Mar
6
2009

BGP MiTM attacks

Surfing the web, I have found a nice article about BGP weakness. This document, entitled “Defending Against BGP Man-In-The-Middle Attacks“, was presented by Earl Zmijewski during Black Hat DC 2009 (Hyatt Regency Crystal City – February 16-17 – Arlington, Virginia).

The slides focus on four points:

  1. BGP Routing Basics – Enough to understand and identify the threat
    1. BGP Update Messages
    2. BGP Attributes
    3. Some real examples
  2. The Man-In-The-Middle Attack:
    1. How BGP MiTM attack work
    2. What are the techniques used by an attacker to “tune” the attack (Obscuring the MITM attack with TTL adjustment)
  3. Detecting the Attack – Methods for observing the attack in the wild:
    1. Traceroute
    2. Latency
    3. BGP Alarming Services (BGPmon, IAR, …)
  4. Case Studies – Analyzing historical data for attack evidence

 

“At DEFCON 16, Alex Pilosov and Tony Kapela presented a new BGP attack in which traffic to a victim is hijacked, but then transparently routed to the intended recipient. This allows for wholesale eavesdropping, including alteration, of all incoming traffic to the victim. In this talk, we review enough BGP routing background to understand the threat and how it breaks the trust model inherent in Internet routing.

Then we review possible detection mechanisms via data aggregation from global route collection. The tip-off to such attacks includes prefix de-aggregation, invalid originations, invalid AS adjacencies, and even improbable AS paths. Detection techniques depend whether or not you know ground truth, i.e., if you are looking to defend your own network or simply observe such hijacks in the wild.

We conclude with case studies of applying these techniques to global routing data.”

 

BGP MiTM attack

1) Normal BGP behavior: AS7 announces his network to the other autonomous system

 

bgp_attack_1

 

2) The attacker (AS #666) announces the more-specific prefixes network

 

bgp_attack_2

… In BGP, most specific route to an IP address wins and the traffic is sent to AS666 instead of AS7!!!

 

References: