How to detect BGP attacks in these Wireshark packets

I received a Wireshark capture file as an assignment. It contains 3 TCP packets for the TCP three-way handshake that establishes the connection, and 4 BGP packets.

I have since received more information, and now I have to use these 7 packets to find out which BGP attacks took place and which prefixes were attacked. I have researched and found a lot, but I still need a bit of help.

Additional information: this concerns a BGP session between Bob (1.1.1.1 | AS 65100) and Alice (2.2.2.2 | AS 65200). Bob's prefixes are 10.30.0.0/16 and 10.10.0.0/16.

Wireshark .cap file exported as text:

No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       1.1.1.1               2.2.2.2               TCP      60     46612 → 179 [SYN] Seq=0 Win=16384 Len=0 MSS=536

Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface unknown, id 0
Ethernet II, Src: c2:00:1e:8c:00:00 (c2:00:1e:8c:00:00), Dst: c2:01:1e:8c:00:00 (c2:01:1e:8c:00:00)
Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2
Transmission Control Protocol, Src Port: 46612, Dst Port: 179, Seq: 0, Len: 0

No.     Time           Source                Destination           Protocol Length Info
      2 2.016208       2.2.2.2               1.1.1.1               TCP      60     179 → 46612 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=536

Frame 2: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface unknown, id 0
Ethernet II, Src: c2:01:1e:8c:00:00 (c2:01:1e:8c:00:00), Dst: c2:00:1e:8c:00:00 (c2:00:1e:8c:00:00)
Internet Protocol Version 4, Src: 2.2.2.2, Dst: 1.1.1.1
Transmission Control Protocol, Src Port: 179, Dst Port: 46612, Seq: 0, Ack: 1, Len: 0

No.     Time           Source                Destination           Protocol Length Info
      3 2.024158       1.1.1.1               2.2.2.2               TCP      60     46612 → 179 [ACK] Seq=1 Ack=1 Win=16384 Len=0

Frame 3: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface unknown, id 0
Ethernet II, Src: c2:00:1e:8c:00:00 (c2:00:1e:8c:00:00), Dst: c2:01:1e:8c:00:00 (c2:01:1e:8c:00:00)
Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2
Transmission Control Protocol, Src Port: 46612, Dst Port: 179, Seq: 1, Ack: 1, Len: 0

No.     Time           Source                Destination           Protocol Length Info
      4 2.032159       1.1.1.1               2.2.2.2               BGP      99     OPEN Message

Frame 4: 99 bytes on wire (792 bits), 99 bytes captured (792 bits) on interface unknown, id 0
Ethernet II, Src: c2:00:1e:8c:00:00 (c2:00:1e:8c:00:00), Dst: c2:01:1e:8c:00:00 (c2:01:1e:8c:00:00)
Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2
Transmission Control Protocol, Src Port: 46612, Dst Port: 179, Seq: 1, Ack: 1, Len: 45
Border Gateway Protocol - OPEN Message

No.     Time           Source                Destination           Protocol Length Info
      5 2.040180       2.2.2.2               1.1.1.1               BGP      118    OPEN Message, KEEPALIVE Message

Frame 5: 118 bytes on wire (944 bits), 118 bytes captured (944 bits) on interface unknown, id 0
Ethernet II, Src: c2:01:1e:8c:00:00 (c2:01:1e:8c:00:00), Dst: c2:00:1e:8c:00:00 (c2:00:1e:8c:00:00)
Internet Protocol Version 4, Src: 2.2.2.2, Dst: 1.1.1.1
Transmission Control Protocol, Src Port: 179, Dst Port: 46612, Seq: 1, Ack: 46, Len: 64
Border Gateway Protocol - OPEN Message
Border Gateway Protocol - KEEPALIVE Message

No.     Time           Source                Destination           Protocol Length Info
      6 2.048158       1.1.1.1               2.2.2.2               BGP      73     KEEPALIVE Message

Frame 6: 73 bytes on wire (584 bits), 73 bytes captured (584 bits) on interface unknown, id 0
Ethernet II, Src: c2:00:1e:8c:00:00 (c2:00:1e:8c:00:00), Dst: c2:01:1e:8c:00:00 (c2:01:1e:8c:00:00)
Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2
Transmission Control Protocol, Src Port: 46612, Dst Port: 179, Seq: 46, Ack: 65, Len: 19
Border Gateway Protocol - KEEPALIVE Message

No.     Time           Source                Destination           Protocol Length Info
      7 2.056158       1.1.1.1               2.2.2.2               BGP      323    UPDATE Message, UPDATE Message, UPDATE Message, UPDATE Message, UPDATE Message

Frame 7: 323 bytes on wire (2584 bits), 323 bytes captured (2584 bits) on interface unknown, id 0
Ethernet II, Src: c2:00:1e:8c:00:00 (c2:00:1e:8c:00:00), Dst: c2:01:1e:8c:00:00 (c2:01:1e:8c:00:00)
Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2
Transmission Control Protocol, Src Port: 46612, Dst Port: 179, Seq: 65, Ack: 65, Len: 269
Border Gateway Protocol - UPDATE Message
Border Gateway Protocol - UPDATE Message
Border Gateway Protocol - UPDATE Message
Border Gateway Protocol - UPDATE Message
Border Gateway Protocol - UPDATE Message

I could not find anything in the 3 TCP packets, the BGP OPEN messages or the BGP KEEPALIVE messages. However, I was able to build a table from the 5 BGP UPDATE messages and noticed some discrepancies.

AS PATH     | NEXT HOP | NLRI           | ORIGIN
----------------------------------------------------
65100       | 1.1.1.1  | 10.10.1.0/24   | IGP
            |          | 10.10.2.0/24   |
            |          | 10.10.3.0/24   |
----------------------------------------------------
65100       | 1.1.1.1  | 172.16.0.0/30  | Incomplete
            |          | 172.16.0.4/30  |
----------------------------------------------------
65300 65100 | 1.1.1.1  | 10.30.1.0/24   | IGP
            |          | 10.30.2.0/24   |
            |          | 10.30.3.0/24   |
----------------------------------------------------
65100 65300 | 1.1.1.1  | 172.16.0.8/30  | Incomplete
----------------------------------------------------
65300 65100 | 1.1.1.1  | 172.16.0.12/30 | Incomplete

I think the 1st and 3rd UPDATE messages are legitimate, because the origin is IGP and the NLRI belongs to Bob. So I suspect the BGP attacks happened in the other 3 UPDATE messages, because the origin is Incomplete and the NLRI does not belong to Bob.

If my answer so far is correct, my question now is: which attacks happened here, and how can you tell? I have heard the terms prefix hijacking, sub-prefix hijacking and route leak before, but nobody has explained to me how to recognize them, and I have not really been able to learn about them online.
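As an added example that is not part of the question, here is the kind of check an analyst would run over the poster's UPDATE table to see which protocol and authorization rules each message fails, the same checks a router performs with RFC 4271 AS_PATH validation and RPKI-style origin validation. It takes the five UPDATE rows as constructed input, the peer facts from the question (Bob, 1.1.1.1, AS 65100, prefixes 10.10.0.0/16 and 10.30.0.0/16), and one assumption the question does not state: a maximum announced prefix length of /24 for Bob's prefixes, playing the role of a ROA maxLength. It reports which checks fail; mapping those failures to a named attack is left to the reader.

```python
import ipaddress

# Constructed from the table in the question: the five UPDATE messages
# exactly as the poster tabulated them (AS_PATH, NEXT_HOP, NLRI, ORIGIN).
UPDATES = [
    {"as_path": [65100], "next_hop": "1.1.1.1", "origin": "IGP",
     "nlri": ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]},
    {"as_path": [65100], "next_hop": "1.1.1.1", "origin": "Incomplete",
     "nlri": ["172.16.0.0/30", "172.16.0.4/30"]},
    {"as_path": [65300, 65100], "next_hop": "1.1.1.1", "origin": "IGP",
     "nlri": ["10.30.1.0/24", "10.30.2.0/24", "10.30.3.0/24"]},
    {"as_path": [65100, 65300], "next_hop": "1.1.1.1", "origin": "Incomplete",
     "nlri": ["172.16.0.8/30"]},
    {"as_path": [65300, 65100], "next_hop": "1.1.1.1", "origin": "Incomplete",
     "nlri": ["172.16.0.12/30"]},
]

# Session policy taken from the question's facts: the sending peer is Bob
# (1.1.1.1, AS 65100) and Bob's prefixes are 10.10.0.0/16 and 10.30.0.0/16.
# max_len (24) is an ASSUMPTION for this example, playing the role of a ROA
# maxLength; the question does not state one.
PEER_AS = 65100
PEER_IP = "1.1.1.1"
AUTHORIZED = [  # (authorized prefix, expected origin AS, max prefix length)
    (ipaddress.ip_network("10.10.0.0/16"), 65100, 24),
    (ipaddress.ip_network("10.30.0.0/16"), 65100, 24),
]


def validate_update(update, peer_as=PEER_AS, peer_ip=PEER_IP, authorized=AUTHORIZED):
    """Return a list of (severity, message) findings for one UPDATE.

    severity is "alert" for a failed protocol/authorization check and "info"
    for something an analyst should look at but that is not wrong by itself.
    An empty list means the UPDATE passed every check.
    """
    findings = []
    path = update["as_path"]
    if not path:
        return [("alert", "empty AS_PATH on an eBGP session")]

    # RFC 4271 section 6.3: on an eBGP session the leftmost AS of AS_PATH
    # must be the AS of the peer that sent the UPDATE.
    if path[0] != peer_as:
        findings.append(("alert", f"AS_PATH leftmost AS {path[0]} is not peer AS {peer_as}"))

    # On a directly connected eBGP session NEXT_HOP is normally the peer address.
    if update["next_hop"] != peer_ip:
        findings.append(("info", f"NEXT_HOP {update['next_hop']} is not the peer address {peer_ip}"))

    # ROA-style origin validation: the rightmost AS is the origin AS; each
    # announced prefix must be covered by an authorized prefix for that origin
    # and must not be more specific than the authorized max length.
    origin_as = path[-1]
    for p in update["nlri"]:
        net = ipaddress.ip_network(p)
        covering = [a for a in authorized if net.subnet_of(a[0])]
        if not covering:
            findings.append(("alert", f"{p}: not covered by any prefix authorized for this peer"))
            continue
        if not any(origin_as == a_as and net.prefixlen <= max_len for _, a_as, max_len in covering):
            findings.append(("alert", f"{p}: origin AS {origin_as} / length /{net.prefixlen} not authorized"))

    # ORIGIN=INCOMPLETE (RFC 4271 section 5.1.1) means the route was not
    # learned from an IGP or EGP, typically redistribution; legitimate routes
    # carry it too, so it is only flagged for review.
    if update["origin"].lower() == "incomplete":
        findings.append(("info", "ORIGIN is INCOMPLETE; check how the route entered BGP"))
    return findings


def audit(updates=UPDATES):
    """Validate every UPDATE and return the per-message findings, in order."""
    return [validate_update(u) for u in updates]


def alert_indices(updates=UPDATES):
    """Indices (0-based) of UPDATE messages with at least one alert-level finding."""
    return [i for i, f in enumerate(audit(updates)) if any(s == "alert" for s, _ in f)]


if __name__ == "__main__":
    for i, findings in enumerate(audit()):
        print(f"UPDATE #{i + 1}: {'clean' if not findings else ''}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run as a script it prints one block per UPDATE. Two checks do the real work: the leftmost AS of AS_PATH must equal the sending peer's AS (a router that enforces this treats the message as Malformed AS_PATH), and every NLRI must be covered by a prefix the origin AS is authorized to announce, no longer than the permitted length. The ORIGIN attribute is deliberately only informational, since INCOMPLETE by itself is not a fault.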
