A Quick and Dirty Guide to BGP attacks Or “How to 0wn the Backbone in your Spare Time”
Outline How BGP works What can be attacked? How is it attacked? Who might be attacking? Common approaches to fixing BGP References
How BGP works 1) An autonomous system (AS) has border routers that “speak” BGP with “BGP peers” at border routers in neighboring AS’s. 2) AS’s that send traffic directly to each other have a “BGP session” using TCP to communicate information in “BGP updates”
How BGP works Creating Global Reachability: 1) An autonomous system will “originate” whatever network blocks it is currently allowed by ICANN to use. 2) AS’s can choose to “advertise” reachability to BGP peers for network blocks it knows its neighbors can reach.
How BGP works BGP Update Format Withdrawn Routes Path Attributes (Origin, AS-Path, etc) NLRI (prefixes)
How BGP works 1) Receive update message 2) Apply in-bound filters for peer 3) Update RIB 4) Run BGP decision process (if not new best route, exit) 5) Update FIB 6) For each peer, apply outbound filters and send new update message.
How BGP Works Business Relationships define Export Filters. 1) “Prov -> Cust” all known best routes 2) “Cust -> Prov” only originated routes or routes from their customers. 3) “Peer -> Peer” originated or customer routes (but with no export).
How BGP works Providers provide connectivity for their customers. Top-level “tier-1” providers peer with each-other to provide global reachability.
What can be attacked? Availability Reachability Degrade link quality Overwhelm communication capacity Data Confidentiality Data Integrity Authentication (impersonation)
How To Attack? (ie: what needs to be secured?) 1) Peer-Peer Attacks (attack exchange of data between two BGP speakers) 2) Protocol Content Attacks (falsify or modify use of BGP Update messages) a) Traffic Attraction b) Traffic Direction 3) Instability Attacks (attempts to destabilize routing)
Peer-Peer Attacks Uses: 1) Create unavailability by tearing down BGP session and causing path withdrawals. 2) Inject information into BGP session to perform traffic-attractor or traffic-director attacks. Note: Assumes no possession of a BGP speaking router
Peer-Peer Attacks BGP sessions have no required protections. 1) Attackers my DoS the link bandwidth 2) TCP injection attacks may insert data into the session, or reset the connection. 3) Authenticating Peers 4) Eaves-dropping on session (who cares?) 5) Attack on CPU resources
Peer-Peer Solutions Integrity: TCP MD5 Option (requires pre- configured secret) Integrity, Confidentiality, Authentication: IPSec (negotiates shared secret) CPU protections (drop packets that use CPU time) TTL Hack (filters non single-hop packets)
Protocol Content Attacks What we normally think about when considering BGP attacks These attacks can be the result of malicious behavior or misconfiguration.
Traffic Attractor Attacks Uses: 1) Drop, degrade traffic. 2) Inspect traffic, communication analysis 3) Modify Traffic 4) Impersonation Attacks 1) Man-in-the-Middle Attacks 2) Send from un-owned prefix.
Traffic Attractor: MOAS – Multiple Origin AS Occurs when multiple AS’s originate (ie: are the first AS to advertise) a particular prefix. Also referred to as a prefix-hijack. 1) This may be legitimate, e.g., multi-homing with a private ASN. 2) Roughly speaking, a simple MOAS can trick “half” of the Internet
Traffic Attractor: De-aggregation An AS illegitimately originates the “sub-prefix” of another AS’s address space. 1) More powerful than MOAS, as it does not conflict with a legitimate prefix, but is preferred routing decision. Can trick the entire Internet. 2) Prefixes larger than 24 bits often filtered by large ISPs.
Traffic Attractor: AS-Path Shortening Instead of claiming to originate a prefix, an adversary can keep the correct originator, but shorten the remainder of the path to make it look more attractive. 1) This attack is more stealthy than simple origination. 2) Unlikely to occur as misconfig.
Traffic Direction Attacks Uses: 1) Send larger amounts of traffic to a particular AS, potentially overwhelming them. 2) Force use of alternate paths, which may be more expensive, or vulnerable to snooping, physical attack.
Traffic Direction: False AS-Path Padding (make path look unattractive) Dropping an announcement Creating a “fake withdrawal” Placing another AS’s number in the path, so that it’s loop detection will drop the announcement. Note: These are weakly labeled “attacks”, as they could simply result from legitimate policy decisions.
Instability Attacks: Uses: 1) Cause temporary unavailability for certain regions of the Internet. 2) Create “cascading failures” across many routing domains. Such attacks often target the limited resources on a router.
Instability Attacks How? 1) Intentional Route-flapping 2) Route leaks (advertise many /24’s, overwhelm RIB, FIB memory) 3) BGP connection resets (CPU exhaustion, congestion, etc).
Data Plane attacks Can also compromise availability, confidentiality, integrity and authentication. Strictly weaker than control plane attacks (local impact) Not handled by s-BGP, so-BGP. Very difficult to detect!
Who might be attacking? Network operator has a typo or other misconfiguration. Malicious party gains control of a BGP speaking router on the black-market Spammers with shady or clue-less upstream hijack address space Terrorists pay-off ISP insider or own and operate a portion of the infrastructure
Fixing BGP: Origin Authentication Who is allowed to originate a particular prefix? 1) Needed to detect illegitimate MOAS 2) Seems to require a complete registry of address space allocations, and an associated PKI (complicated!)
Fixing BGP: Path Attestation Roughly attempts to verify that the AS- Path included in an update is a valid AS-level path to the destination. 1) Different approaches to solving this problem: s-BGP uses signed attestations, so-BGP has a data-base of signed “links” 2) “Worm-hole” attacks still possible.
Fixing BGP: Needs Both! Origin Authentication (OA) AND Path Attestation (PA) are required to provide security benefits. 1) OA without PA would allow any malicious AS to claim to be directly connected to the originating AS. 2) PA without OA would allow any AS to originate a prefix, as long as the path to the malicious AS was correct.
References Beware of BGP Attacks (Nordstrom, et. al.) BGP Security Vulnerabilities Analysis (draft-ietf-idr-bgp-vuln-01.txt, Murphy) BGP Security Requirements (draft-ietf- rpsec-bgpsecrec-05.txt, Christian) A Survey of BGP Security (Butler, et. al.)