Breaking BGP sessions February 14, 2016 Udi Ben-Porat


Page 1: Breaking BGP sessions February 14, 2016 Udi Ben-Porat

Breaking BGP sessions

May 4, 2023

Udi Ben-Porat([email protected])


Organization

1. Attack show case [25 min.]

2. Q+A about attack case [10 min.]

3. Q+A about exercise [10 min.]

- 2 -

© TIK/CSG (04.05.23)


Motivation

• What if a normal user could bring down major internet connections within minutes?

• Attacks on the routing control plane can cripple large parts of the Internet!

[Figure: BGP]


BGP Introduction (I)

• The Internet is a network of different autonomous systems (ASes)

• Within an AS, routing information is readily available (IGP, e.g. OSPF)

[Figure: AS sketch with border routers and internal routers]


BGP Introduction (II)

• To get data from A to B, routers need to know how to route between different ASes

[Figure: hosts A and B in different ASes]


BGP Introduction (III)

• BGP = Border Gateway Protocol

• Path-vector protocol

• Routing decisions based on:

– Paths
– Network policies
– Rule-sets

• ASes use it to:

– Exchange reachability information (IP prefixes)
– Enforce their policies (e.g. ISP-customer relationship)


eBGP and iBGP

• internal BGP (iBGP): BGP between two peers in the same AS

• external BGP (eBGP): BGP between autonomous systems

Routers on the boundary of an AS that exchange information with another AS (border or edge routers) maintain eBGP sessions


BGP uses TCP for transport

• To connect two peers: a TCP session on port 179 (the well-known BGP port)

– eliminates the need to implement explicit data fragmentation, retransmission, …

• BGP: unique use of TCP among routing protocols

Vulnerable to TCP attacks too!


TCP Reset Attack: intro (I)

• Alice and Bob have a TCP connection

• Eve sends a spoofed TCP reset packet to Bob with Alice's address/port

• Bob will close the connection

• (Alice won't receive any further data from Bob)

[Figure: TCP connection between Alice and Bob; Eve sends a TCP RST to Bob]


TCP Reset Attack: intro (II)

Eve needs to:

– know source/destination address/port
– guess a sequence number that falls in Bob's receive window

Forged TCP resets can kill a running TCP session

The more critical the session is, the more effective the attack is


TCP Reset Attack on BGP (I)

[Figure: BGP session (over TCP) between ROUTER #1 and ROUTER #2; a TCP RST is injected into it]


TCP Reset Attack on BGP (II)

• Destination port: 179

– still have to guess the destination and the source IPs

• Source port: should be random but is usually predictable:

– E.g., we don't use ports less than 1024 (well-known)
– Predictable source port selection patterns on OSes
– Port scans… (nmap, etc.)


TCP Reset Attack on BGP (III)

• How to get the IP addresses of the source and the destination?

• Use combinations of:

– traceroute (from multiple sources)
– Publicly available AS information
  • e.g. http://www.ripe.net/data-tools/stats/ris/routing-information-service
– Other network topology information
  • e.g. internet measurement projects
– Social Engineering
– Guessing…


TCP Reset Attack on BGP (IV)

• Given that the source and destination addresses are known, use brute force to guess the source port and the sequence number and effectively spoof the RST!


TCP Reset Attack on BGP (V)

• 32-bit sequence number

• Frequent window size: 16384

• Number of ports to brute force / guess: <90

– (depending on desired success probability)

• Connection: 20 mbps → 62500 RST packets/s (40-byte RST packets)

• Connection direction unknown

• E[t] = 2^32 / 16384 * 90 / 62500 * 2 / 2 = 377s

(2^32 / 16384 guesses cover the sequence space when any in-window value is accepted, times 90 candidate ports, at 62500 packets/s; ×2 because both session directions may have to be tried, ÷2 because on average the hit comes after half the search space)


Effects of TCP RST BGP Attack

• BGP peers lose the connection

• Release of associated BGP resources

• BGP peers must remove all routes learned from each other

• Recovery takes minutes to hours…


How do we deal with the attack?

• Caveat: ASes won't tell if anyone ever succeeded… (private information, competitive advantage!)

• But the vulnerability existed for several years

• Sample solution: TCP MD5 Signature Option

• There are other solutions as well…

– SEQ, ACK verification in RST packets
– Filtering
– Window size tuning (least effective)
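The "SEQ, ACK verification in RST packets" mitigation listed above, as an added example that is not part of the original slides: it implements the RST handling rule of RFC 5961 (section 3.2) next to the classic RFC 793 rule the attack relies on, and counts what a receiver does when the whole sequence space is swept at the slides' window size. The receiver state, window size and sweep are constructed values.

```python
# Added example (not from the lecture slides): the "SEQ verification in RST
# packets" mitigation as RFC 5961 section 3.2 specifies it, next to the classic
# RFC 793 rule the attack on the slides relies on. Sequence numbers are 32-bit,
# so all window arithmetic wraps modulo 2**32. Values below are constructed.

MOD = 1 << 32

def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd

def classify_rst(seq, rcv_nxt, rcv_wnd, strict=True):
    """What the receiver does with an incoming RST carrying sequence number seq.

    strict=False: RFC 793, any in-window RST tears the connection down
                  (one hit per 16384-wide window, as the slides compute).
    strict=True:  RFC 5961, only seq == RCV.NXT resets; an in-window but
                  inexact RST gets a challenge ACK, which a blind spoofer
                  never sees, and the session survives.
    """
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"
    if not strict or seq == rcv_nxt:
        return "reset"
    return "challenge-ack"

def sweep_outcomes(rcv_nxt, rcv_wnd, strict, step):
    """Count receiver outcomes when a blind sender walks the whole 32-bit
    sequence space in `step` increments (step == rcv_wnd is the slides'
    model). Used here to measure how much each rule helps the defender."""
    counts = {"drop": 0, "reset": 0, "challenge-ack": 0}
    for seq in range(0, MOD, step):
        counts[classify_rst(seq, rcv_nxt, rcv_wnd, strict)] += 1
    return counts

if __name__ == "__main__":
    rcv_nxt, rcv_wnd = 123456789, 16384          # constructed receiver state
    for strict in (False, True):
        print("RFC 5961" if strict else "RFC 793 ",
              sweep_outcomes(rcv_nxt, rcv_wnd, strict, rcv_wnd))
```

Under the classic rule the 262144-packet sweep yields exactly one reset; under the RFC 5961 rule the same sweep yields one challenge ACK and no reset, since the sender now needs the exact RCV.NXT value (one in 2^32 instead of one in 2^32/16384), which is why exact-match checking beats shrinking the window.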


TCP MD5 signature option details

• Well-advertised method to authenticate the identity of the remote BGP neighbor

• Makes it difficult for the attacker:

– Use of a password included in the MD5 digest
– The password never appears in the connection stream

• For each segment: a 16-byte MD5 digest, computed by applying the MD5 algorithm to the TCP header, data, etc.

• Receive the signed segment and validate it!
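The signing and validation described on this slide, as an added example that is not part of the original slides: it computes the RFC 2385 digest (pseudo-header, TCP header with checksum zeroed and options excluded, data, then the password) for a constructed BGP KEEPALIVE between two made-up peers, and shows that a RST for the same session fails validation without the shared key. The addresses (192.0.2.0/24 documentation range), ports, sequence numbers and the key are assumptions.

```python
# Added example, not from the lecture slides: signing and validating a segment
# with the TCP MD5 Signature Option (RFC 2385). The 16-byte digest is MD5 over
# the TCP pseudo-header, the 20-byte TCP header with checksum zeroed (options
# are excluded), the segment data, and finally the shared password.
# Addresses, ports, sequence numbers and the key below are constructed values.
import hashlib
import hmac
import ipaddress
import struct

def build_header(sport, dport, seq, ack, flags, window, data_offset=5):
    """Fixed 20-byte TCP header; checksum and urgent pointer are zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0)

def tcp_md5_digest(src_ip, dst_ip, header20, data, password, options_len=0):
    """RFC 2385 digest for one segment. options_len is the size of the TCP
    options (e.g. the 20 bytes the padded MD5 option occupies): they are not
    hashed, but the pseudo-header length counts the whole segment."""
    seg_len = 20 + options_len + len(data)
    pseudo = struct.pack("!4s4sBBH", ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed, 0, 6, seg_len)
    zeroed = header20[:16] + b"\x00\x00" + header20[18:]   # checksum := 0
    return hashlib.md5(pseudo + zeroed + data + password).digest()

def verify_segment(src_ip, dst_ip, header20, data, digest, password, options_len=0):
    """Receiver side: recompute the digest and compare in constant time."""
    expected = tcp_md5_digest(src_ip, dst_ip, header20, data, password, options_len)
    return hmac.compare_digest(expected, digest)

def demo():
    """Peer A (192.0.2.1) sends a BGP KEEPALIVE to peer B (192.0.2.2:179);
    a third party then injects a RST for the same 4-tuple without the key."""
    key = b"constructed-bgp-key"
    a, b = "192.0.2.1", "192.0.2.2"
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"      # marker, length 19, type 4
    hdr = build_header(46123, 179, 0x1A2B3C4D, 0x5E6F7081, 0x18, 16384, data_offset=10)
    sig = tcp_md5_digest(a, b, hdr, keepalive, key, options_len=20)
    genuine_ok = verify_segment(a, b, hdr, keepalive, sig, key, options_len=20)
    # Spoofed RST: right addresses, ports and an in-window sequence number,
    # but signed with a guessed key, so B discards it instead of tearing down.
    rst = build_header(46123, 179, 0x1A2B3C4D + 4000, 0, 0x04, 0, data_offset=10)
    bad_sig = tcp_md5_digest(a, b, rst, b"", b"guessed-key", options_len=20)
    spoof_ok = verify_segment(a, b, rst, b"", bad_sig, key, options_len=20)
    # The password itself never appears on the wire, only the digest does.
    key_on_wire = key in hdr + sig + keepalive
    return genuine_ok, spoof_ok, key_on_wire
```

Note that the receiver still has to run MD5 over every segment before it can discard a bad one, which is the extra per-packet work the next slides point out.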


TCP MD5 pitfalls (I)

• AS tools required upgrading and human intervention to enable MD5

• Storing the password presents its own security issues! (database security…)

• How do you securely transmit the cleartext password?

• How are you generating the password?


TCP MD5 pitfalls (II)

• Checking an MD5 hash in the TCP header adds work for the router…

• What if an attacker can spoof segments with incorrect MD5 hashes just to make your router work a bit more?

Potential Denial of Service (DoS)???


Conclusions from the example

• No solution is a panacea in the field of security, but administrators do their best to lower the attack risks

• E.g., in the case of TCP MD5, more measures may be required:

– BGP session over a separate "protected" interface
– Anti-spoofing Access Control Lists (ACLs), filters


BGP Attacks in general

• BGP has other vulnerabilities as well, e.g.:

– 2008: Pakistan Telecom hijacking YouTube traffic
  • Link to a video
– 2008: presentation of a BGP MitM attack
  • A. Pilosov, T. Kapela, Stealing The Internet - An Internet-Scale Man In The Middle Attack
  • Link to a video

• Next time: IP prefix hijacking


Bibliography: BGP, TCP RST

• NIST, Border Gateway Protocol Security, http://csrc.nist.gov/publications/nistpubs/800-54/SP800-54.pdf

• Paul A. Watson, Slipping in the Window: TCP Reset Attacks, 2003

• RFC 4271, A Border Gateway Protocol 4 (BGP-4)

• RFC 4272, BGP Security Vulnerabilities Analysis

• RFC 793, Transmission Control Protocol

• L. Cavedon et al., "Are BGP Routers Open To Attack? An Experiment", iNetSec'10 Proceedings


Bibliography: MD5

• RFC 2385, TCP MD5 Signature Option

• BGP MD5: Good, Bad, Ugly?, http://www.nanog.org/meetings/nanog39/presentations/Scholl.pdf

• MD5 Authentication Between BGP Peers Configuration Example, http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080b52107.shtml


Questions: Attack Case

[Figure: BGP session (over TCP) between ROUTER #1 and ROUTER #2; a TCP RST is injected into it]


Questions: Exercise

• Task 1: Security Advisories and Common Vulnerabilities and Exposures (CVEs)

• Task 2: Vulnerability Lifecycle

• Task 3: Zero-day vulnerabilities


Thank you for your attention!
