1

BGP Security

-- Zhen Wu

2

Schedule

• Tuesday– BGP Background– " Detection of Invalid Routing Announcement

in the Internet"

– Open Discussions

• Thursday– “Secure Border Gateway Protocol (S-BGP)”– “Secure Border Gateway Protocol (S-BGP) -

Real World Performance and Deployment Issues”

3

Outline

• Background

• “Detection of Invalid Routing Announcement in the Internet” Paper

• Related Open Problems

4

BGP Components

– Autonomous System (AS)– BGP speaker– BGP Routing table: Prefix + AS Path

AS4

AS3 AS1

AS2

BGP

5

BGP Routing Table

• Maintain the reachability information (AS path) for each prefix

• Default-free• Incremental updates

Prefix Next-Hop AS-Path TypeBest Route

6

BGP Update

AS566

Prefix AS Path

… …Routing

Table

12.0.0.0/8 : 1221, 34

Prefix : AS Path

Incoming update

12.0.0.0/8 : 1221, 34, 566

Outgoing update

12.0.0.0/8 1221, 34

7

General Operations

• Pick the best path and install it in forwarding table– BGP routing table V.S forwarding table – The definition of “best” depends on local policy

• Policies could influence import, the best path selection, export.

• Each AS only sends its best route for a prefix to its neighbors, append its AS# in the path

8

BGP Table Growth

AS1221 ASN-TELSTRA Telstra Pty Ltd

Source: http://bgp.potaroo.net/

9

Average Prefix Length

10

Average length of AS path

Denser mesh

11

Other Trends

• More multi-homed small networks

• A denser interconnectivity mesh

• Reduction in hierarchical nature

12

Outline

• Background

• “Detection of Invalid Routing Announcement in the Internet” Paper

• Related Open Problems

13

Multiple Origin AS (MOAS)

128.9.0.0/16Path: 226

128.9.0.0/16Path: 4

128.9.0.0/16Path: X, 4

AS XAS Y

128.9.0.0/16Path: Z, 226

AS Z

MOAS case !Is it a valid policy or a fault/attack?

AS 226AS 4

14

Previous work

• How many MOAS cases have happened?

• How long did they last?

• What’s the distribution of prefix length having MOAS conflicts?

• Possible explanations

15

Possible Explanations

• Multi-homing

• Faulty or Malicious Configurations

16

Problem

• How to prevent BGP routers from accepting invalid MOAS

17

Idea: MOAS list– A list of legitimate ASes who are authorized to

announce the prefix– Attached to route announcement

AS4

AS3

AS1AS2 12.0.0.0/8, MOAS list {1,2}

12.0.0.0/8, MOAS list {4} Detect MOAS

lists conflict

12.0.0.0/8, MOAS list {1,2}

18

Assumption• Rich interconnectivity

• It is very difficult, if not impossible, for the attacker to totally block the propagation of valid route announcement with MOAS list

AS1 AS2

AS3 AS4

Prefix: 12.0.0.0/8MOAS list: {1, 2}

Controlled by attack

AS6AS5

19

Limitations in Design

• Only detects invalid MOAS conflicts– Correct origin AS with a false path ???

• Valid path: 4, 231, 55, 1024

• False path: 4, XXX, YYY, 1024

• Rely on other mechanisms to identify the correct origin AS– DNS lookup verification

20

Discussion & Critiques

• Topology Generation – Route Views only has a partial view of Internet

topology– The view is also filtered by best path selection– Is node number reducing process reasonable?

• Selection of the two origin ASes– Is random selection reasonable? Adjacent– Is selection only from stub (NO transit) ASes

reasonable?

21

Outline

• Background

• “Detection of Invalid Routing Announcement in the Internet” Paper

• Related Open Problems

22

Challenge - Abnormal BGP behaviors

• Reasons– Implementation / protocol bugs– Misconfigurations– Attack

• Problems– How to define?– How to detect?– How to distinguish them?– How to trace back?

• What information do we need to collect?

23

Challenge - Opaque Policy

• Some strength and complexity of BGP come from the usage of local policy

• IRR project aims to collect global routing policy knowledge - obsolete and incomplete

• But: – peer policy agreement are often confidential– There is no way to verify whether received updates

abided the intermediate AS’s policies– Are these policies reasonable– Local sound policies may have global conflicts

24

Challenge - Topology

• How to generate realistic Internet topology?– So huge, complicated, dynamic– What are the essential characteristics of Internet

topology? How to model them?

25

BGP Security Problems

• Outsider attacks– TCP session spoofing– BGP session spoofing– DoS attack

• Misbehaved, misconfigured, and compromised legitimate BGP routers are the main threat currently– E.g 1997 AS7007 incident

26

Securing Announcement

• Announcement is not authenticated

• We don’t know who is allowed to advertise a prefix

• Anyone could (almost) announce any prefix– Malicious attacks– Accidentally mistakes

27

Securing Path Attribute

• Each router chooses among multiple routes for a destination

• Need to select the best path• Path attribute is also not authenticated• Path modification could disrupt routing

– Cause suboptimal path to be adopted• Direct to longer path• Bring to path with adversary eavesdrop

– Interfere with policy decisions– Make some destinations unreachable