This draft explores potential threats to BGP, and threats that use BGP, from an adversary's perspective, with the aim of improving BGP security. The document provides a threat profile for evaluating proposed security improvements and a foundation for vulnerability testing of BGP implementations. Organized in a modular and reusable manner, the draft uses attack trees to explore the adversary's possibilities systematically. The tree form allows easy gap identification, selective elaboration of subtrees, and the assignment of attributes to nodes: impact, ease of attack, cost, presence of countermeasures, and access requirements.
BGP Attack Tree
draft-convery-bgpattack-01.txt
http://www.ietf.org/internet-drafts/draft-convery-bgpattack-01.txt
Sean Convery, David Cook, Matt Franz
Motivations
• Develop a formal analysis of potential threats to, and using, BGP from the adversary's perspective
• Create a threat profile useful for evaluating BGP security improvements
• Provide a foundation for vulnerability testing of new and existing BGP implementations
• Facilitate a repeatable testing methodology by third parties
• Organize the material in a modular and reusable way
Why Attack Trees?
• Provide a well-documented method of exploring every possibility an adversary has (technical and non-technical)
• Data presentation in tree format allows:
  • Easy gap identification
  • Selective elaboration based on location in the tree
  • Ability to assign attributes to nodes of the tree:
    • Impact of the attack
    • Ease of attack execution
    • Cost of the attack
    • Presence of countermeasures (such as best practices)
    • Access/trust requirements to conduct the attack
http://www.ddj.com/documents/s=896/ddj9912a/9912a.htm
http://www.cert.org/archive/pdf/01tn001.pdf
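The properties listed above (AND/OR decomposition, per-node attributes, gap identification, selective elaboration) are easiest to see in a small working model. The following is an added illustration written for this page; it is not code from the draft or its authors. The tree contents, costs and countermeasure labels are constructed placeholders chosen only to exercise the evaluation rules, not nodes copied from the draft's numbering.

```python
"""Minimal attack-tree evaluator: AND/OR nodes with leaf attributes.

Added example for this page (not the draft's own material). The tree below
is a constructed placeholder, not the draft's actual node set.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INF = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "OR"                       # "OR", "AND" or "LEAF"
    children: List["Node"] = field(default_factory=list)
    # Leaf attributes (arbitrary units; constructed for illustration)
    cost: Optional[int] = None             # rough effort/cost to execute
    impact: Optional[int] = None           # 1 (low) .. 5 (high)
    access: Optional[str] = None           # e.g. "remote", "peer", "physical"
    countermeasure: Optional[str] = None   # best practice that blocks this leaf, if any


def cheapest_path(node: Node, apply_countermeasures: bool = True) -> Tuple[float, List[str]]:
    """Return (cost, leaf names) of the cheapest way to realise `node`.

    OR nodes take the cheapest child; AND nodes need every child, so costs add.
    A leaf whose countermeasure is deployed counts as blocked (infinite cost)
    when apply_countermeasures is True. A non-leaf with no children has not
    been elaborated yet and is treated as unknown (infinite cost).
    """
    if node.kind == "LEAF":
        if apply_countermeasures and node.countermeasure:
            return INF, []
        return node.cost, [node.name]
    if not node.children:
        return INF, []
    results = [cheapest_path(c, apply_countermeasures) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    total = sum(r[0] for r in results)                 # AND: all children required
    leaves = [n for r in results for n in r[1]]
    return total, (leaves if total != INF else [])


def leaves(node: Node) -> List[Node]:
    if node.kind == "LEAF":
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]


def missing_countermeasures(node: Node) -> List[str]:
    """Gap identification: leaves the defender has no documented control for."""
    return [leaf.name for leaf in leaves(node) if not leaf.countermeasure]


def unelaborated(node: Node) -> List[str]:
    """Gap identification: internal nodes that still need to be expanded."""
    if node.kind != "LEAF" and not node.children:
        return [node.name]
    return [n for c in node.children for n in unelaborated(c)]


def build_example_tree() -> Node:
    """Constructed placeholder tree (hypothetical names, not the draft's)."""
    return Node("Disrupt a BGP peering session", "OR", [
        Node("Spoof messages into an established session", "AND", [
            Node("Obtain TCP session parameters", "LEAF", cost=4, impact=4,
                 access="remote", countermeasure="TCP MD5 signature (RFC 2385)"),
            Node("Inject message", "LEAF", cost=1, impact=4, access="remote"),
        ]),
        Node("Exhaust router resources", "OR", [
            Node("Update flooding", "LEAF", cost=3, impact=3, access="peer"),
            Node("Open connection floods", "LEAF", cost=2, impact=2, access="remote",
                 countermeasure="ACL restricting port 179 to known peers"),
        ]),
        # Not yet elaborated: shows up as a gap rather than silently scoring zero.
        Node("Compromise the admin interface", "OR"),
    ])


if __name__ == "__main__":
    tree = build_example_tree()
    print("cheapest with controls applied:", cheapest_path(tree))
    print("cheapest ignoring controls:   ", cheapest_path(tree, apply_countermeasures=False))
    print("leaves lacking a control:     ", missing_countermeasures(tree))
    print("nodes still to elaborate:     ", unelaborated(tree))
```

Running the two `cheapest_path` variants side by side is the point of assigning attributes: the gap between "cheapest ignoring controls" and "cheapest with controls applied" shows which best practices actually raise the adversary's cost, and the two gap functions list where the tree (or the defences) still need work.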
Changes Since Version 00
• Minor spelling and wording fixes
• Merged tree element 2.1.1.3.1 with 2.1.1.3.1.1
• Fixed tree mistake in 2.1.3.2.2
• Clarified definition of permissive router in section 2.1.2
• Fixed ORs in 2.1.5.3 and 2.1.5.4
• Reworked 2.1.5.4.1 (Update flooding) per list comments
• Clarified 2.1.3 based on list comments
• Added reference to the NANOG BGP testing presentation and integrated portions of its results into the draft
  • http://www.nanog.org/mtg-0306/pdf/franz.pdf
• Switched to mnemonic references instead of numbers
Some Fun from the NANOG Talk
• The NANOG / BlackHat talk had numerous tests performed; for more info, check out the whole talk. These next 3 slides are just a quick sample.
• One goal was to non-intrusively assess basic BCP (best current practice) adoption through probes from an arbitrary IP address
• Limit scanning to prevent production impact: a single SYN with no retries
• Build a table of potential BGP speakers by running traceroutes to approx. 120,000 hosts (one for each CIDR block in the Internet's route table)
• Probes:
  • Send 1 x TCP SYN to ports 22, 23, 80, 179
  • Embed a message in the payload identifying the probes as non-malicious
  • Measure response (SYN-ACK, RST, No Response)
  • Send a BGP OPEN to those that SYN-ACK on port 179
    • Sessions used an unused AS #
  • Record the BGP message that is returned
"Active" ISP Survey Results (Summary)
• SSH daemons: 6,349
• Telnet daemons: 10,907
• HTTP servers: 5,565
• 16,815 routers were reachable* on at least one admin interface (14.5% of probed routers)
  *Based only on receipt of SYN-ACK, so the number of daemons that you can actually connect() to could be lower!
• Total non-1918 routers probed: 115,466
• BGP speakers
  • SYN-ACK - 4,602
  • RST - 3,088
  • No Response - 107,777
• BGP OPEN test results
  • OPEN / NOTIFICATION - 1,666
    • AUTH FAIL - 1,635
    • CEASE - 11
    • BAD AS - 20
  • NOTIFICATION ONLY - 84
    • AUTH FAIL - 1
    • CEASE - 83
  • RST - 264
  • Connect (No Data) - 2,147
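The OPEN-test categories above (OPEN / NOTIFICATION, NOTIFICATION ONLY, AUTH FAIL, CEASE, BAD AS) come straight from the BGP message header and the NOTIFICATION error code/subcode fields. The following classifier is an added example written for this page, not the survey's own tooling, and it assumes the RFC 1771 numbering in use at the time (error code 2 = OPEN Message Error with subcode 2 = Bad Peer AS and subcode 5 = Authentication Failure; error code 6 = Cease; RFC 4271 later deprecated subcode 5). The sample messages it builds are constructed inputs, not captured responses.

```python
"""Classify the bytes a BGP speaker returned after our OPEN into the survey's
categories. Added example for this page (not the survey's own code).
Uses RFC 1771 NOTIFICATION numbering as an assumption."""
import struct

BGP_HEADER_LEN = 19
MARKER = b"\xff" * 16                     # all-ones marker (no marker-based auth assumed)
MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}

ERR_OPEN_MESSAGE = 2
ERR_CEASE = 6
OPEN_SUBCODE_BAD_PEER_AS = 2
OPEN_SUBCODE_AUTH_FAILURE = 5


def parse_header(data: bytes):
    """Return (length, type) from a BGP message header, validating marker and length."""
    if len(data) < BGP_HEADER_LEN:
        raise ValueError("truncated BGP header")
    marker, length, mtype = struct.unpack("!16sHB", data[:BGP_HEADER_LEN])
    if marker != MARKER:
        raise ValueError("bad marker")
    if length < BGP_HEADER_LEN or length > 4096:
        raise ValueError("illegal message length %d" % length)
    if len(data) < length:
        raise ValueError("message shorter than declared length")
    return length, mtype


def describe_message(msg: bytes) -> str:
    """Map one complete BGP message to a survey-style label."""
    length, mtype = parse_header(msg)
    if mtype != 3:
        return MSG_TYPES.get(mtype, "UNKNOWN TYPE %d" % mtype)
    if length < BGP_HEADER_LEN + 2:
        raise ValueError("NOTIFICATION without error code/subcode")
    code, subcode = msg[19], msg[20]
    if code == ERR_CEASE:
        return "NOTIFICATION - CEASE"
    if code == ERR_OPEN_MESSAGE:
        if subcode == OPEN_SUBCODE_AUTH_FAILURE:
            return "NOTIFICATION - AUTH FAIL"
        if subcode == OPEN_SUBCODE_BAD_PEER_AS:
            return "NOTIFICATION - BAD AS"
        return "NOTIFICATION - OPEN ERROR subcode %d" % subcode
    return "NOTIFICATION - error %d/%d" % (code, subcode)


def classify_session(data: bytes):
    """Walk a byte stream of concatenated BGP messages and label each one.

    An empty stream corresponds to the survey's "Connect (No Data)" bucket.
    A leading OPEN followed by a NOTIFICATION is the "OPEN / NOTIFICATION"
    case; a NOTIFICATION with no preceding OPEN is "NOTIFICATION ONLY".
    """
    if not data:
        return ["Connect (No Data)"]
    labels = []
    offset = 0
    while offset < len(data):
        length, _ = parse_header(data[offset:])
        labels.append(describe_message(data[offset:offset + length]))
        offset += length
    return labels


# --- constructed sample messages (not captured traffic) ---------------------
def build_open(my_as: int = 64512, hold_time: int = 180, bgp_id: int = 0x0A000001) -> bytes:
    body = struct.pack("!BHHIB", 4, my_as, hold_time, bgp_id, 0)   # version 4, no optional params
    return MARKER + struct.pack("!HB", BGP_HEADER_LEN + len(body), 1) + body


def build_notification(code: int, subcode: int) -> bytes:
    return MARKER + struct.pack("!HB", BGP_HEADER_LEN + 2, 3) + bytes([code, subcode])


if __name__ == "__main__":
    print(classify_session(build_open() + build_notification(ERR_OPEN_MESSAGE, OPEN_SUBCODE_AUTH_FAILURE)))
    print(classify_session(build_notification(ERR_CEASE, 0)))
    print(classify_session(b""))
```

Note that the survey's RST bucket cannot be derived from this parser: a TCP reset carries no BGP message, so it has to be recorded at the socket layer before any bytes are read.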
Admin Port Reachability (by Country)
Several countries had either 100% of their routers accessible or 0%, but were not counted since fewer than 10 routers were probed in each of these countries.
Honorable Mentions:
• Spain - 878 (5.13%)
• France - 1820 (6.48%)
• Great Britain - 4005 (7.72%)
Next Steps
• Accept as a working group item?
• Doc needs more review
Thanks!