ETH TIK/CSG Presentation
Breaking BGP sessions
March 31, 2016
Udi Ben-Porat
([email protected])
Organization
1. Attack showcase [25 min.]
2. Q+A about attack case [10 min.]
3. Q+A about exercise [10 min.]
-2© TIK/CSG (31.03.2016)
Motivation
• What if a normal user could bring down major
internet connections within minutes?
• Attacks on the routing control plane can cripple
large parts of the Internet!
BGP Introduction (I)
• The Internet is a network of different autonomous
networks (ASes)
• Within an AS, routing information
is readily available (IGP, e.g. OSPF)
[Figure: AS sketch showing border routers and internal routers]
BGP Introduction (II)
• To get data from A to B, routers need to know
how to route between different ASes
[Figure: A and B in different ASes]
BGP Introduction (III)
• BGP = Border Gateway Protocol
• Path-vector protocol
• Routing decisions based on:
– Paths
– Network policies
– Rule-sets
• ASes use it to:
– Exchange reachability information (IP prefixes)
– Enforce their policies (e.g. ISP-customer relationship)
eBGP and iBGP
• internal BGP (iBGP):
BGP between two peers in the same AS
• external BGP (eBGP):
BGP between autonomous systems
Routers on the boundary of one AS that exchange
information with another AS (border or edge
routers) maintain eBGP sessions
BGP uses TCP for transport
• To connect two peers: TCP sessions on port
179 (the well-known BGP port)
– eliminates the need to implement explicit data
fragmentation, retransmission, …
• BGP: Unique use of TCP among routing
protocols
Vulnerable to TCP attacks too!
TCP Reset Attack: intro (I)
• Alice and Bob have a TCP connection
• Eve sends a spoofed TCP reset packet to Bob
with Alice's address/port
• Bob will close the connection
• (Alice won't receive any further data from Bob)
[Figure: Eve sends a TCP RST into the TCP connection between Alice and Bob]
TCP Reset Attack: intro (II)
Eve needs to:
– know source/destination address/port
– guess the sequence number in the receiving window
of Bob
Forged TCP resets can kill a running TCP session
The more critical the session, the more effective the attack
TCP Reset Attack on BGP (I)
[Figure: TCP RST injected into the BGP session (over TCP) between Router #1 and Router #2]
TCP Reset Attack on BGP (II)
• Destination port: 179
– have to guess the destination and the source IPs
• Source port: should be random but is usually
predictable:
– E.g., we don't use ports less than 1024 (well-known)
– Predictable source port selection patterns on OSes
– Port scans… (nmap, etc.)
TCP Reset Attack on BGP (III)
• How to get the IP addresses of the source and
the destination?
• Use combinations of:
– traceroute (from multiple sources)
– Publicly available AS information
• e.g. http://www.ripe.net/data-tools/stats/ris/routing-information-service
– Other network topology information
• e.g. internet measurement projects
– Social Engineering
– Guessing…
TCP Reset Attack on BGP (IV)
• Given that the source and destination addresses are
known, use brute force
to guess the source port and sequence
number and effectively spoof the RST!
TCP Reset Attack on BGP (V)
• 32-bit sequence number
• Frequent window size: 16384
• Number of ports to brute force / guess: <90
– (depending on desired success probability)
• Connection: 20 Mbps → 62500 RST packets/s
• Connection direction unknown
• E[t] = (2^32 / 16384) * 90 / 62500 * 2 / 2 = 377 s
Effects of TCP RST BGP Attack
BGP peers lose their connection
Release of associated BGP resources
BGP peers must remove all routes learned from
each other
Recovery takes minutes to hours…
How do we deal with the attack?
• Caveat: ASes won't tell if anyone ever
succeeded… (private information, competitive
advantage!)
• But the vulnerability existed for several years
• Sample Solution: TCP MD5 Signature Option
• There are other solutions as well…
– SEQ, ACK verification in RST pkts
– Filtering
– Window size tuning (least effective)
TCP MD5 signature option details
• Well-advertised method to authenticate the
identity of the remote BGP neighbor
• Makes it difficult for the attacker:
– Use of password included in MD5 digest
– Password never appears in connection stream
• For each segment: a 16-byte MD5 digest is produced by
applying the MD5 algorithm to the TCP header,
data, etc.
• The receiver validates each signed segment!
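Added example (not part of the original slides): a sketch of the per-segment digest and the receiver-side check, following the input order given in RFC 2385 (pseudo-header, fixed TCP header with zero checksum, segment data, key). The addresses, ports, sequence numbers, key and the helper names fixed_header, sign, validate and demo are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

MD5_OPT_LEN = 20          # option kind 19, length 18, padded to a 32-bit boundary
ACK, RST = 0x10, 0x04     # TCP flag bits
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)  # marker, length, type

def fixed_header(sport, dport, seq, ack, flags, window):
    """20-byte TCP header without options, checksum field zero (as hashed)."""
    offset = (20 + MD5_OPT_LEN) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset << 4, flags, window, 0, 0)

def sign(src, dst, header, payload, key):
    """RFC 2385 digest: pseudo-header, fixed header, data, then the key."""
    seg_len = len(header) + MD5_OPT_LEN + len(payload)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    return hashlib.md5(pseudo + header + payload + key).digest()

def validate(src, dst, header, payload, digest, key):
    """Receiver side: recompute with the local key, compare in constant time."""
    return hmac.compare_digest(sign(src, dst, header, payload, key), digest)

def demo():
    # Constructed sample values: RFC 5737 documentation addresses, made-up key.
    r1, r2, key = "192.0.2.1", "192.0.2.2", b"constructed-shared-secret"
    keepalive = fixed_header(40000, 179, 1000, 2000, ACK, 16384)
    good = sign(r1, r2, keepalive, BGP_KEEPALIVE, key)
    # Spoofed RST: correct addresses, ports and an in-window sequence number,
    # but the sender does not hold the key.
    rst = fixed_header(40000, 179, 1019, 0, RST, 0)
    guessed = sign(r1, r2, rst, b"", b"wrong-guess")
    return (validate(r1, r2, keepalive, BGP_KEEPALIVE, good, key),   # peer
            validate(r1, r2, rst, b"", guessed, key),                # wrong key
            validate(r1, r2, rst, b"", bytes(16), key))              # dummy digest

if __name__ == "__main__":
    print(demo())
```

The legitimate KEEPALIVE validates, while both forged resets are dropped even though every other header field is correct.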
TCP MD5 pitfalls (I)
• AS tools required upgrading and human
intervention to enable MD5
• The storing of the password presents its own
security issues! (database security…)
• How do you securely transmit the clear text
password?
• How are you generating the password?
TCP MD5 pitfalls (II)
• Examining an MD5 hash in the TCP header adds
additional work to a router…
• What if an attacker can spoof with incorrect MD5
hashes to make your router work a bit more?
Potential Denial of Service (DoS)???
Conclusions from the example
• No solution is a panacea in the field of security,
but administrators do their best to lower
the attack risks
• E.g., in the case of TCP MD5, more measures
may be required:
– BGP session over a separate “protected” interface
– Anti-spoofing Access Control Lists (ACLs), filters
BGP Attacks in general
• BGP has other vulnerabilities as well, e.g.:
– 2008: Pakistan Telecom hijacking YouTube traffic
• Link to a video
– 2008: presentation of BGP MitM attack
• A. Pilosov, T. Kapela, Stealing The Internet - An Internet-Scale Man In The Middle Attack
• Link to a video
• Next time: IP prefix hijacking
Bibliography: BGP, TCP RST
• NIST Border Gateway Protocol Security
http://csrc.nist.gov/publications/nistpubs/800-54/SP800-54.pdf
• Paul A. Watson, Slipping in the Window: TCP Reset
Attacks, 2003
• RFC 4271, A Border Gateway Protocol 4 (BGP-4)
• RFC 4272, BGP Security Vulnerabilities Analysis
• RFC 793, Transmission Control Protocol
• “Are BGP Routers Open To Attack? An Experiment”
Cavedon L. et al., iNetSec'10 Proceedings
Bibliography: MD5
• RFC 2385, TCP MD5 Signature Option
• BGP MD5: Good, Bad, Ugly?
http://www.nanog.org/meetings/nanog39/presentations/Scholl.pdf
• MD5 Authentication Between BGP Peers Configuration
Example
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080b52107.shtml
Questions: Attack Case
[Figure: TCP RST injected into the BGP session (over TCP) between Router #1 and Router #2]
Questions: Exercise
• Task 1: Security Advisories and Common
Vulnerabilities and Exposures (CVEs)
• Task 2: Vulnerability Lifecycle
• Task 3: Zero-day vulnerabilities
Thank you for your attention!