Introduction to BGP and its security #1

 

 

BGP made you capable of reading this article RIGHT NOW! Sounds scary  ??! 😜 Isn't it?? 


The Border Gateway Protocol (BGP) is the routing protocol which makes Internet working , used to route traffic across the Internet. For that reason, it's a pretty important protocol, and it can also be the hardest one to understand.

 

From our overview of Internet routing, you should realize that routing in the Internet is comprised of two parts: the internal fine-grained portions managed by an IGP such as OSPF, and the interconnections of those autonomous systems (AS) via BGP.

 

 

 

Who should understand BGP?

 

BGP is relevant to network administrators of large organizations which connect to two or more ISPs, as well as to Internet Service Providers (ISPs) who connect to other network providers. If you are the administrator of a small corporate network, or an end user, then you probably don't need to know about BGP.

 

Some basic BGP facts:

 

  • The current version of BGP is BGP version 4, based on RFC4271.

  • Peers that have been manually configured to exchange routing information will form a TCP connection and begin speaking BGP. There is no discovery in BGP.

  • Medium-sized businesses usually get into BGP for the purpose of true multi-homing for their entire network.

  • An important aspect of BGP is that the AS-Path itself is an anti-loop mechanism. Routers will not import any routes that contain themselves in the AS-Path.

  • BGP is the path-vector protocol that provides routing information for autonomous systems on the Internet via its AS-Path attribute.

  • BGP is a Layer 4 protocol that sits on top of TCP. It is much simpler than OSPF, because it doesn’t have to worry about the things TCP will handle.

 

 

Routes and Autonomous Systems
 

To fully understand BGP we’ll first get familiar with a couple of underlying concepts, starting with what it actually means to be connected to the Internet. For a host to be connected there must be a path or “route” over which it is possible for you to send a packet that will ultimately wind up at that host, and for that host to have a path over which to send a packet back to you. That means that the provider of Internet connectivity to that host has to know of a route to you; they must have a way to see routes in the section of the IP space that you are using. For reasons of enforced obfuscation by RFC writers, routes are also called Network Layer Reachability Information (NLRI). As of December 2015, there are over 580,000 IPv4 routes and nearly 26,000 IPv6 routes.

 

Another foundational concept is the Autonomous System (AS), which is a way of referring to a network. That network could be yours, or belong to any other enterprise, service provider, or nerd with her own network. Each network on the Internet is referred to as an AS, and each AS has at least one Autonomous System Number (ASN). There are tens of thousands of ASNs in use on the Internet. Normally the following elements are associated with each AS:

  • An entity (a point of contact, typically called a NOC, or Network Operations Center) that is responsible for the AS.

  • One or multiple border routers. A border router is a router that is configured to peer with a router in a different AS, meaning that it creates a TCP session on port 179 and maintains the connection by sending a keep-alive message every 60 seconds. This peering connection is used by border routers in one AS to “advertise” routes to border routers in a different AS (more on this below).

  • An internal routing scheme so that every router in a given AS knows how to get to every other router and destination within the same AS. This would typically be accomplished with an interior gateway protocol (IGP) such as Open Shortest Path First (OSPF) or Intermediate System to Intermediate System (IS-IS).

 

Introducing BGP
 

As explained above, the interconnections that are created to carry traffic from and between Autonomous Systems result in the creation of “routes” (paths from one host to another). Each route is made up of the ASN of every AS in the path to a given destination AS. BGP (more explicitly, BGPv4) is the routing protocol that is used by your border routers to “advertise” these routes to and from your AS to the other systems that need them in order to deliver traffic to your network:

  • Upstream or transit networks, which are the providers that connect you to other networks.

  • Peer networks, which are the ASs with which you’ve established a direct reciprocal connection;

Actually, your border routers advertise routes to the portions of the IPv4 and IPv6 address space that you and your customers are responsible for and know how to get to, either on or through your network.

 

Advertising routes that “cover” (include) your network is what enables other networks to “hear” a route to the hosts within your network. In other words every IP address that you can get to on the Internet is reachable because someone, somewhere, has advertised a route that covers it. If there is not a generally advertised route to cover an IP address, then at least some hosts on the Internet will not be able to reach it.

 

The advertising of routes helps a network operator do two very important things. One is to make semi-intelligent routing decisions concerning the best path for a particular route to take outbound from your network. Otherwise you would simply set a default route from your border routers into your providers, which might cause some of your traffic to take a sub-optimal external route to its destination. Second, and more importantly, you can announce your routes to those providers, for them to announce in turn to others (transit) or just use internally (in the case of peers).

 

In addition to their essential role in getting traffic to its destination, advertised routes are used for several other important purposes:

  • To enable policy enforcement and traffic preferences;

  • To avoid creating routing, and thus packet, loops.

  • To help track the origin and path of network traffic;

In addition to the routing functionality of BGP, BGP is also used to listen to the routes from other networks. The sum of all of the route advertisements from all of the networks on the Internet contributes to the “global routing table” that is the Internet’s packet directory system. If you have one or more transit provider, you will usually be able to hear that full list of routes.

One further complication: BGP actually comes in two flavors depending on what it’s used for:

  • Internal BGP (iBGP) is used between routers within the same AS.

  • External BGP (eBGP) is the form used when routers that aren’t in the same AS advertise routes to one another. From here on out you can assume that, unless otherwise stated, we’re talking about eBGP.

 

The AS_PATH attribute
 

There are dozens and dozens of attributes for BGP, the most important of which is AS_PATH. Every time a route is advertised by one BGP router to another over a peering session, the receiving router adds the remote ASN to this attribute.

