BGP Man in the Middle Attack
Jason Froehlich
December 10, 2008
What is BGP?
Routing for whole Internet
Autonomous Systems (AS)
Classless Interdomain Routing (CIDR)
190.100.0.0/16 = network 190.100.0.0, netmask 255.255.0.0
How BGP Works
AS Border Router - “BGP Speaker”
Advertise own routes, redistribute others
Update Messages
“AS_PATH” field
Path Selection
Most “Specific” Network wins (longest prefix match)
190.100.0.0/17 is preferred over 190.100.0.0/16
The Man in the Middle Attack
Requirements:
Redirect all traffic to Attacker
Forward traffic onto Target
Relies on trust built into BGP
Attack Threats
Confidentiality
Capture all packets
Integrity
Modify packets before delivery
Availability
Black Hole
Filtering selected packets
Implementation
190.100.0.0/16 (AS100) is Target
AS900 is Attacker
Implementation – Step 1
Advertise New Routes
More specific
190.100.0.0/17, 190.100.128.0/17
Implementation – Step 1
router bgp 900
 network 190.100.0.0 mask 255.255.128.0
 network 190.100.128.0 mask 255.255.128.0
 ...
 neighbor <ip address of AS600 router> remote-as 600
 neighbor <ip address of AS700 router> remote-as 700
 neighbor <ip address of AS800 router> remote-as 800
 no auto-summary
Implementation – Step 2
Create Route Back to Target
Modify “AS_PATH” field of advertisement
Add each AS in route to target
Implementation – Step 2
ip prefix-list victim permit 190.100.0.0/16
route-map mitm permit 10
 match ip address prefix-list victim
 set as-path prepend 600 300 100
ip route 190.100.0.0 255.255.128.0 <ip address of AS600 rtr>
ip route 190.100.128.0 255.255.128.0 <ip address of AS600 rtr>
Attack Limitations
Access to BGP Router
Not script kiddies, but the pool of capable actors is still large
Half of the Conversation
Only sees Inbound traffic
Resolve: a 2nd BGP MITM, or another kind of MITM (e.g. DNS)
Incomplete Route Distribution
ASes in the Return Path do not receive the hijacked route
Attack Limitations cont.
Packet Route Visible
Traceroute
Resolve: TTL Modification
BGP Updates Visible
Alert a perceptive Administrator
Encrypted Traffic
Cannot decrypt payload
Mitigating the Attack - Prevention
Filtering
Must be done by every ISP
Internet Routing Registry
Overhead
Poor Database Maintenance / Security
Mitigating the Attack - Detection
Monitor for BGP Updates
BGPmon.net
Mitigating the Attack - Response
Counter-Attack
Advertise even more specific networks
ISP Disconnect Attacker
May take hours to days
YouTube.com – February 2008
Mitigating the Attack – Securing BGP
S-BGP
2 Certificates – IP address, AS
Secure Origin BGP
Topologies
Interdomain Route Validation
Out of band verification
Conclusion
BGP Man in the Middle
Powerful Attack
Easy to Implement
Difficult to Mitigate