A Quick and Dirty Guide to BGP attacks Or “How to 0wn the Backbone in your Spare Time”


  • Outline
    - How BGP works
    - What can be attacked?
    - How is it attacked?
    - Who might be attacking?
    - Common approaches to fixing BGP
    - References

  • How BGP works
    An autonomous system (AS) has border routers that speak BGP with BGP peers at border routers in neighboring ASs. ASs that send traffic directly to each other have a BGP session, which uses TCP to carry information in BGP updates.

  • How BGP works: Creating Global Reachability
    - An autonomous system will originate whatever network blocks it is currently allowed by ICANN to use.
    - ASs can choose to advertise reachability to BGP peers for network blocks they know their neighbors can reach.

  • How BGP works: BGP Update Format
    - Withdrawn Routes
    - Path Attributes (Origin, AS-Path, etc.)
    - NLRI (prefixes)

  • How BGP works: Processing an Update
    - Receive update message
    - Apply in-bound filters for peer
    - Update RIB
    - Run BGP decision process (if not new best route, exit)
    - Update FIB
    - For each peer, apply outbound filters and send new update message.

  • How BGP works: Business Relationships define Export Filters
    - Prov -> Cust: all known best routes
    - Cust -> Prov: only originated routes or routes from their customers.
    - Peer -> Peer: originated or customer routes (but with no export).
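As an added example (not the deck's own code), here is a toy BGP speaker in Python that runs the update pipeline from the previous two slides and applies the relationship-based export filters; the ASNs, relationships and prefixes are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed example (not code from the slides): a toy BGP speaker that runs
# the slides' pipeline: inbound filter -> RIB -> decision process -> FIB ->
# relationship-based export filters. It handles learned routes only.
# as_path lists the neighbour first and the origin AS last.
Route = namedtuple("Route", "prefix as_path learned_from")

class Speaker:
    def __init__(self, asn, relationships):
        self.asn = asn
        self.rel = relationships  # neighbour ASN -> "provider" | "peer" | "customer"
        self.rib = {}             # prefix -> candidate Routes, one per neighbour
        self.fib = {}             # prefix -> current best Route

    def inbound_ok(self, route):
        # Inbound filter: drop loops (our ASN already in the path) and prefixes
        # longer than /24, as the slides note large ISPs do.
        return (self.asn not in route.as_path
                and ipaddress.ip_network(route.prefix).prefixlen <= 24)

    def decide(self, cands):
        # Decision process (simplified): prefer customer > peer > provider
        # routes, then the shortest AS-path, then the lowest neighbour ASN.
        pref = {"customer": 0, "peer": 1, "provider": 2}
        return min(cands, key=lambda r: (pref[self.rel[r.learned_from]],
                                         len(r.as_path), r.learned_from))

    def export(self, best):
        # Export filters from business relationships: a customer's route goes
        # to everyone; peer and provider routes go only to customers.
        from_customer = self.rel[best.learned_from] == "customer"
        new_path = (self.asn,) + best.as_path
        return [(nbr, best.prefix, new_path) for nbr, rel in self.rel.items()
                if nbr != best.learned_from and (rel == "customer" or from_customer)]

    def receive(self, route):
        """Process one update; return updates to send as (neighbour, prefix, path)."""
        if not self.inbound_ok(route):
            return []
        cands = self.rib.setdefault(route.prefix, [])
        cands[:] = [r for r in cands if r.learned_from != route.learned_from] + [route]
        best = self.decide(cands)
        if self.fib.get(route.prefix) == best:
            return []  # not a new best route: exit without propagating
        self.fib[route.prefix] = best
        return self.export(best)
```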

  • How BGP works
    Providers provide connectivity for their customers. Top-level tier-1 providers peer with each other to provide global reachability.

  • What can be attacked?
    - Availability
      - Reachability
      - Degrade link quality
      - Overwhelm communication capacity
    - Data Confidentiality
    - Data Integrity
    - Authentication (impersonation)

  • How To Attack? (i.e., what needs to be secured?)
    - Peer-Peer Attacks (attack exchange of data between two BGP speakers)
    - Protocol Content Attacks (falsify or modify use of BGP Update messages)
      - Traffic Attraction
      - Traffic Direction
    - Instability Attacks (attempts to destabilize routing)

  • Peer-Peer Attacks
    Uses:
    - Create unavailability by tearing down the BGP session and causing path withdrawals.
    - Inject information into the BGP session to perform traffic-attractor or traffic-director attacks.
    Note: Assumes no possession of a BGP-speaking router.

  • Peer-Peer Attacks
    BGP sessions have no required protections.
    - Attackers may DoS the link bandwidth.
    - TCP injection attacks may insert data into the session, or reset the connection.
    - Authenticating peers
    - Eavesdropping on the session (who cares?)
    - Attacks on CPU resources

  • Peer-Peer Solutions
    - Integrity: TCP MD5 Option (requires pre-configured secret)
    - Integrity, Confidentiality, Authentication: IPsec (negotiates shared secret)
    - CPU protections (drop packets that use CPU time)
    - TTL Hack (filters non-single-hop packets)

  • Protocol Content Attacks
    What we normally think about when considering BGP attacks.

    These attacks can be the result of malicious behavior or misconfiguration.

  • Traffic Attractor Attacks
    Uses:
    - Drop or degrade traffic.
    - Inspect traffic, communication analysis
    - Modify traffic
    - Impersonation attacks
    - Man-in-the-Middle attacks
    - Send from an un-owned prefix.

  • Traffic Attractor: MOAS (Multiple Origin AS)
    Occurs when multiple ASs originate (i.e., are the first AS to advertise) a particular prefix. Also referred to as a prefix hijack.

    This may be legitimate, e.g., multi-homing with a private ASN. Roughly speaking, a simple MOAS can trick half of the Internet.

  • Traffic Attractor: De-aggregation
    An AS illegitimately originates a sub-prefix of another AS's address space.

    More powerful than MOAS: it does not conflict with the legitimate prefix, but as the more specific route it wins the routing decision, so it can trick the entire Internet. Prefixes longer than /24 are often filtered by large ISPs.

  • Traffic Attractor: AS-Path Shortening
    Instead of claiming to originate a prefix, an adversary can keep the correct originator but shorten the remainder of the path to make it look more attractive.

    This attack is stealthier than simple origination. Unlikely to occur as a misconfiguration.

  • Traffic Direction Attacks
    Uses:
    - Send larger amounts of traffic to a particular AS, potentially overwhelming them.
    - Force use of alternate paths, which may be more expensive, or vulnerable to snooping or physical attack.

  • Traffic Direction
    - False AS-Path padding (make the path look unattractive)
    - Dropping an announcement
    - Creating a fake withdrawal
    - Placing another AS's number in the path, so that its loop detection will drop the announcement.

    Note: These are weakly labeled attacks, as they could simply result from legitimate policy decisions.

  • Instability Attacks
    Uses:
    - Cause temporary unavailability for certain regions of the Internet.
    - Create cascading failures across many routing domains.

    Such attacks often target the limited resources on a router.

  • Instability Attacks: How?
    - Intentional route flapping
    - Route leaks (advertise many /24s, overwhelm RIB and FIB memory)
    - BGP connection resets (CPU exhaustion, congestion, etc.)

  • Data Plane Attacks
    - Can also compromise availability, confidentiality, integrity and authentication.
    - Strictly weaker than control plane attacks (local impact)
    - Not handled by s-BGP or so-BGP.
    - Very difficult to detect!

  • Who might be attacking?
    - A network operator has a typo or other misconfiguration.
    - A malicious party gains control of a BGP-speaking router on the black market.
    - Spammers with a shady or clueless upstream hijack address space.
    - Terrorists pay off an ISP insider, or own and operate a portion of the infrastructure.

  • Fixing BGP: Origin Authentication
    Who is allowed to originate a particular prefix?

    Needed to detect illegitimate MOAS. Seems to require a complete registry of address space allocations, and an associated PKI (complicated!).

  • Fixing BGP: Path Attestation
    Roughly, attempts to verify that the AS-Path included in an update is a valid AS-level path to the destination. Different approaches to solving this problem: s-BGP uses signed attestations; so-BGP has a database of signed links. Wormhole attacks are still possible.

  • Fixing BGP: Needs Both!
    Origin Authentication (OA) AND Path Attestation (PA) are required to provide security benefits.
    - OA without PA would allow any malicious AS to claim to be directly connected to the originating AS.
    - PA without OA would allow any AS to originate a prefix, as long as the path to the malicious AS was correct.
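An added example (not from the deck) that ties the Origin Authentication, Path Attestation and "Needs Both" slides back to the MOAS, de-aggregation and AS-path shortening slides above: a toy validator in Python with a constructed origin registry and a constructed link database (standing in for so-BGP's signed links). All prefixes and ASNs are made up; the point is that a wrong origin passes PA alone and a fake adjacency passes OA alone.

```python
import ipaddress

# Constructed registry of authorised origins, in the spirit of the Origin
# Authentication slide: (prefix, max prefix length, origin AS). Documentation
# address space and private-range ASNs, all made up for this example.
ROA_DB = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),   # holder may announce the /22 down to /24s
]

# Constructed database of known AS adjacencies, standing in for so-BGP's
# "database of signed links". An undirected link is a frozenset of two ASNs.
LINK_DB = {frozenset(l) for l in
           [(64500, 64510), (64501, 64510), (64510, 64520), (64520, 64530)]}

def validate_origin(prefix, origin_as):
    """Origin Authentication: who is allowed to originate this prefix?"""
    net = ipaddress.ip_network(prefix)
    covering = [(ipaddress.ip_network(p), ml, o) for p, ml, o in ROA_DB
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "unknown"      # nothing in the registry: cannot judge
    if any(o == origin_as and net.prefixlen <= ml for _, ml, o in covering):
        return "valid"
    if any(net == cp for cp, _, _ in covering):
        return "moas"         # same prefix, different origin: MOAS / prefix hijack
    return "subprefix"        # more-specific carved out of a covered block: de-aggregation

def validate_path(as_path):
    """Path Attestation: every adjacency in the AS-path must be a known link."""
    return all(frozenset((a, b)) in LINK_DB for a, b in zip(as_path, as_path[1:]))

def classify(prefix, as_path):
    """as_path runs from the AS nearest to us to the origin AS (last element)."""
    return validate_origin(prefix, as_path[-1]), validate_path(as_path)
```

A single `(origin, path)` verdict pair makes the "Needs Both" argument concrete: only an announcement that is valid on both checks should be trusted.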

  • References
    - Beware of BGP Attacks (Nordstrom et al.)
    - BGP Security Vulnerabilities Analysis (draft-ietf-idr-bgp-vuln-01.txt, Murphy)
    - BGP Security Requirements (draft-ietf-rpsec-bgpsecrec-05.txt, Christian)
    - A Survey of BGP Security (Butler et al.)