170 likes | 188 Views
Jason Froehlich December 10, 2008. BGP Man in the Middle Attack. What is BGP?. Routing for whole Internet Autonomous Systems (AS) Classless Interdomain Routing (CIDR) 190.100.0.0/16 190.100.0.0, 255.255.0.0. How BGP Works. AS Border Router - “BGP Speaker”
E N D
Jason Froehlich December 10, 2008 BGP Man in the Middle Attack
What is BGP? • Routing for whole Internet • Autonomous Systems (AS) • Classless Interdomain Routing (CIDR) • 190.100.0.0/16 190.100.0.0, 255.255.0.0
How BGP Works • AS Border Router - “BGP Speaker” • Advertise own routes, redistribute others • Update Messages • “AS_PATH” field • Path Selection • Most “Specific” Network • 190.100.0.0/17 over 190.100.0.0/16
The Man in the Middle Attack • Requirements: • Redirect all traffic to Attacker • Forward traffic onto Target • Relies on trust built into BGP
Attack Threats • Confidentiality • Capture all packets • Integrity • Modify packets before delivery • Availability • Black Hole • Filtering selected packets
Implementation • 190.100.0.0/16 (AS100) is Target • AS900 is Attacker
Implementation – Step 1 • Advertise New Routes • More specific • 190.100.0.0/17, 190.100.128.0/17
Implementation – Step 1 router bgp 900 network 190.100.0.0 mask 255.255.128.0 network 190.100.128.0 mask 255.255.128.0 ... neighbor <ip address of AS600 router> remote-as 600 neighbor <ip address of AS700 router> remote-as 700 neighbor <ip address of AS800 router> remote-as 800 no auto-summary
Implementation – Step 2 • Create Route Back to Target • Modify “AS_PATH” field of advertisement • Add each AS in route to target
Implementation – Step 2 ip prefix-list victim permit 190.100.0.0/16 route-map mitm permit 10 match ip address prefix-list victim set as-path prepend 600 300 100 ip route 190.100.0.0 255.255.128.0 <ip address of AS600 rtr> ip route 190.100.128.0 255.255.128.0 <ip address of AS600 rtr>
Attack Limitations • Access to BGP Router • No script kiddies, but pool still large • Half of the Conversation • Only sees Inbound traffic • Resolve: 2nd BGP MITM, Other MITM (DNS) • Incomplete Route Distribution • AS's in Return Path
Attack Limitations cont. • Packet Route Visible • Traceroute • Resolve: TTL Modification • BGP Updates Visible • Alert a perceptive Administrator • Encrypted Traffic • Cannot decrypt payload
Mitigating the Attack - Prevention • Filtering • Must be done by every ISP • Internet Routing Registry • Overhead • Poor Database Maintenance / Security
Mitigating the Attack - Detection • Monitor for BGP Updates • BGPmon.net
Mitigating the Attack - Response • Counter-Attack • Advertise even more specific networks • ISP Disconnect Attacker • May take hours to days • Youtube.com – February 2008
Mitigating the Attack – Securing BGP • S-BGP • 2 Certificates – IP address, AS • Secure Origin BGP • Topologies • Interdomain Route Validation • Out of band verification
Conclusion BGP Man in the Middle • Powerful Attack • Easy to Implement • Difficult to Mitigate