**

- Not a security company, but one that does a lot of research; has collected a lot of data about Taiwan.
- In mainland China, internet companies use IPIP.net's data for big-data analysis. Customers span many fields, and IP address assignments are constantly changing.
- BGP hijacking is a design flaw of BGP: an attacker can announce Chunghwa Telecom's address space and pose as a Chunghwa Telecom website that appears to be in Taiwan while actually being served from another location.
- This research had not been disclosed before, so it is being presented at HITCON.
- Goal: to become the best data-analysis company in the world.

**BGP Hijack History**

- IRR, RPKI, MANRS: not enough.
- Prefix hijacking.

**Common techniques in BGP hijacking**

- Human typo (Feb 2008).
- Profit (Apr 2018): hijack Amazon DNS to take over the crypto wallet service MyEtherWallet.
- Long-term hijacking (aka BAD ASN, the term used by IPIP.net): extremely hidden; used for spam, DDoS, web scraping and proxies.

**ASN/BGP data is very important to make IP data correct**

- IPIP.net runs its own BGP data collection and tools to monitor IP prefix theft. The pattern:
  - Announce prefixes that are not in use.
  - Usually withdrawn within days.
  - Mixed with normal prefixes to avoid detection.
- Anything downstream of a BAD ASN is almost 100% bad.

**Why use a BAD ASN?** (spam / proxy / spider or crawler farm / other abuse)

Purposes of stealing an ASN:

1. Sending spam (the majority)
2. Providing proxy services
3. Crawlers
4. Other

**Case study**

- https://mailman.nanog.org/pipermail/nanog/2018-June/096034.html
- https://dyn.com/blog/shutting-down-the-bgp-hijack-factory/
- https://mailman.nanog.org/pipermail/nanog/2018-July/096437.html

Upstream/downstream of AS197426:

- Please focus on the downstream.

About AS3266:

- Many California prefixes announced (hijacked) via a German (DE) ASN.
- The origin prefix owner announces /24s to mitigate the hijacking: longest-prefix match makes the owner's more-specific route win over the hijacker's less-specific announcement.
- Try to check the IP source, destination and location.

More case studies:

- AS205869 - Universal IP Solution
- AS7827 - American Business Information
- AS19529 - Razor
- AS11717 - Solarus, US
- AS10800 - Internet Arena, US

BAD ASN in IPv6:

- AS57166 in Switzerland

**BAD ASN - Summary**

* IP prefix theft
* Announce prefixes that are not in use
* **asndrop.txt** of Spamhaus.org
  * An ASN list will bring false positives
  * Blocking all prefixes in the same ASN is not a perfect solution
  * ASN theft issues

Suggestions:

* Announce & monitor all your IP prefixes :)
* When abuse is detected, the owner can announce the prefix as /24s (or more specific). Caveat: most networks filter IPv4 announcements longer than /24, so a /24 is in practice the most specific announcement that will propagate.
* Contact abuse@ISP or its upstream providers.

###### tags: `HITCONCMT2019`,`HITCONCMT`,`HITCON`
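Worked example of the three detection signals the notes describe (a prefix announced by an origin that is not authorized for it, a prefix that sits downstream of a known-bad ASN in the AS_PATH, and an announcement withdrawn within days), run over a batch of BGP updates. This is added code, not IPIP.net's tooling or anything shown in the talk. The ROA table, the known-bad set (standing in for Spamhaus' asndrop.txt), the private-use ASNs (AS64500-series, AS64666) and the update records are constructed sample data on documentation prefixes, and the RPKI-style check is a simplified ROA validation (covering ROA, matching origin, prefix length within maxLength), not a full RPKI validator.

```python
"""Added example: flag BAD ASN-style prefix announcements in a batch of BGP
updates. Not the speaker's or IPIP.net's code; all ASNs, prefixes, ROAs and
timestamps below are constructed sample data (documentation ranges and
private-use ASNs), not real hijacks."""
import ipaddress
from datetime import datetime

# Constructed ROA table: prefix -> (authorized origin ASN, maxLength).
ROAS = {
    "203.0.113.0/24": (64500, 24),
    "198.51.100.0/22": (64501, 24),
    "2001:db8::/32": (64502, 48),
}

# Constructed set of ASNs already known to be abusive (the role Spamhaus'
# asndrop.txt plays in the talk).
BAD_ASNS = {64666}

# Constructed updates: (ISO timestamp, "A"nnounce or "W"ithdraw, prefix, AS_PATH).
# AS_PATH is written collector-side first and origin last, as in MRT/RIS dumps.
UPDATES = [
    ("2019-08-01T00:00:00", "A", "203.0.113.0/24", [64510, 64500]),
    ("2019-08-01T01:00:00", "A", "198.51.100.0/24", [64510, 64666, 64777]),
    ("2019-08-01T02:00:00", "A", "192.0.2.0/24", [64510, 64666, 64778]),
    ("2019-08-01T03:00:00", "A", "2001:db8::/32", [64510, 64666, 64779]),
    ("2019-08-03T01:00:00", "W", "198.51.100.0/24", []),
]


def roa_validate(prefix, origin_asn, roas):
    """Simplified RPKI origin validation: 'valid', 'invalid' or 'unknown'.
    'unknown' means no ROA covers the prefix at all."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, (asn, max_len) in roas.items():
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"


def downstream_of_bad_asn(as_path, bad_asns):
    """ASNs that sit behind (closer to the origin than) the first known-bad ASN
    in the path; [] if the path does not transit a bad ASN."""
    for i, asn in enumerate(as_path):
        if asn in bad_asns:
            return as_path[i + 1:]
    return []


def short_lived_prefixes(updates, max_days=7):
    """Map prefix -> lifetime in days for prefixes announced and then withdrawn
    within max_days (the 'usually withdrawn in days' pattern)."""
    first_seen, lifetimes = {}, {}
    for ts, kind, prefix, _ in sorted(updates, key=lambda u: u[0]):
        t = datetime.fromisoformat(ts)
        if kind == "A":
            first_seen.setdefault(prefix, t)
        elif kind == "W" and prefix in first_seen:
            age = (t - first_seen.pop(prefix)).days
            if age <= max_days:
                lifetimes[prefix] = age
    return lifetimes


def analyze(updates, roas, bad_asns, max_days=7):
    """Per announced prefix: origin, RPKI state, ASNs behind a bad ASN, lifetime."""
    lifetimes = short_lived_prefixes(updates, max_days)
    report = {}
    for _, kind, prefix, as_path in updates:
        if kind != "A":
            continue
        origin = as_path[-1]
        report[prefix] = {
            "origin": origin,
            "rpki": roa_validate(prefix, origin, roas),
            "behind_bad_asn": downstream_of_bad_asn(as_path, bad_asns),
            "lifetime_days": lifetimes.get(prefix),
        }
    return report


def suspicious(entry):
    """A plain 'unknown' RPKI state is NOT enough on its own: most of the table
    has no ROA, so flagging it would reproduce the false positives the talk
    warns about for blanket ASN lists."""
    return (entry["rpki"] == "invalid"
            or bool(entry["behind_bad_asn"])
            or entry["lifetime_days"] is not None)


if __name__ == "__main__":
    for prefix, entry in analyze(UPDATES, ROAS, BAD_ASNS).items():
        mark = "SUSPICIOUS" if suspicious(entry) else "ok"
        print(f"{prefix:20} AS{entry['origin']} rpki={entry['rpki']} "
              f"behind_bad={entry['behind_bad_asn']} "
              f"lifetime={entry['lifetime_days']} -> {mark}")
```

In the sample batch only 203.0.113.0/24 comes out clean; 198.51.100.0/24 trips all three signals (wrong origin for the covering ROA, announced from behind AS64666, withdrawn after two days), and 192.0.2.0/24 has no ROA at all yet is still flagged because it sits downstream of the bad ASN, which is the talk's "downstream of a BAD ASN is almost 100% bad" rule. On real data the inputs would be RIS/RouteViews updates and the published ROA set instead of the constructed tables here.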