A Quick and Dirty Guide to BGP attacks Or “How to 0wn the Backbone in your Spare Time”


Outline
How BGP works
What can be attacked?
How is it attacked?
Who might be attacking?
Common approaches to fixing BGP
References

How BGP works
1) An autonomous system (AS) has border routers that “speak” BGP with “BGP peers” at border routers in neighboring ASes.
2) ASes that send traffic directly to each other have a “BGP session” using TCP to communicate information in “BGP updates”.

How BGP works
Creating global reachability:
1) An autonomous system will “originate” whatever network blocks it is currently allowed by ICANN to use.
2) An AS can choose to “advertise” to its BGP peers reachability for network blocks it knows its neighbors can reach.

How BGP works
BGP Update format:
Withdrawn Routes
Path Attributes (Origin, AS-Path, etc.)
NLRI (prefixes)
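As an added example (not from the slides), a small parser for the UPDATE layout just listed. It assumes 2-byte ASNs (no 4-byte AS capability), decodes only the ORIGIN and AS_PATH attributes, and is fed a constructed sample message rather than a captured one.

```python
import struct
from ipaddress import IPv4Network

ORIGIN_NAMES = {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}   # values of the ORIGIN attribute
def _prefixes(buf):  # <length, prefix> list used by both Withdrawn Routes and NLRI
    out, i = [], 0
    while i < len(buf):
        plen, nbytes = buf[i], (buf[i] + 7) // 8        # only significant octets are sent
        octets = buf[i + 1:i + 1 + nbytes] + bytes(4 - nbytes)
        out.append(str(IPv4Network((octets, plen))))
        i += 1 + nbytes
    return out

def _as_path(buf):  # AS_PATH segments with 2-byte ASNs (no 4-byte AS capability)
    segs, i = [], 0
    while i < len(buf):
        seg_type, count = buf[i], buf[i + 1]
        asns = list(struct.unpack(f"!{count}H", buf[i + 2:i + 2 + 2 * count]))
        segs.append(("AS_SET" if seg_type == 1 else "AS_SEQUENCE", asns))
        i += 2 + 2 * count
    return segs

def parse_update(msg):  # complete message: 19-byte header, then the UPDATE body
    marker, length, mtype = struct.unpack("!16sHB", msg[:19])
    if marker != b"\xff" * 16 or mtype != 2 or length != len(msg):
        raise ValueError("not a well-formed BGP UPDATE")
    body = msg[19:]
    wlen = struct.unpack("!H", body[:2])[0]
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    attrs_raw, attrs, i = body[4 + wlen:4 + wlen + alen], {}, 0
    while i < len(attrs_raw):
        flags, code = attrs_raw[i], attrs_raw[i + 1]
        hdr = 4 if flags & 0x10 else 3                  # extended-length flag: 2-byte length
        vlen = struct.unpack("!H", attrs_raw[i + 2:i + 4])[0] if hdr == 4 else attrs_raw[i + 2]
        val = attrs_raw[i + hdr:i + hdr + vlen]
        if code == 1:                                   # ORIGIN
            attrs["ORIGIN"] = ORIGIN_NAMES.get(val[0], "unknown")
        elif code == 2:                                 # AS_PATH
            attrs["AS_PATH"] = _as_path(val)
        i += hdr + vlen                                 # other attributes are skipped
    return {"withdrawn": _prefixes(body[2:2 + wlen]), "attrs": attrs,
            "nlri": _prefixes(body[4 + wlen + alen:])}

# Constructed sample, not a captured message: withdraws 10.0.0.0/8 and announces
# 192.0.2.0/24 with ORIGIN=IGP and AS_PATH 64500 64501 (private ASNs).
SAMPLE = (b"\xff" * 16 + b"\x00\x2a\x02"              # header: marker, length 42, type 2
          + b"\x00\x02\x08\x0a" + b"\x00\x0d"         # withdrawn 10.0.0.0/8; attr length 13
          + b"\x40\x01\x01\x00"                       # ORIGIN = IGP
          + b"\x40\x02\x06\x02\x02\xfb\xf4\xfb\xf5"   # AS_PATH: AS_SEQUENCE [64500, 64501]
          + b"\x18\xc0\x00\x02")                      # NLRI: 192.0.2.0/24
```

The length check in the header is the first thing a receiver should do: the update-processing steps on the next slides all assume the message is what its length field claims.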

How BGP works
1) Receive update message.
2) Apply in-bound filters for the peer.
3) Update the RIB.
4) Run the BGP decision process (if the route is not the new best route, exit).
5) Update the FIB.
6) For each peer, apply outbound filters and send a new update message.

How BGP works
Business relationships define export filters.
1) “Prov -> Cust”: all known best routes.
2) “Cust -> Prov”: only originated routes or routes from their customers.
3) “Peer -> Peer”: originated or customer routes only (routes learned from a peer are not exported further).
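An added model (not from the slides) of steps 4 and 6 of the update-processing slide combined with these export rules: local preference is set from the relationship a route was learned over, the shortest AS-path breaks ties, and each neighbor receives only what the relationship allows. The ASNs, prefixes and relationships are constructed.

```python
from dataclasses import dataclass

# Local preference by the relationship a route was learned over: customer routes
# earn money, peer routes are free, provider routes cost money.
PREF = {"self": 400, "customer": 300, "peer": 200, "provider": 100}

@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple       # AS-path as received; empty when we originate the prefix
    learned_from: str    # "self", "customer", "peer" or "provider"

def decide(candidates):
    """Decision process reduced to the steps the slides cover: highest local
    preference first, then shortest AS-path."""
    return max(candidates, key=lambda r: (PREF[r.learned_from], -len(r.as_path)))

def export_allowed(route, to_rel):
    """Export filter from business relationships: customers get every best route;
    providers and peers get only our own routes and our customers' routes."""
    return to_rel == "customer" or route.learned_from in ("self", "customer")

def outbound_updates(my_asn, rib, peers):
    """Pick the best route per prefix, then build each neighbor's update set
    (our ASN prepended). `peers` maps neighbor ASN -> its relationship to us."""
    by_prefix = {}
    for r in rib:
        by_prefix.setdefault(r.prefix, []).append(r)
    best = {p: decide(rs) for p, rs in by_prefix.items()}
    updates = {asn: {p: (my_asn,) + r.as_path for p, r in best.items()
                     if export_allowed(r, rel) and r.as_path[:1] != (asn,)}  # never back to sender
               for asn, rel in peers.items()}
    return best, updates

# Constructed example (private ASNs, documentation prefixes), not real routing data.
MY_ASN = 64500
PEERS = {64501: "customer", 64502: "peer", 64503: "provider"}
RIB = [
    Route("192.0.2.0/24", (), "self"),
    Route("198.51.100.0/24", (64501, 64520), "customer"),   # longer path, but a customer route
    Route("198.51.100.0/24", (64503,), "provider"),         # shorter path loses to local-pref
    Route("203.0.113.0/24", (64502, 64510), "peer"),
    Route("203.0.113.0/24", (64503, 64510), "provider"),
]
```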

How BGP works
Providers provide connectivity for their customers. Top-level “tier-1” providers peer with each other to provide global reachability.

What can be attacked?
Availability: reachability, degrading link quality, overwhelming communication capacity
Data confidentiality
Data integrity
Authentication (impersonation)

How to attack? (i.e., what needs to be secured?)
1) Peer-peer attacks (attack the exchange of data between two BGP speakers)
2) Protocol content attacks (falsify or modify the use of BGP Update messages)
  a) Traffic attraction
  b) Traffic direction
3) Instability attacks (attempts to destabilize routing)

Peer-peer attacks
Uses:
1) Create unavailability by tearing down the BGP session and causing path withdrawals.
2) Inject information into the BGP session to perform traffic-attractor or traffic-director attacks.
Note: assumes the attacker does not possess a BGP-speaking router.

Peer-peer attacks
BGP sessions have no required protections.
1) Attackers may DoS the link bandwidth.
2) TCP injection attacks may insert data into the session, or reset the connection.
3) Authenticating peers.
4) Eavesdropping on the session (who cares?).
5) Attacks on CPU resources.

Peer-peer solutions
Integrity: TCP MD5 option (requires a pre-configured secret)
Integrity, confidentiality, authentication: IPsec (negotiates a shared secret)
CPU protections (drop packets that use CPU time)
TTL hack (filters packets that did not arrive over a single hop)

Protocol content attacks
What we normally think about when considering BGP attacks. These attacks can be the result of malicious behavior or misconfiguration.

Traffic attractor attacks
Uses:
1) Drop or degrade traffic.
2) Inspect traffic, communication analysis.
3) Modify traffic.
4) Impersonation attacks:
  a) Man-in-the-middle attacks
  b) Send from an un-owned prefix.

Traffic attractor: MOAS – Multiple Origin AS
Occurs when multiple ASes originate (i.e., are the first AS to advertise) a particular prefix. Also referred to as a prefix hijack.
1) This may be legitimate, e.g., multi-homing with a private ASN.
2) Roughly speaking, a simple MOAS can trick “half” of the Internet.

Traffic attractor: De-aggregation
An AS illegitimately originates a “sub-prefix” of another AS’s address space.
1) More powerful than MOAS: it does not conflict with a legitimate prefix, yet wins the routing decision as the more specific route. Can trick the entire Internet.
2) Prefixes longer than /24 are often filtered by large ISPs.
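An added example (not part of the slides) of how a route monitor would tell the MOAS and de-aggregation cases on the last two slides apart, by checking each observed origination against a table of expected origins. The registry and the announcement feed are constructed; a real check would also carry a maximum prefix length per entry, as RPKI ROAs do.

```python
from ipaddress import ip_network

# Constructed registry of who may originate what (in the spirit of an address
# registry or ROA table); not real allocations. 64511 is a second, legitimate
# origin for the /22, i.e. the slide's legitimate MOAS case.
REGISTRY = {"192.0.2.0/24": {64500}, "198.51.100.0/22": {64501, 64511}}
MAX_PREFIXLEN = 24      # longer prefixes are commonly filtered by large ISPs

def most_specific_registered(prefix, registry):
    """(registered network, allowed origins) for the longest registry entry
    covering `prefix`, or None when nothing in the registry covers it."""
    net = ip_network(prefix)
    hits = [(ip_network(p), owners) for p, owners in registry.items()
            if net.network_address in ip_network(p)
            and net.prefixlen >= ip_network(p).prefixlen]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def classify(prefix, origin, registry=REGISTRY):
    """Verdict for one observed origination, as seen from a route monitor."""
    net = ip_network(prefix)
    hit = most_specific_registered(prefix, registry)
    if hit is None:
        return "unknown-prefix"
    reg_net, owners = hit
    if origin in owners:
        return "ok"                      # registered holder; a more-specific by the holder passes here
    if net.prefixlen == reg_net.prefixlen:
        return "moas"                    # competing origin for exactly the registered prefix
    if net.prefixlen > MAX_PREFIXLEN:
        return "subprefix-hijack (likely filtered, longer than /24)"
    return "subprefix-hijack"            # more specific: longest match prefers it everywhere

def scan(announcements, registry=REGISTRY):
    """Everything in a (prefix, origin) feed that is not a clean origination."""
    return [(p, o, v) for p, o in announcements
            for v in [classify(p, o, registry)] if v != "ok"]

# Constructed sample feed (documentation prefixes, private ASNs), not real data.
SAMPLE = [("192.0.2.0/24", 64500), ("192.0.2.0/24", 64666),
          ("198.51.100.0/22", 64511), ("198.51.101.0/24", 64666),
          ("198.51.100.0/25", 64666), ("203.0.113.0/24", 64666)]
```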

Traffic attractor: AS-Path shortening
Instead of claiming to originate a prefix, an adversary can keep the correct originator but shorten the remainder of the path to make it look more attractive.
1) This attack is more stealthy than simple origination.
2) Unlikely to occur as a misconfiguration.

Traffic direction attacks
Uses:
1) Send larger amounts of traffic to a particular AS, potentially overwhelming it.
2) Force use of alternate paths, which may be more expensive, or vulnerable to snooping or physical attack.

Traffic direction
False AS-Path padding (make a path look unattractive)
Dropping an announcement
Creating a “fake withdrawal”
Placing another AS’s number in the path, so that its loop detection will drop the announcement.
Note: These are weakly labeled “attacks”, as they could simply result from legitimate policy decisions.

Instability attacks
Uses:
1) Cause temporary unavailability for certain regions of the Internet.
2) Create “cascading failures” across many routing domains.
Such attacks often target the limited resources on a router.

Instability attacks
How?
1) Intentional route flapping
2) Route leaks (advertise many /24s, overwhelm RIB and FIB memory)
3) BGP connection resets (CPU exhaustion, congestion, etc.)

Data plane attacks
Can also compromise availability, confidentiality, integrity and authentication.
Strictly weaker than control plane attacks (local impact).
Not handled by s-BGP, so-BGP.
Very difficult to detect!

Who might be attacking?
A network operator has a typo or other misconfiguration.
A malicious party gains control of a BGP-speaking router on the black market.
Spammers with a shady or clueless upstream hijack address space.
Terrorists pay off an ISP insider, or own and operate a portion of the infrastructure.

Fixing BGP: Origin Authentication
Who is allowed to originate a particular prefix?
1) Needed to detect illegitimate MOAS.
2) Seems to require a complete registry of address space allocations, and an associated PKI (complicated!).

Fixing BGP: Path Attestation
Roughly, attempts to verify that the AS-Path included in an update is a valid AS-level path to the destination.
1) Different approaches to solving this problem: s-BGP uses signed attestations, so-BGP has a database of signed “links”.
2) “Worm-hole” attacks are still possible.

Fixing BGP: Needs Both!
Origin Authentication (OA) AND Path Attestation (PA) are required to provide security benefits.
1) OA without PA would allow any malicious AS to claim to be directly connected to the originating AS.
2) PA without OA would allow any AS to originate a prefix, as long as the path to the malicious AS was correct.
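An added example (not from the slides) that makes the two gaps on this slide concrete, and also catches the AS-Path shortening case from earlier: a validator with an origin table and a so-BGP-style database of attested links, where each check can be switched off to see what it misses on its own. All ASNs, the prefix and the link database are constructed.

```python
# Constructed trust data, not real routing data. ORIGINS says who may originate
# each prefix (origin authentication); LINKS is the set of attested AS adjacencies
# in the style of so-BGP's database of signed "links". s-BGP's signed per-hop
# attestations answer the same question: is every hop in the path genuine?
ORIGINS = {"192.0.2.0/24": {64500}}
LINKS = {frozenset(l) for l in [(64500, 64501), (64501, 64502), (64502, 64503)]}
MY_ASN = 64503      # we are the validating AS; updates arrive from our neighbor 64502

def check_origin(prefix, path):
    """Origin authentication: the last AS in the path must be allowed to originate."""
    return bool(path) and path[-1] in ORIGINS.get(prefix, set())

def check_path(path, my_asn=MY_ASN):
    """Path attestation: every hop, including the one from our neighbor to us,
    must be an attested adjacency."""
    full = [my_asn] + list(path)
    return all(frozenset(hop) in LINKS for hop in zip(full, full[1:]))

def validate(prefix, path, use_oa=True, use_pa=True):
    """Verdict for an update; the flags show what each check misses when used alone."""
    reasons = []
    if use_oa and not check_origin(prefix, path):
        reasons.append("origin not authorized")
    if use_pa and not check_path(path):
        reasons.append("unattested adjacency in AS-path")
    return "accept" if not reasons else "reject: " + "; ".join(reasons)

# Paths as received at 64503 from 64502 (neighbor first, originator last); constructed.
LEGIT = [64502, 64501, 64500]      # genuine path
SHORTENED = [64502, 64500]         # 64502 keeps the real origin but forges a direct link to it
FAKE_ORIGIN = [64502]              # 64502 claims to originate the prefix itself
```

With both checks on, SHORTENED fails PA and FAKE_ORIGIN fails OA; turn off PA and the shortened path is accepted (point 1), turn off OA and the fake origin is accepted (point 2).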

References
Beware of BGP Attacks (Nordstrom et al.)
BGP Security Vulnerabilities Analysis (draft-ietf-idr-bgp-vuln-01.txt, Murphy)
BGP Security Requirements (draft-ietf-rpsec-bgpsecrec-05.txt, Christian)
A Survey of BGP Security (Butler et al.)