This is an analysis of BGP that I did a while ago; it reveals some of the problems BGP has.

BGP Security Analysis
Abstract

BGP is one of the most important protocols running on the Internet. It has now been updated to BGP-4 and other versions, but it is also vulnerable to multiple attacks. I'll identify several attack objectives and mechanisms, assuming that one or more BGP routers have been compromised. Then I review the existing and proposed countermeasures, showing that they are either generally ineffective (route filtering) or probably too heavyweight to deploy (S-BGP). I also review several recent proposals.

1. Introduction

The Internet routing infrastructure is also vulnerable to attacks. The objectives of routing attacks can include blackholing and loss of connectivity, traffic redirection to networks controlled by adversaries, traffic subversion and data interception, or persistent routing instability. The BGP protocol provides connectivity between ASes, so BGP attacks have the potential to affect a much larger number of users and potentially compromise routing across the global Internet. In this report, I'll explore how an attacker might exploit the BGP protocol to compromise the interdomain routing infrastructure. The presented attacks are relatively easy to perform as long as a hacker manages to compromise one or more BGP speakers. The rest of the report is organised as follows. Section 2 outlines the BGP mechanisms that enable malicious attacks. The effectiveness of the two major countermeasures (filtering and S-BGP) is described in Section 3. I conclude in Section 4.

2. Attack Mechanisms

A compromised router can modify, drop, or introduce fake BGP updates. The result can be that other routers have incorrect views of the network, leading to blackholing, redirection, or instability. The effectiveness of some attacks depends on the AS topology and on the location of the compromised router relative to the victim network.

False UPDATEs and prefix hijacking are probably the most straightforward type of BGP attack.
They occur when an AS announces a route that it does not have, or when an AS originates a prefix that it does not own. The effectiveness of false UPDATEs is limited by the location and connectivity of the hijacked BGP speaker.

De-aggregation, when used as an attack, breaks up an address block into a number of more specific (i.e., longer) prefixes. Since the BGP route selection process gives higher preference to the longest matching prefix for a given destination, the attacker can use de-aggregation to announce fake routes that will be preferred throughout the Internet over the legitimate routes to that network.

Contradictory advertisements, meaning different routing announcements sent by the same AS to different BGP peers, are a legitimate technique for interdomain traffic engineering. Update modifications can be used by a compromised router to redirect traffic in a way that hurts the origin AS.

Advertent link flapping can be used to trigger route dampening for a victim network at an upstream router. A malicious router can advertently flap a route to a victim address block (or blocks). This can be done by withdrawing and re-announcing the target routes at a sufficiently high rate that the neighboring BGP speakers dampen those routes. A dampened route would force the traffic to the victim AS to take a different path, enabling traffic redirection. Route dampening occurs even if the router cannot find an alternate path to the corresponding destination; the victim network, in that case, remains unreachable for the duration of the route dampening.

Instability, in the form of wide-scale cascading failures, can occur when a number of BGP sessions repeatedly time out due to router reboots, link congestion, or intermittent physical link failures. Instability, in the form of delayed convergence (up to several minutes), can also occur upon routing or policy changes, due to the MinRouteAdver timer and the way BGP explores alternate paths.

Congestion-induced BGP session failures.
An indirect way to attack the interdomain routing infrastructure is by causing heavy congestion in links that carry BGP peering sessions.

3. Countermeasures

In the current Internet, the possibility of BGP attacks and misconfigurations has so far mostly been dealt with through "Best Common Practice" (BCP) documents from router vendors. BCPs typically recommend practical measures to prevent a router from being hijacked, and to avoid fake or incorrect advertisements being accepted by a router.

3.1 BGP Session Security

The BGP TTL Security Hack (BTSH) protects against hackers that attempt to hijack a BGP session without controlling either of the two speakers. The basic idea is to set the IP header TTL field to a value that allows those BGP packets to reach the receiving router only if the latter is exactly one hop away from the sender. TCP MD5 encryption protects against spoofed messages and TCP connection hijacking. Unicast Reverse Path Filtering (Unicast-RPF) examines whether the received BGP messages have the source address of the peering BGP speaker.

3.2 Route Filtering

Currently, the main use of route filtering is to enforce business relationships between ASes. Filtering works by creating Access Control Lists of prefixes or ASes, which are then used by a router when it sends or receives UPDATEs. Outgoing UPDATEs pass through egress filters, allowing operators to control which routes are announced to peers. Ingress filters, on the other hand, are applied to incoming UPDATEs and can be used to check the validity of the received routes.

3.3 S-BGP

Secure BGP (S-BGP) was designed by researchers at BBN as an extension to BGP with the objective of protecting BGP from erroneous or malicious UPDATEs. S-BGP adds strong authorization and authentication capabilities to BGP based on public-key cryptography. A deployment obstacle, however, is that it requires the presence of a hierarchical PKI infrastructure and distribution system, trusted by all participating ISPs.
Another obstacle is that S-BGP is quite cryptographically intensive, requiring each UPDATE to be verified and signed by each S-BGP router (or by each participating AS) it goes through. Aggregation is an additional problem for S-BGP.

3.4 Secure Origin BGP

soBGP is a lightweight alternative to S-BGP, mostly proposed by researchers at Cisco Systems. soBGP aims to authenticate two aspects of routing information. First, soBGP validates that an AS is authorized to originate a given prefix. Second, soBGP attempts to verify that an AS advertising a prefix has at least one valid (in terms of policy and topology) path to that destination. soBGP is based on the use of three certificate types: Entity Certificate, Authorization Certificate, and Policy Certificate. Instead of relying on a hierarchical PKI infrastructure, soBGP uses a Web-of-Trust model to validate certificates, relying on the existing relations between ISPs.

4. Conclusion

In this report, I identified several attack mechanisms, assuming that one or more BGP routers have been compromised. Then I provided some countermeasures to protect BGP against attacks. But for now, only a few attacks have been reported. For our company, I think it may not be worth bringing some effective mechanisms into our products.
crack 2008-08-29

From: 四不象
Sent: 2008-08-28 14:37:37
To: [email protected]
Cc:
Subject: [Ph4nt0m] Does anyone know about this vulnerability? "Another Internet super-vulnerability disclosed"

Another Internet super-vulnerability disclosed
Author: its | Published: 2008-8-27 (15:13) | Reads: 262 | Comments: 0

Two security researchers recently demonstrated a new technique that can intercept packets on the Internet, a form of interception previously thought impossible. The technique exploits the Internet routing protocol BGP (Border Gateway Protocol) to let an intruder monitor Internet traffic anywhere in the world, and even tamper with the packets.

The demonstration was only meant to show the security shortcomings of the Internet's core protocols, most of which were developed in the 1970s for the nascent network of that time, under the assumption that the nodes on the network were all trustworthy. These assumptions are being broken one by one. In July, Dan Kaminsky disclosed a serious vulnerability in the DNS system (see: "DNS vulnerability details leaked, attacks about to begin" and "Interview with DNS vulnerability discoverer Dan Kaminsky"), and security experts say the newly found vulnerability will affect an even wider range of victims.

"This is a very serious problem, even more serious than the DNS vulnerability," said Peiter "Mudge" Zatko, a well-known security expert and former member of the L0pht hacker group. When he testified before Congress in 1998, Peiter said he could take down the Internet in 30 minutes using a similar BGP attack technique, and he also privately told government agencies how BGP could be used for eavesdropping. Peiter said he had been studying this problem for ten to twenty years and had described it to intelligence agencies and the National Security Agency.

The attack exploits the BGP protocol to trick routers into forwarding data to the eavesdropper's network. Anyone with a BGP router (ISPs, and companies that lease rack space from a carrier) can intercept data, but the attack can only intercept data flowing toward the target address; it cannot roam freely between networks.
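The de-aggregation attack from Section 2 of the report above and the ingress prefix filter from Section 3.2, worked through in an added example that is not part of the original post or of any BGP implementation. The ASNs (64500, 64666) and prefixes (10.0.0.0/16 and its two /17s) are constructed sample values, and the toy RIB keeps only the longest-prefix-match step of real BGP route selection.

```python
import ipaddress

class Rib:
    """Toy BGP routing table: one route per prefix, with the best route chosen
    by the longest matching prefix, which is exactly what de-aggregation exploits."""
    def __init__(self, ingress_filter=None):
        self.routes = {}            # ip_network -> originating AS
        self.ingress_filter = ingress_filter
        self.rejected = []          # (neighbor AS, prefix) dropped by the filter

    def receive_update(self, neighbor_as, prefix, origin_as):
        net = ipaddress.ip_network(prefix)
        if self.ingress_filter and not self.ingress_filter(neighbor_as, net):
            self.rejected.append((neighbor_as, str(net)))
            return False
        self.routes[net] = origin_as
        return True

    def lookup(self, address):
        """Forwarding decision: the most specific installed prefix wins."""
        ip = ipaddress.ip_address(address)
        matches = [n for n in self.routes if ip in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

def make_prefix_filter(allowed):
    """Ingress prefix ACL: a neighbor may only announce prefixes that fall inside
    the blocks registered for it and are no longer than the registered maximum
    length, so a block split into more-specifics is rejected at the edge."""
    def accept(neighbor_as, net):
        return any(net.subnet_of(block) and net.prefixlen <= max_len
                   for block, max_len in allowed.get(neighbor_as, []))
    return accept

def run_scenario(filtered):
    """Constructed sample: AS64500 legitimately originates 10.0.0.0/16, and
    AS64666 announces the two covering /17s it does not own. Returns the AS
    that traffic to 10.0.5.1 is forwarded to once all UPDATEs are processed."""
    allowed = {64500: [(ipaddress.ip_network("10.0.0.0/16"), 16)],
               64666: [(ipaddress.ip_network("192.168.0.0/16"), 24)]}
    rib = Rib(make_prefix_filter(allowed) if filtered else None)
    rib.receive_update(64500, "10.0.0.0/16", 64500)    # legitimate origin
    rib.receive_update(64666, "10.0.0.0/17", 64666)    # de-aggregated hijack
    rib.receive_update(64666, "10.0.128.0/17", 64666)
    return rib.lookup("10.0.5.1")

if __name__ == "__main__":
    print("no filter   ->", run_scenario(False))   # 64666: the hijack wins
    print("with filter ->", run_scenario(True))    # 64500: more-specifics dropped
```

Without the ACL the two /17s are installed and win the longest-match lookup; with it they never enter the table, so the /16 from the legitimate origin keeps carrying the traffic.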

