BGP: The Protocol of the Internet

The Internet has become an integral part of our daily lives, transforming every aspect of how we live and work. Its significance is so profound that the functioning of many essential services now depends on it. Despite its crucial role, no single entity governs the Internet. Instead, its operation relies on a collective effort, where everyone has a role to play. This shared responsibility underscores the importance of contributing to the security and stability of this indispensable technology that we all depend on.

How Does BGP Work?

The Border Gateway Protocol (BGP) exchanges routing information between autonomous systems (ASes) using BGP UPDATE messages. Each UPDATE carries Network Layer Reachability Information (NLRI) together with a set of path attributes. The NLRI lists the announced prefixes, each encoded as a prefix length followed by the prefix bits. When a BGP speaker advertises a route to an external peer, it prepends its own Autonomous System Number (ASN) to the AS_PATH attribute, so the attribute records, most recent first, the sequence of ASes the announcement has passed through.

Routing decisions between ASes are made on the basis of this path information. If an AS receives several routes for the same prefix, it picks one with the BGP decision process (LOCAL_PREF, then AS_PATH length, then ORIGIN, MED and further tie-breakers). Only the chosen route is propagated to peers and installed for forwarding. Forwarding itself uses the longest prefix match, so a more-specific announcement (a /25 inside an announced /24, for example) attracts the traffic regardless of who announced the less-specific route.
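To make the encoding concrete, here is an added example (not code from the original article) that builds a BGP UPDATE in the RFC 4271 wire format, decodes it, prepends the local ASN as an eBGP speaker does on re-advertisement, rejects paths that already contain the local ASN, and resolves a destination with a longest-prefix match. It assumes 4-octet ASNs in the AS_PATH (as negotiated with the RFC 6793 capability) and uses addresses and ASNs from the documentation ranges; the RIB at the bottom is a constructed dictionary.

```python
"""Encode and decode a minimal BGP UPDATE (RFC 4271 section 4.3), prepend the
local ASN on re-advertisement, and forward by longest-prefix match.
Added example, not code from the article. Assumes 4-octet ASNs in AS_PATH
(RFC 6793 capability); addresses and ASNs are documentation values."""
import ipaddress
import struct

ORIGIN, AS_PATH, NEXT_HOP = 1, 2, 3   # path attribute type codes
AS_SET, AS_SEQUENCE = 1, 2            # AS_PATH segment types
UPDATE = 2                            # BGP message type


def encode_prefix(prefix: str) -> bytes:
    """NLRI entry: length in bits, then only the significant prefix octets."""
    net = ipaddress.IPv4Network(prefix)
    return bytes([net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]


def decode_prefix(buf: bytes, pos: int):
    plen = buf[pos]
    nbytes = (plen + 7) // 8
    raw = buf[pos + 1:pos + 1 + nbytes] + b"\x00" * (4 - nbytes)
    return str(ipaddress.IPv4Network((int.from_bytes(raw, "big"), plen))), pos + 1 + nbytes


def encode_update(origin, as_path, next_hop, nlri, withdrawn=()):
    def attr(code, value):                 # flags 0x40 = well-known transitive, 1-byte length
        return bytes([0x40, code, len(value)]) + value
    path = bytes([AS_SEQUENCE, len(as_path)]) + b"".join(struct.pack("!I", a) for a in as_path)
    attrs = (attr(ORIGIN, bytes([origin])) + attr(AS_PATH, path)
             + attr(NEXT_HOP, ipaddress.IPv4Address(next_hop).packed))
    wd = b"".join(encode_prefix(p) for p in withdrawn)
    body = (struct.pack("!H", len(wd)) + wd + struct.pack("!H", len(attrs)) + attrs
            + b"".join(encode_prefix(p) for p in nlri))
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), UPDATE) + body   # marker, length, type


def decode_update(msg: bytes) -> dict:
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != UPDATE or length != len(msg) or msg[:16] != b"\xff" * 16:
        raise ValueError("not a well-formed BGP UPDATE")
    pos, out = 19, {"withdrawn": [], "nlri": []}
    wlen = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos, end = pos + 2, pos + 2 + wlen
    while pos < end:
        p, pos = decode_prefix(msg, pos)
        out["withdrawn"].append(p)
    alen = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos, end = pos + 2, pos + 2 + alen
    while pos < end:
        flags, code = msg[pos], msg[pos + 1]
        if flags & 0x10:                   # extended-length attribute: 2-byte length
            vlen, pos = struct.unpack("!H", msg[pos + 2:pos + 4])[0], pos + 4
        else:
            vlen, pos = msg[pos + 2], pos + 3
        val, pos = msg[pos:pos + vlen], pos + vlen
        if code == ORIGIN:
            out["origin"] = val[0]
        elif code == AS_PATH:
            segs, i = [], 0
            while i < len(val):            # segment: type, count, then count 4-octet ASNs
                stype, n = val[i], val[i + 1]
                segs.append((stype, list(struct.unpack("!%dI" % n, val[i + 2:i + 2 + 4 * n]))))
                i += 2 + 4 * n
            out["as_path"] = segs
        elif code == NEXT_HOP:
            out["next_hop"] = str(ipaddress.IPv4Address(val))
    while pos < len(msg):                  # whatever follows the attributes is NLRI
        p, pos = decode_prefix(msg, pos)
        out["nlri"].append(p)
    return out


def readvertise_to_ebgp(update: dict, my_asn: int) -> dict:
    """RFC 4271 5.1.2: prepend the local ASN to the leading AS_SEQUENCE before
    sending to an external peer (or open a new segment if none leads)."""
    segs = update.get("as_path", [])
    if segs and segs[0][0] == AS_SEQUENCE:
        segs = [(AS_SEQUENCE, [my_asn] + segs[0][1])] + segs[1:]
    else:
        segs = [(AS_SEQUENCE, [my_asn])] + segs
    return {**update, "as_path": segs}


def has_as_loop(update: dict, my_asn: int) -> bool:
    """RFC 4271 9.1.2: a path already containing the local ASN is a loop and is not used."""
    return any(my_asn in asns for _, asns in update.get("as_path", []))


def longest_prefix_match(rib: dict, dst: str):
    """Forwarding picks the most specific covering prefix, whoever announced it."""
    addr, best = ipaddress.IPv4Address(dst), None
    for prefix in rib:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > ipaddress.IPv4Network(best).prefixlen):
            best = prefix
    return (best, rib[best]) if best else (None, None)


if __name__ == "__main__":
    msg = encode_update(0, [64500, 64496], "192.0.2.1", ["198.51.100.0/24", "203.0.113.0/25"])
    upd = decode_update(msg)
    print(upd)
    print("re-advertised AS_PATH:", readvertise_to_ebgp(upd, 64501)["as_path"])
```

Running the block prints the decoded structure. Note that nothing in the parsed message lets the receiver tell a truthful AS_PATH from a forged one; the loop check only protects against the receiver's own ASN appearing in the path.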

By default, BGP functions on an inherent trust, meaning that without implementing additional policies, your network would implicitly trust its peers. This trust leads to accepting any information received from a peer and incorporating it into the routing table without any verification.

Without employing additional security mechanisms, there is no way to verify whether the originator of a prefix is indeed the legitimate resource holder and authorized to announce that specific prefix. This raises the question: just how secure is BGP?

Is BGP Secure?

In theory, only legitimate resource holders should announce specific prefixes, ensuring that routing information is accurate and trustworthy. However, in practice, this is not the case. Any autonomous system (AS) has the ability to originate any prefix, including those that belong to other networks. This lack of restriction allows for potential misuse, where an AS can announce prefixes it doesn't own, leading to issues like route hijacking and traffic misdirection. This highlights a significant vulnerability in BGP, underscoring the need for stronger validation mechanisms to ensure the integrity of routing announcements.

Analysing BGP Threats

The Border Gateway Protocol (BGP) has been a cornerstone of Internet operations for nearly 30 years, but it also presents significant security challenges. BGP was initially developed in an era when the Internet was smaller and relied on a trust-based model among network operators. As a result, the protocol lacks inherent security features to protect against accidental misconfigurations or malicious activities.

No Encryption or Authentication
No Origin Validation
No Authenticity of Path Attributes

BGP offers numerous strengths, such as enabling the interconnection of thousands of autonomous systems (ASes) with its scalability, advanced routing policies, and flexible traffic engineering capabilities. However, it also possesses several security vulnerabilities that can potentially cause widespread disruptions across the Internet.

The root of these vulnerabilities lies in BGP's age: the protocol was first specified in 1989 and took its current shape as BGP-4 in 1994. At that time, the Internet was in its infancy, with only a few networks in existence, and most network operators were familiar with one another. Routing information was generally trusted to be reliable, and the primary focus was on successfully interconnecting various networks.

Operators knew which entities were responsible for specific IP address blocks and who was authorized to announce them. As a result, BGP was designed without the built-in security features necessary to guard against intentional attacks or accidental misconfiguration.


These vulnerabilities expose BGP to several potential attacks:

1. Exploitation of TCP or BGP messages: Attackers can manipulate TCP or BGP messages to disrupt or hijack communication.

2. Unauthorized prefix announcements: Any AS can illegitimately announce any prefix, leading to routing anomalies.

3. AS path manipulation: An AS can insert any ASN into the AS path, misleading the route selection process.

4. Propagation of fake routing information: Malicious or incorrect routing information can be spread across the Internet, causing widespread disruptions.


Types of BGP incidents

TCP/IP Protocol Attacks: spoofing, TCP reset, session hijacking or SYN flooding attacks.

BGP Spoofing

To inject packets into a BGP session that is already established between two legitimate peers, an attacker must first gather specific details about that session.

The attacker needs the IP addresses of both peers and the TCP source and destination ports (one side is always port 179; the other is an ephemeral port that has to be guessed or observed). Because TCP only accepts a segment whose sequence number falls within the receiver's window, the attacker must also hit an in-window sequence number. TTL is an IP-layer field rather than a TCP one, but it matters when the peers use GTSM: forged packets then have to arrive with the TTL a directly connected neighbour would produce, which an attacker more than one hop away cannot achieve. With this information, the attacker spoofs the addresses and ports and impersonates the legitimate BGP peer.

TCP Reset

With these parameters, the attacker can inject a forged TCP segment carrying the RST flag that the receiving speaker attributes to its legitimate peer. The TCP connection is torn down, the BGP session drops, and every route learned over it is withdrawn until the session re-establishes and the full table is exchanged again. Authenticating the session with TCP MD5 (RFC 2385) or TCP-AO (RFC 5925) defeats this, because a segment without a valid signature is discarded before the RST is ever processed.


TCP Session Hijacking

Similar to the TCP reset attack, TCP session hijacking requires the attacker to spoof IP addresses, ports and sequence numbers (and, where GTSM is in use, the TTL) while pretending to be the legitimate BGP peer. If this succeeds, the attacker can inject their own BGP UPDATE messages into the session and thereby alter the routes the peer uses, which can be exploited for eavesdropping, blackholing traffic or analysing data flows.


SYN Flooding Attack

TCP relies on a three-way handshake to establish connections between two devices (a client and a server). The process begins with the client sending a SYN packet to the server. The server then responds with a SYN/ACK packet, which the client acknowledges by sending a final ACK packet. Once the server receives this ACK, the TCP connection is successfully established.

In a SYN flooding attack, also known as a TCP half-open attack, the attacker exploits this handshake process. The attacker continuously sends SYN packets from random source IP addresses. The server responds with SYN/ACK packets, but the attacker never completes the handshake by sending the final ACK. As a result, the server’s resources are consumed by these incomplete connections, leading to a denial-of-service (DoS) attack that can render the server unavailable to legitimate traffic.

BGP Route Manipulation Attacks: BGP origin hijacks or BGP path hijacks.

These attacks involve the intentional alteration of route attributes within a BGP UPDATE message. By injecting bogus routing information into BGP tables, attackers can reroute traffic or block it from reaching its intended destination. The primary objectives of such attacks are often to eavesdrop, blackhole, or analyze the intercepted traffic.

BGP Origin Hijacks

In these attacks, a malicious AS exploits the mutual trust between ASes by originating a prefix that it is not authorized to announce. This can lead to a portion of the traffic being diverted to the hijacker’s network. The nature of this attack makes it difficult to determine whether the incident was intentional or the result of an accidental misconfiguration.


BGP Path Hijacks

A path hijack occurs when an attacker intentionally manipulates the AS_PATH attribute in BGP. For instance, an attacker might insert fake AS numbers into the AS path to artificially lengthen it, making the path less desirable and less likely to be chosen. Alternatively, the attacker could shorten the path by removing AS numbers, making it more appealing and redirecting traffic to their network.

Another tactic involves the attacker sending a falsified path with a different origin and inserting their ASN somewhere in the middle, effectively rerouting traffic through their network.

Protocol Manipulation Attacks: modifying BGP attributes and exploiting RFD/MRAI timers.

This is considered a relatively new type of attack, where a malicious AS attempts to manipulate the BGP protocol by altering specific parts of BGP messages or non-path attributes, such as the Multi-Exit Discriminator (MED). Additionally, attackers might exploit mechanisms like Route Flap Damping (RFD) or the Minimum Route Advertisement Interval (MRAI) timer to disrupt network operations.

Manipulating BGP Attributes

BGP attributes play a crucial role in the path selection process, often serving as tiebreakers when multiple routes are available.

A malicious AS can influence another AS’s routing decisions by altering attributes like the Multi-Exit Discriminator (MED), which can give preference to illegitimate routes. In the context of modern traffic engineering and routing policies, manipulating these attributes can significantly impact how a victim AS routes traffic.
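The following added example (not code from the article) models the decision process and shows why the manipulations above work: a forged, shorter AS_PATH beats the legitimate longer one, and a lower MED wins between two routes from the same neighbouring AS. It also includes the inbound checks a border router can apply before a route is even compared (the first AS must equal the peer's AS, no own-AS loop, bounded path length). The Route fields, the check names and all ASNs and addresses are this example's own choices.

```python
"""Simplified BGP decision process (RFC 4271 section 9.1) plus the inbound
sanity checks that blunt AS_PATH forgery. Added example, not code from the
article; the Route fields and the peer checks are this example's own
modelling choices, and all ASNs/addresses are documentation values."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Route:
    prefix: str
    as_path: List[int]          # leftmost = neighbour that sent it, rightmost = origin
    next_hop: str
    router_id: str              # BGP identifier of the peer, used as the final tie-break
    local_pref: int = 100
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True


def neighbor_as(r: Route) -> Optional[int]:
    return r.as_path[0] if r.as_path else None


def better(a: Route, b: Route) -> Route:
    """Return the preferred of two routes for the same prefix, applying the
    decision steps in order: LOCAL_PREF, AS_PATH length, ORIGIN, MED (only
    comparable between routes from the same neighbouring AS), eBGP over iBGP,
    lowest router ID (stand-in for the IGP-metric step)."""
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    if neighbor_as(a) == neighbor_as(b) and a.med != b.med:
        return a if a.med < b.med else b
    if a.ebgp != b.ebgp:
        return a if a.ebgp else b
    return a if ipaddress.IPv4Address(a.router_id) <= ipaddress.IPv4Address(b.router_id) else b


def best_path(routes: List[Route]) -> Route:
    best = routes[0]
    for r in routes[1:]:
        best = better(best, r)
    return best


def accept_from_peer(r: Route, peer_asn: int, my_asn: int, max_path_len: int = 50) -> Optional[str]:
    """Inbound checks a border router can apply before a route reaches the
    decision process. Returns None if acceptable, otherwise the reason to drop."""
    if not r.as_path:
        return "empty AS_PATH from an external peer"
    if r.as_path[0] != peer_asn:           # "enforce first AS": the sending peer must appear first
        return f"first AS {r.as_path[0]} is not the peer's AS {peer_asn}"
    if my_asn in r.as_path:                # loop (RFC 4271 9.1.2)
        return f"own AS {my_asn} present in path"
    if len(r.as_path) > max_path_len:      # very long paths have triggered router bugs in the past
        return "AS_PATH too long"
    return None


if __name__ == "__main__":
    legit = Route("203.0.113.0/24", [64500, 64505, 64496], "192.0.2.1", "192.0.2.1")
    forged = Route("203.0.113.0/24", [64666, 64496], "192.0.2.9", "192.0.2.9")
    print("chosen:", best_path([legit, forged]).as_path)   # the shorter forged path wins
```

The checks in `accept_from_peer` do not validate the path; they only stop a peer from lying about who it is or from sending a path that loops through you. Anything beyond that needs origin validation (RPKI) or path validation (BGPsec).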

A related failure mode is a route leak (RFC 7908): a route propagated beyond its intended scope, most often a customer re-advertising routes learned from one provider or peer to another, so that traffic is pulled through a network that never meant to carry it. Route leaks usually degrade performance, and a deliberate leak can be used to intercept traffic.

RFD/MRAI timers

When Autonomous Systems (ASes) exchange routing and reachability information, they announce or withdraw routes based on availability. If routes are frequently announced and then withdrawn, this behavior is called “route flapping,” which can lead to performance issues in routers. To maintain network stability and prevent such problems, network operators can configure specific timers.

  • Route Flap Damping (RFD): This mechanism mitigates the impact of route flapping by temporarily suppressing the affected routes until they stabilize.

  • Minimum Route Advertisement Interval (MRAI): This timer enforces a waiting period before a router can re-advertise the same prefix, reducing the number of repeated announcements.

These timers are crucial for the stability of the routing protocol and for keeping message overhead down. A malicious AS can, however, turn them against a victim: by repeatedly announcing and withdrawing the victim's prefix from elsewhere, it makes that prefix look unstable to third-party routers, whose damping logic then suppresses the legitimate route as well. Until the accumulated penalty decays, the targeted network is unreachable from those routers. Although there have been no significant reports of such attacks causing widespread issues, the potential threat exists and warrants attention.

Denial of Service Attacks: Attackers can flood BGP speakers with too many BGP messages, affecting their ability to process legitimate BGP packets.

Congestion-Induced BGP Session Failure

Attackers can intentionally create congestion on routers or links that carry BGP messages, leading to failures in BGP sessions.

When these sessions eventually recover, the routers involved must exchange their full routing tables again, which significantly increases their processing load and causes notable delays in network convergence.

Deliberate Route Flapping

An attacker can cause route flapping by destabilizing a router, for instance, by overloading its memory. This instability results in intermittent connections, causing the routes associated with the targeted AS to be repeatedly withdrawn and re-advertised. Consequently, these routes will continuously appear and disappear in the routing tables of connected peers.

To mitigate this issue, BGP employs Route Flap Damping (RFD). This mechanism tags unstable, flapping routes and temporarily suppresses them to reduce the number of updates and changes in the routing table. Without this suppression, the continuous flapping could lead to a denial-of-service (DoS) attack, as the affected routers would need to expend significant processing power and bandwidth to handle the repeated updates.
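As an added example (not from the article), the simulation below implements the RFC 2439 penalty model with widely used vendor defaults (penalty 1000 per flap, suppress above 2000, reuse below 750, 15-minute half-life, 60-minute maximum suppression) and replays a constructed scenario in which an attacker flaps a victim prefix three times in twenty seconds, the abuse described in the RFD/MRAI section above. With the defaults the legitimate route is suppressed for roughly half an hour; with the suppress threshold raised to 6000, as RIPE-580 recommends, the same three flaps do not trigger suppression. The class and parameter names are the example's own.

```python
"""Route flap damping (RFC 2439) simulated for one prefix: each flap adds a
penalty that decays exponentially; the route is suppressed above a threshold
and reused once the penalty decays below the reuse limit. Added example, not
code from the article. Defaults mirror common vendor defaults."""
import math
from dataclasses import dataclass


@dataclass
class DampingConfig:
    penalty_per_flap: float = 1000.0
    suppress_limit: float = 2000.0
    reuse_limit: float = 750.0
    half_life_s: float = 15 * 60
    max_suppress_s: float = 60 * 60

    @property
    def ceiling(self) -> float:
        # Largest penalty that can still decay to reuse_limit within max_suppress
        return self.reuse_limit * 2 ** (self.max_suppress_s / self.half_life_s)


class DampedRoute:
    def __init__(self, cfg: DampingConfig):
        self.cfg, self.penalty, self.last, self.suppressed = cfg, 0.0, 0.0, False

    def _decay_to(self, now: float) -> None:
        """Exponential decay: the penalty halves every half-life."""
        self.penalty *= 2 ** (-(now - self.last) / self.cfg.half_life_s)
        self.last = now

    def flap(self, now: float) -> bool:
        """Record a withdrawal (or attribute change) at time `now` in seconds.
        Returns True if the route is suppressed afterwards."""
        self._decay_to(now)
        self.penalty = min(self.penalty + self.cfg.penalty_per_flap, self.cfg.ceiling)
        if self.penalty > self.cfg.suppress_limit:
            self.suppressed = True
        return self.suppressed

    def usable(self, now: float) -> bool:
        """Whether the route may be installed and advertised at time `now`."""
        self._decay_to(now)
        if self.suppressed and self.penalty < self.cfg.reuse_limit:
            self.suppressed = False
        return not self.suppressed

    def seconds_until_reuse(self, now: float) -> float:
        self._decay_to(now)
        if not self.suppressed:
            return 0.0
        return self.cfg.half_life_s * math.log2(self.penalty / self.cfg.reuse_limit)


def simulate(flap_times, cfg: DampingConfig) -> DampedRoute:
    """Apply a sequence of flap timestamps (seconds, ascending) to a fresh route."""
    r = DampedRoute(cfg)
    for t in flap_times:
        r.flap(t)
    return r


if __name__ == "__main__":
    # Constructed scenario: an attacker announces and withdraws the victim's
    # prefix three times in 20 seconds from somewhere else in the Internet.
    attack = [0, 10, 20]
    r = simulate(attack, DampingConfig())
    print("suppressed with vendor defaults:", r.suppressed,
          "minutes until reuse: %.1f" % (r.seconds_until_reuse(20) / 60))
    r2 = simulate(attack, DampingConfig(suppress_limit=6000))
    print("suppressed with suppress_limit=6000:", r2.suppressed)
```

The asymmetry is the point: the attacker spends three UPDATEs, the victim loses reachability for about thirty minutes on every router that damps with these defaults, and the victim's own announcements can do nothing to speed the recovery.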

Hijacking the Prefixes of Another AS

When an attacker hijacks the prefix of another Autonomous System (AS), they can execute a denial-of-service (DoS) attack against the legitimate owner of that prefix. By diverting traffic intended for the victim AS to their own network, the attacker can blackhole all traffic to the target prefix, effectively cutting off communication with the legitimate AS.


TCP Attacks

Denial-of-service (DoS) attacks can also be executed at the TCP/IP layer, for example with SYN floods or with forged ICMP error messages that cause a host to reset or throttle the TCP connection carrying the BGP session.


Also, accidents happen

In addition to malicious activities, mistakes are common. Typos and misconfigurations can result in the dissemination of incorrect routing information, causing traffic to be misrouted. Whether due to accidental errors or intentional attacks, these incidents are exacerbated by the nature of BGP, where information is quickly propagated across the entire Internet. Within minutes, every AS could receive and propagate incorrect or malicious routing information, leading to widespread disruptions.

BGP security is not a new concern

Since the inception of the BGP protocol, numerous BGP-related incidents have occurred. As the Internet has grown and become increasingly vital to society, the importance of BGP security has also risen.

Awareness of BGP’s security vulnerabilities has existed for years, with widespread agreement that the trust-based system needs to evolve. Over time, various solutions have been proposed, including registering routing information in databases, verifying BGP route origins through cryptographic methods, and implementing whitelisting techniques. While some of these measures have been partially adopted, others are still awaiting further technological advancements before they can be fully deployed.

Securing BGP is a slow process, requiring collective effort from every network.

BGP operates as a global protocol across thousands of independently managed networks, so enhancing its security demands participation from as many network operators as possible. Since there is no central authority to enforce security measures, it is up to each AS to implement and maintain its own protections.

There is broad consensus that BGP should move from its trust-based model to cryptographic protection of the path. BGPsec (RFC 8205) is the standardised form of this: each AS signs the UPDATE it forwards, including the ASN of the peer it is sending to, and every receiving router verifies the whole chain of signatures, even if it is not the originator of the prefix in that message.

However, this shift requires more powerful routers capable of handling the computational load of digital signatures for hundreds of thousands of routes. Updating systems across all networks will take considerable time and resources before comprehensive BGP security is achieved.

How to mitigate BGP threats?

To protect against BGP threats, it is essential to secure the communication between BGP speakers and validate the routing information received from BGP peers. Implementing robust authentication and verification mechanisms is crucial. Additionally, isolating incorrect or malicious routing information and preventing its propagation across the Internet is critical to maintaining network security.

To achieve this, you need to verify the following:

  • BGP Speaker Authentication: Does the BGP message originate from an authorized BGP peer?
  • Origin Validation: Is the prefix being originated by its legitimate holder, or is the AS authorized to announce it?
  • Path Validation: Does the AS path accurately reflect the sequence of ASes that the BGP UPDATE message has traversed?
  • Attribute Verification: Are the attributes in the BGP UPDATE message correct, and have they been tampered with?

Securing the exchange of BGP messages between BGP speakers involves protecting both the BGP speakers themselves and the sessions established between them. This necessitates authenticating your BGP peers.

Additionally, to safeguard against BGP threats, it is crucial to validate the routing information received from your peers. This includes verifying the origin of the BGP prefix—determining whether it is being originated by the legitimate holder or an authorized AS. Along with origin validation, it’s important to ensure that the AS path attributes are accurate and have not been tampered with.

Protect Your BGP Speaker

BGP speakers are at risk of DoS and DDoS attacks. To safeguard them, operators can implement strict filtering of traffic addressed to the router itself (infrastructure ACLs and control-plane policing), rate limiting, and Unicast Reverse Path Forwarding (uRPF) as protective measures.

Protect Your BGP Sessions

BGP sessions are vulnerable to TCP/IP-level attacks. To mitigate these risks, authenticate your BGP sessions (TCP MD5, RFC 2385, or preferably TCP-AO, RFC 5925) and enable the Generalized TTL Security Mechanism (GTSM, RFC 5082), which drops BGP packets that do not arrive with the TTL a directly connected peer would produce (255), so that a remote attacker cannot reach the session at all.
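The added example below (not code from the article) shows the two session protections concretely for the TCP reset and session hijacking scenarios described earlier. It computes and verifies the RFC 2385 TCP MD5 option over a constructed BGP KEEPALIVE segment, shows that a spoofed RST with the right addresses, ports and sequence number but the wrong key fails verification, and applies a GTSM-style TTL check. Addresses, ports, sequence numbers and the key are constructed test values; the single-hop rule (TTL must be 255) is the one RFC 5082 specifies, while the `255 - (hops - 1)` threshold for multihop sessions is this example's own convention.

```python
"""Two session-layer defences for a BGP TCP session: the RFC 2385 TCP MD5
signature option and a GTSM (RFC 5082) TTL check. Added example, not code
from the article. Addresses, ports and the key are constructed test values."""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
MD5_KIND, MD5_LEN = 19, 18          # TCP option kind 19, 18 bytes (RFC 2385)
FLAG_RST, FLAG_ACK = 0x04, 0x10


def _pseudo_header(src_ip: str, dst_ip: str, seg_len: int) -> bytes:
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, TCP_PROTO, seg_len))


def tcp_md5_digest(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bytes:
    """RFC 2385 section 2: MD5 over the pseudo-header, the 20-byte TCP header
    with checksum zeroed (options excluded), the data, then the shared key."""
    doff = (segment[12] >> 4) * 4              # header length incl. options
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"                 # checksum field is hashed as zero
    return hashlib.md5(_pseudo_header(src_ip, dst_ip, len(segment))
                       + bytes(fixed) + segment[doff:] + key).digest()


def build_segment(sport, dport, seq, ack, flags, payload=b"", options=b"") -> bytes:
    options += b"\x01" * (-len(options) % 4)  # NOP-pad options to a 32-bit boundary
    doff = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff << 4, flags, 65535, 0, 0)
    return hdr + options + payload


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key) -> bytes:
    """Build a segment whose MD5 option is valid for `key`."""
    placeholder = bytes([MD5_KIND, MD5_LEN]) + b"\x00" * 16
    seg = build_segment(sport, dport, seq, ack, flags, payload, placeholder)
    digest = tcp_md5_digest(src_ip, dst_ip, seg, key)   # options are not hashed, so placeholder is fine
    return seg[:22] + digest + seg[38:]                 # option sits at bytes 20..37 of the header


def find_md5_option(segment: bytes):
    doff = (segment[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = segment[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        length = segment[i + 1]
        if kind == MD5_KIND and length == MD5_LEN:
            return segment[i + 2:i + 18]
        i += length
    return None


def verify_segment(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bool:
    """Receiver-side check: an unsigned or wrongly signed segment is dropped
    before TCP ever looks at its flags, which is what neutralises a forged RST."""
    got = find_md5_option(segment)
    if got is None:
        return False
    return hmac.compare_digest(got, tcp_md5_digest(src_ip, dst_ip, segment, key))


def gtsm_accept(ttl: int, hops: int = 1) -> bool:
    """GTSM: a directly connected peer's packets arrive with TTL 255; anything
    that has crossed more routers than `hops` allows cannot have that TTL."""
    return ttl >= 255 - (hops - 1)


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"        # BGP KEEPALIVE: marker, length 19, type 4
    good = sign_segment("192.0.2.1", "192.0.2.2", 179, 51000, 1000, 2000, FLAG_ACK, keepalive, key)
    forged_rst = sign_segment("192.0.2.1", "192.0.2.2", 179, 51000, 1000, 2000, FLAG_RST, b"", b"guess")
    print("legitimate keepalive verifies:", verify_segment("192.0.2.1", "192.0.2.2", good, key))
    print("forged RST verifies:", verify_segment("192.0.2.1", "192.0.2.2", forged_rst, key))
    print("GTSM accepts TTL 254 on a single-hop session:", gtsm_accept(254))
```

TCP-AO (RFC 5925) replaces the MD5 option with a proper MAC and key rollover, but the operational property demonstrated here is the same: knowing the 4-tuple and an in-window sequence number is no longer enough to reset or hijack the session.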

Implement Filtering

Restricting the spread of incorrect or malicious routing information is crucial to maintaining Internet stability. Many BGP incidents occur due to improper filtering. Every network must implement and maintain precise filters to strictly control which routes it accepts into its network and which routes it announces to its neighbors. A per-session maximum prefix limit is a cheap additional safety net against a neighbor that accidentally leaks a full table.

Register Your Routes in the IRR System

Network operators can use the information registered in the Internet Routing Registry (IRR) system to generate BGP filters automatically. Most upstream providers also enforce IRR-based strict filtering for the prefixes they accept from their customers. The effectiveness of these filters depends on the accuracy and completeness of the IRR data, so keep your own route and as-set objects current; stale or unverified objects in some registries are a known weakness of this approach.
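As an added example (not from the article), the block below parses a small constructed set of RPSL objects, expands a customer as-set (including a member cycle, which real IRR data does contain), turns the matching route objects into a (prefix, origin) filter, and applies it to a handful of announcements. The rule of accepting more-specifics up to /24 is a common operator convention, not something the IRR specifies, and the object names and ASNs are the example's own.

```python
"""Build a prefix filter for a customer session from IRR route objects and
apply it to announcements. Added example, not code from the article. The
RPSL objects are constructed (source: CONSTRUCTED); the "le 24" rule is a
common operator convention, not something IRR data itself mandates."""
import ipaddress

RPSL = """\
route:    203.0.113.0/24
origin:   AS64496
source:   CONSTRUCTED

route:    198.51.100.0/23
origin:   AS64497
source:   CONSTRUCTED

route:    192.0.2.0/24
origin:   AS64666
source:   CONSTRUCTED

as-set:   AS64500:AS-CUSTOMERS
members:  AS64496, AS64500:AS-DOWNSTREAM
source:   CONSTRUCTED

as-set:   AS64500:AS-DOWNSTREAM
members:  AS64497, AS64500:AS-CUSTOMERS
source:   CONSTRUCTED
"""


def parse_rpsl(text: str):
    """Split RPSL text into blank-line separated objects of attribute -> value."""
    objects, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                objects.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    if cur:
        objects.append(cur)
    return objects


def expand_as_set(name: str, objects, seen=None) -> set:
    """Recursively resolve an as-set to ASNs; `seen` guards against member cycles."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    asns = set()
    for o in objects:
        if o.get("as-set") != name:
            continue
        for m in o.get("members", "").split(","):
            m = m.strip()
            if m[:2].upper() == "AS" and m[2:].isdigit():
                asns.add(int(m[2:]))
            elif m:                                  # nested as-set
                asns |= expand_as_set(m, objects, seen)
    return asns


def build_prefix_filter(objects, as_set: str) -> set:
    """(prefix, origin ASN) pairs the customer behind `as_set` may announce."""
    origins = expand_as_set(as_set, objects)
    return {(o["route"], int(o["origin"][2:])) for o in objects
            if "route" in o and int(o["origin"][2:]) in origins}


def check_announcement(prefix: str, origin: int, allowed: set, max_len: int = 24) -> str:
    """Accept the registered prefix or more-specifics up to /max_len, from the registered origin only."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > max_len:
        return f"reject: longer than /{max_len}"
    covering = [(p, a) for p, a in allowed
                if ipaddress.ip_network(p).version == net.version
                and net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "reject: no route object covers prefix"
    if any(a == origin for _, a in covering):
        return "accept"
    return f"reject: AS{origin} is not a registered origin for prefix"


if __name__ == "__main__":
    allowed = build_prefix_filter(parse_rpsl(RPSL), "AS64500:AS-CUSTOMERS")
    print(sorted(allowed))
    for p, o in [("203.0.113.0/24", 64496), ("198.51.100.0/24", 64497),
                 ("198.51.100.0/25", 64497), ("203.0.113.0/24", 64666), ("192.0.2.0/24", 64496)]:
        print(p, o, "->", check_announcement(p, o, allowed))
```

In production the same logic is what tools such as bgpq4 or IRRd-based generators produce as vendor prefix-lists; the point of the example is what the filter can and cannot catch: it stops a customer announcing someone else's registered space, but it is only as trustworthy as the route objects it was built from.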

Implement RPKI

It is advisable to create Route Origin Authorizations (ROAs) in the Resource Public Key Infrastructure (RPKI) for your own prefixes and to use RPKI data for route origin validation (ROV) on the routes you receive. RPKI is a security framework built on cryptographically signed certificates and ROAs issued under the Regional Internet Registries' resource hierarchy. A router compares each received route's origin AS and prefix length against the validated ROA payloads and classifies the route as Valid, Invalid or NotFound, which lets operators reject origin hijacks instead of trusting the announcement.
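The added example below (not from the article) implements the RFC 6811 validation states over a constructed VRP set and runs the origin-hijack cases from earlier in the page through it: a forged origin, a more-specific beyond the ROA's maxLength, a prefix with no ROA, and an AS0 ROA. The policy mapping (reject Invalid, accept NotFound with a lower local preference) is an illustrative choice that many operators make, not part of the RFC; all prefixes and ASNs are documentation values.

```python
"""RPKI route origin validation (RFC 6811) over a constructed set of
validated ROA payloads (VRPs), plus the policy action commonly attached to
each state. Added example, not code from the article; the VRP set and the
announcements are constructed and the policy mapping is illustrative."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class VRP:
    prefix: str       # ROA prefix
    max_length: int   # longest more-specific the holder authorises
    asn: int          # authorised origin; 0 means "nobody may originate this"


def rov_state(route_prefix: str, origin_asn: Optional[int], vrps: Iterable[VRP]) -> str:
    """RFC 6811 section 2: 'valid' if a covering VRP matches the origin AS and
    the route is no longer than maxLength; 'invalid' if VRPs cover the route
    but none matches; 'not-found' if no VRP covers it at all."""
    route = ipaddress.ip_network(route_prefix)
    covering = []
    for v in vrps:
        roa = ipaddress.ip_network(v.prefix)
        if roa.version == route.version and route.subnet_of(roa):
            covering.append(v)
    if not covering:
        return "not-found"
    for v in covering:
        # AS0 ROAs (RFC 7607) never match; they mark a prefix as not-to-be-announced
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


def origin_asn(as_path: List[int]) -> Optional[int]:
    """Origin = rightmost AS of the path (AS_SET-terminated paths are not handled here)."""
    return as_path[-1] if as_path else None


POLICY = {"valid": "accept", "not-found": "accept (lower LOCAL_PREF)", "invalid": "reject"}


def evaluate(announcements, vrps):
    """Return [(prefix, origin, state, action)] for a batch of (prefix, as_path) tuples."""
    out = []
    for prefix, as_path in announcements:
        asn = origin_asn(as_path)
        state = rov_state(prefix, asn, vrps)
        out.append((prefix, asn, state, POLICY[state]))
    return out


if __name__ == "__main__":
    vrps = [VRP("203.0.113.0/24", 24, 64496), VRP("192.0.2.0/24", 24, 0)]
    batch = [("203.0.113.0/24", [64500, 64496]),     # legitimate
             ("203.0.113.0/24", [64500, 64666]),     # origin hijack
             ("203.0.113.128/25", [64500, 64496]),   # more-specific beyond maxLength
             ("198.51.100.0/24", [64500, 64497])]    # no ROA at all
    for row in evaluate(batch, vrps):
        print(row)
```

Two caveats the example makes visible: a ROA with a generous maxLength lets a hijacker who forges the legitimate origin announce a more-specific and still validate, so set maxLength no larger than what you actually announce; and ROV says nothing about the rest of the AS_PATH, so a forged path with the correct origin AS at the end passes as Valid.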

