Breaking BGP sessions February 14, 2016 Udi Ben-Porat


Breaking BGP sessions

May 4, 2023

Udi Ben-Porat (ehudb@tik.ee.ethz.ch)

Organization

1. Attack show case [25 min.]

2. Q+A about attack case [10 min.]

3. Q+A about exercise [10 min.]

- 2 -

© TIK/CSG (04.05.23)

Motivation

• What if a normal user could bring down major internet connections within minutes?

• Attacks on the routing control plane can cripple large parts of the Internet!


BGP Introduction (I)

BGP

• The Internet is a network of different autonomous systems (ASes)

• Within an AS, routing information is readily available (IGP, e.g. OSPF)


BGP Introduction (II)

[Figure: AS sketch showing border routers and internal routers, with hosts A and B in different ASes]

• To get data from A to B, routers need to know how to route between different ASes

BGP Introduction (III)

• BGP = Border Gateway Protocol

• Path-vector protocol

• Routing decisions based on:

– Paths
– Network policies
– Rule-sets

• ASes use it to:

– Exchange reachability information (IP prefixes)
– Enforce their policies (e.g. ISP-customer relationship)


eBGP and iBGP

• internal BGP (iBGP): BGP between two peers in the same AS

• external BGP (eBGP): BGP between autonomous systems

Routers on the boundary of one AS that exchange information with another AS (border or edge routers) maintain eBGP sessions


BGP uses TCP for transport

• To connect two peers: a TCP session on port 179 (the well-known BGP port)

– eliminates the need to implement explicit data fragmentation, retransmission, …

• BGP: unique use of TCP among routing protocols

Vulnerable to TCP attacks too!


TCP Reset Attack: intro (I)

• Alice and Bob have a TCP connection

• Eve sends a spoofed TCP reset packet to Bob with Alice's address/port

• Bob will close the connection

• (Alice won't receive any further data from Bob)

[Figure: TCP connection between Alice and Bob; Eve injects a TCP RST]

TCP Reset Attack: intro (II)

Eve needs to:

– know the source/destination address/port
– guess a sequence number that falls within Bob's receive window

Forged TCP resets can kill a running TCP session

The more critical the session is, the more effective the attack


TCP Reset Attack on BGP (I)

[Figure: BGP session (over TCP) between Router #1 and Router #2, with a spoofed TCP RST injected into it]

TCP Reset Attack on BGP (II)

• Destination port: 179

– the destination and the source IPs still have to be guessed

• Source port: should be random but is usually predictable:

– E.g., ports below 1024 (well-known) are not used
– Predictable source port selection patterns on OSes
– Port scans… (nmap, etc.)


TCP Reset Attack on BGP (III)

• How to get the IP addresses of the source and the destination?

• Use combinations of:

– traceroute (from multiple sources)
– Publicly available AS information
  • e.g. http://www.ripe.net/data-tools/stats/ris/routing-information-service
– Other network topology information
  • e.g. internet measurement projects
– Social engineering
– Guessing…


TCP Reset Attack on BGP (IV)

• Given that the source and destination addresses are known, use brute force to guess the source port and the sequence number, and effectively spoof the RST!


TCP Reset Attack on BGP (V)

• 32-bit sequence number

• Frequent window size: 16384

• Number of ports to brute force / guess: <90 (depending on the desired success probability)

• Connection: 20 Mbps → 62500 RST packets/s

• Connection direction unknown

• Expected time until the RST is accepted: E[t] = 2^32 / 16384 × 90 / 62500 × 2 / 2 = 377 s (×2 for the unknown connection direction, ÷2 because on average only half of the candidates have to be tried)


Effects of a TCP RST attack on BGP

• BGP peers lose their connection

• Release of the associated BGP resources

• BGP peers must remove all routes learned from each other

• Recovery takes minutes to hours…


How do we deal with the attack?

• Caveat: ASes won't tell if anyone ever succeeded… (private information, competitive advantage!)

• But the vulnerability existed for several years

• Sample solution: TCP MD5 Signature Option

• There are other solutions as well…

– SEQ/ACK verification in RST packets
– Filtering
– Window size tuning (least effective)


TCP MD5 signature option details

• Well-advertised method to authenticate the identity of the remote BGP neighbor

• Makes it difficult for the attacker:

– A shared password is included in the MD5 digest
– The password never appears in the connection stream

• For each segment: a 16-byte MD5 digest, computed by applying the MD5 algorithm to the TCP header, data, etc.

• Receive the signed segment and validate!
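As an added illustration (not code from the slides), the following Python computes the RFC 2385 digest over the pseudo-header, fixed TCP header, payload and shared key, and shows the receiver-side check: a signed BGP KEEPALIVE is accepted, while a spoofed RST that carries the right addresses, ports and an in-window sequence number but lacks the key is dropped. The addresses, ports, key and the `Segment`, `rfc2385_digest`, `accept` and `demo` names are constructed for this example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

TCP_PROTO, BGP_PORT, FLAG_RST, FLAG_PSH_ACK = 6, 179, 0x04, 0x18
# 20-byte fixed header + 18-byte MD5 option (kind 19) + 2 NOPs = 40 bytes
DATA_OFFSET_WORDS = 10

@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int
    data: bytes
    md5_option: bytes = b""  # digest carried in the TCP option, empty if absent

def rfc2385_digest(seg: Segment, key: bytes) -> bytes:
    # RFC 2385 order: pseudo-header, fixed TCP header with checksum zeroed and
    # options left out, segment data, then the shared key
    tcp_len = DATA_OFFSET_WORDS * 4 + len(seg.data)
    pseudo = struct.pack("!4s4sBBH", IPv4Address(seg.src_ip).packed,
                         IPv4Address(seg.dst_ip).packed, 0, TCP_PROTO, tcp_len)
    header = struct.pack("!HHIIHHHH", seg.src_port, seg.dst_port, seg.seq, seg.ack,
                         (DATA_OFFSET_WORDS << 12) | seg.flags, seg.window, 0, 0)
    return hashlib.md5(pseudo + header + seg.data + key).digest()

def accept(seg: Segment, key: bytes) -> bool:
    # Receiver check on a keyed session: an unsigned or mis-signed segment,
    # RST included, is discarded before TCP acts on it
    if len(seg.md5_option) != 16:
        return False
    return hmac.compare_digest(seg.md5_option, rfc2385_digest(seg, key))

def demo() -> tuple:
    key = b"example-neighbor-key"  # constructed; a per-neighbor secret in practice
    # Constructed sample: signed BGP KEEPALIVE (marker, length 19, type 4) from 192.0.2.1 to 198.51.100.1
    keepalive = Segment("192.0.2.1", "198.51.100.1", 40123, BGP_PORT, 1000, 2000,
                        FLAG_PSH_ACK, 16384, b"\xff" * 16 + b"\x00\x13\x04")
    keepalive.md5_option = rfc2385_digest(keepalive, key)
    # Spoofed RST with correct addresses, ports and an in-window seq but no key: digest cannot match
    forged = Segment("192.0.2.1", "198.51.100.1", 40123, BGP_PORT, 1005, 0,
                     FLAG_RST, 0, b"", hashlib.md5(b"guess").digest())
    return accept(keepalive, key), accept(forged, key)
```

Note that the check also rejects a genuine segment whose header was altered in flight, since the sequence number and flags are part of the digested bytes.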


TCP MD5 pitfalls (I)

• AS tools required upgrading and human intervention to enable MD5

• The storing of the password presents its own security issues! (database security…)

• How do you securely transmit the clear text password?

• How are you generating the password?


TCP MD5 pitfalls (II)

• Examining an MD5 hash in the TCP header adds work for the router…

• What if an attacker can spoof segments with incorrect MD5 hashes to make your router work a bit more?

→ potential Denial of Service (DoS)?


Conclusions from the example

• No solution is a panacea in the field of security, but administrators do their best to lower the attack risk

• E.g., in the case of TCP MD5, more measures may be required:

– BGP session over a separate "protected" interface
– Anti-spoofing Access Control Lists (ACLs), filters


BGP Attacks in general

• BGP has other vulnerabilities as well, e.g.:

– 2008: Pakistan Telecom hijacking YouTube traffic (link to a video)
– 2008: presentation of a BGP MitM attack: A. Pilosov, T. Kapela, Stealing The Internet - An Internet-Scale Man In The Middle Attack (link to a video)

• Next time: IP prefix hijacking


Bibliography: BGP, TCP RST

• NIST, Border Gateway Protocol Security, http://csrc.nist.gov/publications/nistpubs/800-54/SP800-54.pdf

• Paul A. Watson, Slipping in the Window: TCP Reset Attacks, 2003

• RFC 4271, A Border Gateway Protocol 4 (BGP-4)

• RFC 4272, BGP Security Vulnerabilities Analysis

• RFC 793, Transmission Control Protocol

• L. Cavedon et al., "Are BGP Routers Open To Attack? An Experiment", iNetSec'10 Proceedings


Bibliography: MD5

• RFC 2385, TCP MD5 Signature Option

• BGP MD5: Good, Bad, Ugly?, http://www.nanog.org/meetings/nanog39/presentations/Scholl.pdf

• MD5 Authentication Between BGP Peers Configuration Example, http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080b52107.shtml


Questions: Attack Case

[Figure: BGP session (over TCP) between Router #1 and Router #2 with an injected TCP RST, same figure as in "TCP Reset Attack on BGP (I)"]

Questions: Exercise

• Task 1: Security Advisories and Common Vulnerabilities and Exposures (CVEs)

• Task 2: Vulnerability Lifecycle

• Task 3: Zero-day vulnerabilities


Thank you for your attention!
