BGP Attack Tree draft-convery-bgpattack-01.txt http://www.ietf.org/internet-drafts/draft-convery-bgpattack-01.txt Sean Convery David Cook Matt Franz
Motivations
• Develop formal analysis of potential threats to and using BGP from the adversary’s perspective
• Create threat profile useful for evaluating BGP security improvements
• Provide foundation for vulnerability testing of new and existing BGP implementations
• Facilitate repeatable testing methodology by third parties
• Organize the material in a modular and reusable way
Why Attack Trees?
• Provide well documented method of exploring every possibility an adversary has (technical and non-technical).
• Data presentation in tree format allows:
  • Easy gap identification
  • Selective elaboration based on location in the tree
  • Ability to assign attributes for nodes of the tree:
    • Impact of the attack
    • Ease of attack execution
    • Cost of the attack
    • Presence of countermeasures (such as best practices)
    • Access/trust requirements to conduct attack
http://www.ddj.com/documents/s=896/ddj9912a/9912a.htm
http://www.cert.org/archive/pdf/01tn001.pdf
Changes Since version 00
• Minor spelling, wording fixes
• Merged tree element 2.1.1.3.1 with 2.1.1.3.1.1
• Fixed tree mistake in 2.1.3.2.2
• Clarified definition of permissive router in section 2.1.2
• Fixed ORs in 2.1.5.3 and 2.1.5.4
• Reworked 2.1.5.4.1 (Update flooding) per list comments
• Clarified 2.1.3 based on list comments
• Added reference to NANOG BGP testing prezo and integrated portions of results into draft
  • http://www.nanog.org/mtg-0306/pdf/franz.pdf
• Switched to mnemonic references instead of numbers
Some Fun from the NANOG Talk
• The NANOG / BlackHat talk had numerous tests performed; for more info, check out the whole talk. These next 3 slides are just a quick sample.
• One goal was to non-intrusively assess basic BCP adoption through probes from an arbitrary IP address
• Limit scanning to prevent production impact: a single SYN with no retries
• Build table of potential BGP speakers by running traceroutes to approx. 120,000 hosts (one for each CIDR block in the Internet’s route table)
• Probes:
  • Send 1 x TCP SYN to each of ports 22, 23, 80, 179
  • Embed message in payload identifying probes as non-malicious
  • Measure response (SYN-ACK, RST, no response)
  • Send BGP OPEN to those that SYN-ACK on port 179
    • Sessions used an unused AS #
  • Record BGP message that is returned
“Active” ISP Survey Results (Summary)
• SSH daemons: 6,349
• Telnet daemons: 10,907
• HTTP servers: 5,565
• 16,815 routers were reachable* on at least one admin interface (14.5% of probed routers)
  *Based only on receipt of SYN-ACK, so daemons that you can actually connect() to could be lower!
• Total non-1918 routers probed: 115,466
• BGP speakers (port 179)
  • SYN-ACK - 4,602
  • RST - 3,088
  • No response - 107,777
• BGP OPEN test results
  • OPEN / NOTIFICATION - 1,666
    • AUTH FAIL - 1,635
    • CEASE - 11
    • BAD AS - 20
  • NOTIFICATION ONLY - 84
    • AUTH FAIL - 1
    • CEASE - 83
  • RST - 264
  • Connect (no data) - 2,147
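The probe procedure above records "the BGP message that is returned" and the summary buckets it into OPEN / NOTIFICATION, NOTIFICATION ONLY, and Connect (No Data), with AUTH FAIL, CEASE and BAD AS beneath. As an added example (not code from the draft or the NANOG talk), the following parses a captured byte stream from a peer and maps it onto those buckets, which is also what you would use to audit how your own routers answer an unknown peer. It assumes the RFC 4271 NOTIFICATION codes (OPEN Message Error / Authentication Failure = 2/5, Bad Peer AS = 2/2, Cease = 6); the RST bucket is a TCP-level event with no payload and is left to the caller; all sample responses are constructed here.

```python
from __future__ import annotations
import struct
MARKER = b"\xff" * 16
OPEN, NOTIFICATION = 1, 3  # BGP message types (RFC 4271)
# NOTIFICATION (code, subcode) -> survey label; subcode None matches any subcode
NOTIFY_LABELS = {(2, 2): "BAD AS",     # OPEN Message Error / Bad Peer AS
                 (2, 5): "AUTH FAIL",  # OPEN Message Error / Authentication Failure
                 (6, None): "CEASE"}   # Cease

def parse_messages(data: bytes) -> list[tuple[int, bytes]]:
    """Split a raw BGP byte stream into (type, body) pairs; stop at the first bad header."""
    msgs = []
    while len(data) >= 19:
        marker, length, mtype = struct.unpack("!16sHB", data[:19])
        if marker != MARKER or length < 19 or length > len(data):
            break  # not BGP, or truncated: keep what parsed so far
        msgs.append((mtype, data[19:length]))
        data = data[length:]
    return msgs

def notification_label(body: bytes) -> str:
    """Name a NOTIFICATION by its (code, subcode) the way the survey did."""
    if len(body) < 2:
        return "MALFORMED"
    code, sub = body[0], body[1]
    return NOTIFY_LABELS.get((code, sub)) or NOTIFY_LABELS.get((code, None)) or f"CODE {code}/{sub}"

def classify_response(data: bytes) -> tuple[str, str | None]:
    """Map the bytes a peer sent back after our OPEN onto the survey's buckets."""
    if not data:
        return ("Connect (No Data)", None)
    msgs = parse_messages(data)
    notif = next((b for t, b in msgs if t == NOTIFICATION), None)
    got_open = any(t == OPEN for t, _ in msgs)
    if got_open and notif is not None:
        return ("OPEN / NOTIFICATION", notification_label(notif))
    if notif is not None:
        return ("NOTIFICATION ONLY", notification_label(notif))
    return ("OPEN", None) if got_open else ("UNPARSED", None)

def bgp_msg(mtype: int, body: bytes) -> bytes:
    """Build one BGP message; used here only to construct sample input."""
    return MARKER + struct.pack("!HB", 19 + len(body), mtype) + body

# Constructed sample (not survey data): OPEN = version 4, AS 64512, hold 90s, ID 10.0.0.1, no options
SAMPLE_OPEN = bgp_msg(OPEN, struct.pack("!BHHIB", 4, 64512, 90, 0x0A000001, 0))
SAMPLE_RESPONSES = {
    "open_then_authfail": SAMPLE_OPEN + bgp_msg(NOTIFICATION, bytes([2, 5])),
    "cease_only": bgp_msg(NOTIFICATION, bytes([6, 0])),
    "connect_no_data": b"",
    "not_bgp": b"SSH-2.0-constructed_banner\r\n",  # something other than BGP answered
}
```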
Admin Port Reachability (by Country)
Several countries had either 100% of their routers accessible or 0%, but were not counted since fewer than 10 routers were probed in each of these countries.
Honorable Mentions:
• Spain - 878 (5.13%)
• France - 1820 (6.48%)
• Great Britain - 4005 (7.72%)
Next Steps
• Accept as a working group item?
• Doc needs more review
Thanks!