Transcript of A Quick and Dirty Guide to BGP attacks

Page 1: A Quick and Dirty Guide to BGP attacks

A Quick and Dirty Guide to BGP attacks

Or

“How to 0wn the Backbone in your Spare Time”

Page 2

Outline

• How BGP works
• What can be attacked?
• How is it attacked?
• Who might be attacking?
• Common approaches to fixing BGP
• References

Page 3

How BGP works

1) An autonomous system (AS) has border routers that “speak” BGP with “BGP peers”, the border routers of neighboring ASes.

2) ASes that exchange traffic directly run a “BGP session” over TCP (port 179) and carry reachability information in “BGP updates”.

Page 4

How BGP works

Creating global reachability:

1) An autonomous system “originates” the network blocks (prefixes) currently allocated to it (allocations flow from IANA/ICANN through the regional Internet registries to the AS).

2) An AS can choose to “advertise” to its BGP peers reachability for network blocks it has learned that its neighbors can reach.

Page 5

How BGP works

BGP Update Format

Withdrawn Routes

Path Attributes (ORIGIN, AS_PATH, etc.)

NLRI (prefixes)

Page 6

How BGP works

Processing an update:

1) Receive the update message.
2) Apply the inbound filters configured for that peer.
3) Update the RIB.
4) Run the BGP decision process (if the best route for the prefix does not change, stop here).
5) Update the FIB.
6) For each peer, apply that peer's outbound filters and send a new update message.

Page 7

How BGP Works

Business relationships define export filters.

1) “Provider -> Customer”: all known best routes.

2) “Customer -> Provider”: only routes the customer originates itself or learned from its own customers.

3) “Peer -> Peer”: only originated or customer-learned routes; routes learned from other peers or from providers are not exported (no free transit).

Page 8

How BGP works

Providers provide connectivity for their customers. Top-level “tier-1” providers peer with each other to provide global reachability.
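The export rules on the previous slide, as an added example (not code from the slides): a small route-propagation model over a constructed seven-AS topology (ASNs from the documentation range; the tier-1s, providers and customers are assumptions for the example). Each AS exports its best route only where the three rules allow, prefers customer-learned routes over peer-learned over provider-learned (the usual LOCAL_PREF policy) and then the shorter AS_PATH. A `leaky` AS that ignores the rule shows what a route leak looks like: the provider above it suddenly prefers a “customer” path that is really a peer's route.

```python
"""Valley-free export filters (provider/customer/peer) as a propagation model.
Added example; topology and ASNs are constructed for illustration."""
from collections import deque

T1, T2, A, B, C, D, E = 64496, 64497, 64498, 64499, 64500, 64501, 64502
PROVIDER_CUSTOMER = [(T1, A), (T1, E), (T2, B), (A, C), (B, D)]   # (provider, customer)
PEER_PEER = [(T1, T2), (A, B)]                                    # settlement-free peers
ROLE_PREF = {"origin": 4, "customer": 3, "peer": 2, "provider": 1} # higher = preferred (LOCAL_PREF)


def build_topology(provider_customer, peer_peer):
    topo = {}

    def node(asn):
        return topo.setdefault(asn, {"customers": set(), "providers": set(), "peers": set()})

    for prov, cust in provider_customer:
        node(prov)["customers"].add(cust)
        node(cust)["providers"].add(prov)
    for x, y in peer_peer:
        node(x)["peers"].add(y)
        node(y)["peers"].add(x)
    return topo


def role_of(topo, me, nbr):
    """How `me` sees `nbr`: customer, provider or peer."""
    if nbr in topo[me]["customers"]:
        return "customer"
    if nbr in topo[me]["providers"]:
        return "provider"
    return "peer"


def export_allowed(learned_via, to_role, leaky=False):
    """The slide's three rules; a leaky AS exports everything to everyone."""
    if leaky or to_role == "customer":
        return True                                      # provider -> customer: any best route
    return learned_via in ("origin", "customer")         # to providers and peers: own/customer routes only


def rank(entry):
    learned_via, path = entry
    return (ROLE_PREF[learned_via], -len(path))


def propagate(topo, origin, leaky=frozenset()):
    """Return {asn: (learned_via, as_path)} for every AS that ends up with a route to `origin`."""
    best = {origin: ("origin", (origin,))}
    queue = deque([origin])
    while queue:
        me = queue.popleft()
        learned_via, path = best[me]
        for nbr in topo[me]["customers"] | topo[me]["providers"] | topo[me]["peers"]:
            if nbr in path:                              # neighbour's loop detection would drop it anyway
                continue
            if not export_allowed(learned_via, role_of(topo, me, nbr), leaky=me in leaky):
                continue
            candidate = (role_of(topo, nbr, me), (nbr,) + path)
            if nbr not in best or rank(candidate) > rank(best[nbr]):
                best[nbr] = candidate                    # neighbour re-selects and re-exports
                queue.append(nbr)
    return best


if __name__ == "__main__":
    topo = build_topology(PROVIDER_CUSTOMER, PEER_PEER)
    for asn, (via, path) in sorted(propagate(topo, C).items()):
        print(asn, via, path)
    print("T2 with B leaking:", propagate(topo, C, leaky={B})[T2])
```

With the rules enforced, C's prefix reaches all seven ASes, but B (which learned it from peer A) passes it only down to its customer D, never up to T2; T2 learns it from its peer T1. Mark B as leaky and T2 now prefers the customer path through B, which is exactly how a small AS ends up carrying a large provider's traffic.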

Page 9

What can be attacked?

Availability
• Reachability
• Degrade link quality
• Overwhelm communication capacity

Data Confidentiality

Data Integrity

Authentication (impersonation)

Page 10

How To Attack? (i.e., what needs to be secured?)

1) Peer-Peer Attacks (attack the exchange of data between two BGP speakers)

2) Protocol Content Attacks (falsify or misuse BGP Update messages)
   a) Traffic Attraction
   b) Traffic Direction

3) Instability Attacks (attempts to destabilize routing)

Page 11

Peer-Peer Attacks

Uses:

1) Create unavailability by tearing down the BGP session, which causes the paths learned over it to be withdrawn.

2) Inject information into the BGP session to perform traffic-attractor or traffic-director attacks.

Note: Assumes the attacker does not control a BGP-speaking router (an attacker on the wire or the path, not an operator).

Page 12

Peer-Peer Attacks

BGP sessions have no required protections.

1) Attackers may DoS the link bandwidth.

2) TCP injection attacks may insert data into the session, or reset the connection (a forged RST tears down the session and triggers withdrawals).

3) Peers are not authenticated by default, so a peer can be impersonated.

4) Eavesdropping on the session (who cares? the routes are not secret, though they do reveal policy).

5) Attacks on the router's CPU resources.

Page 13

Peer-Peer Solutions

Integrity and peer authentication: TCP MD5 signature option (RFC 2385; requires a pre-configured shared secret; its successor is TCP-AO, RFC 5925).

Integrity, confidentiality, authentication: IPsec (negotiates the shared secret).

CPU protections (rate-limit or drop packets that would consume route-processor CPU time).

TTL hack / GTSM (RFC 5082): the peer sends with TTL 255 and the receiver drops packets whose TTL shows they crossed more than one hop, so a remote attacker cannot reach the session at all.
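The two lightweight protections above in working form, as an added example (not code from the slides). It builds TCP segments carrying the RFC 2385 MD5 signature option (digest over the pseudo-header, the fixed TCP header with checksum zero, the payload and the shared key), verifies them on the receiving side, and applies the GTSM TTL check. The addresses, ports, sequence numbers, key and the 19-byte BGP KEEPALIVE payload are constructed for the example; the TCP checksum is left at zero because RFC 2385 defines the digest with the checksum field zeroed and a real host's stack fills it in afterwards.

```python
"""RFC 2385 TCP MD5 signature option and RFC 5082 GTSM, on constructed segments.
Added example; peers, key and payload are made up for illustration."""
import hashlib
import hmac
import socket
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MD5SIG = 0, 1, 19
TCPOPT_MD5SIG_LEN = 18          # kind + length + 16-byte digest
BGP_PORT = 179
FLAG_RST, FLAG_PSH_ACK = 0x04, 0x18


def pseudo_header(src_ip, dst_ip, segment_len):
    # RFC 2385 item 1: source IP, destination IP, zero, protocol 6 (TCP), TCP segment length
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, segment_len)


def md5_signature(src_ip, dst_ip, fixed_header, payload, key):
    """Digest over pseudo-header, 20-byte TCP header (checksum 0, options excluded), payload, key."""
    segment_len = (fixed_header[12] >> 4) * 4 + len(payload)   # header incl. options + data
    h = hashlib.md5()
    h.update(pseudo_header(src_ip, dst_ip, segment_len))
    h.update(fixed_header[:20])
    h.update(payload)
    h.update(key)
    return h.digest()


def build_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, payload, key=None):
    """TCP segment; with a key, the MD5 option (18 bytes + 2 NOPs) follows the 20-byte header."""
    data_offset_words = (20 + (20 if key is not None else 0)) // 4
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                        data_offset_words << 4, flags, 65535, 0, 0)   # checksum 0, urgent 0
    options = b""
    if key is not None:
        digest = md5_signature(src_ip, dst_ip, fixed, payload, key)
        options = bytes([TCPOPT_MD5SIG, TCPOPT_MD5SIG_LEN]) + digest + bytes([TCPOPT_NOP, TCPOPT_NOP])
    return fixed + options + payload


def find_md5_option(options):
    """Walk the option list; return the 16-byte digest or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                                    # malformed option list
        length = options[i + 1]
        if kind == TCPOPT_MD5SIG and length == TCPOPT_MD5SIG_LEN:
            return options[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver with a configured key: unsigned, mis-keyed or modified segments are discarded."""
    if len(segment) < 20:
        return False
    fixed = segment[:20]
    header_len = (fixed[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        return False
    received = find_md5_option(segment[20:header_len])
    if received is None:
        return False
    expected = md5_signature(src_ip, dst_ip, fixed, segment[header_len:], key)
    return hmac.compare_digest(received, expected)


def gtsm_accept(ttl, trusted_hops=1):
    """RFC 5082: a directly connected peer sends TTL 255; every router in between decrements it."""
    return ttl >= 255 - (trusted_hops - 1)


PEER_A, PEER_B = "192.0.2.1", "192.0.2.2"            # constructed point-to-point link
SECRET = b"correct horse battery staple"              # constructed shared key
BGP_KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"        # marker, length 19, type 4


def demo():
    genuine = build_segment(PEER_A, PEER_B, 40000, BGP_PORT, 1000, 2000, FLAG_PSH_ACK, BGP_KEEPALIVE, SECRET)
    forged_rst = build_segment(PEER_A, PEER_B, 40000, BGP_PORT, 1000, 2000, FLAG_RST, b"")        # no key
    wrong_key = build_segment(PEER_A, PEER_B, 40000, BGP_PORT, 1000, 2000, FLAG_PSH_ACK, BGP_KEEPALIVE, b"guess")
    tampered = genuine[:-1] + bytes([genuine[-1] ^ 0x01])   # flip one payload bit after signing
    return {
        "genuine": verify_segment(PEER_A, PEER_B, genuine, SECRET),
        "forged_rst": verify_segment(PEER_A, PEER_B, forged_rst, SECRET),
        "wrong_key": verify_segment(PEER_A, PEER_B, wrong_key, SECRET),
        "tampered": verify_segment(PEER_A, PEER_B, tampered, SECRET),
        "ttl_from_neighbor": gtsm_accept(255),
        "ttl_from_two_hops_away": gtsm_accept(253),
    }


if __name__ == "__main__":
    print(demo())
```

Note what each check does and does not buy: the signature stops the blind RST and data-injection attacks on slide 12 but still relies on a static key and MD5 (hence TCP-AO), and GTSM costs nothing but only helps against attackers more than one router hop away.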

Page 14

Protocol Content Attacks

What we normally think about when considering BGP attacks

These attacks can be the result of malicious behavior or misconfiguration.

Page 15

Traffic Attractor Attacks

Uses:

1) Drop or degrade traffic.

2) Inspect traffic, communication (traffic) analysis.

3) Modify traffic.

4) Impersonation attacks:
   a) Man-in-the-middle attacks
   b) Sending from a prefix the attacker does not own

Page 16

Traffic Attractor: MOAS – Multiple Origin AS

Occurs when multiple ASes originate (i.e., appear as the rightmost, first-advertising AS in the AS_PATH for) a particular prefix. An illegitimate MOAS is what is usually called a prefix hijack.

1) It may be legitimate, e.g., a multi-homed site announced by two providers or with a private ASN.

2) Roughly speaking, a simple MOAS can trick “half” of the Internet: both announcements have the same prefix length, so each AS chooses by its own policy and AS_PATH length, and the attacker captures the ASes that are closer (in AS hops) to it than to the real origin.

Page 17

Traffic Attractor: De-aggregation

An AS illegitimately originates a “sub-prefix” (a more-specific prefix) of another AS's address space.

1) More powerful than MOAS: it does not compete with the legitimate prefix at all, because longest-prefix match in the FIB always prefers the more-specific route regardless of AS_PATH length. It can trick the entire Internet.

2) Prefixes more specific than /24 are often filtered by large ISPs, so attackers de-aggregate down to /24s of a shorter legitimate prefix.

Page 18

Traffic Attractor: AS-Path Shortening

Instead of claiming to originate a prefix, an adversary keeps the correct origin AS but announces a shorter AS_PATH (e.g., claiming to be directly adjacent to the origin) so the route looks more attractive.

1) Stealthier than a false origination: checks that only look at the origin AS (MOAS detection) see nothing wrong.

2) Unlikely to occur as a misconfiguration.

Page 19

Traffic Direction Attacks

Uses:

1) Send larger amounts of traffic to a particular AS, potentially overwhelming it.

2) Force the use of alternate paths, which may be more expensive, or vulnerable to snooping or physical attack.

Page 20

Traffic Direction: Techniques

1) False AS-path padding (prepending) to make a path look unattractive.

2) Dropping an announcement.

3) Creating a “fake withdrawal”.

4) Placing another AS's number in the path (AS-path poisoning), so that its loop detection drops the announcement.

Note: These are weakly labeled “attacks”, as they could simply result from legitimate policy decisions (prepending and selective announcement are everyday traffic-engineering tools).
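The attacks on slides 16 through 20 replayed against a toy BGP speaker, as an added example (not code from the slides). The speaker implements the inbound checks and abbreviated decision process from the “How BGP works” slides (loop detection, an optional max-prefix-length filter, highest LOCAL_PREF then shortest AS_PATH, longest-prefix match in the FIB). The ASNs (documentation range), the prefix (TEST-NET-3) and the observer topology are constructed for the example.

```python
"""Prefix hijacks and path manipulation against an abbreviated BGP decision process.
Added example; ASNs, prefix and observers are constructed for illustration."""
from dataclasses import dataclass
import ipaddress

VICTIM, ATTACKER, OBSERVER, NEIGHBOR = 64500, 64499, 64497, 64498
LEGIT = ipaddress.ip_network("203.0.113.0/24")
TARGET_IP = "203.0.113.10"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple          # leftmost = neighbour that sent it, rightmost = origin AS
    local_pref: int = 100


class Speaker:
    def __init__(self, asn, max_prefixlen=None):
        self.asn = asn
        self.max_prefixlen = max_prefixlen
        self.adj_rib_in = {}                         # prefix -> candidate routes from all peers

    def receive(self, route):
        """Slide 6 steps 1-3: inbound filters, then store in the RIB."""
        if self.asn in route.as_path:
            return "dropped: own ASN in AS_PATH (loop detection)"
        if self.max_prefixlen is not None and route.prefix.prefixlen > self.max_prefixlen:
            return "dropped: more specific than /%d" % self.max_prefixlen
        self.adj_rib_in.setdefault(route.prefix, []).append(route)
        return "accepted"

    def best(self, prefix):
        """Step 4, abbreviated: highest LOCAL_PREF, shortest AS_PATH, lowest neighbour ASN as tie-break."""
        return min(self.adj_rib_in[prefix],
                   key=lambda r: (-r.local_pref, len(r.as_path), r.as_path[0]))

    def forward(self, ip):
        """Step 5: the FIB does longest-prefix match. Returns (prefix, origin AS, next-hop AS)."""
        addr = ipaddress.ip_address(ip)
        covering = [p for p in self.adj_rib_in if addr in p]
        if not covering:
            return None
        prefix = max(covering, key=lambda p: p.prefixlen)
        r = self.best(prefix)
        return str(prefix), r.as_path[-1], r.as_path[0]


def scenario_moas():
    """Same prefix, two origins: each observer believes the origin whose path is shorter for it."""
    near = Speaker(OBSERVER)                          # the attacker is this observer's direct neighbour
    near.receive(Route(LEGIT, (NEIGHBOR, VICTIM)))
    near.receive(Route(LEGIT, (ATTACKER,)))
    far = Speaker(64496)                              # the victim is this observer's direct neighbour
    far.receive(Route(LEGIT, (VICTIM,)))
    far.receive(Route(LEGIT, (NEIGHBOR, ATTACKER)))
    return near.forward(TARGET_IP)[1], far.forward(TARGET_IP)[1]


def scenario_deaggregation(filter_long_prefixes):
    """A /25 over a longer path still wins by longest-prefix match, unless an inbound filter drops it."""
    obs = Speaker(OBSERVER, max_prefixlen=24 if filter_long_prefixes else None)
    obs.receive(Route(LEGIT, (VICTIM,)))
    verdict = obs.receive(Route(ipaddress.ip_network("203.0.113.0/25"), (NEIGHBOR, 64496, ATTACKER)))
    return verdict, obs.forward(TARGET_IP)[1]


def scenario_path_shortening():
    """Forged short path with the true origin: an origin check passes, traffic still goes to the attacker."""
    obs = Speaker(OBSERVER)
    obs.receive(Route(LEGIT, (NEIGHBOR, 64501, VICTIM)))
    obs.receive(Route(LEGIT, (ATTACKER, VICTIM)))
    _prefix, origin, next_hop = obs.forward(TARGET_IP)
    return origin, next_hop


def scenario_direction():
    """Poisoning: OBSERVER's own ASN in the path makes it drop the route. Padding: the prepended path loses."""
    obs = Speaker(OBSERVER)
    poisoned = obs.receive(Route(LEGIT, (ATTACKER, OBSERVER, VICTIM)))
    obs.receive(Route(LEGIT, (NEIGHBOR, VICTIM)))
    obs.receive(Route(LEGIT, (64501, VICTIM, VICTIM, VICTIM)))   # victim prepends to steer traffic off 64501
    return poisoned, obs.forward(TARGET_IP)[2]


if __name__ == "__main__":
    print("MOAS origin seen by (near, far):", scenario_moas())
    print("de-aggregation, unfiltered:", scenario_deaggregation(False))
    print("de-aggregation, max /24:", scenario_deaggregation(True))
    print("path shortening (origin, next hop):", scenario_path_shortening())
    print("direction (poison verdict, next hop):", scenario_direction())
```

The path-shortening scenario is the one to look at twice: `forward()` reports the correct origin AS, so anything that validates only the origin (MOAS alarms, and later origin authentication alone) would call this route fine while the next hop is the attacker.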

Page 21

Instability Attacks

Uses:

1) Cause temporary unavailability for certain regions of the Internet.

2) Create “cascading failures” across many routing domains.

Such attacks often target the limited resources on a router.

Page 22

Instability Attacks

How?

1) Intentional route flapping (repeatedly announcing and withdrawing prefixes).

2) Table bloat, e.g., a route leak or de-aggregating into many /24s, to exhaust RIB and FIB memory.

3) BGP connection resets (through CPU exhaustion, congestion, etc.), which withdraw every route learned over the session.

Page 23

Data Plane Attacks

A compromised router can also attack availability, confidentiality, integrity and authentication of the traffic that passes through it.

Strictly weaker than control-plane attacks: the impact is local to traffic that already traverses the router.

Not handled by S-BGP or soBGP, which only protect the routing messages. Very difficult to detect!

Page 24

Who might be attacking?

A network operator has a typo or other misconfiguration.

A malicious party buys control of a BGP-speaking router on the black market.

Spammers with a shady or clueless upstream hijack address space.

Terrorists pay off an ISP insider, or own and operate a portion of the infrastructure.

Page 25

Fixing BGP: Origin Authentication

Who is allowed to originate a particular prefix?

1) Needed to detect an illegitimate MOAS.

2) Seems to require a complete registry of address-space allocations, and an associated PKI (complicated!).

Page 26

Fixing BGP: Path Attestation

Roughly, attempts to verify that the AS_PATH in an update is a valid AS-level path to the destination.

1) Different approaches: S-BGP uses signed route attestations (each AS signs the path as it forwards the update); soBGP uses a database of signed “links” (adjacency certificates) and checks that the path is plausible in that topology.

2) “Wormhole” attacks are still possible: two colluding ASes can attest to a direct link that is really a tunnel.

Page 27

Fixing BGP: Needs Both!

Origin Authentication (OA) AND Path Attestation (PA) are both required to provide a security benefit.

1) OA without PA would allow any malicious AS to claim to be directly connected to the originating AS (the path-shortening attack).

2) PA without OA would allow any AS to originate a prefix, as long as the path to the malicious AS was correct.
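Origin authentication as it was eventually deployed, as an added example (not code from the slides, which predate it): RPKI Route Origin Validation (RFC 6811). A ROA states that an AS may originate a prefix down to a maximum length; an announcement is Valid if some covering ROA matches its origin AS and length, Invalid if ROAs cover the prefix but none matches, and NotFound if no ROA covers it. The ROA, prefixes and ASNs below are constructed. The last case is the slide's point 1: a forged path with the right origin validates, because OA alone never looks at the rest of the AS_PATH.

```python
"""RFC 6811 Route Origin Validation over a constructed ROA set.
Added example; the ROA, prefixes and ASNs are made up for illustration."""
import ipaddress

# Constructed ROA: AS 64500 may originate 203.0.113.0/24, and nothing more specific.
ROAS = [(ipaddress.ip_network("203.0.113.0/24"), 24, 64500)]   # (prefix, maxLength, ASN)


def covers(roa_prefix, prefix):
    """A ROA covers a prefix when the prefix lies inside the ROA prefix (any length)."""
    return (prefix.version == roa_prefix.version
            and prefix.prefixlen >= roa_prefix.prefixlen
            and prefix.network_address in roa_prefix)


def rov_state(prefix, origin_asn, roas=ROAS):
    """RFC 6811 section 2: Valid / Invalid / NotFound for one (prefix, origin AS) pair."""
    prefix = ipaddress.ip_network(prefix)
    covering = [r for r in roas if covers(r[0], prefix)]
    if not covering:
        return "NotFound"
    for _roa_prefix, max_length, asn in covering:
        if asn == origin_asn and prefix.prefixlen <= max_length:
            return "Valid"
    return "Invalid"


def validate_update(prefix, as_path, roas=ROAS):
    """Origin authentication looks only at the rightmost AS of the AS_PATH."""
    return rov_state(prefix, as_path[-1], roas)


def demo():
    return {
        "legitimate": validate_update("203.0.113.0/24", (64498, 64500)),
        "moas_hijack": validate_update("203.0.113.0/24", (64499,)),
        "subprefix_hijack": validate_update("203.0.113.0/25", (64499,)),
        "victim_beyond_maxlength": validate_update("203.0.113.0/25", (64500,)),
        "path_shortened": validate_update("203.0.113.0/24", (64499, 64500)),   # Valid, yet forged
        "no_roa": validate_update("198.51.100.0/24", (64499,)),
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print("%-24s %s" % (name, state))
```

Operationally, routers drop Invalid and accept NotFound (most of the table had no ROA for years), which is why the maxLength in a ROA should be as tight as the real announcements allow: a loose maxLength lets an attacker with a forged origin announce more-specifics that still validate.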

Page 28

References

Beware of BGP Attacks (Nordström et al.)

BGP Security Vulnerabilities Analysis (draft-ietf-idr-bgp-vuln-01.txt, Murphy)

BGP Security Requirements (draft-ietf-rpsec-bgpsecrec-05.txt, Christian)

A Survey of BGP Security (Butler et al.)