Jason Froehlich

December 10, 2008

BGP Man in the Middle Attack


What is BGP?

  • Routing for whole Internet

  • Autonomous Systems (AS)

  • Classless Interdomain Routing (CIDR)

    • 190.100.0.0/16 = network 190.100.0.0, mask 255.255.0.0


How BGP Works

  • AS Border Router - “BGP Speaker”

    • Advertise own routes, redistribute others

  • Update Messages

    • “AS_PATH” field

  • Path Selection

    • Most “Specific” Network

    • 190.100.0.0/17 over 190.100.0.0/16
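The "most specific network wins" rule above is the whole lever of the attack, so here it is as an added example (written for this page, not code from the slides): a longest-prefix-match lookup over a constructed routing table. The next-hop labels, the second /17 entry and its AS_PATH are assumptions chosen to match the slides' scenario (AS100 originates 190.100.0.0/16). It generalises the slide's single /17-over-/16 instance to any table.

```python
import ipaddress

# Constructed routing table for the slides' scenario. Only the lower /17 has
# been injected here, so that the effect on each half of the /16 is visible.
# Entries: (prefix, next-hop label, AS_PATH). Labels are placeholders.
ROUTES = [
    ("190.100.0.0/16", "via-AS300", [300, 100]),
    ("190.100.0.0/17", "via-AS800", [800, 900, 600, 300, 100]),
    ("10.0.0.0/8", "via-AS200", [200]),
]


def build_table(routes):
    """Parse the textual prefixes once so lookups can use ipaddress containment."""
    return [(ipaddress.ip_network(p), nh, path) for p, nh, path in routes]


def select_route(table, dst):
    """Longest-prefix match: of all prefixes containing dst, the one with the
    longest mask wins. AS_PATH length is not considered at this stage, which
    is why a more-specific announcement beats a shorter, legitimate path."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nh, path in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, path)
    return best


def next_hop(table, dst):
    """Convenience wrapper returning only the chosen next hop (None if no route)."""
    route = select_route(table, dst)
    return route[1] if route else None


if __name__ == "__main__":
    table = build_table(ROUTES)
    for dst in ("190.100.5.1", "190.100.200.1", "10.1.2.3", "8.8.8.8"):
        print(dst, "->", next_hop(table, dst))
```

Running it shows 190.100.5.1 leaving via the /17 (AS800 side) although that route carries the longer AS_PATH, while 190.100.200.1 still follows the legitimate /16: with only one /17 injected, half of the target's block is untouched, which is why the implementation below announces both halves.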


The Man in the Middle Attack

  • Requirements:

    • Redirect all traffic to Attacker

    • Forward traffic onto Target

  • Relies on trust built into BGP


Attack Threats

  • Confidentiality

    • Capture all packets

  • Integrity

    • Modify packets before delivery

  • Availability

    • Black Hole

    • Filtering selected packets


Implementation

  • 190.100.0.0/16 (AS100) is Target

  • AS900 is Attacker


Implementation – Step 1

  • Advertise New Routes

  • More specific

    • 190.100.0.0/17, 190.100.128.0/17


Implementation – Step 1

! AS900 (the attacker in this scenario) originates the two /17 halves of the target's /16
router bgp 900
 network 190.100.0.0 mask 255.255.128.0
 network 190.100.128.0 mask 255.255.128.0
 ...
 neighbor <ip address of AS600 router> remote-as 600
 neighbor <ip address of AS700 router> remote-as 700
 neighbor <ip address of AS800 router> remote-as 800
 ! keep the /17s from being collapsed into a classful summary
 no auto-summary


Implementation – Step 2

  • Create Route Back to Target

  • Modify “AS_PATH” field of advertisement

    • Add each AS in route to target


Implementation – Step 2

! match the target's block
ip prefix-list victim permit 190.100.0.0/16
! prepend the ASes on the route back to the target to the advertisement's AS_PATH (step 2)
route-map mitm permit 10
 match ip address prefix-list victim
 set as-path prepend 600 300 100
! static routes: forward traffic for the target onward toward AS600
ip route 190.100.0.0 255.255.128.0 <ip address of AS600 rtr>
ip route 190.100.128.0 255.255.128.0 <ip address of AS600 rtr>


Attack Limitations

  • Access to BGP Router

    • No script kiddies, but pool still large

  • Half of the Conversation

    • Only sees Inbound traffic

    • Resolve: 2nd BGP MITM, other MITM (DNS)

  • Incomplete Route Distribution

    • ASes in the return path


Attack Limitations cont.

  • Packet Route Visible

    • Traceroute

    • Resolve: TTL Modification

  • BGP Updates Visible

    • Alert a perceptive Administrator

  • Encrypted Traffic

    • Cannot decrypt payload


Mitigating the Attack - Prevention

  • Filtering

    • Must be done by every ISP

  • Internet Routing Registry

    • Overhead

    • Poor Database Maintenance / Security
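As an added example (written for this page, not code from the slides or from any registry operator), the kind of per-customer ingress filter the "every ISP" point is about, in Python. The registry contents, the customer-cone table and the /24 length limit are constructed stand-ins for Internet Routing Registry data. The block also contrasts a registry check on the origin AS alone with a check on the whole AS_PATH, because step 2 of the attack forges a path that still ends in the legitimate origin.

```python
import ipaddress

# Constructed stand-in for an Internet Routing Registry: which prefixes each
# AS is registered to originate. Values follow the slides' scenario; the
# 203.0.113.0/24 block for AS900 is an assumed documentation prefix.
REGISTRY = {
    100: ["190.100.0.0/16"],
    900: ["203.0.113.0/24"],
}

# Constructed customer-cone data: the ASes a customer may carry routes for.
# AS900 is modelled as a stub with no customers of its own.
CUSTOMER_CONE = {900: {900}}

MAX_PREFIX_LEN = 24   # assumed policy: anything longer is refused outright


def parse_registry(reg):
    return {asn: [ipaddress.ip_network(p) for p in plist] for asn, plist in reg.items()}


def registered(prefix, origin, registry):
    """True if origin is registered for prefix or for a block covering it."""
    return any(prefix.subnet_of(block) for block in registry.get(origin, []))


def origin_only_check(announced_prefix, as_path, registry):
    """Weak check: validates only the last AS in AS_PATH against the registry.
    A forged path that ends in the legitimate origin passes this check."""
    prefix = ipaddress.ip_network(announced_prefix)
    return bool(as_path) and registered(prefix, as_path[-1], registry)


def ingress_filter(announced_prefix, as_path, customer_as, registry, cone):
    """Decision on an update received over a customer session.
    Returns (accept, reason)."""
    prefix = ipaddress.ip_network(announced_prefix)
    if not as_path or as_path[0] != customer_as:
        return False, "first AS in AS_PATH is not the customer"
    if prefix.prefixlen > MAX_PREFIX_LEN:
        return False, f"/{prefix.prefixlen} is more specific than /{MAX_PREFIX_LEN}"
    # Every AS in the path must lie in the customer's cone: a path through
    # unrelated transit ASes cannot legitimately arrive over a customer link.
    allowed = cone.get(customer_as, {customer_as})
    outside = [asn for asn in as_path if asn not in allowed]
    if outside:
        return False, f"ASes {outside} are outside AS{customer_as}'s customer cone"
    origin = as_path[-1]
    if not registered(prefix, origin, registry):
        return False, f"AS{origin} is not registered for {prefix}"
    return True, "accepted"


if __name__ == "__main__":
    reg = parse_registry(REGISTRY)
    for prefix, path in [("203.0.113.0/24", [900]),
                         ("190.100.0.0/17", [900, 600, 300, 100]),
                         ("190.100.0.0/17", [900]),
                         ("203.0.113.0/25", [900])]:
        print(prefix, path, ingress_filter(prefix, path, 900, reg, CUSTOMER_CONE))
    print("origin-only check on the forged path:",
          origin_only_check("190.100.0.0/17", [900, 600, 300, 100], reg))
```

The cone check is what catches the step-2 announcement: the origin-only variant accepts it, since AS100 really is registered for 190.100.0.0/16. The filter only protects the sessions on which it is configured, which is the slide's point that every ISP has to do this, together with the registry-maintenance overhead listed above.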


Mitigating the Attack - Detection

  • Monitor for BGP Updates

  • BGPmon.net
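An added example of the monitoring the slide recommends (written for this page; it is neither the slides' nor BGPmon's code): a Python scan over update records from the target's point of view, flagging the three things this attack produces. The one-line record format, the sample records and the AS numbers are constructed to match the slides' scenario, with AS100 as the monitored network.

```python
import ipaddress
from dataclasses import dataclass

# Assumed: the monitored AS and the prefixes it actually originates.
OUR_AS = 100
OUR_PREFIXES = {ipaddress.ip_network("190.100.0.0/16")}

# Constructed update records, "<time> ANNOUNCE <prefix> PATH <as> <as> ...",
# as a collector peering with AS700 might see them. Not real BGPmon output.
SAMPLE_UPDATES = """\
2008-12-10T10:00:00 ANNOUNCE 190.100.0.0/16 PATH 700 300 100
2008-12-10T10:05:00 ANNOUNCE 10.20.0.0/16 PATH 700 200
2008-12-10T10:07:00 ANNOUNCE 190.100.0.0/17 PATH 700 800 900 600 300 100
2008-12-10T10:07:01 ANNOUNCE 190.100.128.0/17 PATH 700 800 900 600 300 100
2008-12-10T10:08:00 ANNOUNCE 10.30.0.0/16 PATH 700 800 900 100
2008-12-10T10:09:00 ANNOUNCE 190.100.0.0/16 PATH 700 500
"""


@dataclass
class Alert:
    kind: str
    prefix: str
    path: list


def parse_update(line):
    fields = line.split()
    if len(fields) < 4 or fields[1] != "ANNOUNCE" or fields[3] != "PATH":
        raise ValueError(f"unrecognised update line: {line!r}")
    return ipaddress.ip_network(fields[2]), [int(a) for a in fields[4:]]


def check_update(prefix, path):
    """Return an Alert for an announcement that conflicts with what we
    originate, or None if it is consistent."""
    origin = path[-1] if path else None
    for ours in OUR_PREFIXES:
        if prefix == ours:
            # Our exact block announced with somebody else as origin.
            if origin != OUR_AS:
                return Alert("origin-change", str(prefix), path)
            return None
        if prefix.subnet_of(ours):
            # A more-specific of our block wins longest-prefix match everywhere.
            # Note the origin may still read as our AS because of the prepend
            # in step 2, so an origin-only check would not fire here.
            return Alert("more-specific", str(prefix), path)
    if OUR_AS in path:
        # Our AS claimed as transit for a prefix we do not carry.
        return Alert("path-contains-us", str(prefix), path)
    return None


def scan(text):
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        prefix, path = parse_update(line)
        alert = check_update(prefix, path)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_UPDATES):
        print(f"{alert.kind:16} {alert.prefix:18} path={alert.path}")
```

The two /17 records trigger "more-specific" even though their AS_PATH ends in 100, which is the signal the "BGP Updates Visible" limitation above refers to; the final record shows the plain origin hijack case for comparison.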


Mitigating the Attack - Response

  • Counter-Attack

    • Advertise even more specific networks

  • ISP Disconnect Attacker

    • May take hours to days

    • Youtube.com – February 2008


Mitigating the Attack – Securing BGP

  • S-BGP

    • 2 Certificates – IP address, AS

  • Secure Origin BGP

    • Topologies

  • Interdomain Route Validation

    • Out of band verification


Conclusion

BGP Man in the Middle

  • Powerful Attack

  • Easy to Implement

  • Difficult to Mitigate