 

For instance, when Vodafone hears a route from AT&T, Vodafone “stamps” the incoming route with AT&T's ASN, thereby building the route in AS_PATH. (Note that when a route is advertised between routers in the same AS, using iBGP, the ASN for both routers is the same and thus AS_PATH is left unchanged.)

 

In the case when multiple routes are available, remote routers will generally decide which is the best route by picking the route with the shortest AS_PATH, meaning the route that will traverse the fewest ASes to get traffic to a given destination AS. That may or may not be the fastest route, however, because there’s no information about the network represented by a given AS: nothing about that network’s bandwidth, the number of internal routers and hop-count, or how congested it is. From the standpoint of BGP, every AS is pretty much the same.

 

Additional uses for AS_PATH include:

  • Setting policy: BGP is designed to allow providers to express “policy” decisions such as preferring Vodafone over AT&T to get to Comcast.

  • Visibility: AS_PATH provides a way to understand where your traffic is going and how it gets there.

  • Loop detection: When a border router receives a BGP update (path advertisement) from its peers it scans the AS_PATH attribute for its own ASN; if found the router will ignore the update and will not advertise it further to its iBGP neighbors. This precaution prevents the creation of routing loops.

 

Possible BGP attacks

 

One of the possible BGP attack is route hijacking, caused by someone using BGP to announce illegitimate routes.
When hijacking occurs, it disrupts the Internet and can lead to #Cyberattacks, shutting down services, or creating reliability issues.

One use of hijacking is to block social media sites.

 

Let me explain it to you with a simple exmaple:

Let's go back to the early 2014:
 

 


Turkish service providers hijacked Google’s DNS servers to prevent citizens from accessing their social media accounts . 

In another high-profile attack, Pakistani service providers  *NAME IS SENSORED

complying with government wishes to block YouTube -- Therefore, they injected a BGP route for YouTube that directed its traffic to nowhere Hahaha!🤣 .

 

And jump then to 2018:

 

A snapshot of BGP routing announcements that led to Cloudflare traffic being routed in a roundabout

 

When this route inexplicably leaked outside of Pakistan, service providers across the Internet carried it and caused YouTube’s removal from the Internet. 

 

Recently, a new kind of BGP route hijack attack has come to the fore: a man-in-the-middle (MITM) attack. In this specific type of attack, traffic is redirected first, giving criminals access to it before it goes to its final destination.
Just in 2015 , researchers at Dell SecureWorks uncovered multiple man-in-the-middle BGP attacks used to steal bitcoins. The thief earned about $83,000 in profits in more than four months, compromising 51 networks from 19 different ISPs.

 

According to The Washington Post, Internet monitoring company Renesys says man-in-the-middle attacks began surfacing in 2013. In February 2013, traffic from major financial institutions, governments, and network service providers  was diverted from its usual paths and went through Belarus before it was sent back through to the normal destinations.

 

In another case, all traffic between Europe and North America was rerouted through a service provider in Iceland. The culprits probably carefully crafted this so that the additional delays created little to no performance degradation. The victims of man-in-the-middle attacks may never realize that their traffic was diverted.

 

More nastier still is that malicious attacks are becoming more widespread. A 2014 study by Andrei Robachevsky of the Internet Society found that at least 10% of routing incidents are real threats. There are a few malicious attacks every month. 

 

A couple of ways to secure BGP

 

What can be done to thwart these attacks? The Internet Engineering Task Force (IETF) has undertaken two efforts to fix BGP security issues over the years, RPSL and SIDR, but both have problems that have impeded their success.

 

Anyway there are many ways to trick and misuse BGP. But we will can discuss it in upcoming articles.

Let's jump into the summary!

 
 
Summary
 
 

Up to now, we’ve just scratched the surface of BGP, but we’ve learned a few core concepts and security concerns related to this HUGE routing protocol that will serve as a foundation for future exploration:

  • Internet connectivity: the ability of a given host to send packets across the Internet to a different host and to receive packets back from that host.

  • Peering: a direct connection between the border routers of two different ASs in which each router advertises the routes of its AS.

  • eBGP: the protocol used by border routers to advertise routes.

  • ASPATH:_ the BGP attribute used to specify routes.

  • Autonomous system (AS): a network that is connected to other networks on the Internet and has unique AS number (ASN).

  • Route: the path travelled by traffic between Autonomous Systems.

  • Border router: a router that is at the edge of an AS and connects to at least one router from a different AS.

In upcoming articles we’ll of course go deeper into the uses and implications of the above concepts. We’ll also take a look at single-homed and multi-homed networks, how using BGP changes the connectivity between a network and the Internet, and who can benefit from using BGP.

When we’ve got those topics down we can then look at the ins and outs of BGP configuration in real world scenarios.

 

 

 

TRADEMARK LEGAL NOTICE
All product names, logos, and brands are property of their respective owners in the Austria or other countries.All company, product and service names used on this website are for identification purposes only. Pheniix is notaffiliated with or an official partner of Cisco, CompTIA,Dimension Data, VMware, Amazon, Microsoft, Certified Ethical Hacker, (ISC)², Juniper, Wireshark, Offensive Security,Google, GNS3, F5, Python, Linux, Java, Openstack, Vagrant, Ansible, Docker, GIT, , Blockchain or other companies.Use of these names, logos, and brands does not imply endorsement.The opinions expressed on pheniix are personal perspectives and not those of Cisco , Dimension Data or any other company. Pheniix runs as an independent blog.
Please reload

Follow us:

  • Google play
  • Twitter
  • Pheniix bootique

©2020 Pheniix All Rights Reserved – Privacy Policy- Terms of Service , TRADEMARK LEGAL NOTICE