This is a continuation of Internet Address Hijacking, Spoofing, and Squatting Attacks.
As is the case in the domain name registration world (SAC007), an ASN hijacking is an attack against an RIR registration service that results in the attacker seizing control of a registration account and thus all the resources managed through this account. The attacker may use social engineering to convince an RIR employee to grant access to the account, or may gain control of or impersonate the legitimate registrant’s email to request account access (e.g., a password reset), or he may attempt to exploit a web application vulnerability at the RIR to seize an account.
This scenario is distinguished from ASN squatting because here, the attacker seizes control of an ASN that is registered and actively used by the registered party (registrant). The registrant is thus the victim since, in normal circumstances, an authorized, registered party uses the ASN and other autonomous systems routinely see BGP advertisements mentioning this ASN in the routing system.
If the attacker is successful, he is able to impersonate the authorized registrant by representing his own information using this ASN. Specifically, the attacker’s BGP advertisements will replace the authorized party’s BGP advertisement, and, rather than announcing the IP Prefixes that should be associated with the authorized party’s ASN, the attacker’s advertisements will announce IP Prefix(es) the attacker intends to use for malicious purposes.
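A registrant can watch for this symptom by comparing what its ASN is seen originating against the prefixes it actually announces. The following is an added example, not part of the original post: the ASNs and prefixes are documentation-range values, the announcements are constructed, and the expected-prefix list is assumed to come from the registrant's own records.

```python
import ipaddress

# Constructed sample data (documentation ASNs and prefixes, not real registrations).
MONITORED_ASN = 64500
EXPECTED_PREFIXES = ["192.0.2.0/24", "2001:db8:100::/40"]

# Constructed announcements as (prefix, AS path seen by a route collector).
OBSERVED = [
    ("192.0.2.0/24", [64510, 64500]),       # the registrant's normal announcement
    ("192.0.2.128/25", [64510, 64500]),     # more specific than an expected prefix
    ("198.51.100.0/24", [64511, 64500]),    # prefix not associated with the ASN
    ("2001:db8:100::/40", [64500]),         # the registrant's normal IPv6 announcement
    ("203.0.113.0/24", [64511, 64499]),     # different origin ASN, out of scope
]


def classify(prefix, expected):
    """Compare one announced prefix against the registrant's expected networks."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net in expected:
        return "expected"
    # subnet_of() raises TypeError across IP versions, so filter by version first.
    if any(net.version == e.version and net.subnet_of(e) for e in expected):
        return "more-specific"
    return "unexpected"


def audit(observed, asn, expected_prefixes):
    """Return (prefix, verdict) for announcements originated by `asn` that
    do not exactly match a prefix the registrant expects to announce."""
    expected = [ipaddress.ip_network(p) for p in expected_prefixes]
    findings = []
    for prefix, as_path in observed:
        # The origin AS is the right-most entry in the AS path.
        if not as_path or as_path[-1] != asn:
            continue
        verdict = classify(prefix, expected)
        if verdict != "expected":
            findings.append((prefix, verdict))
    return findings


if __name__ == "__main__":
    for prefix, verdict in audit(OBSERVED, MONITORED_ASN, EXPECTED_PREFIXES):
        print(f"AS{MONITORED_ASN} originates {prefix}: {verdict}")
```

A "more-specific" finding may be legitimate traffic engineering by the registrant, so it calls for review rather than immediate escalation; an "unexpected" prefix is the pattern the paragraph above describes.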