Securing BGP: Operational Strategies and Best Practices for Network Defenders, Phoenix Summit 2024

apnic 141 views 42 slides Jun 17, 2024

About This Presentation

Md. Zobair Khan,
Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.


Slide Content

1
Securing BGP: Operational Strategies and
Best Practices for Network Defenders
Md. Zobair Khan
[email protected]

2
•Network engineer and enthusiast for a long time
•Working as a Trainer/Analyst @ APNIC
•Have exposure to multi-vendor, multi-platform technologies
•A security minded person
•Would love to contribute to the community
[email protected]
$ whois MD ZOBAIR KHAN

3
Acknowledgement
•This material is developed from different R&D, RFCs & APNIC Workshop Slides & Slides developed by APNIC, NSRC, MANRS, Dr. Philip Smith & Barry Greene.
•This material is open & free to use as long as it is acknowledged and the notice remains in place
•This material is designed considering that the audience will be predominantly technical people

4
BGP – Border Gateway Protocol
•Routing protocol for connecting different networks (autonomous systems)
•Path vector protocol
•Runs on TCP port 179
•Wide scope for policy implementation
•Primarily used for Internet routing
•An AS number is required
•eBGP & iBGP

5
BGP – A TCP Protocol
https://www.geeksforgeeks.org/what-is-transmission-control-protocol-tcp/
https://medium.com/@R00tendo/tcp-connection-hijacking-deep-dive-9bbe03fce9a9

6
BGP Vulnerabilities
TCP Session Hijacking
TCP SYN Floods
Man-in-the-Middle Attacks
TCP Sequence Number Prediction
TCP Connection Teardown Attacks
TCP ACK Storms
Route Hijacking
Route Leaks
BGP Session Hijacking
BGP Session Reset Attacks
BGP Attribute Manipulation
Resource Exhaustion Attacks

7
TCP Session Hijack
https://www.kareemccie.com/2018/01/what-is-tcp-session-hijacking.html

8
TCP SYN Flood
https://www.cloudflare.com/img/learning/ddos/syn-flood-ddos-attack/syn-flood-attack-ddos-attack-diagram-2.png

9
MiTM
https://www.apriorit.com/wp-content/uploads/2021/04/scheme-of-an-mitm-attack.jpg

10
TCP Sequence Number Prediction
https://www.kareemccie.com/2018/01/what-is-tcp-session-hijacking.html

11
TCP Connection Tear Down
https://learningnetwork.cisco.com/s/question/0D53i00000KswSeCAJ/tcp-connection-termination-is-the-diagram-correct

12
TCP ACK Storms
https://kb.mazebolt.com/knowledgebase/ack-flood/

13
Route Hijacking

14
Route Leaks

15
BGP Session Reset
https://slideplayer.com/slide/9598472/

16
BGP Session Hijacking
https://slideplayer.com/slide/9598472/

17
BGP Attribute Manipulation
https://www.kwtrain.com/blog/bgp-pt2

18
Resource Exhaustion
https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/

19
BGP Security Measures

20
RPKI – Resource Public Key Infrastructure
[Diagram: RIR repositories → ROAs → validator software (verification) → validated cache → RPKI-RTR → routers]
•Create ROAs for owned resources in RPKI
•Deploy validator (relying-party) software for ROV
•RIR repositories provide ROA information to the validator software
•The software builds a validated cache and feeds it to the router infrastructure over an RTR session
•Routers enforce policies based on the validated cache
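The last step of the pipeline above, the router deciding what to do with a route based on the validated cache, is Route Origin Validation as defined in RFC 6811. The following Python is an added example and not code from the slides or from any validator product; the ROAs, announcements and ASNs are constructed sample data (documentation prefixes and private ASNs), standing in for what a real validator would push over RPKI-RTR.

```python
"""Route Origin Validation (RFC 6811) against a validated ROA cache.

Added example, not from the APNIC slides. The ROAs and announcements are
constructed sample data: documentation prefixes and private ASNs, not
real allocations."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # e.g. "203.0.113.0/24"
    max_length: int   # longest prefix length the origin may announce
    origin_as: int    # AS authorised to originate the prefix


# Constructed validated cache, the kind a relying-party validator
# would feed to routers over an RPKI-RTR session.
VALIDATED_CACHE = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("198.51.100.0/24", 26, 64501),
    ROA("2001:db8::/32", 48, 64500),
]


def route_origin_validation(prefix: str, origin_as: int, cache=VALIDATED_CACHE) -> str:
    """Return 'valid', 'invalid' or 'not-found' for (prefix, origin AS).

    A ROA covers a route when the route's prefix is equal to or more
    specific than the ROA prefix. No covering ROA -> not-found. Any
    covering ROA whose origin AS matches and whose maxLength is not
    exceeded -> valid. Covered but no such ROA -> invalid (a hijack or a
    too-specific announcement)."""
    net = ipaddress.ip_network(prefix, strict=True)
    covering = False
    for roa in cache:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covering = True
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covering else "not-found"


def apply_rov_policy(announcements, drop_invalid=True):
    """Classify (prefix, origin AS) pairs and return the accepted routes.

    Mirrors the 'drop invalids' policy from the slides: invalid routes are
    rejected; valid and not-found routes are accepted, since most of the
    routing table still has no ROA and must not be dropped."""
    accepted = []
    for prefix, origin_as in announcements:
        state = route_origin_validation(prefix, origin_as)
        if state == "invalid" and drop_invalid:
            continue
        accepted.append((prefix, origin_as, state))
    return accepted


if __name__ == "__main__":
    # Constructed announcements covering each RFC 6811 outcome.
    sample = [
        ("203.0.113.0/24", 64500),    # exact match -> valid
        ("203.0.113.0/25", 64500),    # more specific than maxLength -> invalid
        ("203.0.113.0/24", 64666),    # wrong origin AS -> invalid
        ("198.51.100.64/26", 64501),  # within maxLength -> valid
        ("192.0.2.0/24", 64500),      # no ROA at all -> not-found
    ]
    for route in apply_rov_policy(sample):
        print(route)
```

The maxLength check is the part operators most often get wrong when creating ROAs: a ROA with maxLength longer than what is actually announced lets an attacker originate a more specific from the authorised AS and still be "valid", which is why the example keeps maxLength equal to the announced length where possible.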

21
IRR Database

22
Filtering – BCP 194
Discard Special Case, Bogons, Prefixes Longer than /24 (v4) & /48 (v6), Own Prefixes, LAN Prefixes, Default Routes
Special-Purpose Prefixes
Unallocated Prefixes
Prefixes That Are Too Specific
Filtering Prefixes Belonging to the Local AS and Downstreams
IXP LAN Prefixes
The Default Route
Filters with Internet Peers
Filters with Customers
Filters with Upstream Providers
Inbound Filtering
Outbound Filtering
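The checklist above is what an inbound prefix filter enforces on every announcement from a peer or upstream. The Python below is an added example, not code from the slides, from RFC 7454 or from any vendor: it implements the checks as a classifier that returns the reason a prefix is discarded. The own prefixes, IXP LAN and received announcements are constructed; the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32) stand in for real allocations, so they are deliberately left out of the special-purpose list even though RFC 6890 lists them. Unallocated prefixes are not modelled because they need an externally maintained list (the Team Cymru feed on the Bogon Filter slide).

```python
"""Inbound prefix filter modelled on the BCP 194 / RFC 7454 checklist.

Added example, not from the slides or any vendor. Own prefixes, IXP LAN
and announcements are constructed; documentation ranges are used as
'real' space here and therefore omitted from SPECIAL_PURPOSE."""
import ipaddress

SPECIAL_PURPOSE = [ipaddress.ip_network(p) for p in (
    # IPv4: this-network, RFC 1918, RFC 6598 CGN, loopback, link-local,
    # IETF protocol assignments, benchmarking, multicast, class E
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
    # IPv6: unspecified, loopback, IPv4-mapped, NAT64, discard-only,
    # ULA, link-local, multicast
    "::/128", "::1/128", "::ffff:0:0/96", "64:ff9b::/96", "100::/64",
    "fc00::/7", "fe80::/10", "ff00::/8",
)]

MAX_LEN = {4: 24, 6: 48}  # nothing more specific than /24 (v4) or /48 (v6)


def _within(net, candidates):
    """True if net is equal to or more specific than any candidate prefix."""
    return any(net.version == c.version and net.subnet_of(c) for c in candidates)


def classify_prefix(prefix, own_prefixes=(), ixp_lans=()):
    """Return 'accept' or the reason an inbound announcement is discarded.

    Order follows the slide: default route, too specific, special-purpose
    or bogon, the local AS's own (and downstream) prefixes, IXP LAN
    prefixes. Subnets of own prefixes are caught too, because a more
    specific of your own space arriving from a peer is the classic hijack."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 0:
        return "default-route"
    if net.prefixlen > MAX_LEN[net.version]:
        return "too-specific"
    if _within(net, SPECIAL_PURPOSE):
        return "special-purpose"
    if _within(net, [ipaddress.ip_network(p) for p in own_prefixes]):
        return "own-prefix"
    if _within(net, [ipaddress.ip_network(p) for p in ixp_lans]):
        return "ixp-lan"
    return "accept"


def filter_inbound(announcements, own_prefixes=(), ixp_lans=()):
    """Split received prefixes into accepted ones and (prefix, reason) rejects."""
    accepted, rejected = [], []
    for p in announcements:
        verdict = classify_prefix(p, own_prefixes, ixp_lans)
        if verdict == "accept":
            accepted.append(p)
        else:
            rejected.append((p, verdict))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed session: our space is 203.0.113.0/24 and 2001:db8::/32,
    # the IXP LAN is 198.51.100.0/24.
    received = ["192.0.2.0/24", "0.0.0.0/0", "203.0.113.128/25", "10.1.0.0/16",
                "203.0.113.0/24", "198.51.100.0/24", "2001:db8:1::/64", "fe80::/10"]
    ok, dropped = filter_inbound(received, ["203.0.113.0/24", "2001:db8::/32"],
                                 ["198.51.100.0/24"])
    print("accepted:", ok)
    for prefix, reason in dropped:
        print("rejected:", prefix, reason)
```

The same function applies on the customer-facing side with the roles reversed: there the "own prefixes" check becomes a positive allow-list of what that customer is registered to announce (the IRR due-diligence step on the summary slide), and anything outside it is dropped.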

23
Tools for Filtering
https://github.com/snar/bgpq3
IRRPT
BGPQ4

24
RTBH
https://www.cisco.com/c/dam/en_us/about/security/intelligence/blackhole.pdf

25
URPF
https://www.cisco.com/c/dam/en_us/about/security/intelligence/blackhole.pdf

26
GTSM
•Prevents third-party attacks on eBGP peers. Works best with MD5 authentication. Must be configured on both peers.
•(neighbor <ipv4-ptp> ttl-security hops 1)
https://www.researchgate.net/figure/The-Generalized-TTL-Security-Mechanism-GTSM-in-operation-Routers-set-the-TTL-on-a_fig4_228910855

27
MD5 Authentication
•Must be configured on both peers with the same password. (neighbor <ipv4-ptp> password CISCO)
https://costiser.ro/uploads/tcp-options-calculating-bgp-md5-digest.png

28
Community Scrubbing
Ingress BGP peering policy applied to transit/public/private and downstream peers should remove all inbound communities with the SP's number in the high-order bits, except for the ones used for signaling (e.g. setting BGP Local Preference)
https://bgphelp.com/2017/02/02/bgp-best-practices-or-dissecting-rfc-7454/
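The scrubbing rule above is simple to state but easy to get backwards in a route-map, so here it is as an added Python example (not code from the slides or from bgphelp.com). LOCAL_ASN, the signaling allow-list and the received community lists are constructed values. The high-order field of a standard community (ASN:value) and the first field of a large community (ASN:x:y) both carry the administrator ASN, so one rule covers both.

```python
"""Ingress community scrubbing (RFC 7454 section 11).

Added example, not from the slides. LOCAL_ASN and the signaling
communities are constructed values."""

LOCAL_ASN = 64500  # constructed: the service provider's own ASN

# Communities a customer may send to influence our policy (constructed:
# 64500:80 and 64500:120 are assumed to set local preference 80 / 120).
SIGNALING_COMMUNITIES = {"64500:80", "64500:120"}


def community_asn(community: str):
    """Return the ASN in the high-order (administrator) field, or None for
    well-known named communities such as 'no-export' that carry no ASN."""
    head, sep, _ = community.partition(":")
    if not sep or not head.isdigit():
        return None
    return int(head)


def scrub_inbound_communities(communities, local_asn=LOCAL_ASN,
                              allowed=SIGNALING_COMMUNITIES):
    """Drop communities tagged with our own ASN unless they are on the
    signaling allow-list; forward everything else untouched.

    Foreign communities (other ASNs) and well-known communities are
    passed through, as the slide requires: scrub internal, forward foreign."""
    kept = []
    for c in communities:
        if community_asn(c) == local_asn and c not in allowed:
            # An internal control community arriving from outside could
            # steer our traffic engineering; strip it at the edge.
            continue
        kept.append(c)
    return kept


if __name__ == "__main__":
    # Constructed inbound COMMUNITIES attribute from a customer session.
    received = ["64500:3000", "64500:80", "65001:100", "no-export", "64500:1:7"]
    print(scrub_inbound_communities(received))
```

The allow-list is deliberately a set of exact community strings rather than a pattern: every community a customer is permitted to set should be documented, and anything not on that list but carrying the SP's ASN is by definition an internal tag that should never arrive from a neighbour.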

29
Bogon Filter
https://www.team-cymru.com/bogon-networks
https://rickfreyconsulting.com/mikrotik-router-bgp-peering-with-team-cymru-for-bogons/

30
Prefix Limit
•neighbor <x.x.x.x> maximum-prefix <max> [restart N] [<threshold>] [warning-only]
https://flylib.com/books/en/4.208.1.66/1/

31
AS Path Length
https://aboutnetworks.net/bgp-load-sharing/
•router bgp X0
• bgp maxas-limit 5

32
Customer Route Preference
https://networklessons.com/bgp/bgp-attributes-and-path-selection

33
Transit AS Filter

34
Removing Private AS
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClInCAK
•neighbor <ipv4-ptp> remove-private-as
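The two AS_PATH controls on the AS Path Length slide (bgp maxas-limit 5) and on this slide (neighbor remove-private-as) are shown below together as an added Python example; it is not code from the slides and not any vendor's implementation. The AS_PATH is modelled as a plain list of ASNs (AS_SEQUENCE only, no AS_SET), and the private-ASN removal rule is a simplified model: vendors differ on whether they strip only leading private ASNs, all of them, or refuse to strip when public ASNs are mixed in, so check the platform's documentation before relying on this behaviour. The ASNs and paths are constructed.

```python
"""AS_PATH sanity checks modelled on 'bgp maxas-limit' and
'neighbor remove-private-as'.

Added example, not from the APNIC slides. Paths are lists of ASNs
(AS_SEQUENCE only). The removal semantics are a simplified assumption,
not any router's exact behaviour."""

# Private ASN ranges from RFC 6996.
PRIVATE_ASN_16 = range(64512, 65535)            # 64512 .. 65534
PRIVATE_ASN_32 = range(4200000000, 4294967295)  # 4200000000 .. 4294967294


def is_private_asn(asn: int) -> bool:
    return asn in PRIVATE_ASN_16 or asn in PRIVATE_ASN_32


def exceeds_maxas_limit(as_path: list, limit: int = 5) -> bool:
    """True when the received path is longer than the configured limit.
    Such an UPDATE is discarded, which bounds the memory and CPU a peer
    can consume with absurdly long (or deliberately padded) paths."""
    return len(as_path) > limit


def remove_private_as(as_path: list, mode: str = "leading") -> list:
    """Strip private ASNs before the path is advertised to an eBGP peer.

    mode="leading": remove only the run of private ASNs at the head of
                    the path (the customer's stub ASNs); keep the rest.
    mode="all":     remove every private ASN anywhere in the path.
    """
    if mode == "all":
        return [asn for asn in as_path if not is_private_asn(asn)]
    if mode != "leading":
        raise ValueError("mode must be 'leading' or 'all'")
    i = 0
    while i < len(as_path) and is_private_asn(as_path[i]):
        i += 1
    return as_path[i:]


def prepare_for_advertisement(as_path: list, local_asn: int,
                              limit: int = 5, mode: str = "leading"):
    """Apply both checks and return (accept, outbound_path).

    A path over the limit is rejected on receipt. Otherwise private ASNs
    are removed and the local ASN is prepended, as an eBGP speaker does
    when it re-advertises the route."""
    if exceeds_maxas_limit(as_path, limit):
        return False, []
    return True, [local_asn] + remove_private_as(as_path, mode)


if __name__ == "__main__":
    # Constructed: a customer behind private ASNs 64512 and 64600, then
    # public ASNs; our ASN is 64500 (private too, but it is only a sample).
    print(prepare_for_advertisement([64512, 64600, 3333, 1299], 64500))
    print(prepare_for_advertisement(list(range(1, 8)), 64500))
```

Leaking a private ASN to the Internet is not only untidy: any AS that has the same private number configured will drop the route on loop detection, so the outbound removal step is a reachability safeguard as much as a hygiene measure.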

35
BGP Admin Distance
•BGP admin distance higher than IGP, with external, internal and local set to the same value
•distance bgp 200 200 200
https://study-ccna.com/floating-static-route/

36
MANRS Actions

37
MANRS Observatory
https://observatory.manrs.org/#/overview

38
BGP Security Measures
–ROA & RPKI
•Trust Anchor, Validator Software like Routinator 3000/Fort/OctoRPKI/RPKI-Client, RTR Session, Drop Invalids
–Due Diligence Checking with IRR
•Whois query, radb, IRR of RIRs – (whois -h whois.apnic.net -i or AS10075 | grep route:)
–Filtering (Prefix & AS)
•Discard Special Case, Bogons, Prefixes Longer than /24(v4) & /48(v6), Own Prefixes, LAN Prefixes, Default Routes
–Using Tools for Filter Generation (bgpq3, rtconfig etc.)
•bgpq3 -4 -l NAME AS10075
–RTBH
•Blackholing unwanted traffic to null
–URPF
•Difficult for multihoming networks. Can be used in feasible mode
–GTSM
•Prevents third-party attacks on eBGP peers. Works best with MD5 authentication. Must be configured on both peers.
•(neighbor <ipv4-ptp> ttl-security hops 1)
–MD5 Authentication
•Must be configured on both peers with the same password. (neighbor <ipv4-ptp> password CISCO)
–Community Scrubbing
•AS should scrub communities used internally but forward foreign communities.

39
BGP Security Measures
–Bogon Filtering
•Private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598 and number resources not yet allocated to RIRs by the Internet Assigned Numbers Authority. The Bogon Route Server Project by Team Cymru is a very helpful way to handle bogons.
–Prefix Limit
•neighbor <x.x.x.x> maximum-prefix <max> [restart N] [<threshold>] [warning-only]
–AS Path Length Limit
•router bgp X0
• bgp maxas-limit 5
–Customer Route Preference
•Setting high local preference on receiving customer routes
–Transit AS Filter
•Carefully making filters on upstream peers so that prefix leaking doesn’t happen.
–Removing Private ASN
•neighbor <ipv4-ptp> remove-private-as
–BGP Admin Distance Higher than IGP & making external, internal, local same
•distance bgp 200 200 200
–MANRS Actions
•Filtering, Global Validation, Co-ordination, Anti-Spoofing

4040
References
RFC-7454 (BGP Operations and Security)
RFC-2827 (Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing)
https://bgp4all.com/pfs/_media/conferences/lknog5-bgp-bcp.pdf
https://nsrc.org/activities/agendas/en/riso-5-days/networking/routing-security/en/labs/securing-bgp.html
https://wq.apnic.net/static/search.html
https://github.com/team-cymru/network-security-templates/tree/master/Secure-Router-Templates
https://www.ietf.org/archive/id/draft-gill-btsh-01.txt
https://datatracker.ietf.org/doc/html/draft-murphy-bgp-vuln-02#section-2
https://www.manrs.org

41
https://conference.apnic.net/58
APNIC 58 – Save the Date

42
Questions !!!