The Internet comprises thousands of interconnected Autonomous Systems (ASes).
These ASes exist in two dimensions — the administrative and the operational. Regional Internet Registries (RIRs) rule the former, and the Border Gateway Protocol (BGP) the latter.
These two dimensions live in parallel. Nonetheless, each affects the other:
- To announce prefixes in BGP (operational), ASes need to obtain an AS number (ASN), which uniquely identifies them (administrative).
- If an ASN is not used for a long time (operational), for example, a few months, RIRs can reclaim it (administrative).
- When an RIR reclaims an ASN (administrative), it should not be used in BGP (operational).
Although these interactions between ASN delegation and BGP may seem straightforward, the reality is more complicated.
In our recent research paper, we at the Sapienza University of Rome, in collaboration with CAIDA (UC San Diego) and MIT, provided a first of a kind examination at how ASes appear and behave in these two dimensions. We sought to determine the relation of these two dimensions over time and the unusual behaviours of ASNs in both dimensions.
Building the parallel lives
As part of this study, we processed all delegation files published by all the RIRs since 2003 to build the administrative dimension. These files are a snapshot of the status of the Internet number resources, including ASNs.
We considered an ASN administratively ‘alive’ on a given day if it appeared as ‘allocated’ or ‘assigned’ in the respective delegation file, which means that the ASN was delegated to an organization on that day. Since we found some inconsistencies in these files (for example, ASNs allocated by two registries at the same time, missing or duplicated records and others), we undertook a careful restoration process, contacting RIRs to better understand their practices and disambiguate the most peculiar cases.
For the operational dimension, we processed BGP data from RIPE RIS and Routeviews BGP collectors using the CAIDA BGPStream, collecting more than 930 billion RIB dump records and 2.3 trillion updates. We considered an ASN active in BGP if it appeared in an AS-PATH.
With these two dimensions, we developed two lenses that we could use individually or in conjunction.
Used individually we could analyse the status of ASNs — when they were alive, how many lives they had — as well as historical trends, including describing the evolution of the Internet on a geographical basis (check our paper for further details).
When used in conjunction though, these lenses become extremely powerful as they allow us to find interesting results by looking for inconsistencies between the two dimensions. For example, ‘fat finger errors’, are configuration errors due to typos or prepending mistakes by operators.
Be aware of fat fingres… fat fringes… fat fingers!
From our study, we found 868 ASNs in BGP that had never been allocated by RIRs to an organization. We manually investigated almost 30% of these, finding evident cases of misconfiguration.
Most fat finger errors that we found (76%) are caused by mistakes in AS-PATH prepending. While prepending, an operator may not separate repeated instances of an ASN in the path. Figure 1 shows two such instances where AS-PATHS with origins AS32026 and AS28730 have a neighbor that is its exact repetition.
In the remaining 24% of the cases, we observed Multiple Origin AS (MOAS) conflicts involving ASNs that differ by one digit. Surprisingly, we found that these events can survive several months. For instance, AS419333 has appeared in BGP for almost 10 months (between Nov 2017 and Sep 2018), causing a MOAS with AS41933. Another example was AS363690 causing a MOAS with AS393690 for nearly seven months (between Nov 2018 and Jun 2019).
Looking for the allocation status of ASNs routed in BGP can be a fast method to detect fat-finger errors and provide timely warnings to operators that there is an ongoing misconfiguration.
Squatting of dormant ASNs
By aligning the two lenses, it is also possible to identify ASNs involved in malicious behaviour. For example, a malicious actor that wants to stealthily hijack BGP prefixes can look for ASNs that have not been recently active.
We confirmed 76 such cases using information collected from network operators’ mailing lists such as NANOG, Twitter alerts by network security groups such as Spamhaus, routing monitors such as BGPmon, and previous work.
Figure 3 shows the number of prefixes that originated over time for some of the most striking cases we found of dormant ASNs suddenly becoming active in BGP. The brown line shows the behaviour of AS10512, one of the most illustrative cases of squatting of a dormant ASN.
Between December 2017 and January 2018, AS10512 hijacked the prefixes of Spectrum (AS11426), a major broadband provider in the USA. AS10512 had been allocated for more than 17 years prior to this incident and had never announced BGP prefixes. Then, it was squatted and used to suddenly originate 60 /16 prefixes.
We also notice AS7449 (purple line) waking in BGP at the same time as AS10512 after sleeping for years. Digging deeper into this strange coincidence, we found that both ASNs had the same direct upstream, AS203040, an ASN notoriously known as a BGP Hijack Factory. It is most likely that AS203040 generated and shared with its neighbors forged BGP announcements with these (squatted) ASNs as origins and itself as the first hop, disguising itself as their transit.
We also identified another similar attack involving AS28071 and AS262916, which shared the same direct upstream (AS52302) that had been reported as malicious on the Latin America operator mailing list.
Recovering unused ASNs matters
As shown, hijackers are always one step ahead; they carefully pick dormant ASNs to make their attacks stealthier. During our study, we found two categories of ASNs appearing dormant (allocated but not in use) that hijackers can leverage.
- ASNs with a significant delay between the end of the BGP activity and their reclamation, usually more than 10 months.
- ASNs that belong to organizations that have kept their ASN allocations even if they do not use them in BGP. Examples of these organizations are the US Department of Defense and Air Force, and companies that received large blocks of ASN allocations in the early years of the Internet.
These findings suggest that more robust policies to recover ASNs left unused for long periods would benefit the routing ecosystem.
Contributors: Massimo La Morgia (Sapienza University of Rome), Alessandro Mei (Sapienza University of Rome), Eugenio Nerio Nemmi (Sapienza University of Rome), Cecilia Testart (MIT).
Francesco Sassi is a PhD student in the Systems Lab group at the Sapienza University of Rome.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.