nerdexam
GIAC

GCIH · Question #453

The target company's IP range is 151.113.0.0/16 and their border router's ASN (autonomous system numbers) includes their entire IP range. An attacker stands up their own border router with a unique AS

The correct answer is D. BGP hijacking. The attacker is advertising a route for a specific IP within the target's block via a rogue ASN, causing BGP peers to route traffic to the attacker instead of the legitimate owner.

Reconnaissance, Scanning, and Enumeration

Question

The target company's IP range is 151.113.0.0/16 and their border router's ASN (autonomous system numbers) includes their entire IP range. An attacker stands up their own border router with a unique ASN that is associated with 151.113.255.33. What type of attack is this?

Options

  • AACK storm
  • BDenial of service
  • CARP cache poisoning
  • DBGP hijacking

How the community answered

(16 responses)
  • B
    13% (2)
  • C
    6% (1)
  • D
    81% (13)

Why each option

The attacker is advertising a route for a specific IP within the target's block via a rogue ASN, causing BGP peers to route traffic to the attacker instead of the legitimate owner.

AACK storm

An ACK storm is a TCP-layer denial-of-service condition caused by forged ACK packets in a session, unrelated to BGP route announcements.

BDenial of service

While BGP hijacking can cause a denial-of-service effect, the specific attack described - standing up a rogue ASN and advertising a stolen prefix - is definitionally BGP hijacking, not a generic DoS attack.

CARP cache poisoning

ARP cache poisoning is a Layer 2 attack that manipulates the ARP table on a local network segment; it has no relation to BGP or inter-domain routing.

DBGP hijackingCorrect

BGP hijacking occurs when a malicious actor announces an IP prefix via BGP that they do not legitimately own, causing other autonomous systems to update their routing tables and forward traffic to the attacker's router. By advertising a more specific prefix (a /32 host route within the target's /16), the rogue route is preferred over the legitimate announcement due to BGP's longest-prefix-match rule, effectively intercepting or blackholing traffic destined for that IP.

Concept tested: BGP prefix hijacking via rogue ASN announcement

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-16/irg-xe-16-book/bgp-route-security.html

Topics

#BGP hijacking#ASN spoofing#routing attacks#IP prefix hijack

Community Discussion

No community discussion yet for this question.

Full GCIH Practice