A Quick and Dirty Guide to BGP attacks
Or
“How to 0wn the Backbone in your Spare Time”
Outline
• How BGP works
• What can be attacked?
• How is it attacked?
• Who might be attacking?
• Common approaches to fixing BGP
• References
How BGP works
1) An autonomous system (AS) has border routers that “speak” BGP with “BGP peers” at border routers in neighboring AS’s.
2) AS’s that send traffic directly to each other have a “BGP session” using TCP to communicate information in “BGP updates”
How BGP works
Creating Global Reachability:
1) An autonomous system will “originate” whatever network blocks it is currently allowed by ICANN to use.
2) AS’s can choose to “advertise” reachability to BGP peers for network blocks they know their neighbors can reach.
How BGP works
BGP Update Format
Withdrawn Routes
Path Attributes (Origin, AS-Path, etc.)
NLRI (prefixes)
How BGP works
1) Receive update message
2) Apply in-bound filters for peer
3) Update RIB
4) Run BGP decision process (if not new best route, exit)
5) Update FIB
6) For each peer, apply outbound filters and send new update message.
How BGP Works
Business Relationships define Export Filters.
1) “Prov -> Cust” all known best routes
2) “Cust -> Prov” only originated routes or routes from their customers.
3) “Peer -> Peer” originated or customer routes (but with no export).
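The six processing steps and the three export rules above, worked through in a toy BGP speaker. This is an added example, not code from the slides: the ASNs, prefixes, relationships and the customer prefix-list are all constructed, and the decision process is reduced to local-preference, AS-path length and a neighbor-ASN tie-break.

```python
from dataclasses import dataclass

LOCAL_AS = 64500  # constructed local ASN (private-use range)
# Business relationship of each neighbour as seen from LOCAL_AS (constructed).
RELATIONSHIPS = {64501: "provider", 64502: "peer", 64503: "customer", 64504: "customer"}
# Customer routes earn revenue, provider routes cost money: local-pref follows the money.
LOCAL_PREF = {"local": 400, "customer": 300, "peer": 200, "provider": 100}
# Inbound prefix-list: what each customer is registered to announce (constructed).
CUSTOMER_PREFIXES = {64503: {"203.0.113.0/24"}, 64504: {"198.51.100.0/24"}}
LOCAL_ORIGINATED = {"192.0.2.0/24"}


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple      # leftmost ASN is the neighbour that sent it, rightmost is the origin
    learned_from: int   # neighbour ASN, or 0 for a locally originated route


def relationship(route):
    return "local" if route.learned_from == 0 else RELATIONSHIPS[route.learned_from]


def inbound_filter(route):
    """Step 2: reject what this speaker should never accept from that peer."""
    if LOCAL_AS in route.as_path:                                   # AS-path loop detection
        return False
    if not route.as_path or route.as_path[0] != route.learned_from:  # neighbour must prepend itself
        return False
    if relationship(route) == "customer":                           # customers: registered prefixes only
        return route.prefix in CUSTOMER_PREFIXES[route.learned_from]
    return True


def rank(route):
    """Step 4: sort key for the decision process (lower sorts first, i.e. is better)."""
    return (-LOCAL_PREF[relationship(route)], len(route.as_path), route.learned_from)


def export_allowed(route, to_as):
    """Step 6: the Prov->Cust / Cust->Prov / Peer->Peer export rules."""
    if RELATIONSHIPS[to_as] == "customer":
        return True                                        # to customers: every best route
    return relationship(route) in ("local", "customer")    # to peers/providers: own + customer routes


class Speaker:
    def __init__(self):
        self.rib = {}   # prefix -> {learned_from: Route}   (Adj-RIB-In)
        self.fib = {}   # prefix -> best Route               (what forwarding uses)
        for p in LOCAL_ORIGINATED:
            self.rib[p] = {0: Route(p, (), 0)}
            self.fib[p] = self.rib[p][0]

    def receive(self, route):
        """Steps 1-6 for one update; returns the (neighbour, update) pairs sent onward."""
        if not inbound_filter(route):
            return []
        self.rib.setdefault(route.prefix, {})[route.learned_from] = route   # step 3
        best = min(self.rib[route.prefix].values(), key=rank)               # step 4
        if best == self.fib.get(route.prefix):
            return []                                                        # not a new best: exit
        self.fib[route.prefix] = best                                        # step 5
        out = Route(best.prefix, (LOCAL_AS,) + best.as_path, LOCAL_AS)
        return [(n, out) for n in RELATIONSHIPS                              # step 6
                if n != best.learned_from and export_allowed(best, n)]
```

Feeding it a customer announcement, then the same prefix via the provider, shows the customer route staying best (no new update goes out), while a peer-learned route is exported only toward customers.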
How BGP works
Providers provide connectivity for their customers. Top-level “tier-1” providers peer with each other to provide global reachability.
What can be attacked?
Availability
• Reachability
• Degrade link quality
• Overwhelm communication capacity
Data Confidentiality
Data Integrity
Authentication (impersonation)
How To Attack? (i.e., what needs to be secured?)
1) Peer-Peer Attacks (attack exchange of data between two BGP speakers)
2) Protocol Content Attacks (falsify or modify use of BGP Update messages)
a) Traffic Attraction
b) Traffic Direction
3) Instability Attacks (attempts to destabilize routing)
Peer-Peer Attacks
Uses:
1) Create unavailability by tearing down BGP session and causing path withdrawals.
2) Inject information into BGP session to perform traffic-attractor or traffic-director attacks.
Note: Assumes no possession of a BGP speaking router
Peer-Peer Attacks
BGP sessions have no required protections.
1) Attackers may DoS the link bandwidth
2) TCP injection attacks may insert data into the session, or reset the connection.
3) Authenticating Peers
4) Eavesdropping on session (who cares?)
5) Attack on CPU resources
Peer-Peer Solutions
Integrity: TCP MD5 Option (requires pre-configured secret)
Integrity, Confidentiality, Authentication: IPSec (negotiates shared secret)
CPU protections (drop packets that use CPU time)
TTL Hack (filters non single-hop packets)
Protocol Content Attacks
What we normally think about when considering BGP attacks
These attacks can be the result of malicious behavior or misconfiguration.
Traffic Attractor Attacks
Uses:
1) Drop, degrade traffic.
2) Inspect traffic, communication analysis
3) Modify Traffic
4) Impersonation Attacks
a) Man-in-the-Middle Attacks
b) Send from un-owned prefix.
Traffic Attractor: MOAS – Multiple Origin AS
Occurs when multiple AS’s originate (i.e., are the first AS to advertise) a particular prefix. Also referred to as a prefix-hijack.
1) This may be legitimate, e.g., multi-homing with a private ASN.
2) Roughly speaking, a simple MOAS can trick “half” of the Internet
Traffic Attractor: De-aggregation
An AS illegitimately originates a “sub-prefix” of another AS’s address space.
1) More powerful than MOAS: it does not conflict with the legitimate prefix, but wins the routing decision because the more-specific prefix is preferred (longest-prefix match). Can trick the entire Internet.
2) Prefixes longer than /24 are often filtered by large ISPs.
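The two attractor patterns on these slides, MOAS and de-aggregation, are both visible in a plain (prefix, origin AS) feed such as a route collector produces, so a defender can flag them without any registry. The detector below is an added example, not from the slides; the feed is constructed (private-use ASNs, and the 10/8 block used only so the sample is obviously not real data), and the /24 limit is the length filter the slide mentions. It also shows which sub-prefix announcement a /24 filter would stop and which would get through.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of (prefix, origin ASN) pairs, as a route collector might see them.
OBSERVED = [
    ("203.0.113.0/24", 64497),
    ("203.0.113.0/24", 64499),   # second origin for the same prefix: MOAS
    ("192.0.2.0/24", 64496),
    ("192.0.2.128/25", 64499),   # sub-prefix of AS64496's block: de-aggregation, longer than /24
    ("10.20.0.0/16", 64498),
    ("10.20.5.0/24", 64499),     # sub-prefix that is exactly /24, so a /24 length filter lets it through
]
MAX_PREFIX_LEN = 24  # the limit the slide says large ISPs commonly enforce


def find_moas(observed):
    """Prefixes announced with more than one origin AS."""
    origins = defaultdict(set)
    for prefix, asn in observed:
        origins[prefix].add(asn)
    return {p: o for p, o in origins.items() if len(o) > 1}


def find_subprefix_originations(observed):
    """Announcements that are more specific than another prefix with a different origin."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in observed]
    hits = set()
    for sub, sub_asn in nets:
        for cover, cover_asn in nets:
            if sub != cover and sub.subnet_of(cover) and sub_asn != cover_asn:
                hits.add((str(sub), sub_asn, str(cover), cover_asn))
    return hits


def passes_length_filter(prefix, max_len=MAX_PREFIX_LEN):
    """True if a /max_len-or-shorter filter would accept the prefix."""
    return ipaddress.ip_network(prefix).prefixlen <= max_len


def report(observed):
    """Which suspicious announcements would survive the usual /24 length filter."""
    surviving = [h for h in find_subprefix_originations(observed) if passes_length_filter(h[0])]
    return {"moas": find_moas(observed), "subprefix_surviving_filter": sorted(surviving)}
```

On the constructed feed the MOAS on 203.0.113.0/24 and both sub-prefix originations are reported; only the /24 de-aggregation survives the length filter, which is the slide's point about why the filter is only a partial defence.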
Traffic Attractor: AS-Path Shortening
Instead of claiming to originate a prefix, an adversary can keep the correct originator, but shorten the remainder of the path to make it look more attractive.
1) This attack is more stealthy than simple origination.
2) Unlikely to occur as misconfig.
Traffic Direction Attacks
Uses:
1) Send larger amounts of traffic to a particular AS, potentially overwhelming them.
2) Force use of alternate paths, which may be more expensive, or vulnerable to snooping, physical attack.
Traffic Direction
1) False AS-Path Padding (make path look unattractive)
2) Dropping an announcement
3) Creating a “fake withdrawal”
4) Placing another AS’s number in the path, so that its loop detection will drop the announcement.
Note: These are weakly labeled “attacks”, as they could simply result from legitimate policy decisions.
Instability Attacks
Uses:
1) Cause temporary unavailability for certain regions of the Internet.
2) Create “cascading failures” across many routing domains.
Such attacks often target the limited resources on a router.
Instability Attacks
How?
1) Intentional Route-flapping
2) Route leaks (advertise many /24’s, overwhelm RIB, FIB memory)
3) BGP connection resets (CPU exhaustion, congestion, etc).
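Route flap damping (RFC 2439) is the standard router-side defence against the intentional flapping in item 1: each flap adds a penalty that decays exponentially, and a route is suppressed while the penalty sits above a limit. The slides do not cover it; this is an added example with constructed parameters (penalty, half-life and limits in seconds), not vendor code.

```python
# RFC 2439 style damping; the numbers are constructed for the demo (seconds).
PENALTY_PER_FLAP = 1000
HALF_LIFE = 900        # penalty halves every 15 minutes
SUPPRESS_LIMIT = 2000  # suppress the route once the penalty reaches this
REUSE_LIMIT = 750      # un-suppress once it has decayed below this


class FlapDamper:
    """Damping state for one (prefix, neighbour) pair."""

    def __init__(self):
        self.penalty = 0.0
        self.last = 0.0
        self.suppressed = False

    def _decay(self, now):
        # Exponential decay of the accumulated penalty since the last event.
        self.penalty *= 0.5 ** ((now - self.last) / HALF_LIFE)
        self.last = now

    def flap(self, now):
        """Record a withdrawal/re-announcement at time `now`; True if the route is now suppressed."""
        self._decay(now)
        self.penalty += PENALTY_PER_FLAP
        if self.penalty >= SUPPRESS_LIMIT:
            self.suppressed = True
        return self.suppressed

    def status(self, now):
        """Is the route still suppressed at time `now`? (Reuse once the penalty has decayed.)"""
        self._decay(now)
        if self.suppressed and self.penalty < REUSE_LIMIT:
            self.suppressed = False
        return self.suppressed
```

Three flaps within twenty seconds push the penalty past the suppress limit; the route stays damped for roughly half an hour even though the neighbour has stopped flapping, which is also why damping parameters are tuned carefully: the same mechanism can be turned against a victim whose routes an attacker can make flap.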
Data Plane attacks
Can also compromise availability, confidentiality, integrity and authentication.
Strictly weaker than control plane attacks (local impact)
Not handled by s-BGP, so-BGP. Very difficult to detect!
Who might be attacking?
Network operator has a typo or other misconfiguration.
Malicious party gains control of a BGP speaking router on the black-market
Spammers with shady or clueless upstream hijack address space
Terrorists pay off ISP insider or own and operate a portion of the infrastructure
Fixing BGP: Origin Authentication
Who is allowed to originate a particular prefix?
1) Needed to detect illegitimate MOAS
2) Seems to require a complete registry of address space allocations, and an associated PKI (complicated!)
Fixing BGP: Path Attestation
Roughly attempts to verify that the AS-Path included in an update is a valid AS-level path to the destination.
1) Different approaches to solving this problem: s-BGP uses signed attestations, so-BGP has a database of signed “links”
2) “Worm-hole” attacks still possible.
Fixing BGP: Needs Both!
Origin Authentication (OA) AND Path Attestation (PA) are required to provide security benefits.
1) OA without PA would allow any malicious AS to claim to be directly connected to the originating AS.
2) PA without OA would allow any AS to originate a prefix, as long as the path to the malicious AS was correct.
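The two gaps on this slide, and the origin-authentication slide before it, as a validator that can be run with either check switched off. This is an added example, not s-BGP or so-BGP code: the ROA-like origin table and the link database are constructed, and set membership stands in for signature verification (a deliberate simplification; the real protocols sign these records).

```python
LOCAL_AS = 64500  # the AS receiving the updates (constructed)

# Origin Authentication: a ROA-like table of prefix -> ASNs allowed to originate it (constructed).
ROA = {"203.0.113.0/24": {64497}}

# Path Attestation: a so-BGP-style database of attested AS-level adjacencies (constructed).
# Membership here stands in for "the link's signature verified".
ATTESTED_LINKS = {
    frozenset({64497, 64510}),   # the legitimate origin AS64497 is attached to AS64510
    frozenset({64510, 64500}),   # AS64510 is our neighbour
    frozenset({64499, 64500}),   # AS64499, the misbehaving neighbour in the demo, is also adjacent to us
}


def origin_authentic(prefix, as_path):
    """OA: is the rightmost ASN authorised to originate this prefix?"""
    return as_path[-1] in ROA.get(prefix, set())


def path_attested(as_path):
    """PA: is every hop from us to the origin a known, attested adjacency?"""
    hops = (LOCAL_AS,) + tuple(as_path)
    return all(frozenset({a, b}) in ATTESTED_LINKS for a, b in zip(hops, hops[1:]))


def accept(prefix, as_path, require_oa=True, require_pa=True):
    """Accept the update only if every enabled check passes."""
    if require_oa and not origin_authentic(prefix, as_path):
        return False
    if require_pa and not path_attested(as_path):
        return False
    return True


def demo():
    """The two gaps from the slide, evaluated with one check at a time and then both."""
    p = "203.0.113.0/24"
    honest = (64510, 64497)
    fake_adjacency = (64499, 64497)   # keeps the true origin, claims a direct link to it (OA alone passes)
    fake_origin = (64499,)            # claims to originate the prefix itself (PA alone passes)
    return {
        "honest": accept(p, honest),
        "oa_only_fooled": accept(p, fake_adjacency, require_pa=False),
        "oa_and_pa": accept(p, fake_adjacency),
        "pa_only_fooled": accept(p, fake_origin, require_oa=False),
        "pa_and_oa": accept(p, fake_origin),
    }
```

Running `demo()` gives the slide's argument in one table: each bogus path passes exactly the check that does not cover it, and only the honest path survives when both are required.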
References
Beware of BGP Attacks (Nordstrom et al.)
BGP Security Vulnerabilities Analysis (draft-ietf-idr-bgp-vuln-01.txt, Murphy)
BGP Security Requirements (draft-ietf-rpsec-bgpsecrec-05.txt, Christian)
A Survey of BGP Security (Butler et al.)