BGP Man in the Middle Attack - PowerPoint PPT Presentation
Presentation Transcript

Jason Froehlich

December 10, 2008

BGP Man in the Middle Attack


What is BGP?

  • Routing for whole Internet

  • Autonomous Systems (AS)

  • Classless Interdomain Routing (CIDR)

    • 190.100.0.0/16 = 190.100.0.0, mask 255.255.0.0


How BGP Works

  • AS Border Router - “BGP Speaker”

    • Advertise own routes, redistribute others

  • Update Messages

    • “AS_PATH” field

  • Path Selection

    • Most “Specific” Network

    • 190.100.0.0/17 preferred over 190.100.0.0/16


The Man in the Middle Attack

  • Requirements:

    • Redirect all traffic to Attacker

    • Forward traffic onto Target

  • Relies on trust built into BGP


Attack Threats

  • Confidentiality

    • Capture all packets

  • Integrity

    • Modify packets before delivery

  • Availability

    • Black Hole

    • Filtering selected packets


Implementation

  • 190.100.0.0/16 (AS100) is Target

  • AS900 is Attacker


Implementation – Step 1

  • Advertise New Routes

  • More specific

    • 190.100.0.0/17, 190.100.128.0/17


Implementation – Step 1 cont.

router bgp 900
network 190.100.0.0 mask 255.255.128.0
network 190.100.128.0 mask 255.255.128.0
...
neighbor <ip address of AS600 router> remote-as 600
neighbor <ip address of AS700 router> remote-as 700
neighbor <ip address of AS800 router> remote-as 800
no auto-summary


Implementation – Step 2

  • Create Route Back to Target

  • Modify “AS_PATH” field of advertisement

    • Add each AS in route to target


Implementation – Step 2 cont.

ip prefix-list victim permit 190.100.0.0/16
route-map mitm permit 10
match ip address prefix-list victim
set as-path prepend 600 300 100
ip route 190.100.0.0 255.255.128.0 <ip address of AS600 rtr>
ip route 190.100.128.0 255.255.128.0 <ip address of AS600 rtr>


Attack Limitations

  • Access to BGP Router

    • No script kiddies, but pool still large

  • Half of the Conversation

    • Only sees Inbound traffic

    • Resolve: 2nd BGP MITM, Other MITM (DNS)

  • Incomplete Route Distribution

    • ASes in Return Path


Attack Limitations cont.

  • Packet Route Visible

    • Traceroute

    • Resolve: TTL Modification

  • BGP Updates Visible

    • Alert a perceptive Administrator

  • Encrypted Traffic

    • Cannot decrypt payload


Mitigating the Attack - Prevention

  • Filtering

    • Must be done by every ISP

  • Internet Routing Registry

    • Overhead

    • Poor Database Maintenance / Security


Mitigating the Attack - Detection

  • Monitor for BGP Updates

  • BGPmon.net
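
As an added illustration, not part of the slides, of the "Monitor for BGP Updates" bullet and of the longest-match rule from the "How BGP Works" slide: a small Python monitor that checks collected updates against the prefixes an operator originates and flags the two announcement patterns used in the implementation steps. Apart from 190.100.0.0/16 and AS100 (the target from the slides), every prefix, AS number and update record below is constructed.

```python
"""Flag BGP updates that conflict with prefixes we originate (constructed example)."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Prefixes we legitimately originate and the origin ASNs allowed to announce them.
# 190.100.0.0/16 originated by AS100 is the target from the slides.
MONITORED: Dict[str, Set[int]] = {"190.100.0.0/16": {100}}

# Constructed sample of updates as a route collector might see them:
# (prefix, AS_PATH with the collector's peer first and the origin AS last).
SAMPLE_UPDATES: List[Tuple[str, List[int]]] = [
    ("190.100.0.0/16", [800, 300, 100]),            # legitimate announcement
    ("190.100.0.0/17", [800, 900, 600, 300, 100]),  # Step 1 + 2: /17 with forged tail
    ("190.100.128.0/17", [800, 900, 600, 300, 100]),
    ("190.100.0.0/16", [700, 900]),                 # origin hijack of the whole /16
    ("10.20.0.0/16", [800, 42]),                    # unrelated prefix, ignored
]


def check_update(prefix: str, as_path: List[int]) -> List[str]:
    """Return alert strings for one update; empty list when it looks benign."""
    alerts: List[str] = []
    announced = ipaddress.ip_network(prefix, strict=False)
    origin = as_path[-1]
    for owned, allowed_origins in MONITORED.items():
        owned_net = ipaddress.ip_network(owned)
        if announced.version != owned_net.version:
            continue  # subnet_of() raises on mixed IPv4/IPv6 comparisons
        if announced == owned_net:
            if origin not in allowed_origins:
                alerts.append(f"origin hijack: {prefix} originated by AS{origin}, "
                              f"expected {sorted(allowed_origins)}")
        elif announced.subnet_of(owned_net):
            # We announce nothing longer than the /16, so any sub-prefix wins
            # longest-match everywhere and diverts traffic. The origin check
            # cannot catch this one: the forged AS_PATH still ends in AS100.
            alerts.append(f"sub-prefix hijack: {prefix} inside {owned} via {as_path}")
    return alerts


def scan(updates: List[Tuple[str, List[int]]]) -> List[str]:
    """Run check_update over a batch of collected updates."""
    return [a for prefix, path in updates for a in check_update(prefix, path)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_UPDATES):
        print(alert)
```

Fed with a real collector feed, the sub-prefix rule is the one that matters for this attack: a forged AS_PATH looks legitimate at the origin, but the /17 announcements can be recognised from their prefix length alone.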


Mitigating the Attack - Response

  • Counter-Attack

    • Advertise even more specific networks

  • ISP Disconnect Attacker

    • May take hours to days

    • YouTube.com – February 2008


Mitigating the Attack – Securing BGP

  • S-BGP

    • 2 Certificates – IP address, AS

  • Secure Origin BGP

    • Topologies

  • Interdomain Route Validation

    • Out of band verification


Conclusion

BGP Man in the Middle

  • Powerful Attack

  • Easy to Implement

  • Difficult to Mitigate

