Border Gateway Protocol (BGP) Security, LKNOG 8

apnic 268 views 42 slides Aug 30, 2024

About This Presentation

Md. Zobair Khan, Network Analyst / Technical Trainer at APNIC, presented on BGP security at LKNOG 8 held in Colombo, Sri Lanka from 12 to 16 August 2024.


Slide Content

1
Securing BGP: Operational Strategies and
Best Practices for Network Defenders

2
• Network engineer and enthusiast for a long time
• Working as a Trainer/Analyst @ APNIC
• Exposure to multi-vendor, multi-platform technologies
• A security-minded person
• Would love to contribute to the community
[email protected]
$ whois MD ZOBAIR KHAN

3
BGP – Border Gateway Protocol
• Routing protocol for connecting different networks
• Path vector protocol
• Runs on TCP port 179
• Wide scope for implementing policy
• Mainly used for Internet routing
• An AS number is required
• eBGP & iBGP

4
BGP – A TCP Protocol
https://www.geeksforgeeks.org/what-is-transmission-control-protocol-tcp/
https://medium.com/@R00tendo/tcp-connection-hijacking-deep-dive-9bbe03fce9a9

5
BGP Vulnerabilities
TCP SYN Floods
Man-in-the-Middle Attacks
TCP Sequence Number Prediction
TCP Session Hijacking
TCP Connection Teardown Attacks
TCP ACK Storms
Route Hijacking
Route Leaks
BGP Session Hijacking
BGP Session Reset Attacks
BGP Attribute Manipulation
Resource Exhaustion Attacks

6
TCP SYN Flood
https://www.cloudflare.com/img/learning/ddos/syn-flood-ddos-attack/syn-flood-attack-ddos-attack-diagram-2.png

7
MiTM
https://www.apriorit.com/wp-content/uploads/2021/04/scheme-of-an-mitm-attack.jpg

8
TCP Sequence Number Prediction
https://www.kareemccie.com/2018/01/what-is-tcp-session-hijacking.html

9
TCP Session Hijack
https://www.kareemccie.com/2018/01/what-is-tcp-session-hijacking.html

10
TCP Connection Tear Down
https://www.google.com/url?sa=i&url=https%3A%2F%2Flearningnetwork.cisco.com%2Fs%2Fquestion%2F0D53i00000KswSeCAJ%2Ftcp-connection-termination-is-the-diagram-correct&psig=AOvVaw31fN48L66D8FzJ1JBapdFr&ust=1716015638995000&source=images&cd=vfe&opi=89978449&ved=0CBQQjhxqGAoTCKChy8aOlIYDFQAAAAAdAAAAABDqBA

11
TCP ACK Storms
https://kb.mazebolt.com/knowledgebase/ack-flood/

12
Route Hijacking

13
Route Leaks

14
BGP Session Reset
https://slideplayer.com/slide/9598472/

15
BGP Session Hijacking
https://slideplayer.com/slide/9598472/

16
BGP Attribute Manipulation
https://www.kwtrain.com/blog/bgp-pt2

17
Resource Exhaustion
https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/

18
BGP Security Measures

19
RPKI – Resource Public Key Infrastructure
[Diagram: RIR repositories → ROAs → validator software (verification) → validated cache → RPKI-RTR → routers]
• Create ROAs for owned resources in the RPKI
• Implement validator (relying party) software for ROV
• RIR repositories provide ROA information to the validator software
• The software builds a validated cache and feeds it to the router infrastructure over an RTR session
• Routers enforce policies based on the validated cache
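The router-side step at the end of that chain (an announcement checked against the validated cache, invalids dropped), as an added Python example; this is not code from the presentation or from any validator product, and the ROAs and announcements below are constructed from documentation prefixes and private ASNs.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization as the router receives it over RPKI-RTR."""
    prefix: str       # authorised prefix, e.g. "203.0.113.0/24"
    max_length: int   # longest prefix length the origin may announce under it
    asn: int          # authorised origin AS (0 means: no AS may originate this)

# Constructed validated cache for this example (not from the slides):
# documentation prefixes and private ASNs only.
VALIDATED_CACHE = [
    ROA("203.0.113.0/24", 24, 64500),  # only the /24 itself, from AS64500
    ROA("2001:db8::/32", 48, 64500),   # AS64500 may announce /32 down to /48
    ROA("192.0.2.0/24", 24, 0),        # AS0 ROA: any origin for this space is invalid
]

def rov_state(announced_prefix: str, origin_asn: int, cache=VALIDATED_CACHE) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in cache:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"      # no ROA covers this space; RPKI says nothing
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"            # covered, but wrong origin AS or too specific

def apply_policy(announced_prefix: str, origin_asn: int, drop_invalid: bool = True):
    """Policy from the slides: keep valid and not-found, drop invalid."""
    state = rov_state(announced_prefix, origin_asn)
    action = "reject" if (state == "invalid" and drop_invalid) else "accept"
    return state, action

if __name__ == "__main__":
    for pfx, asn in [("203.0.113.0/24", 64500), ("203.0.113.0/25", 64500),
                     ("203.0.113.0/24", 64511), ("198.51.100.0/24", 64500),
                     ("2001:db8:1::/48", 64500), ("192.0.2.0/24", 64500)]:
        print(f"{pfx} from AS{asn}: {' -> '.join(apply_policy(pfx, asn))}")
```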

20
IRR Database

21
Filtering – BCP 194 – RFC 7454
Discard special-case prefixes: bogons, prefixes longer than /24 (v4) and /48 (v6), own prefixes, LAN prefixes and default routes
Special-Purpose Prefixes
Unallocated Prefixes
Prefixes That Are Too Specific
Filtering Prefixes Belonging to the Local AS and Downstreams
IXP LAN Prefixes
The Default Route
Filters with Internet Peers
Filters with Customers
Filters with Upstream Providers
Inbound Filtering
Outbound Filtering
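An added Python example (not from the presentation) of an inbound prefix filter applying the discard rules listed above; the bogon subset, own prefix and IXP LAN prefix are constructed, and a real deployment would take the full bogon and unallocated list from a feed such as Team Cymru's.

```python
import ipaddress

# Constructed inputs for this example (not from the slides).
# Subset of special-purpose space (RFC 1918, RFC 6598, loopback, link-local,
# multicast, ULA); the documentation prefixes are deliberately left out so they
# can stand in for "real" customer space below. Unallocated space and the full
# bogon list would come from a feed such as Team Cymru's.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]  # the local AS's own space
IXP_LAN = [ipaddress.ip_network("198.51.100.0/24")]      # peering LAN of the IXP
MAX_LEN = {4: 24, 6: 48}                                  # RFC 7454 "too specific" limits

def _covered(net, nets):
    """True if `net` falls inside any prefix in `nets` of the same address family."""
    return any(n.version == net.version and net.subnet_of(n) for n in nets)

def inbound_verdict(prefix: str) -> str:
    """Evaluate a prefix received from an eBGP peer: 'accept' or 'discard:<reason>'."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 0:
        return "discard:default-route"
    if _covered(net, BOGONS):
        return "discard:bogon"
    if net.prefixlen > MAX_LEN[net.version]:
        return "discard:too-specific"
    if _covered(net, OWN_PREFIXES):
        return "discard:own-prefix"      # nobody else may announce our space to us
    if _covered(net, IXP_LAN):
        return "discard:ixp-lan"
    return "accept"

def filter_update(prefixes):
    """Split received prefixes into accepted ones and discarded ones with their reasons."""
    accepted, discarded = [], {}
    for p in prefixes:
        verdict = inbound_verdict(p)
        if verdict == "accept":
            accepted.append(p)
        else:
            discarded[p] = verdict.split(":", 1)[1]
    return accepted, discarded

if __name__ == "__main__":
    ok, bad = filter_update(["0.0.0.0/0", "10.1.0.0/16", "192.0.2.0/25",
                             "192.0.2.0/24", "203.0.113.0/24", "2001:db8:1::/48"])
    print("accepted:", ok)
    print("discarded:", bad)
```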

22
Tools for Filtering
https://github.com/snar/bgpq3
IRRPT
BGPQ4

23
RTBH
https://www.cisco.com/c/dam/en_us/about/security/intelligence/blackhole.pdf

24
URPF
https://www.cisco.com/c/dam/en_us/about/security/intelligence/blackhole.pdf

25
GTSM
• Prevents third-party attacks on eBGP peers. Works best with MD5 authentication. Must be configured on both peers.
• (neighbor <ipv4-ptp> ttl-security hops 1)
https://www.researchgate.net/figure/The-Generalized-TTL-Security-Mechanism-GTSM-in-operation-Routers-set-the-TTL-on-a_fig4_228910855

26
MD5 Authentication
• Must be configured on both peers with the same password. (neighbor <ipv4-ptp> password CISCO)
https://costiser.ro/uploads/tcp-options-calculating-bgp-md5-digest.png

27
Community Scrubbing
Ingress BGP peering policy applied to transit/public/private and downstream peers should remove all inbound communities with the SP’s number in the high-order bits, except for the ones used for signaling (e.g. setting BGP Local Preference)
https://bgphelp.com/2017/02/02/bgp-best-practices-or-dissecting-rfc-7454/

28
Bogon Filter
https://www.team-cymru.com/bogon-networks
https://rickfreyconsulting.com/mikrotik-router-bgp-peering-with-team-cymru-for-bogons/

29
Prefix Limit
•neighbor <x.x.x.x> maximum-prefix <max> [restart N] [<threshold>] [warning-only]
https://flylib.com/books/en/4.208.1.66/1/

30
AS Path Length
https://aboutnetworks.net/bgp-load-sharing/
•router bgp X0
• bgp maxas-limit 5

31
Customer Route Preference
https://networklessons.com/bgp/bgp-attributes-and-path-selection

32
Transit AS Filter

33
Removing Private AS
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClInCAK
•neighbor <ipv4-ptp> remove-private-as

34
BGP Admin Distance
Set the BGP administrative distance higher than the IGP's, and make external, internal and local the same:
distance bgp 200 200 200
https://study-ccna.com/floating-static-route/

35
MANRS Actions

36
MANRS Observatory
https://observatory.manrs.org/#/overview

37
BGP Security Measures
–ROA & RPKI
• Trust anchor, validator software such as Routinator 3000/Fort/OctoRPKI/RPKI-Client, RTR session, drop invalids
–Due Diligence Checking with IRR
• Whois query, RADB, IRRs of the RIRs – (whois -h whois.apnic.net -i or AS10075 | grep route:)
–Filtering (Prefix & AS)
• Discard special-case prefixes: bogons, prefixes longer than /24 (v4) & /48 (v6), own prefixes, LAN prefixes, default routes
–Using Tools for Filter Generation (bgpq3, rtconfig etc.)
• bgpq3 -4 -l NAME AS10075
–RTBH
• Black-holing unwanted traffic to null
–URPF
• Difficult for multihomed networks. Can be used in feasible mode
–GTSM
• Prevents third-party attacks on eBGP peers. Works best with MD5 authentication. Must be configured on both peers.
• (neighbor <ipv4-ptp> ttl-security hops 1)
–MD5 Authentication
• Must be configured on both peers with the same password. (neighbor <ipv4-ptp> password CISCO)
–Community Scrubbing
• An AS should scrub communities used internally but forward foreign communities.

38
BGP Security Measures
–Bogon Filtering
• Private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598, and number resources not yet allocated to an RIR by the Internet Assigned Numbers Authority. The Bogon Route Server Project by Team Cymru is a very helpful way to handle bogons.
–Prefix Limit
•neighbor <x.x.x.x> maximum-prefix <max> [restart N] [<threshold>] [warning-only]
–AS Path Length Limit
•router bgp X0
• bgp maxas-limit 5
–Customer Route Preference
•Setting high local preference on receiving customer routes
–Transit AS Filter
•Carefully making filters on upstream peers so that prefix leaking doesn’t happen.
–Removing Private ASN
•neighbor <ipv4-ptp> remove-private-as
–BGP Admin Distance Higher than IGP & making external, internal, local same
•distance bgp 200 200 200
–MANRS Actions
•Filtering, Global Validation, Co-ordination, Anti-Spoofing

39
References
RFC-7454 (BGP Operations and Security)
RFC-2827 (Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing)
https://bgp4all.com/pfs/_media/conferences/lknog5-bgp-bcp.pdf
https://nsrc.org/activities/agendas/en/riso-5-days/networking/routing-security/en/labs/securing-bgp.html
https://wq.apnic.net/static/search.html
https://github.com/team-cymru/network-security-templates/tree/master/Secure-Router-Templates
https://www.ietf.org/archive/id/draft-gill-btsh-01.txt
https://datatracker.ietf.org/doc/html/draft-murphy-bgp-vuln-02#section-2
https://www.manrs.org

40
https://conference.apnic.net/58
APNIC 58 – Save the Date

41
Acknowledgement
• This material is developed from different R&D, RFCs & APNIC Workshop Slides
& Slides developed by APNIC, NSRC, MANRS, Dr. Philip Smith & Barry Greene.
• This material is open & free to use as long as it is acknowledged and the
notice remains in place
• This material is designed considering that the audience will be predominantly
technical people

42
Questions !!!