AUTONOMOUS SYSTEM LOOKUP

Autonomous System (AS) is Internet (TCP/IP) terminology for a collection of gateways (routers) that fall under one administrative entity.

An Autonomous System Number (ASN) is the numerical identifier for a network participating in the Border Gateway Protocol (BGP). BGP is the protocol by which route paths are advertised between networks throughout the world. Without BGP, Internet traffic could not leave local networks.

Normal traceroute

To explain the helpful information that an ASN can provide to a hacker, let's take a look at a couple of examples. The first is the traceroute output on a UNIX or Microsoft Windows system (note that this output displays only the per-hop TTL response information, with no ASN data):

    root# traceroute www.example.com
    traceroute to www.example.com (192.168.34.72), 30 hops max, 40 byte packets
     1 white_dwarf.cbbtier3.example.com (10.0.1.1) 4 msec 4 msec 0 msec
     2 ggr1-p320.n54ny.ip.example.com (10.122.12.54) 4 msec 4 msec 4 msec
     3 pos5-3.pr1.lga1.us.example.com (192.168.12.21) 4 msec 0 msec 4 msec
     4 so-1-0-0.cr2.dca2.us.example.com (172.16.233.129) 8 msec 8 msec 8 msec
     5 so-5-1-0.mpr4.sjc2.us.example.com (172.16.30.30) 7 msec 7 msec 7 msec
     6 pos0-0.mpr2.lax2.us.example.com (172.16.156.126) 7 msec 8 msec 8 msec
     7 example-t1-demarc.lax.example.com (172.16.82.97) 8 msec 7 msec 8 msec
     8 t1-customer-dmarc.example.com (172.16.95.130) 8 msec 8 msec 8 msec
    root#

traceroute with ASN Information

Now let's take a look at the same traceroute information, except that instead of running traceroute from a Windows or UNIX system, we will log into a BGP-participating Cisco router and run its version of traceroute, which lists each router's ASN:

    C:\telnet route-server.ip.example.com
    route-server>traceroute www.example.com
    Type escape sequence to abort.
    Tracing the route to www.example.com (192.126.34.72)
     1 white_dwarf.cbbtier3.example.com (192.168.1.1) [AS 7018] 0 msec 0 msec 0 msec
     2 ar3.n54ny.ip.example.com (192.168.0.30) [AS 7018] 0 msec 0 msec 0 msec
     3 tbr2-p013801.n54ny.ip.example.com (192.168.11.17) [AS 7018] 4 msec 4 msec 4 msec
     4 pos5-3.pr1.lga1.us.example.com (192.168.12.21) [AS 6461] 4 msec 0 msec 4 msec
     5 so-1-0-0.cr2.dca2.us.example.com (192.168.233.129) [AS 6461] 6 msec 4 msec 6 msec
     6 so-5-1-0.mpr4.sjc2.us.example.com (192.168.30.30) [AS 6461] 7 msec 7 msec 7 msec
     7 pos0-0.mpr2.lax2.us.example.com (192.168.156.126) [AS 6461] 7 msec 8 msec 8 msec
     8 example-t1-demarc.lax.example.com (192.168.82.97) [AS 6461] 8 msec 7 msec 8 msec
     9 www.example.com (192.168.95.130) [AS 6461] 9 msec 9 msec 9 msec
    route-server>

The traceroute originating from a BGP-participating host shows the ASN information. With this extra information, we can see that our traffic started at AS7018 (Example Network) and jumped to AS6461 (EXMP, owned by Example2). Then it passed through example.com's demarc point and arrived at its destination (the http://example.com web server).

From this output, the reverse DNS on hop 9 suggests that http://example.com has a T1 circuit. Looking closer, we can see that the ASN does not change from hop 4 to hop 9. This is a dependable sign that http://example.com has no other redundant Internet connections. If we trust the reverse DNS, we can assume example.com's maximum bandwidth is 1.544 Mbps, with a maximum TCP packet-per-second limit of 4825 (at a packet size of 40 bytes: IP header, TCP header, and no data).
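The reasoning above (read the AS tags off each hop, find where the ASN changes, notice that the final run of hops all sit in one transit AS, then derive the T1 packet rate) can be automated so an operator can check their own upstream redundancy from a route-server traceroute. The following is an added example, not code from the book; it assumes Cisco-style "[AS n]" hop lines and uses a sample constructed from the page's traceroute (hostnames, addresses and ASNs are illustrative).

```python
"""
Added example: parse Cisco-style traceroute output that carries [AS n] tags,
derive the AS path, and report the unbroken run of hops in the destination's
ASN (the single-upstream sign described in the text). The sample below is
constructed from the page's route-server traceroute; hostnames, addresses
and ASNs are illustrative, not live data.
"""
import re

# One hop line: "  4 host (ip) [AS 6461] 4 msec 0 msec 4 msec"
# A hop that times out ("5 * * *") carries no AS tag and is skipped.
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?P<host>\S+)\s+\((?P<ip>[\d.]+)\)\s+\[AS\s+(?P<asn>\d+)\]"
)

SAMPLE = """\
Tracing the route to www.example.com (192.126.34.72)
  1 white_dwarf.cbbtier3.example.com (192.168.1.1) [AS 7018] 0 msec 0 msec 0 msec
  2 ar3.n54ny.ip.example.com (192.168.0.30) [AS 7018] 0 msec 0 msec 0 msec
  3 tbr2-p013801.n54ny.ip.example.com (192.168.11.17) [AS 7018] 4 msec 4 msec 4 msec
  4 pos5-3.pr1.lga1.us.example.com (192.168.12.21) [AS 6461] 4 msec 0 msec 4 msec
  5 so-1-0-0.cr2.dca2.us.example.com (192.168.233.129) [AS 6461] 6 msec 4 msec 6 msec
  6 so-5-1-0.mpr4.sjc2.us.example.com (192.168.30.30) [AS 6461] 7 msec 7 msec 7 msec
  7 pos0-0.mpr2.lax2.us.example.com (192.168.156.126) [AS 6461] 7 msec 8 msec 8 msec
  8 example-t1-demarc.lax.example.com (192.168.82.97) [AS 6461] 8 msec 7 msec 8 msec
  9 www.example.com (192.168.95.130) [AS 6461] 9 msec 9 msec 9 msec
"""


def parse_hops(text):
    """Return [(hop, host, ip, asn), ...] for every hop line that has an AS tag."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m["hop"]), m["host"], m["ip"], int(m["asn"])))
    return hops


def as_path(hops):
    """Collapse runs of hops in the same ASN into the ordered AS path."""
    path = []
    for _, _, _, asn in hops:
        if not path or path[-1] != asn:
            path.append(asn)
    return path


def as_transitions(hops):
    """(hop_number, from_asn, to_asn) for each hop where the ASN changes."""
    return [(cur[0], prev[3], cur[3])
            for prev, cur in zip(hops, hops[1:]) if prev[3] != cur[3]]


def destination_as_span(hops):
    """(asn, first_hop) for the unbroken run of hops ending at the destination.
    A long run in one transit ASN with no change before the target is the
    single-upstream sign the text reads off hops 4 to 9. None if no hops."""
    if not hops:
        return None
    dest_asn = hops[-1][3]
    first = hops[-1][0]
    for hop, _, _, asn in reversed(hops):
        if asn != dest_asn:
            break
        first = hop
    return dest_asn, first


def max_pps(bandwidth_bps=1_544_000, packet_bytes=40):
    """Packets per second a link can carry at the given rate and packet size
    (defaults: a T1 and a 40-byte header-only TCP/IP packet, as on the page)."""
    return bandwidth_bps // (packet_bytes * 8)


if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    print("AS path:", as_path(hops))
    print("transitions:", as_transitions(hops))
    print("destination AS span:", destination_as_span(hops))
    print("T1 max pps (40-byte packets):", max_pps())
```

On the sample this yields the AS path [7018, 6461], a single transition at hop 4, a destination span of (6461, 4), and 4825 packets per second, matching the figures in the text. A traceroute whose last hops alternate between two ASNs would produce a shorter span, which is the redundancy signal an operator would hope to see for their own site.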

Core network paths usually have redundant alternatives. To view the other possible paths, we can perform a simple IP BGP path lookup.

show ip bgp

Again, to show you how much more information an attacker can acquire, check out our BGP queries from the same Cisco router:

    route-server>show ip bgp 192.168.0.130
    BGP routing table entry for 192.168.0.0/15, version 96265
    Paths: (20 available, best #20, table Default-IP-Routing-Table)
      Advertised to non peer-group peers:
      11.11.11.230
      7018 6461, (received & used)
        11.11.12.252 from 11.11.12.252 (11.11.12.252)
          Origin IGP, localpref 100, valid, external
          Community: 7018:5000
      7018 6461, (received & used)
    ...
    [ truncated output due to length ]
    ...
      7018 6461, (received & used)
        11.11.13.124 from 11.11.13.124 (11.11.13.124)
          Origin IGP, localpref 100, valid, external
          Community: 7018:5000
      7018 6461, (received & used)
        11.11.14.124 from 11.11.14.124 (11.11.14.124)
          Origin IGP, localpref 100, valid, external
          Community: 7018:5000
      7018 6461, (received & used)
        11.11.15.236 from 11.11.15.236 (11.11.15.236)
          Origin IGP, localpref 100, valid, external, best
          Community: 7018:5000
    route-server>

AS lookup tools display an overview of network connectivity. As you can see from the preceding output, the Example network and Example2 network have many redundant links and are very well connected.
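The "show ip bgp" listing is long and repetitive, and what the text extracts from it is a handful of counts: how many paths reach the prefix, how many distinct AS paths and next hops they use, which AS originates the prefix, and which path the router marked best. The following added example (not code from the book) parses that Cisco output format into those counts; it assumes the line layout shown above and uses a constructed sample with three of the page's paths, with illustrative addresses, ASNs and community values.

```python
"""
Added example: parse the path list from a Cisco "show ip bgp <prefix>" query
and summarise the redundancy the text reads from it. The sample is constructed
to mirror the page's route-server output with three of its paths; addresses,
ASNs and the community value are illustrative.
"""
import re

PREFIX_RE = re.compile(r"^BGP routing table entry for (?P<prefix>[\d.]+/\d+)")
# A path header such as "  7018 6461, (received & used)"
PATH_RE = re.compile(r"^\s*(?P<path>\d+(?: \d+)*),?\s*\(received & used\)")
NEXTHOP_RE = re.compile(r"^\s*(?P<nh>[\d.]+) from (?P<peer>[\d.]+) \((?P<rid>[\d.]+)\)")
ATTR_RE = re.compile(r"^\s*Origin (?P<origin>\w+), localpref (?P<lp>\d+)(?P<rest>.*)$")
COMM_RE = re.compile(r"^\s*Community: (?P<comm>.+)$")

SAMPLE = """\
BGP routing table entry for 192.168.0.0/15, version 96265
Paths: (3 available, best #3, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
  11.11.11.230
  7018 6461, (received & used)
    11.11.12.252 from 11.11.12.252 (11.11.12.252)
      Origin IGP, localpref 100, valid, external
      Community: 7018:5000
  7018 6461, (received & used)
    11.11.14.124 from 11.11.14.124 (11.11.14.124)
      Origin IGP, localpref 100, valid, external
      Community: 7018:5000
  7018 6461, (received & used)
    11.11.15.236 from 11.11.15.236 (11.11.15.236)
      Origin IGP, localpref 100, valid, external, best
      Community: 7018:5000
"""


def parse_show_ip_bgp(text):
    """Return (prefix, [path dicts]); each dict carries as_path, next_hop,
    peer, origin, localpref, best and community."""
    prefix, paths, cur = None, [], None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            prefix = m["prefix"]
            continue
        m = PATH_RE.match(line)
        if m:  # a new path entry starts; following lines describe it
            cur = {"as_path": [int(a) for a in m["path"].split()],
                   "best": False, "community": []}
            paths.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first path
        m = NEXTHOP_RE.match(line)
        if m:
            cur["next_hop"], cur["peer"] = m["nh"], m["peer"]
            continue
        m = ATTR_RE.match(line)
        if m:
            cur["origin"] = m["origin"]
            cur["localpref"] = int(m["lp"])
            cur["best"] = "best" in m["rest"].split(", ")
            continue
        m = COMM_RE.match(line)
        if m:
            cur["community"] = m["comm"].split()
    return prefix, paths


def summarize(paths):
    """The counts an operator reads off the table: total paths, distinct AS
    paths and next hops, the originating AS(es), and the best next hop."""
    return {
        "paths": len(paths),
        "distinct_as_paths": len({tuple(p["as_path"]) for p in paths}),
        "distinct_next_hops": len({p["next_hop"] for p in paths}),
        "origin_as": {p["as_path"][-1] for p in paths},
        "best_next_hop": next((p["next_hop"] for p in paths if p["best"]), None),
    }


if __name__ == "__main__":
    prefix, paths = parse_show_ip_bgp(SAMPLE)
    print(prefix, summarize(paths))
```

For the sample this reports three paths over a single AS path (7018 6461) via three distinct next hops, with 11.11.15.236 as the best: many links between the two networks, but only one AS path to the origin. Comparing distinct_as_paths against distinct_next_hops is a quick way to tell link-level redundancy between neighbours from genuine provider diversity for the prefix.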

Many visual lookup tools make this process easier. The following references are recommended:

  • Thomas Kernen's reference page: http://www.traceroute.org

  • FixedOrbit: http://www.fixedorbit.com

  • Merit Networks RADB routing registry: http://www.radb.net



Hacking Exposed
Hacking Exposed 5th Edition
ISBN: B0018SYWW0
EAN: N/A
Year: 2003
Pages: 127