Breaking BGP sessions
February 14, 2016
Udi Ben-Porat (ehudb@tik.ee.ethz.ch)
Organization
1. Attack showcase [25 min.]
2. Q+A about the attack case [10 min.]
3. Q+A about the exercise [10 min.]
- 2 - © TIK/CSG (14.02.2016)
Motivation
What if a normal user could bring down major Internet connections within minutes? Attacks on the routing control plane (BGP) can cripple large parts of the Internet!
BGP Introduction (I)
The Internet is a network of different autonomous systems (ASes). Within an AS, routing information is readily available from the interior gateway protocol (IGP, e.g. OSPF).
[Figure: sketch of an AS with border routers and internal routers]
BGP Introduction (II)
To get data from A to B, routers need to know how to route between different ASes.
[Figure: hosts A and B in different ASes]
BGP Introduction (III)
BGP = Border Gateway Protocol, a path-vector protocol. Routing decisions are based on:
- paths
- network policies
- rule-sets
ASes use it to:
- exchange reachability information (IP prefixes)
- enforce their policies (e.g. ISP-customer relationship)
eBGP and iBGP
- internal BGP (iBGP): BGP between two peers in the same AS
- external BGP (eBGP): BGP between autonomous systems
Routers on the boundary of one AS that exchange information with another AS (border or edge routers) maintain the eBGP sessions.
BGP uses TCP for transport
To connect two peers, BGP opens a TCP session to port 179 (the well-known BGP port). This eliminates the need for BGP to implement its own fragmentation, retransmission, etc. This use of TCP is unique among routing protocols (OSPF runs directly over IP, RIP over UDP), and it means BGP is vulnerable to TCP attacks too!
TCP Reset Attack: intro (I)
Alice and Bob have a TCP connection. Eve sends a spoofed TCP reset (RST) packet to Bob carrying Alice's address and port. Bob closes the connection, and Alice won't receive any further data from Bob.
[Figure: Eve injects a TCP RST into the Alice-Bob TCP connection]
TCP Reset Attack: intro (II)
Eve needs to:
- know the source and destination addresses and ports
- guess a sequence number inside Bob's receive window
Forged TCP resets can kill a running TCP session. The more critical the session, the more effective the attack.
TCP Reset Attack on BGP (I)
[Figure: a spoofed TCP RST against the BGP session (over TCP) between router #1 and router #2]
TCP Reset Attack on BGP (II)
Destination port: 179 (the attacker still has to guess the destination and source IPs).
Source port: should be random, but is usually predictable:
- e.g., ports below 1024 (well-known ports) are not used as source ports
- predictable source-port selection patterns in OSes
- port scans (nmap, etc.)
TCP Reset Attack on BGP (III)
How to get the IP addresses of the source and the destination? Use combinations of:
- traceroute (from multiple sources)
- publicly available AS information, e.g. RIPE RIS: http://www.ripe.net/data-tools/stats/ris/routing-information-service
- other network topology information, e.g. Internet measurement projects
- social engineering
- guessing...
TCP Reset Attack on BGP (IV)
Given that the source and destination addresses are known, use brute force to guess the source port and the sequence number, and effectively spoof the RST!
TCP Reset Attack on BGP (V)
- 32-bit sequence number, but any value inside the receive window is accepted; frequent window size: 16384, so 2^32 / 16384 = 262,144 guesses cover one port
- number of ports to brute force / guess: < 90 (depending on the desired success probability)
- connection: 20 Mbit/s → 62,500 RST packets/s (40-byte packets)
- connection direction unknown (which side holds port 179): × 2
- on average the hit comes halfway through the sweep: / 2
E[t] = 2^32 / 16384 × 90 / 62500 × 2 / 2 ≈ 377 s
Effects of the TCP RST attack on BGP
- The BGP peers lose their connection
- Associated BGP resources are released
- The BGP peers must remove all routes learned from each other
- Recovery takes minutes to hours...
How do we deal with the attack?
Caveat: ASes won't tell whether anyone ever succeeded (private information, competitive advantage!), but the vulnerability existed for several years.
Sample solution: TCP MD5 Signature Option. There are other solutions as well:
- SEQ/ACK verification in RST packets
- filtering
- window size tuning (least effective)
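The guess space from the "TCP Reset Attack on BGP (V)" estimate and the "SEQ/ACK verification in RST packets" countermeasure just listed, as an added Python example that is not part of the slides. The window size (16384), port count (90) and link rate (20 Mbit/s) are the slide's figures; the 40-byte RST size, the sample RCV.NXT value and the receiver behaviour labelled RFC 5961 (reset only on an exact sequence match, challenge ACK for an in-window but inexact RST) are assumptions added here.

```python
"""Added example (not part of the slides): models the spoofed-RST guess space
and the receiver-side checks that decide whether a spoofed RST is honoured.
Window 16384, 90 ports and 20 Mbit/s are the slide's numbers; a 40-byte RST
packet (20-byte IP + 20-byte TCP header) is our assumption."""

SEQ_SPACE = 2 ** 32


def in_window(seg_seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptance test for a segment without data:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2^32."""
    return (seg_seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_action_rfc793(seg_seq, rcv_nxt, rcv_wnd):
    """Classic behaviour: any RST whose sequence number lands anywhere in the
    receive window tears the connection down."""
    return "reset" if in_window(seg_seq, rcv_nxt, rcv_wnd) else "drop"


def rst_action_rfc5961(seg_seq, rcv_nxt, rcv_wnd):
    """RFC 5961 behaviour (assumed here, not on the slide): reset only on an
    exact match with RCV.NXT; an in-window but inexact RST gets a challenge
    ACK, which the real peer answers with a correctly numbered RST and a
    spoofer cannot."""
    if seg_seq == rcv_nxt:
        return "reset"
    if in_window(seg_seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def guesses_per_port(rcv_wnd):
    """Stepping the guessed sequence number by RCV.WND covers the whole 2^32
    space with ceil(2^32 / RCV.WND) packets per (port, direction)."""
    return -(-SEQ_SPACE // rcv_wnd)


def rst_packets_per_second(link_bits_per_second, packet_bytes=40):
    """How many bare RSTs the attacker's link carries per second."""
    return link_bits_per_second // (packet_bytes * 8)


def expected_attack_seconds(rcv_wnd, candidate_ports, pps, directions=2):
    """Expected time to the first accepted RST: the attacker does not know
    which side holds port 179 (x2) and on average succeeds halfway through
    the sweep (/2). This is the slide's E[t] formula."""
    total_packets = guesses_per_port(rcv_wnd) * candidate_ports * directions
    return total_packets / pps / 2


def sweep(rcv_nxt, rcv_wnd, action):
    """Simulate an attacker sweeping SEQ in steps of RCV.WND against one
    (port, direction). Returns the number of RSTs sent until the receiver
    resets, or None if the sweep never produces a reset."""
    sent = 0
    for seg_seq in range(0, SEQ_SPACE, rcv_wnd):
        sent += 1
        if action(seg_seq, rcv_nxt, rcv_wnd) == "reset":
            return sent
    return None


if __name__ == "__main__":
    rcv_nxt = 0x12345678           # constructed sample value for the victim's RCV.NXT
    print("RST/s on 20 Mbit/s :", rst_packets_per_second(20_000_000))
    print("expected seconds   :", round(expected_attack_seconds(16384, 90, 62500)))
    print("RFC 793 sweep      :", sweep(rcv_nxt, 16384, rst_action_rfc793))
    print("RFC 5961 sweep     :", sweep(rcv_nxt, 16384, rst_action_rfc5961))
```

Against the RFC 793 rule the stride-by-window sweep is guaranteed to land in the window (here after 18,643 packets for the sample RCV.NXT), which is what makes the 377 s estimate realistic. Against the exact-match rule the same sweep only ever earns challenge ACKs; an exact hit needs up to 2^32 guesses per (port, direction), 16384 times more packets, roughly 70 days at the same 62,500 packets/s. That is why the SEQ/ACK check belongs alongside anti-spoofing filtering rather than window tuning.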
TCP MD5 signature option details
A widely deployed method to authenticate the identity of the remote BGP neighbour. It makes life difficult for the attacker:
- a shared password is an input to the MD5 digest
- the password never appears in the connection stream
For each segment, a 16-byte MD5 digest is computed by applying MD5 to the TCP pseudo-header, the TCP header, the data and the password. The receiver recomputes the digest over the signed segment and validates it!
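The per-segment digest described above, as an added Python example that is not from the slides or from any router vendor's code: it builds a BGP KEEPALIVE segment carrying the RFC 2385 option, verifies it, and shows that a spoofed RST with the right addresses, ports and sequence number but no key is rejected. The addresses (192.0.2.x), ports, sequence numbers, the KEEPALIVE payload and the key are constructed sample values; the TCP checksum is left at zero because the digest is defined over a zeroed checksum anyway.

```python
"""Added example (not part of the slides): a minimal RFC 2385 signer and
verifier in pure Python so the option layout and the digest coverage can be
checked by hand. Addresses, ports, sequence numbers and key are made up."""
import hashlib
import hmac
import socket
import struct

TCPOPT_NOP = 1
TCPOPT_MD5SIG = 19      # option kind assigned by RFC 2385
TCPOLEN_MD5SIG = 18     # kind (1) + length (1) + 16-byte digest
FLAG_RST, FLAG_PSH, FLAG_ACK = 0x04, 0x08, 0x10
CHECKSUM_OFFSET = 16    # byte offset of the checksum in the fixed TCP header


def fixed_header(sport, dport, seq, ack, flags, window, header_len, checksum=0):
    """20-byte TCP header without options; header_len in bytes incl. options."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       (header_len // 4) << 4, flags, window, checksum, 0)


def md5_digest(src_ip, dst_ip, header20, segment_len, payload, key):
    """RFC 2385 section 2: MD5 over, in order,
    1. the TCP pseudo-header (src, dst, zero, protocol 6, segment length),
    2. the TCP header excluding options, with the checksum taken as zero,
    3. the segment data,
    4. the connection key (the clear-text password).
    The key never goes on the wire; only the 16-byte digest does."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, segment_len))
    zeroed = header20[:CHECKSUM_OFFSET] + b"\x00\x00" + header20[CHECKSUM_OFFSET + 2:]
    return hashlib.md5(pseudo + zeroed + payload + key).digest()


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload, key):
    """Build a segment carrying the MD5 option, padded with two NOPs to a
    4-byte boundary. The checksum stays zero here (a real stack fills it in
    after signing; it is not covered by the digest)."""
    header_len = 20 + TCPOLEN_MD5SIG + 2
    head = fixed_header(sport, dport, seq, ack, flags, window, header_len)
    digest = md5_digest(src_ip, dst_ip, head, header_len + len(payload), payload, key)
    options = bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + digest + bytes([TCPOPT_NOP, TCPOPT_NOP])
    return head + options + payload


def find_md5_option(options):
    """Walk the TCP option list; return the 16-byte digest or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):           # truncated option: treat as absent
            break
        length = options[i + 1]
        if length < 2:
            break
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: recompute the digest and compare in constant time.
    A segment without the option, or signed under another key, is rejected.
    Note the cost: MD5 must be run before a bogus segment can be dropped."""
    if len(segment) < 20:
        return False
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        return False
    received = find_md5_option(segment[20:header_len])
    if received is None:
        return False
    expected = md5_digest(src_ip, dst_ip, segment[:20], len(segment),
                          segment[header_len:], key)
    return hmac.compare_digest(received, expected)


# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4)
KEY = b"correct horse battery staple"   # hypothetical neighbour password
SRC, DST = "192.0.2.1", "192.0.2.2"     # documentation-range addresses
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"
SIGNED = sign_segment(SRC, DST, 179, 45678, 1000, 2000,
                      FLAG_PSH | FLAG_ACK, 16384, KEEPALIVE, KEY)
# The attacker's spoofed RST: right addresses, ports and sequence, no option.
FORGED_RST = fixed_header(179, 45678, 1000, 2000, FLAG_RST | FLAG_ACK, 16384, 20)

if __name__ == "__main__":
    print("peer's KEEPALIVE accepted:", verify_segment(SRC, DST, SIGNED, KEY))
    print("spoofed RST accepted     :", verify_segment(SRC, DST, FORGED_RST, KEY))
    print("wrong key accepted       :", verify_segment(SRC, DST, SIGNED, b"guess"))
```

Because the pseudo-header is inside the digest, the same signed bytes fail verification if replayed with swapped or different addresses. The verifier also illustrates the cost point raised later on the TCP MD5 pitfalls: a segment carrying a garbage digest is only rejected after one MD5 computation, so an attacker who cannot reset the session can still make the router spend CPU on it.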
TCP MD5 pitfalls (I)
- AS tools required upgrading, and human intervention, to enable MD5
- Storing the password presents its own security issues (database security...)
- How do you securely transmit the clear-text password to the peer?
- How are you generating the password?
TCP MD5 pitfalls (II)
Verifying an MD5 digest in the TCP header adds work for the router. What if an attacker spoofs segments with incorrect MD5 digests just to make your router work a bit more? A potential denial of service (DoS)?
Conclusions from the example
No solution is a panacea in the field of security, but administrators do their best to lower the attack risk. E.g., in the case of TCP MD5, more measures may be required:
- run the BGP session over a separate "protected" interface
- anti-spoofing access control lists (ACLs) and filters
BGP Attacks in general
BGP has other vulnerabilities as well, e.g.:
- 2008: Pakistan Telecom hijacking YouTube traffic
- 2008: presentation of a BGP MitM attack: A. Pilosov, T. Kapela, Stealing The Internet - An Internet-Scale Man In The Middle Attack
Next time: IP prefix hijacking
Bibliography: BGP, TCP RST
- NIST, Border Gateway Protocol Security (SP 800-54), http://csrc.nist.gov/publications/nistpubs/800-54/SP800-54.pdf
- Paul A. Watson, Slipping in the Window: TCP Reset Attacks, 2003
- RFC 4271, A Border Gateway Protocol 4 (BGP-4)
- RFC 4272, BGP Security Vulnerabilities Analysis
- RFC 793, Transmission Control Protocol
- L. Cavedon et al., "Are BGP Routers Open To Attack? An Experiment", iNetSec'10 Proceedings
Bibliography: MD5
- RFC 2385, Protection of BGP Sessions via the TCP MD5 Signature Option
- BGP MD5: Good, Bad, Ugly? http://www.nanog.org/meetings/nanog39/presentations/Scholl.pdf
- MD5 Authentication Between BGP Peers Configuration Example, http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080b52107.shtml
Questions: Attack Case
[Figure: a spoofed TCP RST against the BGP session (over TCP) between router #1 and router #2]
Questions: Exercise
- Task 1: Security Advisories and Common Vulnerabilities and Exposures (CVEs)
- Task 2: Vulnerability Lifecycle
- Task 3: Zero-day vulnerabilities
Thank you for your attention!