1 / 17

BGP Man in the Middle Attack

Jason Froehlich December 10, 2008. BGP Man in the Middle Attack. What is BGP?. Routing for whole Internet Autonomous Systems (AS) ‏ Classless Interdomain Routing (CIDR) ‏ 190.100.0.0/16 190.100.0.0, 255.255.0.0. How BGP Works. AS Border Router - “BGP Speaker”

Download Presentation

BGP Man in the Middle Attack

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Jason Froehlich December 10, 2008 BGP Man in the Middle Attack

  2. What is BGP? • Routing for whole Internet • Autonomous Systems (AS)‏ • Classless Interdomain Routing (CIDR)‏ • 190.100.0.0/16 190.100.0.0, 255.255.0.0

  3. How BGP Works • AS Border Router - “BGP Speaker” • Advertise own routes, redistribute others • Update Messages • “AS_PATH” field • Path Selection • Most “Specific” Network • 190.100.0.0/17 over 190.100.0.0/16

  4. The Man in the Middle Attack • Requirements: • Redirect all traffic to Attacker • Forward traffic onto Target • Relies on trust built into BGP

  5. Attack Threats • Confidentiality • Capture all packets • Integrity • Modify packets before delivery • Availability • Black Hole • Filtering selected packets

  6. Implementation • 190.100.0.0/16 (AS100) is Target • AS900 is Attacker

  7. Implementation – Step 1 • Advertise New Routes • More specific • 190.100.0.0/17, 190.100.128.0/17

  8. Implementation – Step 1 router bgp 900 network 190.100.0.0 mask 255.255.128.0 network 190.100.128.0 mask 255.255.128.0 ... neighbor <ip address of AS600 router> remote-as 600 neighbor <ip address of AS700 router> remote-as 700 neighbor <ip address of AS800 router> remote-as 800 no auto-summary

  9. Implementation – Step 2 • Create Route Back to Target • Modify “AS_PATH” field of advertisement • Add each AS in route to target

  10. Implementation – Step 2 ip prefix-list victim permit 190.100.0.0/16 route-map mitm permit 10 match ip address prefix-list victim set as-path prepend 600 300 100 ip route 190.100.0.0 255.255.128.0 <ip address of AS600 rtr> ip route 190.100.128.0 255.255.128.0 <ip address of AS600 rtr>

  11. Attack Limitations • Access to BGP Router • No script kiddies, but pool still large • Half of the Conversation • Only sees Inbound traffic • Resolve: 2nd BGP MITM, Other MITM (DNS)‏ • Incomplete Route Distribution • AS's in Return Path

  12. Attack Limitations cont. • Packet Route Visible • Traceroute • Resolve: TTL Modification • BGP Updates Visible • Alert a perceptive Administrator • Encrypted Traffic • Cannot decrypt payload

  13. Mitigating the Attack - Prevention • Filtering • Must be done by every ISP • Internet Routing Registry • Overhead • Poor Database Maintenance / Security

  14. Mitigating the Attack - Detection • Monitor for BGP Updates • BGPmon.net

  15. Mitigating the Attack - Response • Counter-Attack • Advertise even more specific networks • ISP Disconnect Attacker • May take hours to days • Youtube.com – February 2008

  16. Mitigating the Attack – Securing BGP • S-BGP • 2 Certificates – IP address, AS • Secure Origin BGP • Topologies • Interdomain Route Validation • Out of band verification

  17. Conclusion BGP Man in the Middle • Powerful Attack • Easy to Implement • Difficult to Mitigate

More Related