ETH TIK/CSG Presentation

Breaking BGP sessions
March 31, 2016
Udi Ben-Porat
Organization
1. Attack show case [25 min.]
2. Q+A about attack case [10 min.]
3. Q+A about exercise [10 min.]
-2© TIK/CSG (31.03.2016)
Motivation
• What if a normal user could bring down major internet connections within minutes?
• Attacks on the routing control plane can cripple large parts of the Internet!
BGP Introduction (I)
• Internet is a network of different autonomous networks (AS)
• Within an AS, routing information is readily available (IGP, e.g. OSPF)
[Figure: AS sketch with border routers and internal routers]
BGP Introduction (II)
• To get data from A to B, routers need to know how to route between different ASes
[Figure: endpoints A and B]
BGP Introduction (III)
• BGP = Border Gateway Protocol
• Path-vector protocol
• Routing decisions based on:
– Paths
– Network policies
– Rule-sets
• ASes use it to:
– Exchange reachability information (IP prefixes)
– Enforce their policies (e.g. ISP-customer relationship)
eBGP and iBGP
• internal BGP (iBGP): BGP between two peers in the same AS
• external BGP (eBGP): BGP between autonomous systems
→ Routers on the boundary of one AS exchanging information with another AS = border or edge routers → maintain eBGP sessions
BGP uses TCP for transport
• To connect two peers: TCP sessions on port 179 (known BGP port)
– eliminates the need to implement explicit data fragmentation, retransmission, …
• BGP: Unique use of TCP among routing protocols
→ Vulnerable to TCP attacks too!
TCP Reset Attack: intro (I)
• Alice and Bob have a TCP connection
• Eve sends a spoofed TCP reset packet to Bob with Alice's address/port
• Bob will close connection
• (Alice won't receive any further data from Bob)
[Figure: Eve sends a TCP RST into the TCP connection between Alice and Bob]
TCP Reset Attack: intro (II)
Eve needs to:
– know source/destination address/port
– guess the sequence number in the receiving window of Bob
Forged TCP resets can kill a running TCP session
The more critical the session, the more effective the attack
TCP Reset Attack on BGP (I)
[Figure: TCP RST injected into the BGP session (over TCP) between Router #1 and Router #2]
TCP Reset Attack on BGP (II)
• Destination port: 179
– have to guess the destination and the source IPs
• Source port: should be random but is usually predictable:
– E.g., we don't use ports less than 1024 (well-known)
– Predictable source port selection patterns on OSes
– Port scans… (nmap, etc.)
TCP Reset Attack on BGP (III)
• How to get the IP addresses of the source and the destination?
• Use combinations of:
– traceroute (from multiple sources)
– Publicly available AS information
• e.g. http://www.ripe.net/data-tools/stats/ris/routinginformation-service
– Other network topology information
• e.g. internet measurement projects
– Social Engineering
– Guessing…
TCP Reset Attack on BGP (IV)
• Given that the source and destination addresses are known, use brute force to guess the source port and sequence number and effectively spoof the RST!
TCP Reset Attack on BGP (V)
• 32-bit sequence number
• Frequent window size: 16384
• Number of ports to brute force / guess: <90
– (depending on desired success probability)
• Connection: 20 Mbps → 62500 RST packets/s
• Connection direction unknown
• E[t] = 2^32 / 16384 * 90 / 62500 * 2 / 2 = 377s
  (× 2 for the unknown connection direction, ÷ 2 because on average half of the search space has to be tried)
Effects of TCP RST BGP Attack
→ BGP peers lose connection
→ Release of associated BGP resources
→ BGP peers must remove all routes learned from each other
→ Recovery takes minutes to hours…
How do we deal with the attack?
• Caveat: ASes won't tell if anyone ever succeeded… (private information, competitive advantage!)
• But vulnerability existed for several years
• Sample Solution: TCP MD5 Signature Option
• There are other solutions as well…
– SEQ, ACK verification in RST pkts
– Filtering
– Window size tuning (least effective)
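
Added example (not from the original slides): a receiver-side sketch of the "SEQ, ACK verification in RST pkts" mitigation, in the style of RFC 5961, next to the lenient in-window check the attack relies on. Function names and the sample sequence numbers are constructed for illustration; the window size 16384 is the one used on the earlier slide.

```python
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def lenient_rst(seq, rcv_nxt, rcv_wnd):
    """Lenient check: any in-window RST tears the connection down."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def strict_rst(seq, rcv_nxt, rcv_wnd):
    """Strict check: reset only on an exact match with the next expected byte.

    Other in-window RSTs are answered with a challenge ACK, so a genuine peer
    that really wants to reset can reply with the exact sequence number.
    """
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def resetting_values(check, rcv_nxt, rcv_wnd, margin=16):
    """Count sequence numbers that make `check` reset the session.

    Only the window plus a small margin is scanned; everything further away
    is out of window and dropped by both checks.
    """
    start = rcv_nxt - margin
    return sum(check((start + i) % MOD, rcv_nxt, rcv_wnd) == "reset"
               for i in range(rcv_wnd + 2 * margin))


def demo():
    rcv_nxt, rcv_wnd = 0xFFFFF000, 16384   # constructed: window spans the wrap
    wrapped = 0x00000100                   # in window, after the 2^32 wrap
    return {
        "lenient_wrapped": lenient_rst(wrapped, rcv_nxt, rcv_wnd),
        "strict_wrapped": strict_rst(wrapped, rcv_nxt, rcv_wnd),
        "lenient_accepts": resetting_values(lenient_rst, rcv_nxt, rcv_wnd),
        "strict_accepts": resetting_values(strict_rst, rcv_nxt, rcv_wnd),
    }


if __name__ == "__main__":
    print(demo())
```

With the strict check the number of sequence values that reset the session drops from the window size to one, which is why it helps more than shrinking the window.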
TCP MD5 signature option details
• Well-advertised method to authenticate the identity of the remote BGP neighbor
• Makes it difficult for the attacker:
– Use of password included in MD5 digest
– Password never appears in connection stream
• For each segment: 16-byte MD5 digest by applying the MD5 algorithm to TCP header, data, etc.
• Receive signed segment and validate!
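
Added example (not from the original slides): how a receiver computes and validates the per-segment digest described above, following the input order of RFC 2385 (pseudo-header, TCP header without options and with zeroed checksum, segment data, key). Addresses, ports, sequence numbers and the key are constructed; function names are hypothetical.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
OPT_LEN = 20            # MD5 option (kind 19, length 18) padded to 20 bytes
RST, PSH, ACK = 0x04, 0x08, 0x10


def tcp_base_header(sport, dport, seq, ack, flags, window):
    """20-byte TCP header without options; checksum zeroed for the digest."""
    data_offset = (20 + OPT_LEN) // 4      # header plus options, in 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, window, 0, 0)


def md5_digest(src_ip, dst_ip, header, payload, key):
    """MD5 over pseudo-header, base header, segment data, then the shared key."""
    seg_len = len(header) + OPT_LEN + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    return hashlib.md5(pseudo + header + payload + key).digest()


def accept(src_ip, dst_ip, header, payload, digest, key):
    """Receiver side: drop segments whose digest is missing or does not match."""
    if digest is None:
        return False
    expected = md5_digest(src_ip, dst_ip, header, payload, key)
    return hmac.compare_digest(expected, digest)


def demo():
    a, b = "192.0.2.1", "192.0.2.2"        # constructed documentation addresses
    key = b"constructed-shared-secret"     # constructed key, never sent on the wire
    # Genuine peer: a BGP KEEPALIVE (16-byte marker, length 19, type 4), signed.
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)
    hdr = tcp_base_header(49152, 179, 1000, 5000, PSH | ACK, 16384)
    good = accept(a, b, hdr, keepalive, md5_digest(a, b, hdr, keepalive, key), key)
    # Spoofed RST: correct addresses, ports and in-window sequence number,
    # but the sender does not know the key.
    rst = tcp_base_header(49152, 179, 1019, 0, RST, 0)
    unsigned = accept(a, b, rst, b"", None, key)
    wrong_key = accept(a, b, rst, b"", md5_digest(a, b, rst, b"", b"guess"), key)
    return good, unsigned, wrong_key


if __name__ == "__main__":
    print(demo())
```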
TCP MD5 pitfalls (I)
• AS tools required upgrading and human intervention to enable MD5
• The storing of the password presents its own security issues! (database security…)
• How do you securely transmit the clear text password?
• How are you generating the password?
TCP MD5 pitfalls (II)
• Examining an MD5 hash in the TCP header adds additional work to a router…
• What if an attacker can spoof with incorrect MD5 hashes to make your router work a bit more?
→ potential Denial of Service (DoS)???
Conclusions from the example
• No solution is a panacea in the field of security
→ But the administrators do their best to lower the attack risks
• E.g., in the case of TCP MD5, more measures may be required:
– BGP session over a separate “protected” interface
– Anti-spoofing Access Control Lists (ACLs), filters
BGP Attacks in general
• BGP has other vulnerabilities as well, e.g.:
– 2008: Pakistan Telecom hijacking YouTube traffic
• Link to a video
– 2008: presentation of BGP MitM attack
• A. Pilosov, T. Kapela, Stealing The Internet - An Internet-Scale Man In The Middle Attack
• Link to a video
• Next time: IP prefix hijacking
Bibliography: BGP, TCP RST
• NIST Border Gateway Protocol Security
http://csrc.nist.gov/publications/nistpubs/800-54/SP80054.pdf
• Paul A. Watson, Slipping in the Window: TCP Reset Attacks, 2003
• RFC 4271, A Border Gateway Protocol 4 (BGP-4)
• RFC 4272, BGP Security Vulnerabilities Analysis
• RFC 793, Transmission Control Protocol
• “Are BGP Routers Open To Attack? An Experiment”, Cavedon L. et al., iNetSec'10 Proceedings
Bibliography: MD5
• RFC 2385, TCP MD5 Signature Option
• BGP MD5: Good, Bad, Ugly?
http://www.nanog.org/meetings/nanog39/presentations/Scholl.pdf
• MD5 Authentication Between BGP Peers Configuration Example
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080b52107.shtml
Questions: Attack Case
[Figure: TCP RST injected into the BGP session (over TCP) between Router #1 and Router #2]
Questions: Exercise
• Task 1: Security Advisories and Common Vulnerabilities and Exposures (CVEs)
• Task 2: Vulnerability Lifecycle
• Task 3: Zero-day vulnerabilities
Thank you for your attention!