

From NetSec
Revision as of 10:29, 4 September 2011 by DerrickWKM (Talk | contribs) (Network Discovery with BGP)


Lesson 1

Network Discovery with BGP

So now we're going to discuss BGP. BGP stands for Border Gateway Protocol; it is the underlying routing protocol of the internet. Routers on the internet run BGP and peer with each other. Each ISP/company has an ASN (Autonomous System Number), which is assigned by ARIN or their local registry (APNIC, LACNIC, AFRINIC, RIPE).

Routes are transferred between hosts, with the gateway set to the router that is able to reach the destination. Often routes aren't direct and require going through multiple routers, which leads to something called an AS path, which is basically the list of ISPs/routers you will pass through to get to the destination.

For example, entirely belongs to MIT, and MIT has an ASN of 3 (AS3). So a route to MIT would look like this:

*>                           0 12714 3549 1239 3 i

12614 3549 1239 and 3 are the ASNs taken to get to MIT from that router. Those are what are called transit ASNs, meaning traffic can go through them to reach other networks they are attached to. Most ISP routers receive and broadcast what are known as full tables, a full list of all IP prefixes on the public internet. There are currently around 350,000 routes in the public internet.

Due to the "public" nature of the routing tables, they are useful for looking up which networks belong to a certain ASN. If you have the ASN of the company or organisation you are trying to find out more about, then you can easily find out which netblocks they are announcing.

To get this information, let's use this list: That list is updated every 8 hours by APNIC. It is basically a mapping of ASN to organisation; you can usually grep -i for a big organisation to find its ASN. The ASN is the number, and anything after it is the description of the ASN.


372 National Aeronautics and Space Administration 
377 Sandia National Laboratories 
523 Army Information Systems Command 
825 Canadian Forces Weather Services

You can find a list of which netblocks each ASN is announcing here. Another useful resource is: Once you find the ASN of an organisation, you can take the other file and run: grep -w ASNHERE$ data-raw-table
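As an added example (not part of the original lesson), here is a small Python script that does the two lookups described above offline: a case-insensitive search of an ASN-to-organisation listing in the format shown, then a scan of BGP table lines for the prefixes whose AS path ends in that ASN (the origin) and for the transit ASNs in front of it. The listing, the table lines and the RFC 5737 prefixes are constructed samples; the AS path copies the MIT example above.

```python
import re

# Constructed sample of the ASN-to-organisation listing shown above (ASN, then name).
ASN_NAMES = """\
3 Massachusetts Institute of Technology
372 National Aeronautics and Space Administration
377 Sandia National Laboratories
"""

# Constructed sample of router BGP output: status, prefix, next hop, metric, AS path, origin.
# Prefixes are RFC 5737 documentation ranges; the AS path copies the MIT example above.
BGP_TABLE = """\
*> 203.0.113.0/24    198.51.100.1   0 12714 3549 1239 3 i
*> 192.0.2.0/24      198.51.100.1   0 12714 3549 372 i
*  192.0.2.128/25    198.51.100.2   0 12714 1239 3 i
"""

ROUTE_RE = re.compile(r"^\*[> ]\s*(\S+/\d+)\s+(\S+)\s+(\d+)\s+((?:\d+\s+)+)([ie?])\s*$")


def find_asns(listing, needle):
    """Case-insensitive substring search, like `grep -i`: returns {asn: organisation}."""
    hits = {}
    for line in listing.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit() and needle.lower() in parts[1].lower():
            hits[int(parts[0])] = parts[1].strip()
    return hits


def parse_routes(table):
    """Return [(prefix, next_hop, [as_path ints])] for each parsable BGP table line."""
    routes = []
    for line in table.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            prefix, next_hop, _metric, path, _origin = m.groups()
            routes.append((prefix, next_hop, [int(a) for a in path.split()]))
    return routes


def prefixes_originated_by(table, asn):
    """Prefixes whose AS path ends in `asn` (the origin), like `grep -w ASN$` on the raw table."""
    return [p for p, _, path in parse_routes(table) if path and path[-1] == asn]


def transit_asns(table, asn):
    """Transit ASNs seen on any path to `asn`, i.e. everything before the origin."""
    return sorted({a for _, _, path in parse_routes(table) if path and path[-1] == asn for a in path[:-1]})
```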

Lesson 2


1.0 - Introduction

Basically you have a group of routers you are in charge of, and you are assigned an ASN for them by your local ASN registry. The ASN is used to configure BGP, which is used to announce your ASN along with the IP address blocks you own to your BGP peers. You then use these AS numbers to configure your router's peer list. In other words, they are telling other routers on the internet to route all packets destined to a certain IP address block to.

Example BGP Configuration

router bgp 65111
 bgp log-neighbor-changes
 network mask
 network mask
 network mask
 network mask
 neighbor remote-as 64667
 neighbor remote-as 64666
 neighbor remote-as 65222
 no auto-summary

Basically I am announcing all 4 of those routes to the 3 neighbours I have. Some of those neighbours have other neighbours that I am not directly connected to. The neighbour that I know will pass on the route I announced to it, and it will then pass that route along to the neighbours that I am not directly connected to.

Let's say we have 3 routers, A, B and C. A is connected to B, and B is connected to C (A<->B<->C). For C to reach A, it has to know the route to A, which is given by router B. Router B tells router C, "I can talk to the network, route all packets destined to this network to me."

When router C gets a packet destined to, it knows, "router B knows the route to this address, I should give this packet to it". Router C then gives the packet to router B, and router B sees that it needs to go to router A, because router A knows where to send it next.

Thus, the point of BGP is basically to look at every path the packet can take and deliver it down the shortest path. The separation of the different networks is controlled by the use of ASNs.

Usually every ASN has a number of routers under it, anywhere from a couple to millions of routers per ASN. For routing packets internally inside an ASN, an IGP (Interior Gateway Protocol) is used.

2.0 - Example

You are an ASN owner: you have 100 routers, of which only 10 provide access to the internet, while the other 90 route data between sites. Every router controls a certain IP block, or even a group of IP blocks. This is where the IGP comes in.

It's all well and good that you have and routing in your router, but you also want to let the rest of your network know about them. So let's take RIP as an interior gateway protocol, as it is similar to BGP in many ways.

With RIP, every router has an ID assigned between 1 and 255, which is the reason RIP isn't suitable for large networks. With this ID, they tell all of the other routers which IP blocks they can route packets to.

Now, every other router (all 99 of them) knows that any packet destined to is destined for router ID 1, because it is inside the netblock that router 1 was announcing over RIP. RIP is also vulnerable to downgrade attacks, or at least some implementations are. You can even make it send you the RIPv1 2-way hash in some cases.

Not every router can be connected to every other router, because that would mean every router has 99 connections. Other reasons include physical connections and cost. Instead, you just lay fibre to a few buildings from each building, so that when you announce a route via RIP, it only goes to the directly attached routers.

Router 1 tells the other routers on the network to route packets destined to to it, but since it is directly connected to only 5 networks, it only announces that route to those networks. Then those networks let the networks they are attached to know that router ID 1 knows how to deliver packets to.

Every router looks at every packet's destination IP and looks it up in its routing table. So let's say router 99 is connected to router 5, and router 5 is connected to router 1. Router 99 owns, router 5 owns and router 1 owns

The IP address, which is in, which belongs to router 99, makes a request to. The router checks its routing table and sees that it cannot route the packet internally within the router, so it checks whether it can route it using the IGP.

It sees that is announced from router 5, because router 5 sees that router 1 is announcing it. Router 5 then checks its local routing tables, sees that it cannot route it locally, and then sends it to router 1, because router 1 is directly connected to router 5.
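The router 99 / router 5 / router 1 walk-through above, as an added Python example that is not part of the original lesson: routers only exchange routes with directly attached neighbours (distance-vector style, as RIP does), and a packet is then forwarded hop by hop using longest-prefix match on each router's table. The links and the netblocks each router owns are constructed (RFC 5737 documentation ranges), since the page leaves the real prefixes out.

```python
from ipaddress import ip_address, ip_network

# Constructed topology from the text: router 99 <-> router 5 <-> router 1 (no 99<->1 link).
LINKS = {99: {5}, 5: {99, 1}, 1: {5}}
# Constructed netblocks each router owns (RFC 5737 documentation ranges).
OWNED = {99: ["192.0.2.0/24"], 5: ["198.51.100.0/24"], 1: ["203.0.113.0/24"]}
INFINITY = 16  # RIP's "unreachable" hop count


def rip_converge(links, owned):
    """Distance-vector exchange: each router keeps {prefix: (hops, next_hop)} and only
    learns from directly attached neighbours, so router 99 learns router 1's block via 5."""
    tables = {r: {ip_network(p): (0, r) for p in owned[r]} for r in links}
    changed = True
    while changed:  # repeat rounds until no router learns a better route
        changed = False
        for r, nbrs in links.items():
            for n in nbrs:
                for prefix, (hops, _) in list(tables[n].items()):
                    cand = hops + 1
                    if cand < INFINITY and cand < tables[r].get(prefix, (INFINITY, None))[0]:
                        tables[r][prefix] = (cand, n)
                        changed = True
    return tables


def lookup(table, dst):
    """Longest-prefix match: returns (hops, next_hop) or None if the address is unroutable."""
    addr = ip_address(dst)
    matches = [(p, v) for p, v in table.items() if addr in p]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(tables, src_router, dst):
    """Trace the packet hop by hop, as the text describes, until a router owns the block."""
    path, r = [src_router], src_router
    while True:
        entry = lookup(tables[r], dst)
        if entry is None:
            return path, False
        hops, nxt = entry
        if hops == 0:  # this router owns the destination netblock: delivered locally
            return path, True
        path.append(nxt)
        r = nxt
```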

3.0 - RIP

RIP is the micro routing protocol. RIP routes packets between the individual routers within a group. BGP routes packets between all of the different groups of routers on the internet. You configure it to redistribute the routes in its RIP table into the BGP table and vice versa.